Abstract

Network traffic classification to detect DDoS attacks is challenging in the context of high-speed networks. In this paper, we discuss the need for distributed feature selection in intrusion detection systems using parallel computing. We present a parallel cumulative ranker algorithm that ranks the attributes of a dataset for cost-effective classification of network traffic. We use the MIT-DARPA, CAIDA, ISCX-IDS and TU-DDoS datasets to validate our method. On large datasets (50,000-1,000,000 instances), our feature ranking algorithm finds the best possible features from the above-mentioned datasets and gives high accuracy (92%-97%) in a parallel environment, which takes significantly less time (71%-85% lower) than a sequential environment. We also discuss the importance of active learning, in which an expert module selects appropriate instances in an unsupervised way to train an SVM binary classifier for detection of DDoS attack traffic. Our approach selects small batches of training samples from a dataset to classify network traffic with high accuracy. On large data, our approach provides better classification accuracy with fewer training samples. A case study looks into the detection of intrusion in power systems.
