DoS attack detection method on application layer for publish-subscribe networks

Abstract

Introduction: For the development of cyberphysical systems, new technologies and data transfer protocols are being developed, in order to reduce the energy costs of communication devices. One of the modern approaches to data transmission in cyberphysical systems is the publish-subscribe model, which is subject to a denial-of-service attack. Purpose: Development of a model for detecting a DoS attack implemented at the application level of publish-subscribe networks based on the analysis of their traffic using machine learning methods. Results: A model is developed for detecting a DoS attack, operating with three classifiers depending on the message type: connection, subscription, and publication. This approach makes it possible to identify the source of an attack. That can be a network node, a particular device, or a user account. A multi-layer perceptron, the random forest algorithm, and a support vector machine of various configurations were considered as classifiers. Training and test data sets were generated for the proposed feature vector. The classification quality was evaluated by calculating the F1 score, the Matthews correlation coefficient, and accuracy. The multilayer perceptron model and the support vector machine with a polynomial kernel and SMO optimization method showed the best values of all metrics. However, in the case of the support vector machine, a slight decrease in the prediction quality was detected when the width of the traffic analysis window was close to the longest period of sending legitimate messages from the training data set. Practical relevance: The results of the research can be used in the development of intrusion detection features for cyberphysical systems using the publish-subscribe model, or other systems based on the same approach