Distributed Denial Of Service Attack Detection Research Articles

Developing information technology for evaluating and enhancing application-layer DDoS attack detection methods

The subject matter of this article is the methods to detect distributed denial-of-service (DDoS) attacks at the Hypertext Transfer Protocol (HTTP) level with the purpose of justifying the requirements for creating software capable of identifying malicious web server clients. The goal of this article is to develop an information technology to evaluate the efficiency of DDoS attack detection methods, which will quantify their operating time, memory consumption, and approximate classification accuracy. In addition, this paper proposes hypotheses and a potential approach to improve existing application-layer DDoS attack detection methods with the intention of increasing their accuracy and identification speed. The tasks of this study are as follows: to analyse modern methods for detecting application-layer DDoS attacks; to investigate their features and short­comings; to develop a software system to assess DDoS attack detection methods; to programmatically implement these methods and experimentally measure their performance indicators, specifically: classification ac­curacy, operating time, and memory usage; to compare the efficiency of the investigated methods; to formulate hypotheses and propose an approach to improve existing methods and/or develop new methods based on the results obtained. The methods employed are abstraction, analysis, systematic approach, and empirical research. In particular, the datasets generated by DDoS utilities were processed using the synthetic minority oversampling technique (SMOTE) to balance them. Furthermore, the studied DDoS attack detection methods were implemented, including fitting the required parameters and training artificial neural network models for evaluation. The following results were obtained. The average classification accuracy, operating time, and random-access memory (RAM) consumption during Internet traffic classification were determined for six DDoS attack detection methods under the same conditions. This study has demonstrated that the development of a novel method to detect DDoS attacks at the HTTP level with enhanced accuracy and classification speed is strongly required. The experimental results demonstrate that the time series-based method exhibited the shortest operating time (1.33 ms for 5000 vectors), whereas the deep neural network-based method exhibited the highest average classification accuracy (ranging from 99.07% to 99.97%) and the lowest memory consumption (39.09 KB for 5000 vectors). Conclusions. In this study, a software system was developed to assess the average accuracy of DDoS attack classification methods and measure the computational resources utilized. The scientific novelty of the obtained results lies in the formulation of two hypotheses and a potential approach to the creation of a novel method for detecting DDoS attacks at the HTTP level, which will have both high classification accuracy and a short operating time to surpass previously studied analogues in these respects. The first hypothesis is based on the additional usage of HTTP request attributes during Internet traffic classification. The second hypothesis is to analyse a graph of user transitions between website pages. The article also superficially describes a potential approach that involves the implementation of the described hypotheses as well as the proposed software architecture of an application-layer DDoS attack detection system for the Kubernetes platform and the Istio framework, which addresses the issue of collecting web request parameter values for websites that use the cryptographically secured HTTPS protocol.

DDoS detection in electric vehicle charging stations: A deep learning perspective via CICEV2023 dataset

Distributed Denial of Service (DDoS) attacks have always been an important research topic in the field of information security. Regarding specialized infrastructures such as electric vehicle charging stations, detecting and preventing such attacks becomes even more critical. In the existing literature, most studies on DDoS attack detection focus on traditional methods that analyze network metrics such as network traffic, packet rates, and number of connections. These approaches attempt to detect attacks by identifying anomalies and irregularities in the network, but can have high error rates and fail to identify advanced attacks. Conversely though, detection methods based on system metrics use deeper and more insightful parameters such as processor utilization, memory usage, disk I/O operations, and system behavior. Such metrics provide a more detailed perspective than network-based approaches, allowing for more accurate detection of attacks. However, work in this area is not yet widespread enough further research and improvement are needed. The adoption of advanced system metrics-based methods can significantly improve the effectiveness of DDoS defense strategies, especially in next-generation and specialized infrastructures. This paper evaluates the applicability and effectiveness of Long Short-Term Memory (LSTM) and Feed-Forward Network (FFN) in detecting DDoS attacks against electric vehicle charging stations through system metrics using CICEV2023 dataset. Experimental results show that the LSTM based model offers advantages in terms of speed and processing capacity, while the FFN is superior in terms of the accuracy.

DTL-5G: Deep transfer learning-based DDoS attack detection in 5G and beyond networks

Network slicing is considered as a key enabler for 5G and beyond mobile networks for supporting a variety of new services, including enhanced mobile broadband, ultra-reliable and low-latency communication, and massive connectivity, on the same physical infrastructure. However, this technology increases the susceptibility of networks to cyber threats, particularly Distributed Denial-of-Service (DDoS) attacks. These attacks have the potential to cause service quality degradation by overloading network function(s) that are central to network slices to operate seamlessly. This calls for an Intrusion Detection System (IDS) as a shield against a wide array of DDoS attacks. In this regard, one promising solution would be the use of Deep Learning (DL) models for detecting possible DDoS attacks, an approach that has already made its way into the field given its manifest effectiveness. However, one particular challenge with DL models is that they require large volumes of labeled data for efficient training, which are not readily available in operational networks. A possible workaround is to resort to Transfer Learning (TL) approaches that can utilize the knowledge learned from prior training to a target domain with limited labeled data. This paper investigates how Deep Transfer Learning (DTL) based approaches can improve the detection of DDoS attacks in 5G networks by leveraging DL models, such as Bidirectional Long Short-Term Memory (BiLSTM), Convolutional Neural Network (CNN), Residual Network (ResNet), and Inception as base models. A comprehensive dataset generated in our 5G network slicing testbed serves as the source dataset for DTL, which includes both benign and different types of DDoS attack traffic. After learning features, patterns, and representations from the source dataset using initial training, we fine-tune base models using a variety of TL processes on a target DDoS attack dataset. The 5G-NIDD dataset, which has a sparse amount of annotated traffic pertaining to several DDoS attack generated in a real 5G network, is chosen as the target dataset. The results show that the proposed DTL models have performance improvements in detecting different types of DDoS attacks in 5G-NIDD dataset compared to the case when no TL is applied. According to the results, the BiLSTM and Inception models being identified as the top-performing models. BiLSTM indicates an improvement of 13.90%, 21.48%, and 12.22% in terms of accuracy, recall, and F1-score, respectively, whereas, Inception demonstrates an enhancement of 10.09% in terms of precision, compared to the models that do not adopt TL.

IDAD: An improved tensor train based distributed DDoS attack detection framework and its application in complex networks

With the vigorous development of Internet technology, the scale of systems in the network has increased sharply, which provides a great opportunity for potential attacks, especially the Distributed Denial of Service (DDoS) attack. In this case, detecting DDoS attacks is critical to system security. However, current detection methods exhibit limitations, leading to compromises in accuracy and efficiency. To cope with it, three key strategies are implemented in this paper: (i) Using tensors to model large-scale and heterogeneous data in complex networks; (ii) Proposing a denoising algorithm based on the improved and distributed tensor train (IDTT) decomposition, which optimizes the tensor train(TT) decomposition in terms of parallel computation and low-rank estimation; (iii) Combining (i), (ii) and Light Gradient Boosting Machine (LightGBM) classification model, an efficient DDoS attack detection framework is proposed. Datasets CIC-DDoS2019 and NSL-KDD are used to evaluate the framework, and results demonstrate that accuracy can reach 99.19% while having the characteristics of low storage consumption and well speedup ratio.

Eye-Net: A Low-Complexity Distributed Denial of Service Attack-Detection System Based on Multilayer Perceptron

Distributed Denial of Service (DDoS) attacks disrupt service availability, leading to significant financial setbacks for individuals and businesses. This paper introduces Eye-Net, a deep learning-based system optimized for DDoS attack detection that combines feature selection, balancing methods, Multilayer Perceptron (MLP), and quantization-aware training (QAT) techniques. An Analysis of Variance (ANOVA) algorithm is initially applied to the dataset to identify the most distinctive features. Subsequently, the Synthetic Minority Oversampling Technique (SMOTE) balances the dataset by augmenting samples for under-represented classes. Two distinct MLP models are developed: one for the binary classification of flow packets as regular or DDoS traffic and another for identifying six specific DDoS attack types. We store MLP model weights at 8-bit precision by incorporating the quantization-aware training technique. This adjustment slashes memory use by a factor of four and reduces computational cost similarly, making Eye-Net suitable for Internet of Things (IoT) devices. Both models are rigorously trained and assessed using the CICDDoS2019 dataset. Test results reveal that Eye-Net excels, surpassing contemporary DDoS detection techniques in accuracy, recall, precision, and F1 Score. The multiclass model achieves an impressive accuracy of 96.47% with an error rate of 8.78%, while the binary model showcases an outstanding 99.99% accuracy, maintaining a negligible error rate of 0.02%.

An entropy and machine learning based approach for DDoS attacks detection in software defined networks

Software-defined networks (SDNs) have been growing rapidly due to their ability to provide an efficient network management approach compared to traditional methods. However, one of the major challenges facing SDNs is the threat of Distributed Denial of Service (DDoS) attacks, which can severely impact network availability. Detecting and mitigating such attacks is challenging, given the constantly evolving range of attack techniques. In this paper, a novel hybrid approach is proposed that combines statistical methods with machine-learning capabilities to address the detection and mitigation of DDoS attacks in SDN environments. The statistical phase of the approach utilizes an entropy-based detection mechanism, while the machine-learning phase employs a clustering mechanism to analyze the impact of active users on the entropy of the system. The k-means algorithm is used for clustering. The proposed approach was experimentally evaluated using three modern datasets, namely, CIC-IDS2017, CSE-CIC-2018, and CICIDS2019. The results demonstrate the effectiveness of the system in detecting and blocking sudden and rapid attacks, highlighting the potential of the proposed approach to significantly enhance security against DDoS attacks in SDN environments.

Software-Defined-Networking-Based One-versus-Rest Strategy for Detecting and Mitigating Distributed Denial-of-Service Attacks in Smart Home Internet of Things Devices.

The number of connected devices or Internet of Things (IoT) devices has rapidly increased. According to the latest available statistics, in 2023, there were approximately 17.2 billion connected IoT devices; this is expected to reach 25.4 billion IoT devices by 2030 and grow year over year for the foreseeable future. IoT devices share, collect, and exchange data via the internet, wireless networks, or other networks with one another. IoT interconnection technology improves and facilitates people's lives but, at the same time, poses a real threat to their security. Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks are considered the most common and threatening attacks that strike IoT devices' security. These are considered to be an increasing trend, and it will be a major challenge to reduce risk, especially in the future. In this context, this paper presents an improved framework (SDN-ML-IoT) that works as an Intrusion and Prevention Detection System (IDPS) that could help to detect DDoS attacks with more efficiency and mitigate them in real time. This SDN-ML-IoT uses a Machine Learning (ML) method in a Software-Defined Networking (SDN) environment in order to protect smart home IoT devices from DDoS attacks. We employed an ML method based on Random Forest (RF), Logistic Regression (LR), k-Nearest Neighbors (kNN), and Naive Bayes (NB) with a One-versus-Rest (OvR) strategy and then compared our work to other related works. Based on the performance metrics, such as confusion matrix, training time, prediction time, accuracy, and Area Under the Receiver Operating Characteristic curve (AUC-ROC), it was established that SDN-ML-IoT, when applied to RF, outperforms other ML algorithms, as well as similar approaches related to our work. It had an impressive accuracy of 99.99%, and it could mitigate DDoS attacks in less than 3 s. We conducted a comparative analysis of various models and algorithms used in the related works. The results indicated that our proposed approach outperforms others, showcasing its effectiveness in both detecting and mitigating DDoS attacks within SDNs. Based on these promising results, we have opted to deploy SDN-ML-IoT within the SDN. This implementation ensures the safeguarding of IoT devices in smart homes against DDoS attacks within the network traffic.

Towards Resource-Efficient DDoS Detection in IoT: Leveraging Feature Engineering of System and Network Usage Metrics

The Internet of Things (IoT) is omnipresent, exposing a large number of devices that often lack security controls to the public Internet. In the modern world, many everyday processes depend on these devices, and their service outage could lead to catastrophic consequences. There are many Deep Packet Inspection (DPI) based intrusion detection systems (IDS). However, their linear computational complexity induced by the event-driven nature poses a power-demanding obstacle in resource-constrained IoT environments. In this paper, we shift away from the traditional IDS as we introduce a novel and lightweight framework, relying on a time-driven algorithm to detect Distributed Denial of Service (DDoS) attacks by employing Machine Learning (ML) algorithms leveraging the newly engineered features containing system and network utilization information. These features are periodically generated, and there are only ten of them, resulting in a low and constant algorithmic complexity. Moreover, we leverage IoT-specific patterns to detect malicious traffic as we argue that each Denial of Service (DoS) attack leaves a unique fingerprint in the proposed set of features. We construct a dataset by launching some of the most prevalent DoS attacks against an IoT device, and we demonstrate the effectiveness of our approach with high accuracy. The results show that standalone IoT devices can detect and classify DoS and, therefore, arguably, DDoS attacks against them at a low computational cost with a deterministic delay.

Detection of DDoS Attack Based on Deep Neural Network with various Number of Features

Distributed Denial of Service (DDoS) attacks have become an effective threat to the reliability and availability of the services of the internet in last decades. The effectiveness of utilizing Deep Neural Networks (DNNs) for DDoS attack detection is investigated in this paper. We implemented a reliable detection system that analyzes network traffic data to spot any DDoS activities. A multi-layer perceptron model trained on a dataset containing five different forms of DDoS attacks and normal traffic is used in this method. Also, three cases of varous number of features was investigated to extract the optimal number of features that can be used for detection of DDoS attacks. To improve accuracy, a great deal of testing was done on the model's architecture using various hyperparameters and training procedures. With a 96.5% detection rate, the DNN results showed a high degree of accuracy. This demonstration highlights the ability of deep neural networks to identify DDoS attacks in the midst of regular traffic. The six-category classification enhances detection granularity and facilitates the application of more specialized and successful mitigation techniques. Given the great precision attained, DNNs have the potential to be an essential part of real-time detection systems, providing a major advancement over conventional techniques.

Detection and mitigation of DDoS attacks in SDN based intrusion detection system

Software defined networks (SDN) have completely revolutionized the management and operation of networks. This novel technology entails a distinctive approach to management. Amidst the advancements, a notable security concern arises in the form of distributed denial of service (DDoS) attacks. To counteract this attack, the deployment of intrusion detection systems (IDS) assumes paramount importance. IDS plays a critical role in monitoring network traffic, promptly detecting irregularities that may signify a potential denial of service (DoS) assault. This study delves into a comprehensive exploration of a DDoS attack on an SDN network using the OpenDaylight controller and the Mininet emulator. Furthermore, the assessment extends to evaluating the DDoS attack's repercussions and the effectiveness of IDS in mitigating such risks. Various performance metrics, including throughput according to delay time, are monitored to gauge network performance under duress. The difference in throughput curves when comparing scenarios with and without IDS highlights the significant impact of intrusion detection. When the IDS was absent, there was a noticeable increase in oscillations, indicating greater network susceptibility. On the other hand, the presence of an IDS created a more regulated environment, reducing variances and promoting a more stable network.

A Machine Learning Based Approach for the Detection of DDoS Attacks on Internet of Things Using CICDDoS2019 Dataset - PortMap

In today's technological era, the Internet has become ubiquitous, playing a vital role in our daily lives. With the exponential growth of IoT innovation, millions of interconnected IoT-enabled devices rely on cloud services to communicate over the Internet. However, this rapid development also exposes these devices to various threats, with DDoS (Distributed Denial of Service) and DoS (Denial of Service) attacks being particularly potent and destructive. DDoS attacks present a unique challenge as they are extremely difficult to detect using conventional intrusion detection frameworks and traditional methodologies. Fortunately, advancements in machine learning have provided a promising solution by enabling accurate differentiation between DDoS attacks and other forms of data. This study proposes a DDoS detection model based on machine learning algorithms. To conduct this study, we utilized the most recent and freely available online dataset called CICDDoS2019. Various machine learning-based techniques were explored, aiming to identify the characteristics associated with accurate classification. Among the algorithms tested, AdaBoost and XGBoost demonstrated exceptional performance. As part of future work, a hybrid approach will be incorporated into this model, further improving its capabilities. It is worth noting that this model will be continuously updated with new data on DDoS attacks, ensuring its relevance and effectiveness in combating emerging threats. By leveraging machine learning techniques, this approach enhances the detection of DDoS attacks on Internet of Things networks, safeguarding the integrity and security of connected devices and the overall IoT ecosystem.

Review on DDoS Attack in Controller Environment of Software Defined Network

Distributed Denial of Service (DDoS) attacks pose a significant threat to the security and availability of networks. With the increasing adoption of Software-Defined Networking (SDN) and its multi-controller architectures, there is a need to explore effective DDoS attack detection mechanisms tailored to these environments. An overview of the current research on detecting DDoS attacks in SDN environments, with a focus on different detection techniques, methodologies and problems is presented in this survey paper. The survey attempt to identify the limitations and strengths of current approaches and propose potential research directions for improving DDoS detection in this context.

Detecting Distributed Denial-of-Service (DDoS) attacks that generate false authentications on Electric Vehicle (EV) charging infrastructure

In recent years, smart grid-based Electric Vehicle (EV) charging systems have increasingly faced vulnerabilities to Distributed Denial of Service (DDoS) attacks, especially through malicious authentication failures. These attacks typically involve monopolizing the Grid Server (GS), thereby hindering the authentication process for legitimate EVs. Despite the severity of this issue, no research (to the best of our knowledge) has focused on detecting DDoS attacks exploiting weaknesses in EV authentication. This study introduces a DDoS attack detection model specifically designed for EV authentication. The approach involves developing a machine learning model involving unique feature selection and combination. The proposed approach has been evaluated using a new DDOS attack dataset. The model is engineered to optimize feature combination, aiming for high sampling resolution, minimal information loss, and robust performance under 16 distinct attack scenarios. The feature combination used in this study shows improved accuracy over traditional DDoS detection methods based on access time variation while minimizing information loss.

Traffic Feature Selection and Distributed Denial of Service Attack Detection in Software-Defined Networks Based on Machine Learning.

As 5G technology becomes more widespread, the significant improvement in network speed and connection density has introduced more challenges to network security. In particular, distributed denial of service (DDoS) attacks have become more frequent and complex in software-defined network (SDN) environments. The complexity and diversity of 5G networks result in a great deal of unnecessary features, which may introduce noise into the detection process of an intrusion detection system (IDS) and reduce the generalization ability of the model. This paper aims to improve the performance of the IDS in 5G networks, especially in terms of detection speed and accuracy. It proposes an innovative feature selection (FS) method to filter out the most representative and distinguishing features from network traffic data to improve the robustness and detection efficiency of the IDS. To confirm the suggested method's efficacy, this paper uses four common machine learning (ML) models to evaluate the InSDN, CICIDS2017, and CICIDS2018 datasets and conducts real-time DDoS attack detection on the simulation platform. According to experimental results, the suggested FS technique may match 5G network requirements for high speed and high reliability of the IDS while also drastically cutting down on detection time and preserving or improving DDoS detection accuracy.

تدريب خوارزميات التعلم الآلي للكشف عن هجمات رفض الخدمة الموزعة

Cyber-attacks are becoming more and more sophisticated, posing a serious threat to our technologically dependent society. Such an attack is the Distributed Denial of Service (DDoS) attack, which is becoming a serious threat to businesses that have integrated their technology with public networks since they enable numerous attackers to obtain data or provide services to major corporations or nations. When a company's servers are overloaded with fraudulent requests while legitimate users' requests are denied, Distributed Denial of Service (DDoS) attacks disrupt Web service availability for an arbitrary amount of time. This results in financial losses since services are rendered unavailable. This paper provides a comparative analysis of popular ML algorithms, including Logistic Regression, Random Forest, and Neural Network, in terms of their effectiveness in DDoS attack detection. Along with a comprehensive evaluation of its performance. The study incorporates numerical data analysis and relevant diagrams to offer insights into the comparative efficacy of different ML techniques for DDoS attack detection. Keywords: DDoS attacks, machine learning, random forest, Logistic Regression, Neural Network

A Classification Data Packets Using the Threshold Method for Detection of DDoS

Computer communication is done by first synchronizing one computer with another computer. This synchronization contains Data Packages which can be detrimental if done continuously, it will be categorized as an attack. This type of attack, when performed against a target by many computers, is called a distributed denial of service (DDoS) attack. Technology and the Internet are growing rapidly, so many DDoS attack applications result in these attacks still being a serious threat. This research aims to apply the Threshold method in detecting DDoS attacks. The Threshold method is used to process numeric attributes so obtained from the logfile in a computer network so that data packages can be classified into 2, namely normal access and attack access. Classification results using the Threshold method after going through the fitting process, namely detecting 8 IP Addresses as computer network users and 6 IP addresses as perpetrators of DDoS attacks with optimal accuracy.

A novel CNN‐based approach for detection and classification of DDoS attacks

SummaryAmong the recent network security issues, Distributed Denial of Service (DDoS) attack is one of the most dangerous threats in today's cyberspace that can disrupt essential services. These attacks compromise network security by flooding the target with malicious traffic. Several researchers have designed effective DDoS detection mechanisms using machine learning (ML) and deep learning (DL)‐based techniques. However, existing detection approaches paid less attention to issues such as class imbalance, multi‐classification, or computational cost of the models, especially time. In this study, we propose a novel framework for detecting and classifying DDoS attacks with high accuracy and low computational cost. To address the class imbalance, we employ random sampling, while feature selection techniques such as low information gain, quasi‐constant elimination, and principal component analysis are utilized for optimal feature selection and reduction. Our proposed CNN‐based model achieves outstanding performance, boasting an accuracy of 99.99% for binary classification and 98.44% for multi‐classification. The proposed model is compared to existing works and baseline line models and found to be effective in binary and multi‐classification.

An ensemble-based approach for effective distributed denial of service attack detection in software defined networking

<p>Software defined networking (SDN) is a network framework that aims to redefine network characteristics through the programmability of network components, faster and larger network monitoring, centralized network operation, and effective detection of fraudulent traffic and special malfunctions. However, SDN networks are vulnerable to security threats that can cause complete network failure. To address this issue, in this paper, machine learning techniques are suggested for the swift detection of attacks. Various methods for detecting distributed denial of service (DDoS) attacks are evaluated, and the study identifies the most precise method for categorizing such attacks within a SDN network. The results indicate that the proposed system achieves high accuracy in detecting DDoS attacks, with ensemble learning achieving 99% accuracy. This indicates a remarkable improvement percentage in comparison to the approaches of decision tree (DT), k-nearest neighbors (KNN), and support vector machine (SVM).</p>

SDN Network DDOS Detection Using ML

This paper describes a technique that uses the Ryu Controller and Mininet to identify and mitigate Distributed Denial of Service (DDoS) threats in Software Defined Networks (SDN). Using Mininet, the suggested method entails building a virtual network topology with connected switches and hosts. The Ryu Controller gathers traffic data while Mininet simulates several DDoS attack types, such as ICMP flood, land assault, TCP SYN flood, and UDP attacks. The Ryu Controller collects both benign and DDoS traffic into a dataset that is used to build a machine learning (ML) model that can detect DDoS attacks in real time.

DDoS Attack Detection in Edge-IIoT Network Using Ensemble Learning

Abstract As the number of IoT devices increases daily due to the rapid growth in technology, every device and network is vulnerable to attacks because it is exposed to the internet. Denial of Service (DoS) is a prevalent type of intrusion on the Internet of Things (IoT) network in which the server becomes down due to flooding requests. Distributed Denial of Service (DDoS) is a special type of DoS attack where the network of malicious computers called botnet consumes the target’s system resources by flooding the requests. Edge computing is closely related to Industrial Internet of Things (IIoT), and industry 4.0. Both of them are relatively emerging technologies so security is a crucial part of them. By incorporating our contributions to the current and innovative dataset Edge-IIoT, the proposed study presents a novel approach to detect DDoS attacks in an IIoT network in the domain of edge computing, whether the traffic is normal or malicious (DDoS traffic). This study explores various Ensemble Learning (EL) techniques to predict normal and malicious DDoS traffic along with the type of DDoS attack. The study applies various preprocessing techniques like Synthetic Minority Over Sampling Technique (SMOTE), label encoding, etc. to enhance the model’s performance and reveals how EL techniques performs better in terms of accuracy than the individual classifiers. Further, the performance of all EL techniques has been investigated in terms of all evaluation measures, including the elapsed time. This important addition not only broadens the focus of study in this area but also offers insightful comparisons of the efficiency and precision of various ensemble approaches as well as individual classifiers. The study achieved a maximum of 99.99% in all evaluation measures.