Abstract

The detection and identification of Distributed Denial-of-Service (DDoS) attacks remains a challenge in cloud/edge/fog computing environments. It usually requires network middleboxes, such as deep packet inspectors (DPI), mostly for the detection task. However, clouds and fogs have powerful native telemetry systems that are not yet fully exploited for DDoS detection, and these systems provide a wealth of information that could aid attack identification tasks as well. Machine Learning (ML) algorithms can help one dive into the richness of the cloud's native data collection services, which offer a multitude of metrics from both physical and virtual hosts. This paper evaluates the use of ML algorithms over datasets collected from an experimental testbed based on OpenStack. Controlled attack scenarios were used to investigate the ability of ML to perform tasks such as detecting and identifying SYN_Flood and GET_Flood DDoS attacks mixed, in different proportions, with legitimate clients. The kNN and Random Forest ML algorithms were trained and tested, and accuracy, recall, precision, and F1-score were used as evaluation metrics. Our experiments showed about 87% accuracy in the detection of SYN_Flood and GET_Flood DDoS attacks, whereas Snort IDS mostly fails to detect the latter attack when processing the corresponding packet traces. The detection of the PING_Flood DDoS attack was also tested without training, as an initial evaluation towards the generalization of the proposal.
