Abstract
By attacking (e.g., flooding) the bandwidth or resources of a victim (e.g., a web server) on the Internet from multiple compromised systems (e.g., a botnet), distributed Denial-of-Service (DDoS) attacks disrupt the services of the victim and make it unavailable to its legitimate users. Although studied for many years, the detection of DDoS attacks remains a troubling problem. In this paper, we propose a new, learning-based DDoS detection and classification method that is both explainable and adaptable. This method first utilizes a modified k-nearest neighbors (KNN) algorithm to detect DDoS attacks and then uses risk degree sorting with grids to classify traffic at a fine granularity. It uses a k-dimensional tree to partition the search space, which significantly improves its efficiency and shortens KNN query times. Moreover, compared with previous DDoS detection and classification approaches, this method generates, along with the detection results, risk profiles that provide users with interpretability for filtering DDoS traffic. Additionally, this method does not need to retrain the detection model in order to fit a new network environment; users can leverage a variety of prior knowledge to evolve the model. We evaluated this approach in both simulated environments and the real world, which shows that our approach is both effective and efficient. It achieves a 98.4% accuracy in detecting DDoS attacks with a delay of around 5 s.
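The following is an added illustration, not the paper's code, of the two building blocks the abstract names: a k-d tree that partitions the feature space so KNN queries prune whole subtrees, and a per-source risk profile derived from the neighbour vote. The flow features, their labels and the risk-degree definition (fraction of attack neighbours) are assumptions for the example; the paper's own risk degree sorting with grids is not described on this page.

```python
import math
from collections import Counter

# Constructed per-source flow features: (packets/s, mean packet size in bytes,
# distinct destination ports) with a label. Values are illustrative only; in
# practice features should be scaled, otherwise packets/s dominates the distance.
TRAINING = [
    ((12.0, 540.0, 2), "benign"), ((8.0, 610.0, 1), "benign"),
    ((15.0, 480.0, 3), "benign"), ((20.0, 700.0, 2), "benign"),
    ((950.0, 64.0, 1), "attack"), ((1200.0, 60.0, 1), "attack"),
    ((880.0, 72.0, 2), "attack"), ((1500.0, 58.0, 1), "attack"),
]

def build_kdtree(points, depth=0):
    """Recursively split labelled points at the median, cycling through feature axes."""
    if not points:
        return None
    axis = depth % len(points[0][0])
    points = sorted(points, key=lambda p: p[0][axis])
    mid = len(points) // 2
    return {"point": points[mid], "axis": axis,
            "left": build_kdtree(points[:mid], depth + 1),
            "right": build_kdtree(points[mid + 1:], depth + 1)}

def knn_query(node, query, k, best=None):
    """Return the k nearest (distance, label) pairs, skipping subtrees that cannot beat the current worst."""
    if best is None:
        best = []
    if node is None:
        return best
    feats, label = node["point"]
    best.append((math.dist(feats, query), label))
    best.sort(key=lambda t: t[0])
    del best[k:]                      # keep only the k closest seen so far
    axis = node["axis"]
    diff = query[axis] - feats[axis]
    near, far = (node["left"], node["right"]) if diff < 0 else (node["right"], node["left"])
    knn_query(near, query, k, best)
    # Cross the splitting plane only if it could still hold a closer neighbour.
    if len(best) < k or abs(diff) < best[-1][0]:
        knn_query(far, query, k, best)
    return best

def risk_profile(tree, query, k=3):
    """Assumed risk degree: share of the k nearest neighbours labelled attack, plus the evidence."""
    neighbours = knn_query(tree, query, k)
    votes = Counter(label for _, label in neighbours)
    risk = votes["attack"] / len(neighbours)
    return {"risk": risk, "verdict": "attack" if risk >= 0.5 else "benign",
            "neighbours": neighbours}
```

The returned `neighbours` list is what gives an operator something to inspect before turning a verdict into a filter rule.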
Acknowledgments
This project is the result of funding provided by the Science and Technology Directorate of the United States Department of Homeland Security under contract number D15PC00204. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Department of Homeland Security or the US Government.
© 2020 Springer Nature Switzerland AG
Feng, Y., Li, J. (2020). Toward Explainable and Adaptable Detection and Classification of Distributed Denial-of-Service Attacks. In: Wang, G., Ciptadi, A., Ahmadzadeh, A. (eds) Deployable Machine Learning for Security Defense. MLHat 2020. Communications in Computer and Information Science, vol 1271. Springer, Cham. https://doi.org/10.1007/978-3-030-59621-7_6
DOI: https://doi.org/10.1007/978-3-030-59621-7_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-59620-0
Online ISBN: 978-3-030-59621-7