Towards real-time ML-based DDoS detection via cost-efficient window-based feature extraction

Research Paper, published in Science China Information Sciences

Abstract

Distributed denial of service (DDoS) detection is still an open and challenging problem. In particular, sophisticated attacks keep appearing, e.g., attacks that disguise attack packets as benign traffic, and these easily evade traditional signature-based methods. Because they need far less computing power than deep learning, many machine learning (ML)-based methods have been deployed in practice to address this issue. However, most existing ML-based DDoS detection methods depend heavily on features extracted from each flow, which incurs considerable detection delay and computation overhead. This article investigates the limitations that flow-level feature extraction imposes on typical ML-based DDoS detection methods. Moreover, we develop a cost-efficient window-based method that periodically extracts features from a fixed number of packets, instead of per flow, aiming to reduce the detection delay and computation overhead. By design, the window-based method has well-controlled overhead and, owing to its simplicity and efficiency, can be supported by common routers. Through extensive experiments on real datasets, we evaluate the performance of flow-based and window-based methods. The experimental results demonstrate that the proposed window-based method significantly reduces the detection delay and computation overhead while preserving detection accuracy.
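To make the abstract's contrast concrete, the following Python sketch (an added example, not the authors' code or feature set) runs a flow-based and a window-based extractor side by side over a constructed trace: one benign TCP connection followed by a spoofed SYN flood. The features, the two stand-in rules that take the place of a trained classifier, the 50-packet window and the 5 s idle timeout are all assumptions. It measures the two quantities the abstract argues about: how long after the attack starts each scheme produces a feature vector that can be classified, and how much state each has to keep to do so.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added illustration, not the paper's code.  Feature set, stand-in detection rules
# and the idle timeout are assumptions chosen to expose the delay/state difference.

@dataclass(frozen=True)
class Packet:
    ts: float   # arrival time, seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags as letters, e.g. "S", "PA", "FA"
    size: int   # bytes on the wire

def is_syn(p: Packet) -> bool:
    return "S" in p.flags and "A" not in p.flags

class FlowExtractor:
    """Per-flow: emit a vector only when a flow ends (FIN/RST) or idles out.
    Every active flow holds counters until then, so state grows with the number
    of concurrent flows and a verdict waits for flow completion."""
    def __init__(self, timeout: float = 5.0) -> None:
        self.timeout, self.peak_state = timeout, 0
        self.flows: Dict[Tuple[str, str, int, int], dict] = {}

    def _finish(self, key: tuple, now: float) -> dict:
        st = self.flows.pop(key)
        return {"t_emit": now, "pkts": st["pkts"], "syn_ratio": st["syn"] / st["pkts"]}

    def feed(self, p: Packet) -> List[dict]:
        # Idle flows expire first; lone-SYN flood flows only ever end this way.
        out = [self._finish(k, p.ts) for k, st in list(self.flows.items())
               if p.ts - st["last"] > self.timeout]
        key = (p.src, p.dst, p.sport, p.dport)
        st = self.flows.setdefault(key, {"first": p.ts, "last": p.ts, "pkts": 0, "syn": 0})
        st["last"], st["pkts"] = p.ts, st["pkts"] + 1
        st["syn"] += int(is_syn(p))
        self.peak_state = max(self.peak_state, len(self.flows))
        if "F" in p.flags or "R" in p.flags:
            out.append(self._finish(key, p.ts))
        return out

class WindowExtractor:
    """Window-based: every n packets, aggregate over exactly those packets and
    drop them.  State is bounded by n, and a vector is ready n packets after the
    traffic mix changes, whether or not any flow has finished."""
    def __init__(self, n: int = 50) -> None:
        self.n, self.buf, self.peak_state = n, [], 0

    def feed(self, p: Packet) -> List[dict]:
        self.buf.append(p)
        self.peak_state = max(self.peak_state, len(self.buf))
        if len(self.buf) < self.n:
            return []
        buf, self.buf = self.buf, []
        span = buf[-1].ts - buf[0].ts
        return [{"t_emit": buf[-1].ts, "pkts": len(buf),
                 "pkt_rate": len(buf) / span if span > 0 else float("inf"),
                 "uniq_src": len({q.src for q in buf}),
                 "syn_ratio": sum(is_syn(q) for q in buf) / len(buf),
                 "avg_size": sum(q.size for q in buf) / len(buf)}]

def flow_is_attack(f: dict) -> bool:    # stand-in rule: lone SYN, handshake never completed
    return f["pkts"] == 1 and f["syn_ratio"] == 1.0

def window_is_attack(f: dict) -> bool:  # stand-in rule: SYN-heavy window from many sources
    return f["syn_ratio"] >= 0.8 and f["uniq_src"] >= 20

def build_trace() -> Tuple[List[Packet], float]:
    """Constructed trace: one benign connection, a 200-packet spoofed SYN flood
    starting at t=1.0 s, then a single benign SYN at t=7.0 s."""
    c, s = "10.0.0.2", "10.0.0.1"
    pkts = [Packet(0.00, c, s, 40000, 80, "S", 60), Packet(0.02, c, s, 40000, 80, "A", 60),
            Packet(0.03, c, s, 40000, 80, "PA", 500), Packet(0.05, c, s, 40000, 80, "FA", 60)]
    attack_start = 1.0
    for i in range(200):
        pkts.append(Packet(attack_start + i * 0.001, f"198.51.100.{i % 254 + 1}", s, 1024 + i, 80, "S", 40))
    pkts.append(Packet(7.0, "10.0.0.3", s, 40001, 80, "S", 60))
    return pkts, attack_start

def run_comparison(window_size: int = 50, flow_timeout: float = 5.0) -> dict:
    """Seconds from attack start until the first flagged feature vector, and the
    peak number of entries each extractor had to keep, for both schemes."""
    pkts, attack_start = build_trace()
    fx, wx = FlowExtractor(flow_timeout), WindowExtractor(window_size)
    first = {"flow": None, "window": None}
    for p in pkts:
        for f in fx.feed(p):
            if first["flow"] is None and flow_is_attack(f):
                first["flow"] = f["t_emit"]
        for f in wx.feed(p):
            if first["window"] is None and window_is_attack(f):
                first["window"] = f["t_emit"]
    return {"flow_delay_s": first["flow"] - attack_start,
            "window_delay_s": first["window"] - attack_start,
            "flow_peak_state": fx.peak_state, "window_peak_state": wx.peak_state}
```

With these settings `run_comparison()` reports a classifiable vector about 45 ms after the flood starts for the window extractor, which never buffers more than 50 packets, while the flow extractor cannot emit anything for a half-open SYN flow until the idle timeout expires (6 s after attack start here) and has to track all 200 spoofed flows in the meantime. The caveat to keep in mind is that a fixed-size window covers a variable amount of wall-clock time, so the window size has to be chosen against the packet rate of the monitored link.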



Acknowledgements

This work was supported in part by China National Funds for Distinguished Young Scientists (Grant No. 61825204), National Natural Science Foundation of China (Grant Nos. 61932016, 62132011, 62202258), Beijing Outstanding Young Scientist Program (Grant No. BJJWZYJH01201910003011), China Postdoctoral Science Foundation (Grant No. 2021M701894), China National Postdoctoral Program for Innovative Talents, and Shuimu Tsinghua Scholar Program.

Author information

Corresponding authors

Correspondence to Yi Zhao or Ke Xu.


Cite this article

Li, H., Zhao, Y., Yao, W. et al. Towards real-time ML-based DDoS detection via cost-efficient window-based feature extraction. Sci. China Inf. Sci. 66, 152105 (2023). https://doi.org/10.1007/s11432-021-3545-0
