Abstract

The continuing development of 5G technology increases the number of devices connected to the internet, which gives cybercriminals increasing potential to orchestrate detrimental Distributed Denial of Service (DDoS) attacks. The research community continues to develop new techniques to respond to the growing demand for DDoS mitigation. The internet service provider (ISP) provides internet access for users, so the attack traffic arrives at this location before reaching the victim. Deploying the mitigation system within the ISP domain therefore offers an efficient solution. We propose a dynamic network traffic managing (DNTM) system for the ISP, which encompasses an Attack Detector, an IP Prioritiser, a Traffic Manager, and a Netflow Classifier. The IP Prioritiser categorises IP addresses into normal and suspicious classes. The Traffic Manager makes use of existing ISP mechanisms, including ingress and egress filtering, rate limiting, blackholing and normal routing, to take different mitigation actions. The Netflow Classifier is a hybrid ensemble model that utilises both unsupervised and supervised learning techniques. The classifier employs two self-organising maps (SOMs) to label data to train a supervised ensemble unit, which includes Random Forests, Decision Trees, and Gradient Boosted Trees (SRDG), to get the final classification. The Netflow Classifier achieved an average of over 96% for recall, precision and F1 score on UDP flood, ICMP flood and TCP flood attack data sets.
