ShieldRNN: A Distributed Flow-Based DDoS Detection Solution for IoT Using Sequence Majority Voting

Abstract

Many of the IoT devices connected to the Internet are insecure which expose the Internet to a variety of cybersecurity threats. The Distributed Denial of Service (DDoS) attack is considered one of the most critical threats on the Internet, blocking legitimate users from accessing online services. Botnets have exploited insecure IoT devices and used them to launch DDoS attacks. Providing IoT devices with the ability to detect DDoS attacks will prevent them from being contributors to these attacks. This paper presents an efficient solution to defend IoT devices against such inevitable attacks. The proposed solution consists of two parts: an IoT node detector and a server detector. The IoT node detector is a lightweight classifier to monitor egress traffic. The server detector is a more accurate classifier that is used by the IoT node if it suspected to be a contributor to a DDoS attack. To develop the accurate server detector, this paper proposes <i>ShieldRNN</i>: a novel training and prediction approach for RNN/LSTM models. We compared <i>ShieldRNN</i> with other supervised and unsupervised models on the CIC-IDS2017 dataset and we showed that it outperformed them. Also, we set baseline results for DDoS detection on the CIC IoT 2022 dataset.