Abstract
Distributed denial of service (DDoS) detection remains an open and challenging problem. In particular, sophisticated attacks, e.g., attacks that disguise attack packets as benign traffic, keep appearing and can easily evade traditional signature-based methods. Because they require far less computing power than deep learning, many machine learning (ML)-based methods have been deployed in practice to address this issue. However, most existing ML-based DDoS detection methods depend heavily on features extracted from each flow, which incurs considerable detection delay and computation overhead. This article investigates the limitations of typical ML-based DDoS detection methods that stem from flow-level feature extraction. Moreover, we develop a cost-efficient window-based method that periodically extracts features from a fixed number of packets, instead of per flow, aiming to reduce detection delay and computation overhead. The proposed window-based method offers well-controlled overhead and, owing to its simplicity and high efficiency by design, is widely supported by common routers. Through extensive experiments on real datasets, we evaluate the performance of flow-based and window-based methods. The experimental results demonstrate that our proposed window-based method significantly reduces detection delay and computation overhead while preserving detection accuracy.
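As an added illustration (not code from the paper), the following Python sketch contrasts the two extraction strategies the abstract describes: the window extractor emits a feature vector after every w packets, so its delay is bounded by design, whereas the flow extractor can only emit when a flow closes or idles past a timeout, and flows that never close (here, single-SYN flows from spoofed sources) yield no features at all. The packet format, the feature set (SYN ratio, unique sources, mean size) and the timing values are assumptions for the sketch, not the paper's.

```python
from collections import defaultdict
from statistics import mean

# Constructed packet stream (not from the paper): (time_s, src_ip, dst_port, tcp_flags, size_bytes).
# Packets 4-6 mimic a SYN flood from spoofed sources arriving among benign traffic.
PACKETS = [
    (0.00, "10.0.0.1", 443, "S", 60),    (0.01, "10.0.0.1", 443, "A", 1500),
    (0.02, "10.0.0.2", 80, "S", 60),     (0.05, "10.0.0.1", 443, "FA", 52),
    (0.06, "198.51.100.7", 80, "S", 40), (0.06, "198.51.100.8", 80, "S", 40),
    (0.07, "198.51.100.9", 80, "S", 40), (0.09, "10.0.0.2", 80, "FA", 52),
]

def window_features(packets, w):
    """Emit one feature vector per fixed-size window of w packets (assumed feature set)."""
    out = []
    for i in range(0, len(packets) - w + 1, w):
        win = packets[i:i + w]
        out.append({
            "first_pkt": i, "emitted_at_pkt": i + w - 1,  # delay is always w-1 packets
            "syn_ratio": sum(f == "S" for _, _, _, f, _ in win) / w,
            "uniq_src": len({s for _, s, _, _, _ in win}),
            "mean_size": mean(sz for _, _, _, _, sz in win),
        })
    return out

def _emit(key, st, idx):
    """Build a per-flow feature vector; delay is measured from the flow's first packet."""
    return {"flow": key, "delay_pkts": idx - st["first"],
            "syn_ratio": st["syn"] / st["n"], "mean_size": st["bytes"] / st["n"]}

def flow_features(packets, timeout):
    """Per-flow features, emitted only when a flow closes (FIN) or idles past timeout.
    Returns (emitted vectors, keys of flows still open at end of trace)."""
    flows, out = {}, []
    for idx, (t, src, dport, flags, size) in enumerate(packets):
        for key in [k for k, v in flows.items() if t - v["last"] > timeout]:  # expire idle flows
            out.append(_emit(key, flows.pop(key), idx))
        key = (src, dport)
        st = flows.setdefault(key, {"first": idx, "n": 0, "syn": 0, "bytes": 0})
        st.update(last=t, n=st["n"] + 1, syn=st["syn"] + (flags == "S"), bytes=st["bytes"] + size)
        if "F" in flags:
            out.append(_emit(key, flows.pop(key), idx))
    return out, list(flows)  # open flows have produced no features yet

if __name__ == "__main__":
    print(window_features(PACKETS, 4))   # the flood shows up in window 2 (syn_ratio 0.75)
    print(flow_features(PACKETS, 1.0))   # spoofed single-SYN flows are still pending
```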
Acknowledgements
This work was supported in part by China National Funds for Distinguished Young Scientists (Grant No. 61825204), National Natural Science Foundation of China (Grant Nos. 61932016, 62132011, 62202258), Beijing Outstanding Young Scientist Program (Grant No. BJJWZYJH01201910003011), China Postdoctoral Science Foundation (Grant No. 2021M701894), China National Postdoctoral Program for Innovative Talents, and Shuimu Tsinghua Scholar Program.
Cite this article
Li, H., Zhao, Y., Yao, W. et al. Towards real-time ML-based DDoS detection via cost-efficient window-based feature extraction. Sci. China Inf. Sci. 66, 152105 (2023). https://doi.org/10.1007/s11432-021-3545-0
DOI: https://doi.org/10.1007/s11432-021-3545-0