Abstract

Among network security issues, distributed denial of service (DDoS) attacks are particularly harmful to a network. Several previous machine learning (ML)-based network intrusion detection approaches have been developed to protect against DDoS attacks. However, existing ML detection approaches diagnose the causality between attacks and traffic features based mainly on purely associative features. Causal reasoning shows that this inability to disentangle correlation from causation can result in diagnostic errors. To solve this problem of false associations, this paper proposes a DDoS detection framework based on causal reasoning. This framework consists of two main parts: feature selection based on “do-operations” and attack detection by counterfactual diagnosis. First, the noise features that are falsely associated with DDoS attacks are deleted during the “do-operations”. Then, the expected number of anomaly features under different DDoS attack types is calculated in the counterfactual situations. The larger the expected value that is calculated for a certain attack, the more likely it is that the anomaly features of the testing data are caused by this attack. The experiments show that the causality between DDoS attacks and the anomaly features can be fully described by our method, which, compared to other classic ML associative methods, increases the detection accuracy by approximately 5% on average.
