Evaluating Machine Learning Algorithms for Detecting DDoS Attacks

  • Manjula Suresh
  • R. Anitha
Part of the Communications in Computer and Information Science book series (CCIS, volume 196)


Recently, as the serious damage caused by DDoS attacks increases, rapid detection of the attack and proper response mechanisms have become urgent. Signature-based DDoS detection systems cannot detect new attacks. Current anomaly-based detection systems are also unable to detect all kinds of new attacks, because they are designed for restricted applications in limited environments. Existing security mechanisms therefore do not provide an effective defense against these attacks, or the defense capability of some mechanisms is limited to specific DDoS attacks. It is necessary to analyze the fundamental features of DDoS attacks, because these attacks can easily vary the port/protocol used or the operation method. A lot of research work has also been done on detecting the attacks using machine learning techniques. Still, which features are relevant and which technique is the more suitable one for attack detection remains an open question. In this paper, we use the chi-square and information gain feature selection mechanisms for selecting the important attributes. With the selected attributes, various machine learning models, such as Naive Bayes, C4.5, SVM, KNN, K-means and Fuzzy c-means clustering, are developed for efficient detection of DDoS attacks. Our experimental results show that Fuzzy c-means clustering gives better accuracy in identifying the attacks.
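As an added illustration (not code from the paper), the two filter scores the abstract names, information gain and chi-square, computed over a small constructed set of labelled, discretized traffic-window records; the feature names (syn_ratio, pkt_rate, ttl) are hypothetical and the records are made up so that one feature is fully informative, one partially, and one not at all:

```python
import math
from collections import Counter, defaultdict

# Constructed, labelled records (not the paper's dataset). Each record holds
# discretized per-window features and a label: 1 = DDoS window, 0 = normal.
RECORDS = [
    ({"syn_ratio": "high", "pkt_rate": "high", "ttl": "varied"}, 1),
    ({"syn_ratio": "high", "pkt_rate": "high", "ttl": "fixed"}, 1),
    ({"syn_ratio": "high", "pkt_rate": "high", "ttl": "varied"}, 1),
    ({"syn_ratio": "high", "pkt_rate": "low", "ttl": "fixed"}, 1),
    ({"syn_ratio": "low", "pkt_rate": "low", "ttl": "varied"}, 0),
    ({"syn_ratio": "low", "pkt_rate": "low", "ttl": "fixed"}, 0),
    ({"syn_ratio": "low", "pkt_rate": "low", "ttl": "varied"}, 0),
    ({"syn_ratio": "low", "pkt_rate": "high", "ttl": "fixed"}, 0),
]

def entropy(labels):
    """Shannon entropy (bits) of a sequence of class labels."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def information_gain(records, feature):
    """IG = H(label) - sum_v P(feature=v) * H(label | feature=v)."""
    labels = [y for _, y in records]
    by_value = defaultdict(list)
    for x, y in records:
        by_value[x[feature]].append(y)
    conditional = sum(len(ys) / len(records) * entropy(ys) for ys in by_value.values())
    return entropy(labels) - conditional

def chi_square(records, feature):
    """Pearson chi-square statistic of the feature-value / label contingency table."""
    n = len(records)
    observed = Counter((x[feature], y) for x, y in records)
    value_totals = Counter(x[feature] for x, _ in records)
    label_totals = Counter(y for _, y in records)
    stat = 0.0
    for v in value_totals:
        for y in label_totals:
            expected = value_totals[v] * label_totals[y] / n
            stat += (observed[(v, y)] - expected) ** 2 / expected
    return stat

def rank_features(records, scorer):
    """Feature names ordered from most to least informative under `scorer`."""
    return sorted(records[0][0].keys(), key=lambda f: scorer(records, f), reverse=True)

if __name__ == "__main__":
    for name, scorer in (("information gain", information_gain), ("chi-square", chi_square)):
        print(name, [(f, round(scorer(RECORDS, f), 3)) for f in rank_features(RECORDS, scorer)])
```

Both filters rank syn_ratio first and ttl last on this data; on real traffic the scores must be computed on the discretized training windows and the top-ranked attributes then fed to the classifiers.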


Keywords: Classifier, Naive Bayes, SVM, C4.5, K-NN, K-means, Fuzzy c-means





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Manjula Suresh (1)
  • R. Anitha (1)
  1. Department of Mathematics and Computer Applications, PSG College of Technology, Coimbatore, India
