Abstract
Distributed denial of service (DDoS) attacks aim to deplete the network bandwidth and computing resources of targeted victims. Low-rate DDoS attacks exploit protocol features such as the transmission control protocol (TCP) three-way handshake mechanism for connection establishment and the TCP congestion-control induced backoffs to attack at a much lower rate and still effectively bring down the targeted network and computer systems. Most of the statistical and machine/deep learning-based detection methods proposed in the literature require keeping track of packets by flows and have high processing overheads for feature extraction. This paper presents a novel two-stage model that uses Long Short-Term Memory (LSTM) and Random Forest (RF) to detect the presence of attack flows in a group of flows. This model has a very low data processing overhead; it uses only two features and does not require keeping track of packets by flows, making it suitable for continuous monitoring of network traffic and on-the-fly detection. The paper also presents an LSTM Autoencoder to detect individual attack flows with high detection accuracy using only two features. Additionally, the paper presents an analysis of a support vector machine (SVM) model that detects attack flows in slices of network traffic collected for short durations. The low-rate attack dataset used in this study is made available to the research community through GitHub.
Highlights
Denial of service (DoS) attacks attempt to exhaust the network bandwidth or computing resources of a target by overwhelming it with network traffic
If the attack traffic is generated from multiple sources, it is a distributed denial of service (DDoS) attack, which is harder to mitigate since simple Internet Protocol (IP) address filters do not work
Many of these models use a large number of features, which requires more training data and longer training times. These techniques are suitable for offline analyses of network traffic but are impractical for real-time detection of low-rate DDoS (LDDoS) attacks. We address this limitation by designing new Machine Learning (ML)/Deep Learning (DL) models that have low data-processing overheads and are suitable for continuous monitoring of network traffic for on-the-fly detection of LDDoS attacks
Summary
Denial of service (DoS) attacks attempt to exhaust the network bandwidth or computing resources of a target by overwhelming it with network traffic. If the attack traffic is generated from multiple sources, it is a distributed denial of service (DDoS) attack, which is harder to mitigate since simple Internet Protocol (IP) address filters do not work. DDoS attacks, in addition to making target networks and servers unavailable for legitimate users, can hide the network traffic of malware propagating laterally within an organization or communicating with their command and control centers [1]. DDoS attacks exploit the protocols at the network, transport, or application layers of the transmission control protocol (TCP)/IP protocol stack [2]. Cisco report predicts that DDoS attacks will grow to 15 million by 2023 [7]
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
