Predicting DDoS Attacks Using Machine Learning Algorithms in Building Management Systems

Abstract

The rapid growth of the Internet of Things (IoT) in smart buildings necessitates the continuous evaluation of potential threats and their implications. Conventional methods are increasingly inadequate in measuring risk and mitigating associated hazards, necessitating the development of innovative approaches. Cybersecurity systems for IoT are critical not only in Building Management System (BMS) applications but also in various aspects of daily life. Distributed Denial of Service (DDoS) attacks targeting core BMS software, particularly those launched by botnets, pose significant risks to assets and safety. In this paper, we propose a novel algorithm that combines the power of the Slime Mould Optimization Algorithm (SMOA) for feature selection with an Artificial Neural Network (ANN) predictor and the Support Vector Machine (SVM) algorithm. Our enhanced algorithm achieves an outstanding accuracy of 97.44% in estimating DDoS attack risk factors in the context of BMS. Additionally, it showcases a remarkable 99.19% accuracy in predicting DDoS attacks, effectively preventing system disruptions, and managing cyber threats. To further validate our work, we perform a comparative analysis using the K-Nearest Neighbor Classifier (KNN), which yields an accuracy rate of 96.46%. Our model is trained on the Canadian Institute for Cybersecurity (CIC) IoT Dataset 2022, enabling behavioral analysis and vulnerability testing on diverse IoT devices utilizing various protocols, such as IEEE 802.11, Zigbee-based, and Z-Wave.

1. Introduction

Building Management Systems (BMSs), also known as Building Automation Systems (BASs), Building Management and Control Systems (BMCSs), Direct Digital Controls (DDCs), or building controllers, are intelligent microprocessor-based control networks designed to monitor and manage all electronic and mechanical devices within a building. As the BMS extends its integration across multiple buildings, ensuring comprehensive control and operation as a unified system becomes crucial. With the increasing proliferation of IoT devices within these systems and the diverse communication protocols in use, ensuring their security has emerged as a significant challenge [1,2].

A BMS refers to a control system used for monitoring and managing the mechanical, electrical, and electromechanical services inside a given facility. These services include a range of essential functions, such as power supply, heating, ventilation, air conditioning, physical access control, pumping stations, lifts, and lighting systems. A rudimentary BMS comprises software, a server housing a database, and intelligent sensors that are interconnected inside an Internet-enabled network. Intelligent sensors deployed throughout the premises collect data and transmit them to the BMS where they are then stored inside a designated database. If a sensor detects data that deviate from predetermined circumstances, the BMS will initiate an alert. In the context of a data center, it is plausible for the BMS to initiate an alert system if the temperature inside a server rack exceeds the predetermined tolerable thresholds.

Recent advancements in BMSs, while beneficial, have concurrently amplified cybersecurity challenges. Particularly concerning are Distributed Denial of Service (DDoS) attacks. These attacks have morphed over time, with some now originating from within the network, adeptly bypassing firewall controls and causing significant damage to interconnected devices. While the problem is well defined, traditional methods focused primarily on mere data monitoring, proving increasingly inadequate against the sophistication of modern DDoS attacks. Recognizing this evolving threat landscape, our study introduces a novel, multi-stage, modular DDoS attack detection system. This system, which stands apart from prevailing solutions, delivers an impressive accuracy of 97.44% in estimating DDoS attack risk factors and a notable 99.19% accuracy in predicting attacks [3].

The promise of machine learning in defense models offers a fresh perspective to this challenge. These models, with their ability to detect and predict an array of network intrusions, have spotlighted potential solutions to vulnerabilities rampant in IoT [4]. Building on this foundation, our proposal amalgamates the Software Defined-Wide Area Network (SD-WAN) packet duplication detection algorithm with a Firewall as a Service (FWaaS). The latter integrates a Support Vector Machine (SVM) modeling resolver to meticulously analyze packets and connections. We conducted an extensive evaluation of these developed models using the reputable Canadian Institute for Cybersecurity (CIC) IoT Dataset 2022.

In terms of cybersecurity, protection measures have become difficult as the attack vectors of cyber threats increase. This issue has become especially important for the security of IoT devices used in smart BMSs. In this respect, taking precautions against DDoS attacks is important for service continuity. In this work, our main contribution is to propose a new algorithm that combines the power of the Slime Mold Optimization Algorithm (SMOA) with an Artificial Neural Network (ANN) estimator and an SVM algorithm for feature selection.

This paper unfolds as follows: Section 2 delves into the background and the compelling motivations behind our proposed system. It emphasizes the pressing need for fortified security measures in BMSs, especially in the face of DDoS threats. Section 3 offers a detailed exposition of our innovative, multi-stage, modular DDoS attack detection system. Here, the intricacies of the SD-WAN packet duplication detection algorithm and the SVM-integrated FWaaS are unraveled. Furthermore, this section delineates the incorporation of Artificial Neural Networks (ANNs) in predicting DDoS attack risk factors.

Section 4 meticulously details our experimental setup, the dataset deployed, the evaluation metrics applied, and how our proposition stacks up against existing methodologies. This section also sheds light on the robust performance metrics of our system; chiefly, its accuracy and efficiency in warding off DDoS attacks. Also, Section 4 compares our system against contemporary defense models, underscoring the superiority of our approach in accuracy, robustness, and adaptability to a spectrum of DDoS attacks. This comparative analysis also touches upon the potential of hybrid models, which marry machine learning techniques with time-tested defense mechanisms, enhancing the detection and mitigation prowess of cybersecurity frameworks.

Finally, rounds off the paper, encapsulating the seminal contributions of our research. It also sketches a roadmap for prospective studies, underscoring the pressing need for innovative machine-learning-based defense models. In the ever-evolving cybersecurity domain, particularly within BMSs and similar IT systems, the looming threat of DDoS attacks warrants relentless research. Future endeavors could delve deeper, exploring the amalgamation of advanced machine learning stratagems like deep learning and reinforcement learning. Such exploration holds the key to crafting security systems that can not only match but outpace the rapidly evolving cyber threat landscape.

2. Related Work

Understanding past research and innovations concerning DDoS attacks’ analysis and prevention for BMSs offers essential insight into the ongoing challenges and solutions. DDoS attacks in IoT networks typically overload servers using deceptive requests from a myriad of IoT devices, effectively incapacitating them [5,6]. A significant case in point was the 2016 incident where hackers instigated a DDoS attack that disrupted the heating systems of two Finnish apartments [7]. Another seminal episode revolved around the infection of IoT devices via DDoS methodologies, leading to the temporary incapacitation of Dyn, a significant US domain name service provider, thereby affecting various websites across North America [8].

The penetration and popularity of IoT devices have soared over recent years. By 2017, sales figures reached a staggering 22 million units for Amazon Echo and USD 310.4 million for wearables [9]. The count of IoT devices escalated to 30.73 billion, and projections indicate this number might burgeon to 41 billion by 2027 [10]. This rapid proliferation has an attached economic magnitude, with these devices’ total cost likely to hit USD 2.4 trillion. Compounding the complexity of this vast landscape is a concerning statistic from 2017, where DDoS attacks accounted for 89% of all potential attack types, underscoring their menace and stealth [11].

Several solutions have been postulated in the recent literature. Singh et al. proposed the Edge-Based Hybrid Intrusion Detection Framework (EHIDF), integrating a machine learning (ML) technique with Mobile Edge Computing (MEC) [12]. Their model achieved an accuracy of 90.25% while maintaining a low False Alarm Rate (FAR) of 1.1%. Wu et al. introduced the Edge Node Firewall (ENFW), crafted specifically for edge computing adaptability [13]. Another significant contribution came from Zhang et al., who designed a DDoS detection and prevention model anchored on Bidirectional Long Short-Term Memory (BiLSTM), boasting 95.96% accuracy [14].

Myneni et al. shed light on the merit of capturing over 90% of DDoS traffic right at the inception point, which substantially amplifies the detection and mitigation efficacy of smart defense [15]. They charted out strategies centered on efficient network traffic management and DDoS flow programming, respectively [16,17].

The study was conducted by Zhang et al. through the implementation of a three-layer back propagation network; the researchers demonstrated that a Neural Network with a dynamic structure may provide identical control parameters within the specified flying circumstances, resulting in consistent responses, as seen before [18]. The use of game theory approaches in conventional artificial intelligence decision-making systems has yielded beneficial outcomes, as shown by the work of Yang et al. These methods are rooted in classical mathematical modeling methodologies [19].

Forestiero et al. conducted an approach based on the multi-agent paradigm and inspired by biological systems, such as ant and termite colonies, for building an efficient information system in Grids. The approach was exploitable in very large networks because it is fully decentralized and self-organizing. Two complex objectives are specifically addressed: reorganization and the discovery of resources [20].

Abualigah et al. studied optimization algorithms, such as particle swarm optimization, harmony search, firefly algorithm, and cuckoo search. They also present a variety of solution techniques for optimization problems, emphasizing concepts rather than rigorous mathematical details and proofs [21].

A pivotal challenge in the IoT realm is the heterogeneity of end-point devices, complicating packet inspection for suspicious DDoS activities. To this end, our method incorporates an edge computing system design, functioning as a firewall, to streamline and optimize detection in intricate device communications. This multi-modular approach affords the flexibility to integrate updates and new functionalities, a feat unattainable in conventional, static firewall systems.

In summary, the reviewed literature accentuates the urgency and significance of sculpting efficient techniques to thwart DDoS attacks in IoT frameworks, especially within BMS. Advancements leveraging edge computing, machine learning, and multi-modularity herald promising strides toward enhancing the precision and effectiveness of DDoS attack mitigation. As the IoT domain burgeons, so does its associated security vulnerability landscape. Building on the bedrock of extant research, future endeavors should focus on devising increasingly robust and adaptable protective measures for IoT and BMS infrastructures. It is worth noting that research articles containing expansive datasets deposited in publicly accessible repositories should delineate the deposit location and supply the pertinent accession numbers. These numbers should be furnished before publication if they are not available during the manuscript’s submission.

3. Materials and Methods

The proposed system aims to tackle the ever-increasing challenge of cyber threats targeting large-scale networks. With a surge in DDoS attacks affecting numerous institutions and industries, our research offers a solution that bridges the gaps identified in existing studies. Primarily, our work consists of two components concerning functionality and technological integration: SD-WAN Packet duplication detection and Firewall as a Service (FWaaS) with SVM modeling resolver.

3.1. Experiment Setup

The experimental setup and simulation were conducted using Visual Studio Code, utilizing an environment featuring Python 3.10.4 64-bit. The system configuration is as follows:

• Operating System: Microsoft Windows 11 Home, version 10.0.22621 Build 22621, System Type x64-based PC.
• Hardware Specifications: 11th Gen Intel(R) Core (TM) i7-11600H @ 2.90GHz processor, 2918 MHz, 6 Core(s), 12 Logical Processor(s), and an installed total physical memory of 15.7 GB.
• Libraries: Scikit-learn, Matplotlib, NumPy, and Pandas were pivotal in performing various operations and analyses.

3.2. Pseudo-Code of the Proposed Algorithm

The first and foremost step involves the collection and preprocessing of the dataset, as exemplified in Algorithm 1. The data flow connectivity is validated, ensuring each packet in the stream is cross-referenced with the attack dictionary. Packets identified as threats are filtered and blacklisted. The artificial intelligence prediction technique is recurrently applied to subsequent flows, updating the blacklist.

Algorithm 1 Pseudo-code of the proposed algorithm

Inputs: Request flags, Packets count, Packets data, Ti (Period time for the check-up loop), Tj (Maximum allowed period for traffic allocation)     Synchronize threads DS ← Detection_step() and PS ← Prediction_step()     Wait Until (DS.is_running == PS.is_running == false) FilteredAccess ← (DS.result NOR PS.result) * Packets_matrix(Packet data, Packet count) Return FilteredAccess Function Detection_step()    Each Ti seconds connections_available ← Access_control_retriever(Request flags, Packets count, Packets data)   For each connection of connections_available do selected_features ← Slime_Mould_Optimization_Algorithm(connection.packetData)     get_first(connection_dictionary(p=connection.packetData)):Merge(selected_ features, connection.packetData), append(connection_dictionary(p=connection.packetData, i= connection.packetCount))   If(get_first(connection_dictionary(p=connection.packetData))>unnorm_traffic) during Tj seconds then subnet_x ← Find_SubNet_In_blacklist_dataset(connection)     insert_SubNet_in_blacklist_dataset(subnet_x, connection)     Move connection to blacklist_dataset   Else     reset_data(get_first(connection_dictionary(p=connection.packetData))) End If End For End Function Function Prediction_step()   Each Ti seconds connections_available ← Duplication_detection_retriever(Request flags, Packets count, Packets data)   For each connection of connections_available do selected_features ← Slime_Mould_Optimization_Algorithm(connection.packetData)    get_first(connection_dictionary(p=connection.packetData)):connection_dictionary(p=connection.packetData).packetCount+connection.packetCount,append(connection_dictionary(p=connection.packetData, i=connection.packetCount))   If(get_first(connection_dictionary(p=connection.packetData))>unnorm_traffic) during Tj seconds then subnet_x ← Find_SubNet_In_blacklist_dataset(connection)     insert_SubNet_in_blacklist_dataset(subnet_x, connection)     Move connection to blacklist_dataset   Else     reset_count(get_first(connection_dictionary(p=connection.packetData))) End If End For End Function

Our proposed algorithm addresses DDoS attacks in BMS using two primary components: Detection_step and Prediction_step. These components, functioning in harmony, offer a comprehensive solution against DDoS attacks by monitoring, analyzing, and predicting potential threats.

3.3. Two Mainstream Proposed Algorithm

The SD-WAN mesh mechanism efficiently determines the communication paths for traffic, targeting internet portals, cloud-based applications, and data centers. With the foundation of overlay architecture, the SD-WAN mesh reduces operational intricacy and optimizes the user experience [22,23]. The system also facilitates the speedy deployment of applications and services, in addition to standardizing and enforcing regulations across various locations. Figure 1 provides a visual representation of the system’s prevention mechanism against unprotected internet traffic.

The implemented access control is instrumental in preventing data breaches, malware penetrations, and other cyber threats. Notably, our system incorporates FWaaS with SVM modeling resolver, transforming a conventional physical firewall into a cloud infrastructure. This addition provides an enhanced layer of security, including URL filtering, advanced threat mitigation, and DDoS prevention, among other features. Figure 2 offers an illustrative depiction of the OSI model and system functionalities based on layers.

3.4. Dataset Justification

The choice of the Canadian Institute for Cybersecurity (CIC) IoT Dataset 2022 for evaluation in our study requires clarification [24]. Although the dataset primarily comprises Denial of Service (DoS) attacks, it provides valuable insights into attack patterns, network behavior, and system vulnerabilities that contribute to understanding the problem of DDoS attacks in BMS. The dataset, despite its focus on DoS attacks, enables us to gain knowledge applicable to the development of effective defense mechanisms against DDoS attacks in the BMS context. Building upon the existing pseudo-code, we modified it to integrate the SMOA for feature selection. The enhanced pseudo-code provided a step-by-step representation of our algorithm, incorporating SMOA within the feature selection process. This modification improves the clarity and replicability of our proposed approach. Although the dataset used for evaluation in our study primarily focuses on DoS attacks rather than DDoS attacks, it still contributes significantly to understanding the challenges posed by DDoS attacks in BMSs. The dataset’s relevance stems from the following justifications:

• Similar Attack Patterns: Despite the distinction between DoS and DDoS attacks, they share fundamental similarities in terms of their objectives and impact [8]. Both attack types aim to overwhelm system resources, leading to service disruption or unavailability. By studying DoS attacks, which are extensively documented in existing datasets, we can gain valuable insights into attack mechanisms, traffic patterns, and mitigation techniques that can be adapted to address DDoS attacks in BMSs.
• Detection and Response Strategies: The detection and response strategies employed to counter DoS attacks can serve as a solid foundation for developing effective countermeasures against DDoS attacks. While the scale and complexity of DDoS attacks may differ, understanding the principles of detection and response can facilitate the adaptation and enhancement of existing techniques to mitigate DDoS attacks in BMS effectively [25].
• Resource Utilization and Performance Evaluation: DoS attacks often target specific system resources or services, resulting in abnormal resource utilization and performance degradation. By analyzing DoS attacks within the BMS context, we can gain insights into the impact of such attacks on critical resources, system performance, and overall operational efficiency. This understanding can inform the design of robust defense mechanisms and resource allocation strategies to mitigate the effects of DDoS attacks.
• Algorithm Validation: Although an ideal dataset specifically tailored to DDoS attacks in BMS would be preferable, the availability of comprehensive and well-labeled datasets is limited. Thus, the DoS attack dataset utilized in our study serves as a foundation for validating the effectiveness and performance of our proposed algorithm in detecting and mitigating attacks. Conducting experiments with a realistic attack dataset, even if not DDoS-specific, allows us to assess the algorithm’s robustness, accuracy, and scalability within a relevant context.

Our choice of the Canadian Institute for Cybersecurity (CIC) IoT Dataset 2022 is not arbitrary. While the dataset predominantly focuses on DoS attacks, it provides invaluable insights into attack trends, system vulnerabilities, and network behaviors. This knowledge is paramount for understanding and tackling DDoS threats in BMS.

3.5. Recorded Data Distribution

For the training and testing of our model, we employed the CIC IoT Dataset 2022 [24]. This dataset sheds light on DDoS attacks’ impact on server resources, firewalls, and other communication devices. For a visual representation of these distributions, histograms were created, as depicted in Figure 3.

3.6. Artificial Intelligence (AI) Model Elaboration

The vulnerability of IT and OT endpoints in IoT is a rising concern, especially given that DDoS traffic often mimics regular traffic. Addressing this, our method uses multiple AI techniques to formulate a dynamic machine-learning-based model. This model, using an SVM classifier, efficiently classifies DDoS attack traffic and detects potential threats.

Table 1. Extracted model structure with parameters.

Output Model and Shape	Layer Type	Parameter Number
(Sequential, 28)	Dense	1596
(Sequential, 10)	Dense	290
(Sequential, 01)	Dense	11
Total params: 1897	Trainable params: 1897	Non-trainable params: 0

provides a comprehensive view of the AI model’s structure, highlighting the output model/shape, layer type, and number of parameters.

Further testing revealed the efficacy of our proposed model. Using SVM, KNN, and LR classifiers, we observed that our model outperformed alternative classifiers in detecting and mitigating attacks.

Table 2. Comparison of proposed method using classifiers.

Classifier Algorithms	Model Testing Accuracy
SVM	97.44%
KNN	96.46%
LR	83.69%

presents a comparative analysis of these results.

4. Results and Discussion

Following a comprehensive literature review and the development of machine learning models using the NN DDoS detection method, we obtained our results. Our algorithm contrasts the NN outputs with a specialized SVM to authenticate the findings. We performed an analysis using the CIC IoT Dataset 2022 attack data combined with the NS-2 network simulation to validate the functionality and efficacy of the proposed algorithm. Figure 4 illustrates the data results distribution based on packet counts, flows, and byte counts. Additionally, the attacked data are labeled with 1 and an orange color, and the normal data traffic is labeled with 0 and a blue color, as shown in Figure 4 below. Data are displayed graphically according to traffic flows, the byte count, the density of the traffic, and the count of the packets.

Simulation assessments of the implemented algorithm revealed that the proposed method outperformed single NN projects in detecting intricate DDoS techniques, such as combinational attacks using UDP flood, SYN flood, Zero-day, fragmented packets, and ping of death attacks. Whereas single NN projects reported accuracies of 73% and 76% [25], our algorithm, incorporating SVM and multiple layers of Neural Networks, achieved an impressive accuracy of 99.19% with the CIC dataset, as documented in

Table 3. Extracted model structure with parameters.

Precision Factors	Recall	F1 Score 1	Val-Accuracy
Accuracy	0.9923	0.9920	0.9919
Value loss	0.0195	0.9920	0.9919

¹ F1 Score = 2 × (Precision × Recall)/(Precision + Recall).

. Figure 5 visualizes the training and validation accuracy over various epochs.

DDoS attacks can instigate significant technical and infrastructure disruptions, resulting in substantial damage or compromised system operations [25]. Traditional IoT protocols, such as the Message Queuing Telemetry Transport (MQTT) protocol, are often inadequate in warding off advanced DDoS assaults [26,27]. A myriad of studies have delved into DDoS attack detection in IoT systems utilizing machine learning techniques; however, a majority report sub-optimal detection accuracy for sophisticated DDoS strikes [28,29].

In comparison to existing methods that prioritize features based on top scores from multiple classifiers, our proposed method stands out. Despite leveraging a reduced set of features, our methodology delivered enhanced accuracy, as showcased in

Table 4. Extracted model structure with parameters.

Method	No of Features	Classifiers	Accuracy
R.J. Alzahrani and A. Alzahrani [30]	24	KNN, SVM, NB, DT, RF, and LR	99%
M. Aamir and S.M.A. Zaidi [31]	25	KNN, SVM	98%
Sekar et al. [32]	18	DT	96.25%
Khanday et al. [33]	20	Lineer SVM, NB, LR, ANN, LSTM	99%
Proposed Method	21	SVM, KNN, LR + Parallel Synchronized 2-step algorithm (Detection and Verification Using Predictor)	99.19%

. Parameters, such as classification type, feature count, and algorithms used, were taken into account for this comparison.

When the evaluation of our suggested technique is conducted using the relevant articles, methodologies, and datasets used in our literature review, our research exhibits divergence in terms of the dataset and methodology employed. The primary distinction in our approach is in the use of hybrid modelling techniques. The correctness of the model is verified by the F1 Score, as shown in Table 3 and Table 4. Furthermore, it is widely acknowledged that the metric of Recall, which quantifies the proportion of transactions correctly identified as positive, indicates that our mistake tolerance stays at a minimal threshold. Through the implementation of a three-layer back propagation network, Zhang and colleagues demonstrated that a Neural Network with a dynamic structure is capable of producing identical control parameters within the specified flight circumstances, resulting in consistent responses, as seen before. The methods used in game theory are well-established mathematical modelling tools. Notably, game theories have been effectively implemented in conventional artificial intelligence decision-making systems, as shown by the successful outcomes achieved.

5. Conclusions

The advent of intelligent building applications has the potential to provide cybersecurity vulnerabilities for both individuals and organizations, as well as the technologies they rely on. One of the significant risks that deserves attention is the DDoS assaults perpetrated by botnets targeting BMSs. The objective of these DDoS attacks is to compromise both websites and the whole BMS infrastructure by inundating connections with a substantial volume of data. Despite the emergence of several machine-learning-supported detection systems, our work presents a novel defense approach. The present research used a machine learning model with a focus on Neural Networks to detect DDoS threats.

Additionally, SVM was utilized to enhance the accuracy of the detection process. The SMOA algorithm is used for feature selection to enhance the efficacy of DDoS detection in BMSs, hence reinforcing its sensitivity. The model effectively identifies and mitigates intrusion attempts by offering robust defense mechanisms against DDoS assaults. The findings obtained in this study confirm the significant efficacy of the algorithm suggested, particularly in its ability to identify intricate DDoS assaults. One notable limitation is the incongruity between the research emphasis of our work, which centers on DDoS assaults, and the assessment dataset, which mostly focuses on DoS attacks. Furthermore, a discrepancy exists between the system model described in our research work and the testing conditions of the dataset. Moreover, the system model does not comprehensively represent the SDN-enabled smart building environment. The existence of this difference raises concerns about the suitability of the dataset for use in BMS situations. Notwithstanding these constraints, our study indicates significant advancements in the identification and alleviation of DDoS attacks in BMSs. The use of NN, SVM, and SMOA enhances the efficacy of our approach in mitigating DDoS attacks. The accuracy of the suggested model was found to be 99.19% when assessed using the CIC dataset and using modular MVP coding paradigms.

After overcoming the highlighted limitations, our technique is positioned to achieve even higher efficacy, offering a bright outlook for the advancement of smart buildings. Our forthcoming endeavors include completing the necessary tasks to enhance the degree of security protection in BMSs by implementing several layers of defense against various cyber-attack techniques.