Abstract
Dealing with network attacks is becoming harder as computer networks grow more complex. Among all network attacks, DDoS attacks are widespread and challenging to detect. Because launching them requires no vulnerability in the target network, and because the attack traffic resembles legitimate traffic, there is no definitive solution for detecting them. Analyzing the behavior of network users is a well-founded approach to detecting anomalies in network resource usage. Since, in most networks, user behavior differs at different times of the day, in this paper we propose a DDoS attack detection method that clusters network users’ behavior based on adaptive time intervals within a single day. Our contribution is introducing the Timestamp feature as a primary indicator of normal behavior at different times of the day. Time intervals are computed adaptively by clustering the network IP flows with DBSCAN. This process yields a new feature that helps detect DDoS attacks more accurately. To demonstrate the importance and impact of the new feature, several attack classification models were trained using prevalent shallow machine learning algorithms such as Support Vector Machine (SVM), Random Forest (RF), and XGBoost. The method is also validated on the CICDDoS2019 and CICIoT2023 datasets, which are the most popular and latest DDoS attack datasets. The results show that the new feature improved the evaluation metrics markedly on both datasets.
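The core step the abstract describes, clustering flow timestamps with DBSCAN to obtain adaptive time intervals and then tagging each flow with the interval it falls in, as an added example in Python. This is not the authors' code or their released tool; the flow records, the eps and min_samples values, and the field names are constructed for the demonstration, and the 1-D DBSCAN is a plain textbook implementation standing in for a library call.

```python
"""Adaptive time intervals as a DDoS-detection feature (added example).

Added illustration, not the paper's code. Flow timestamps are reduced to
seconds since midnight, clustered with a 1-D DBSCAN, each cluster becomes a
time interval, and every flow is tagged with the interval id (-1 = outside
all learned intervals). Sample records and eps/min_samples are constructed.
"""
from datetime import datetime

NOISE = -1  # DBSCAN label for flows outside any dense time interval


def seconds_of_day(ts: str) -> int:
    """'YYYY-MM-DD HH:MM:SS' -> seconds since midnight (the date is ignored)."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return t.hour * 3600 + t.minute * 60 + t.second


def dbscan_1d(points, eps, min_samples):
    """Textbook DBSCAN specialised to 1-D data; one label per point, input order."""
    order = sorted(range(len(points)), key=lambda i: points[i])
    xs = [points[i] for i in order]
    n = len(xs)
    labels = [None] * n

    def neighbours(i):
        # On sorted data the eps-neighbourhood is a contiguous index range.
        lo, hi = i, i
        while lo > 0 and xs[i] - xs[lo - 1] <= eps:
            lo -= 1
        while hi < n - 1 and xs[hi + 1] - xs[i] <= eps:
            hi += 1
        return list(range(lo, hi + 1))

    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        nb = neighbours(i)
        if len(nb) < min_samples:
            labels[i] = NOISE        # may become a border point later
            continue
        labels[i] = cluster
        seeds = [j for j in nb if j != i]
        while seeds:
            j = seeds.pop()
            if labels[j] == NOISE:
                labels[j] = cluster  # border point reached from a core point
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nb_j = neighbours(j)
            if len(nb_j) >= min_samples:  # j is a core point: keep expanding
                seeds.extend(k for k in nb_j if labels[k] in (None, NOISE))
        cluster += 1

    result = [None] * n
    for pos, idx in enumerate(order):
        result[idx] = labels[pos]
    return result


def extract_intervals(flows, eps=600, min_samples=3):
    """Cluster the flows' time-of-day; return {interval_id: (start_s, end_s)}."""
    secs = [seconds_of_day(f["ts"]) for f in flows]
    labels = dbscan_1d(secs, eps, min_samples)
    intervals = {}
    for s, lab in zip(secs, labels):
        if lab == NOISE:
            continue
        lo, hi = intervals.get(lab, (s, s))
        intervals[lab] = (min(lo, s), max(hi, s))
    return intervals


def interval_feature(ts, intervals):
    """The new feature: id of the learned interval the flow falls in, else -1."""
    s = seconds_of_day(ts)
    for iid, (lo, hi) in intervals.items():
        if lo <= s <= hi:
            return iid
    return NOISE


def add_feature(flows, intervals):
    """Copies of the flow records with the 'interval_id' column appended."""
    return [{**f, "interval_id": interval_feature(f["ts"], intervals)} for f in flows]


# Constructed sample: a busy morning block, a sparser afternoon block and two
# isolated off-hours flows. Only 'ts' matters here; 'fwd_pkts' stands in for
# the other flow columns a real record would carry.
SAMPLE_FLOWS = (
    [{"ts": f"2019-01-12 08:{m:02d}:00", "fwd_pkts": 12} for m in range(0, 60, 5)]
    + [{"ts": f"2019-01-12 13:{m:02d}:00", "fwd_pkts": 9} for m in range(0, 60, 10)]
    + [{"ts": "2019-01-12 03:12:00", "fwd_pkts": 2},
       {"ts": "2019-01-12 23:31:00", "fwd_pkts": 1}]
)

if __name__ == "__main__":
    ivs = extract_intervals(SAMPLE_FLOWS)
    for iid, (lo, hi) in sorted(ivs.items()):
        print(f"interval {iid}: {lo // 3600:02d}:{lo % 3600 // 60:02d} - "
              f"{hi // 3600:02d}:{hi % 3600 // 60:02d}")
    for row in add_feature(SAMPLE_FLOWS, ivs)[-3:]:
        print(row)
```

With the constructed records and eps = 600 s, min_samples = 3, the morning flows form interval 0 (08:00 to 08:55) and the afternoon flows interval 1 (13:00 to 13:50), while the 03:12 and 23:31 flows are labelled -1. The resulting `interval_id` column is the kind of feature the abstract proposes appending to each flow before training the SVM, RF or XGBoost classifier; eps and min_samples would be tuned on the real dataset rather than fixed as here.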
Availability of data and materials
We used the freely available CICDDoS2019 and CICIoT2023 datasets, published in 2019 and 2023, respectively, by the University of New Brunswick in Canada (UNB).
Funding
There is no funding for this research.
Contributions
The first author implemented the code and wrote the draft of the paper.
The second author supervised, approved the idea and checked the work.
The third author advised, made many corrections to the paper and its writing, and handled the correspondence.
Ethics declarations
Ethical approval
Not applicable.
Competing interests
The authors declare that there are no competing interests.
Additional information
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Shamekhi, A., Shamsinejad Babaki, P. & Javidan, R. An intelligent behavioral-based DDOS attack detection method using adaptive time intervals. Peer-to-Peer Netw. Appl. (2024). https://doi.org/10.1007/s12083-024-01690-2
DOI: https://doi.org/10.1007/s12083-024-01690-2