
Toward Explainable and Adaptable Detection and Classification of Distributed Denial-of-Service Attacks

  • Conference paper

Part of the book series: Communications in Computer and Information Science (CCIS, volume 1271)

Abstract

By attacking (e.g., flooding) the bandwidth or resources of a victim (e.g., a web server) on the Internet from multiple compromised systems (e.g., a botnet), distributed Denial-of-Service (DDoS) attacks disrupt the services of the victim and make it unavailable to its legitimate users. Although it has been studied for many years, the detection of DDoS attacks remains a troubling problem. In this paper, we propose a new, learning-based DDoS detection and classification method that is both explainable and adaptable. This method first utilizes a modified k-nearest neighbors (KNN) algorithm to detect DDoS attacks and then uses risk degree sorting with grids to classify traffic at a fine granularity. It uses a k-dimensional tree to partition the search space, which significantly improves its efficiency and shortens KNN query times. Moreover, compared with previous DDoS detection and classification approaches, this method generates risk profiles along with the detection results, which provide users with interpretability for filtering DDoS traffic. Additionally, this method does not need to retrain the detection model in order to fit a new network environment; users can leverage a variety of prior knowledge to evolve the model. We evaluated this approach in both simulated environments and the real world, which shows that our approach is both effective and efficient. It achieves a 98.4% accuracy in detecting DDoS attacks with a delay of around 5 s.
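As an added illustration that is not the paper's code, the sketch below implements the core pieces the abstract names: a k-d tree over labelled traffic feature vectors, a KNN query that prunes subtrees it cannot improve on, and a per-window risk degree that exposes which neighbours drove the verdict. The feature set, sample values and the distance weighting are assumptions; the paper's grid-based risk sorting is not reproduced, and real deployments would normalize features before measuring distance.

```python
import heapq

# Constructed sample (not the paper's data): one vector per traffic window,
# [packets/s, bytes/packet, distinct sources, SYN ratio]; label 1 = DDoS.
TRAINING = [
    ((120.0, 900.0, 3.0, 0.05), 0), ((200.0, 850.0, 5.0, 0.08), 0),
    ((90.0, 1100.0, 2.0, 0.02), 0), ((300.0, 700.0, 8.0, 0.10), 0),
    ((9000.0, 60.0, 400.0, 0.95), 1), ((12000.0, 64.0, 650.0, 0.98), 1),
    ((7500.0, 70.0, 300.0, 0.90), 1), ((15000.0, 58.0, 900.0, 0.99), 1),
]

def build_kdtree(points, depth=0):
    """Split labelled points on one axis per level (median split)."""
    if not points:
        return None
    axis = depth % len(points[0][0])
    points = sorted(points, key=lambda p: p[0][axis])
    mid = len(points) // 2
    return {"point": points[mid], "axis": axis,
            "left": build_kdtree(points[:mid], depth + 1),
            "right": build_kdtree(points[mid + 1:], depth + 1)}

def knn(node, query, k, heap=None):
    """Collect the k nearest labelled points; subtrees whose splitting plane is
    farther than the current k-th best distance are skipped (the speed-up)."""
    heap = [] if heap is None else heap  # max-heap of (-dist, label), size <= k
    if node is None:
        return heap
    vec, label = node["point"]
    dist = sum((a - b) ** 2 for a, b in zip(vec, query)) ** 0.5
    if len(heap) < k:
        heapq.heappush(heap, (-dist, label))
    elif dist < -heap[0][0]:
        heapq.heapreplace(heap, (-dist, label))
    axis = node["axis"]
    diff = query[axis] - vec[axis]
    near, far = (node["left"], node["right"]) if diff < 0 else (node["right"], node["left"])
    knn(near, query, k, heap)
    if len(heap) < k or abs(diff) < -heap[0][0]:  # far side may still hold a closer point
        knn(far, query, k, heap)
    return heap

def risk_degree(tree, query, k=3):
    """Risk degree in [0, 1]: distance-weighted share of DDoS neighbours, returned
    together with the neighbours so an operator can see why a window was flagged."""
    neighbours = [(-d, lbl) for d, lbl in knn(tree, query, k)]
    weights = [1.0 / (d + 1e-9) for d, _ in neighbours]
    risk = sum(w for w, (_, lbl) in zip(weights, neighbours) if lbl == 1) / sum(weights)
    return risk, sorted(neighbours)
```

Because KNN is instance-based, adapting to a new network means appending freshly labelled windows to the point set and rebuilding the tree, with no training loop; windows whose risk lands between 0 and 1 are exactly the ones an operator would inspect before filtering.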



Acknowledgments

This project is the result of funding provided by the Science and Technology Directorate of the United States Department of Homeland Security under contract number D15PC00204. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Department of Homeland Security or the US Government.


Corresponding author

Correspondence to Yebo Feng.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Feng, Y., Li, J. (2020). Toward Explainable and Adaptable Detection and Classification of Distributed Denial-of-Service Attacks. In: Wang, G., Ciptadi, A., Ahmadzadeh, A. (eds) Deployable Machine Learning for Security Defense. MLHat 2020. Communications in Computer and Information Science, vol 1271. Springer, Cham. https://doi.org/10.1007/978-3-030-59621-7_6


  • DOI: https://doi.org/10.1007/978-3-030-59621-7_6


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-59620-0

  • Online ISBN: 978-3-030-59621-7

  • eBook Packages: Computer Science (R0)
