deviceddos

DDoSAttacksDetectionusingMachineLearningAlgorithmsQianLiCommunicationUniversityofChinaBeijing,Chinaliqian0716@cuc.
edu.
cnLinhaiMengCommunicationUniversityofChinaBeijing,Chinaxmenglinhai@outlook.
comJinyaoYanCommunicationUniversityofChinaBeijing,Chinajyan@cuc.
edu.
cnYuanZhangCommunicationUniversityofChinaBeijing,Chinayuanzhang@cuc.
edu.
cnABSTRACTAdistributeddenial-of-service(DDoS)attackisamaliciousattempttodisruptnormaltrafficofatargetedserver,serviceornetworkbyoverwhelmingthetargetoritssurroundinginfrastructurewithafloodofInternettraffic.
Ithascausedgreatharmtothesecurityofthenetworkenvironment.
ThispaperdevelopsanovelframeworkcalledPCA-RNN(PrincipalComponentAnalysis-RecurrentNeuralNetwork)toidentifyDDoSattacks.
Inordertocomprehensivelyunderstandthenetworktraffic,weselectmostnetworkcharacteristicstodescribethetraffic.
WefurtherusethePCAalgorithmtoreducethedimensionsofthefeaturesinordertoreducethetimecomplexityofdetection.
ByapplyingPCA,thepredictiontimecanbesignificantlyreducedwhilemostoftheoriginalinformationcanstillbecontained.
DataafterdimensionsreductionisfedintoRNNtotrainandgetdetectionmodel.
Evaluationresultshowsthatfortherealdataset,PCA-RNNcanachievesignificantperformanceimprovementintermsofaccuracy,sensitivity,precision,andF-scorecomparedtotheseveralexistingDDoSattacksdetectionmethods.
CCSCONCEPTSSecurityandprivacyNetworksecurityDenial-of-serviceattacksKEYWORDSDDoSattacks,RNN,PCA,trafficfeatures1MotivationsDDoSattackisdistributedinthewaythattheattackerisusingmultiplecomputerstolaunchthedenialofserviceattack.
AnewstudythattriestomeasurethedirectcostofthatoneDDoSattackforIoT(InternetofThings)deviceuserswhosemachinesweresweptupintheassaultfoundthatitmayhavecostdeviceownersatotalof$323,973.
75inexcesspowerandaddedbandwidthconsumption[1].
Itisurgenttodomorein-depthresearchonDDoSattacks,andDDoSattacksdetectionasaveryimportantparthasbecomeahottopicoftheresearcharea.
Currently,thereexistmanystatisticalDDoSdetectionmethods,suchasnetworktrafficstatisticsfeaturesbaseddetection,sourceIPanddestinationIPaddresses-baseddetection,portentropyvalues-baseddetection,andwavelet-basedanalysis[2,3],anddestinationentropy[4],etc.
However,withthedevelopmentofInternettechnology,theDDoSattackmodelischangingfasterandfaster.
Constructionofanewstatisticalmodelrequiresalotoftimetobuild,sothatitdoesnotadaptwelltotherapidlychangingnetworkenvironment.
Thestatisticalmodelhasasingleapplicationscenarioandalotofcomplexityofbuildingorupgradingthemodel.
Inordertosolvetheaboveproblems,thewayofDDoSattacksdetectionthroughmachinelearningalgorithmshasgraduallybecomethefocusofresearch.
Themachinelearningalgorithmcanfindouttheabnormalinformationbehindthemassivedata,whichiswidelylovedbyresearchers.
Theadvantageofthemachinelearningdetectionmodelisthatnewdatacanquicklyupdatethedetectionmodel.
Therearestillsomedeficiencies.
Duetothehighcomputationalcomplexityofmachinelearningalgorithms,itrequireslongerpredictiontime.
ThemachinelearningalgorithmsusedtodetectDDoSattacksdonotconsiderthetimecorrelationoftrafficdata.
Motivatedbythesechallenges,thispaperpresentsPrincipalComponentAnalysis-RecurrentNeuralNetwork(PCA-RNN)toidentifyDDoSattacks.
Wefirstextractallrelevantfeaturestoensureouralgorithmcancoveralltheattacktypes,whichimprovessingleapplicationscenarioproblem.
Thefeaturesincludesfouraspects,namely,floodfeature,slowattackfeature,flowtimefeatureandwebattackfeature.
Duetothelargenumberoffeaturesselectedinthefirststep,thecomputationalcomplexityofthedetectionalgorithmislargelyincreased.
Wehandlethisproblembyreducingthedimensionofinputfeatures.
WeusePCAasourdimension-reductionmethod,whichisanefficientandflexiblelineardimension-reductionmethod.
Finally,sincenetworktraffichasshorttimecorrelation,itisbeneficialifthedetectionalgorithmcouldincorporatetheshorttimefeaturesoftheinputdata.
Inthisway,weselectRNNalgorithmwhichhasshort-termmemoryandistimelyefficientasourtrainingmodule.
2MethodWedescribethedesigndetailsinthissection.
WefirstselectallrelevantfeaturestoensurethattheneuralnetworkcanthoroughlylearntheDDoSattacksinformation.
Toreducethetimecomplexity,weusePCAtoreducethefeaturevectordimensionsandsimplifytheneuralnetworkmodel.
ComparedwithLinearDiscriminantAnalysis(LDA)andotherlineardimensionalityreductionmethods,PCAismoreflexibletoselecttheoutputdimensionaccordingtoactualrequirements,sowechosePCAasthedimensionreductionmethod.
Finally,weconstructafront-to-backcorrelationofnetworkbyRNNalgorithmsothatDDoSdetectioncanbeperformedfrommultipleperspectives.
ThearchitectureoftheproposedframeworkisillustratedinFigure1.
APNet2018,August2-32018,Beijing,ChinaQianLietal.
Figure1:PCA-RNNModel3PreliminaryResultsWeevaluateouralgorithmandcomparewithseveralexistingdetectionalgorithmusingKDDdataset[5].
TheKDDdatasetisa9weeknetworkconnectiondatacollectedfromasimulatedUnitedStatesAirForceLAN,dividedintoidentifiedtrainingdataandnotidentifiedtestdata.
Thetestdataandthetrainingdatahaveadifferentprobabilitydistribution,andthetestdatacontainssometypesofattackthatdonotappearinthetrainingdata,whichmakestheintrusiondetectionmorerealistic.
Figure2:Performancemetrics.
Figure3:PredictiontimeofPCA-RNNcomparedwithexistingmethods.
AscanbeseeninFigure2andFigure3,thepredictiontimeofPCA-RNNcanbesignificantlydecreasedcomparingtheRNNalgorithmswithsimilaraccuracyrateandF1value.
TheaccuracyandF1ofPCA-BP,BPandPCA-LSTMalgorithmsarelowerthanPCA-RNN.
PCA-SVMpredictiontakes83.
3326sandtakestoolongtodraweasily.
WecanalsoseefromFigure3,PCA-RNNneedstheminimumpredictiontimeabovetheaccuracyof98.
7%.
Figure4.
DetectionaccuracyofPCA-RNNcomparedwithexistingmethods.
WealsocompareourPCA-RNNwithseveralexistingstatisticalalgorithms.
AscanbeseeninFigure4,statisticaldetectionalgorithmscanonlyperformwelloncertaintypesofattacks,whileourPCA-RNNalgorithmshowsgooddetectionaccuracyonalltestingscenarios.
4ConclusionandFutureWorkThispaperpresentsanovelmachinelearningbasedDDoSdetectionmethodwithbothaccuracyandefficiency.
Inthefuturework,wewilltestthealgorithmthroughmorerealdatasetandtrytostudytheinherentcharacteristicsundertheselectedfeatures.
REFERENCES[1]Study:AttackonKrebsOnSecurityCostIoTDeviceOwners$323K,Available:https://krebsonsecurity.
com/2018/05/study-attack-on-krebsonsecurity-cost-iot-device-owners-323k/[2]Tao,Y.
,&Yu,S.
(2013).
DDoSAttackDetectionatLocalAreaNetworksUsingInformationTheoreticalMetrics.
IEEEInternationalConferenceonTrust,SecurityandPrivacyinComputingandCommunications(Vol.
8,pp.
233-240).
IEEE.
[3]Dong,P.
,Du,X.
,Zhang,H.
,&Xu,T.
(2016).
AdetectionmethodforanovelDDoSattackagainstSDNcontrollersbyvastnewlow-trafficflows.
IEEEInternationalConferenceonCommunications(pp.
1-6).
IEEE.
[4]Mousavi,S.
M.
,&Sthilaire,M.
(2015).
EarlydetectionofDDoSattacksagainstSDNcontrollers.
InternationalConferenceonComputing,NETWORKINGandCommunications(Vol.
17,pp.
77-81).
IEEEComputerSociety.
[5]KDDCupData,http://kdd.
ics.
uci.
edu/databases/kddcup99/kddcup99.
html.