A DRDoS Detection and Defense Method Based on Deep Forest in the Big Data Environment

  • Ruomeng Xu
  • Jieren ChengEmail author
  • Fengkai Wang
  • Xiangyan Tang
  • Jinying Xu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11338)


Distributed denial-of-service (DDoS) has developed multiple variants, one of which is distributed reflective denial-of-service (DRDoS). Within the increasing number of Internet-of-Things (IoT) devices, the threat of DRDoS attack is growing, and the damage of a DRDoS attack is more destructive than other types. Many existing methods for DRDoS cannot generalize early detection, which leads to heavy load or degradation of service when deployed at the final point. In this paper, we propose a DRDoS detection and defense method based on deep forest model (DDDF), and then we integrate differentiated service into defense model to filter out DRDoS attack flow. Firstly, from the statistics perspective on different stages of DRDoS attack flow in the big data environment, we extract a host-based DRDoS threat index (HDTI) from the network flow. Secondly, using the HDTI feature we build a DRDoS detection and defense model based on deep forest, which consists of 5 estimators in each layer. Lastly, the differentiated service procedure applies the detection result from DDDF to drop the identified attack flow in different stages and different detection points. Theoretical analysis and experiments show that the method we proposed can effectively identify DRDoS attack with higher detection rate and a lower false alarm rate, the defense model also shows distinguishing ability to effectively eliminate the DRDoS attack flow, and dramatically reduce the damage of DRDoS attack.


DRDoS Deep forest IoT Big data Differentiated service 



This work was supported by the National Natural Science Foundation of China [61762033, 61702539]; The National Natural Science Foundation of Hainan [617048, 2018CXTD333]; Hainan University Doctor Start Fund Project [kyqd1328]; Hainan University Youth Fund Project [qnjj1444]. This work is partially supported by Social Development Project of Public Welfare Technology Application of Zhejiang Province [LGF18F020019].


  1. 1.
    CERT Coordination Center: Results of the distributed-systems intruder tools workshop. Software Engineering Institute (1999)Google Scholar
  2. 2.
    Garber, L.: Denial-of-service attacks rip the Internet. Computer 33(4), 12–17 (2000)CrossRefGoogle Scholar
  3. 3.
    Kargl, F., Maier, J., Weber, M.: Protecting web servers from distributed denial of service attacks. In: Proceedings of the 10th International Conference on World Wide Web, pp. 514–524. ACM (2001)Google Scholar
  4. 4.
    Jieren, C., Yin, J., Liu, Y.: DDoS attack detection using IP address feature interaction. In: International Conference on Intelligent Networking and Collaborative Systems, pp. 113–118. IEEE Computer Society (2009)Google Scholar
  5. 5.
    Jieren, C., Zhang, B., Yin, J.: DDoS attack detection using three-state partition based on flow interaction. Commun. Comput. Inf. Sci. 29(4), 176–184 (2009)zbMATHGoogle Scholar
  6. 6.
    Jieren, C., Yin, J., Liu, Y.: Detecting distributed denial of service attack based on multi-feature fusion. In: Security Technology - International Conference, pp. 132–139 (2009)Google Scholar
  7. 7.
    Jieren, C., Xiangyan, T., Zhu, X.: Distributed denial of service attack detection based on IP flow interaction. In: International Conference on E -Business and E -Government, pp. 1–4. IEEE (2011)Google Scholar
  8. 8.
    Jieren, C., Chen, Z., Xiangyan, T.: Adaptive DDoS attack detection method based on multiple-kernel learning. Security and Communication Networks (2018)Google Scholar
  9. 9.
    Jieren, C., Ruomeng, X., Xiangyan, T.: An abnormal network flow feature sequence prediction approach for DDoS attacks detection in big data environment. Comput. Mater. Contin. 55(1), 95–119 (2018)Google Scholar
  10. 10.
    Manikopoulos, C., Papavassiliou, S.: Network intrusion and fault detection: a statistical anomaly approach. IEEE Commun. Mag. 40(10), 76–82 (2002)CrossRefGoogle Scholar
  11. 11.
    Aleroud, A., Karabatis, G.: Contextual information fusion for intrusion detection: a survey and taxonomy. Knowl. Inf. Syst. 52(3), 563–619 (2017)CrossRefGoogle Scholar
  12. 12.
    AlEroud, A., Karabatis, G.: Beyond data: contextual information fusion for cyber security analytics. In: 31st ACM Symposium on Applied Computing (2016)Google Scholar
  13. 13.
    Li, J., Wang, L., Wang, L.: Verifiable Chebyshev maps-based chaotic encryption schemes with outsourcing computations in the cloud/fog scenarios. Concurr. Comput.: Pract. Exp. (2018).
  14. 14.
    Li, J., et al.: Multi-authority fine-grained access control with accountability and its application in cloud. J. Netw. Comput. Appl. Scholar
  15. 15.
    Bingshuang, L., Jun, L., Tao, W.: SF-DRDoS: the store-and-flood distributed reflective denial of service attack. Comput. Commun. 69(1), 107–115 (2015)Google Scholar
  16. 16.

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.School of Information Science and TechnologyHainan UniversityHaikouChina
  2. 2.State Key Laboratory of Marine Resource Utilization in South China SeaHaikouChina
  3. 3.Rossier SchoolUniversity of Southern CaliforniaLos AngelesUSA
  4. 4.Zhejiang Science and Technology Information InstituteHangzhouChina

Personalised recommendations