Adaptable feature-selecting and threshold-moving complete autoencoder for DDoS flood attack mitigation

Abstract

DDoS attacks remain one of the top cyber threats targeting the financial, health care, retail, gaming, and political sectors, which affects Internet service disruption, data or monetary loss. Security experts have predicted that the development of 5G technology will increase the frequency and the vector of DDoS attacks. Moreover, enhanced DDoS attack technology utilises artificial intelligence [1], which will escalate the level of difficulty to identify malicious traffic correctly to mitigate the attack effectively. The Internet service provider (ISP) is the connector between the users and the Internet. Deploying DDoS mitigation systems within the ISP domain can offer an efficient solution. Therefore, we propose a dynamic learning system (DLS) for the ISP. The DLS is an unsupervised ensemble model using the Complete Autoencoder (CA) as base learners to classify network traffic. The utmost difference between the CA and the regular Autoencoder is that the CA exploits the imbalanced characteristic of the attack data to generate a binary classification via a class switch. When the predicted number of normal IP addresses is over 50% of the total IP addresses, the CA swaps the class of the IP addresses. The CA is directed by a reference object (RO), which is either a reference limit or the mean of a reference error function (RL1¯), to furnish the automation to the DLS. The DLS was trained with a TCP-ICMP flood attack and tested with a UDP-TCP and a UDP-TCP-ICMP flood attack data set. The average Recall, Precision and F1 Score are all above 0.97. Additionally, the DLS outperformed the K-means and the Self-Organising Map models on a UDP flood attack data set.