An intelligent behavioral-based DDOS attack detection method using adaptive time intervals

Published in: Peer-to-Peer Networking and Applications

Abstract

Dealing with network attacks is becoming increasingly difficult as computer networks grow more complex. Among all network attacks, DDoS attacks are widespread and challenging to detect: launching them requires no vulnerability in the target network, and their traffic resembles legitimate traffic, so there is no definitive solution for detecting them. Analyzing network users’ behavior is a well-founded way to detect anomalies in network resource usage. Since, in most networks, users’ behavior differs at different times of the day, in this paper we propose a DDoS attack detection method that clusters network users’ behavior based on adaptive time intervals within a single day. Our contribution is introducing the Timestamp feature as a primary indicator of normal behavior during different times of the day. The time intervals are computed adaptively by clustering the network IP flows with DBSCAN. This process yields a new feature that helps detect DDoS attacks more accurately. To demonstrate the importance and impact of the new feature, several attack classification models were trained using prevalent shallow machine learning algorithms such as Support Vector Machine (SVM), Random Forest (RF), and XGBoost. The method is also validated on the CICDDoS2019 and CICIoT2023 datasets, which are the most popular and latest DDoS attack datasets. The results show that the new feature improves the evaluation metrics impressively on both datasets.
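The abstract describes the core mechanism only in outline: cluster the flows' timestamps with DBSCAN, treat each dense cluster as one adaptive time interval of the day, and use the interval a flow falls into as an extra classifier feature. The following is an added illustration of that pipeline, not the authors' released implementation or the paper's own code. It assumes that flows are reduced to a seconds-of-day timestamp, that DBSCAN runs in one dimension with `eps` in seconds and `min_samples` as the density threshold, that an interval is the `[min, max]` span of a cluster, and that flows outside every interval get the feature value `-1`; the sample flow timestamps are constructed for the demonstration.

```python
"""Adaptive time-interval extraction from flow timestamps (added example).

Assumptions (not taken from the paper): each flow is represented by its
seconds-of-day timestamp; DBSCAN runs in one dimension with eps in seconds;
a cluster's [min, max] span is one interval; the interval id (or -1) is the
new feature fed to the classifier alongside the usual flow statistics.
"""
from bisect import bisect_left, bisect_right


def dbscan_1d(points, eps, min_samples):
    """Plain DBSCAN over one-dimensional values.

    Returns (sorted_points, labels); labels[i] is the cluster id of
    sorted_points[i], or -1 for noise. Sorting lets the eps-neighbourhood be
    found by bisection instead of a pairwise distance scan.
    """
    pts = sorted(points)
    n = len(pts)
    labels = [None] * n

    def neighbours(i):
        # Indices of all points within eps of pts[i], including i itself.
        return range(bisect_left(pts, pts[i] - eps), bisect_right(pts, pts[i] + eps))

    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        nb = list(neighbours(i))
        if len(nb) < min_samples:
            labels[i] = -1  # provisional noise; may become a border point later
            continue
        labels[i] = cluster
        queue = [j for j in nb if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster  # noise reachable from a core point: border point
            if labels[j] is not None:
                continue
            labels[j] = cluster
            nbj = list(neighbours(j))
            if len(nbj) >= min_samples:  # j is a core point, keep expanding
                queue.extend(k for k in nbj if labels[k] is None or labels[k] == -1)
        cluster += 1
    return pts, labels


def extract_intervals(timestamps, eps, min_samples):
    """Return the adaptive intervals as a sorted list of (start, end) seconds-of-day."""
    pts, labels = dbscan_1d(timestamps, eps, min_samples)
    spans = {}
    for t, lab in zip(pts, labels):
        if lab == -1:
            continue
        lo, hi = spans.get(lab, (t, t))
        spans[lab] = (min(lo, t), max(hi, t))
    return sorted(spans.values())


def interval_feature(seconds_of_day, intervals):
    """The new feature: index of the interval containing the flow, or -1."""
    for idx, (lo, hi) in enumerate(intervals):
        if lo <= seconds_of_day <= hi:
            return idx
    return -1


def hhmm(seconds):
    return "%02d:%02d" % (seconds // 3600, (seconds % 3600) // 60)


# Constructed training timestamps: a morning burst (one flow per minute for
# 30 minutes), an evening burst (one flow every 45 s for 15 minutes), and
# three isolated night-time flows that should be left out of any interval.
SAMPLE_SECONDS = (
    [9 * 3600 + 60 * k for k in range(30)]
    + [18 * 3600 + 45 * k for k in range(20)]
    + [3 * 3600, 3 * 3600 + 2400, 3 * 3600 + 5000]
)
EPS_SECONDS = 120
MIN_SAMPLES = 3
INTERVALS = extract_intervals(SAMPLE_SECONDS, EPS_SECONDS, MIN_SAMPLES)

if __name__ == "__main__":
    for idx, (lo, hi) in enumerate(INTERVALS):
        print("interval %d: %s - %s" % (idx, hhmm(lo), hhmm(hi)))
    for t in (9 * 3600 + 600, 18 * 3600 + 200, 3 * 3600, 11 * 3600):
        print("flow at %s -> feature %d" % (hhmm(t), interval_feature(t, INTERVALS)))
```

The two dense bursts become intervals 0 and 1, while the sparse night-time flows are treated as noise and receive no interval; a detector trained on the resulting feature can then learn that, for this network, traffic volume which is normal inside interval 0 is anomalous at 11:00. `eps` and `min_samples` are the tuning knobs: a larger `eps` merges adjacent bursts into one interval, a larger `min_samples` discards smaller ones.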



Availability of data and materials

We used the freely available CICDDoS2019 and CICIoT2023 datasets, published in 2019 and 2023, respectively, by the University of New Brunswick in Canada (UnB).

Funding

There is no funding for this research.

Author information


Contributions

The first author implemented the code and wrote the draft of the paper.

The second author supervised, approved the idea and checked the work.

The third author advised, made many corrections to the paper and its writing, and handled the correspondence.

Corresponding author

Correspondence to Reza Javidan.

Ethics declarations

Ethical approval

Not applicable.

Competing interests

The authors declare that there are no competing interests.


About this article


Cite this article

Shamekhi, A., Shamsinejad Babaki, P. & Javidan, R. An intelligent behavioral-based DDOS attack detection method using adaptive time intervals. Peer-to-Peer Netw. Appl. (2024). https://doi.org/10.1007/s12083-024-01690-2


  • DOI: https://doi.org/10.1007/s12083-024-01690-2
