Detection of Unknown DDoS Attacks with Deep Learning and Gaussian Mixture Model
Abstract
:1. Introduction
- We identify the detection of unknown DDoS attacks as an Open Set Recognition problem and demonstrate its impact on conventional detection approaches.
- We propose a new BI-LSTM-GMM model to detect the unknown network attack. The proposed framework can successfully differentiate novel instances from samples drawn from trained models.
- Using the data sets CIC-IDS2017 and CIC-DDoS2019 for training, testing, and evaluation, experiment results show that the proposed BI-LSTM-GMM can achieve recall, precision, and accuracy up to 94%.
2. Related Works
3. Proposed Framework—BI-LSTM-GMM
3.1. BI-LSTM Module
3.2. GMM Module
3.3. Incremental Learning
4. Experiments
4.1. Data Set
4.2. BI-LSTM Module
4.3. GMM Module
4.4. BI-LSTM-GMM with Incremental Learning
5. Conclusions
Author Contributions
Funding
Acknowledgments
Conflicts of Interest
References
- Mahjabin, T.; Xiao, Y.; Sun, G.; Jiang, W. A survey of distributed denial-of-service attack, prevention, and mitigation techniques. Int. J. Distrib. Sens. Netw. 2017, 13. [Google Scholar] [CrossRef] [Green Version]
- Genie-Networks. DDoS Attack Statistics and Trends Report for 2020. 2021. Available online: https://www.genie-networks.com/gnnews/ddos-attack-statistics-and-trends-report-for-h1-2020/ (accessed on 6 May 2021).
- Jonker, M.; Sperotto, A.; Pras, A. DDoS Mitigation: A measurement-based approach. In NOMS 2020–2020 IEEE/IFIP Network Operations and Management Symposium; IEEE: Piscataway Township, NJ, USA, 2020; pp. 1–6. [Google Scholar]
- Priya, S.S.; Sivaram, M.; Yuvaraj, D.; Jayanthiladevi, A. Machine learning based DDoS detection. In Proceedings of the 2020 International Conference on Emerging Smart Computing and Informatics, Pune, India, 12–14 March 2020; IEEE: Piscataway Township, NJ, USA, 2020; pp. 234–237. [Google Scholar]
- Pouyanfar, S.; Sadiq, S.; Yan, Y.; Tian, H.; Tao, Y.; Reyes, M.P.; Shyu, M.; Chen, S.; Iyengar, S.S. A survey on deep learning: Algorithms, techniques, and applications. ACM Comput. Surv. 2018, 51, 1–36. [Google Scholar] [CrossRef]
- Yulita, I.N.; Fanany, M.I.; Arymuthy, A.M. Bi-directional Long Short-Term Memory using Quantized data of Deep Belief Networks for Sleep Stage Classification. Procedia Comput. Sci. 2017, 116, 530–538. [Google Scholar] [CrossRef]
- Geng, C.; Huang, S.J.; Chen, S. Recent advances in open set recognition: A survey. IEEE Trans. Pattern Anal. Mach. Intell. 2020, 14, 1–19. [Google Scholar] [CrossRef] [PubMed] [Green Version]
- Cao, A.; Luo, Y.; Klabjan, D. Open-set recognition with Gaussian mixture variational autoencoders. arXiv 2020. Available online: https://arxiv.org/abs/2006.02003 (accessed on 6 May 2021).
- Cheng, J.; Yin, J.; Liu, Y.; Cai, Z.; Wu, C. DDoS attack detection using IP address feature interaction. In Proceedings of the IEEE International Conference on Intelligent Networking and Collaborative Systems, Thessalonika, Greece, 24–26 November 2010; IEEE: Piscataway Township, NJ, USA, 2009; pp. 113–118. [Google Scholar]
- Vu, N.H. DDoS attack detection using K-Nearest Neighbor classifier method. In Proceedings of the International Conference on Telehealth/Assistive Technologies, Baltimore, Maryland, USA, 16–18 April 2008; IEEE: Piscataway Township, NJ, USA, 2008; pp. 248–253. [Google Scholar]
- Fadlil, A.; Riadi, I.; Aji, S. Review of detection DDoS attack detection using Naïve Bayes classifier for network forensics. Bull. Electr. Eng. Inform. 2017, 6, 140–148. [Google Scholar] [CrossRef]
- Wang, C.; Zheng, J.; Li, X. Research on DDoS attacks detection based on RDF-SVM. In Proceedings of the 10th International Conference on Intelligent Computation Technology and Automation, Changsha, China, 9–12 October 2017. [Google Scholar]
- Dincalp, U. Anomaly based distributed denial of service attack detection and prevention with machine learning. In Proceedings of the 2nd International Symposium on Multidisciplinary Studies and Innovative Technologies, Ankara, Turkey, 19–21 October 2018. [Google Scholar]
- Ahanger, T.A. An effective approach of detecting DDoS using artificial neural networks. In Proceedings of the 2017 International Conference on Wireless Communications, Signal Processing and Networking, Chennai, India, 22–24 March 2017; IEEE: Piscataway Township, NJ, USA, 2017; pp. 707–711. [Google Scholar]
- Li, Y.; Lu, Y. LSTM-BA: DDoS detection approach combining LSTM and Bayes. In Proceedings of the 7th International Conference on Advanced Cloud and Big Data, Suzhou, China, 21–22 September 2019; IEEE: Piscataway Township, NJ, USA, 2009; pp. 180–185. [Google Scholar]
- Yang, K.; Zhang, J.; Xu, Y.; Chao, J. DDoS attack detection with AutoEncoder. In IEEE/IFIP Operations and Management Symposium; IEEE: Piscataway Township, NJ, USA, 2020; pp. 1–9. [Google Scholar]
- Doriguzzi-Corin, R.; Millar, S.; Scott-Hayward, S.; Martinez-del-Rincon, J.; Siracusa, D. LUCID: A practical, lightweight deep learning solution for DDoS attack detection. IEEE Trans. Netw. Serv. Manag. 2020, 17, 876–889. [Google Scholar] [CrossRef] [Green Version]
- Yong, B.; Wei, W.; Li, K.-C.; Shen, J.; Zhou, Q.; Wozniak, M.; Połap, D.; Damaševičius, R. Ensemble machine learning approaches for webshell detection in Internet of things environments. Trans. Emerg. Telecommun. Technol. 2020, 30. [Google Scholar] [CrossRef]
- Hemalatha, J.; Roseline, S.A.; Geetha, S.; Kadry, S.; Damaševiˇcius, R. An efficient DenseNet-based deep learning model for malware detection. Entropy 2021, 23, 344. [Google Scholar] [CrossRef] [PubMed]
- Bendale, A.; Boult, T.E. Towards open set deep networks. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, Las Vegas, NV, USA, 27–30 June 2016; IEEE: Piscataway Township, NJ, USA, 2016; pp. 1563–1572. [Google Scholar]
- Sabeel, U.; Heydari, S.S.; Mohanka, H.; Bendhaou, Y.; Elgazzar, K.; El-Khatib, K. Evaluation of deep learning in detecting unknown network attacks. In Proceedings of the 2019 International Conference on Smart Applications, Communications and Networking, Sharm El Sheik, Egypt, 17–19 December 2019; pp. 1–6. [Google Scholar]
- Rudd, E.M.; Jain, L.P.; Scheirer, W.J.; Boult, T.E. The extreme value machine. IEEE Trans. Pattern Anal. Mach. Intell. 2018, 40, 762–768. [Google Scholar] [CrossRef] [PubMed]
- University of New Brunswick. Intrusion Detection Evaluation Dataset (CIC-IDS2017). 2017. Available online: https://www.unb.ca/cic/datasets/ids-2017.html (accessed on 6 May 2021).
- University of New Brunswick. DDoS Evaluation Dataset (CIC-DDoS2019). 2019. Available online: https://www.unb.ca/cic/datasets/ddos-2019.html (accessed on 6 May 2021).
- Canadian Institute for Cybersecurity. CICFlowMeter (4.0) [Source Code]. 2016. Available online: https://github.com/CanadianInstituteForCybersecurity/CICFlowMeter (accessed on 6 May 2021).
Data Set | Traffic Type | # of Instances | Ratio | Total # of Instances |
---|---|---|---|---|
CIC-IDS2017/Wednesday | BENIGN | 440,031 | 0.63 | 692,703 |
DoS GoldenEye | 10,293 | 0.014 | ||
DoS Hulk | 231,073 | 0.333 | ||
DoS Slowhttptest | 5499 | 0.008 | ||
DoS Slowloris | 5796 | 0.008 | ||
Heartbleed | 11 | |||
CIC-IDS2017/Friday | BENIGN | 97,718 | 0.432 | 225,745 |
DDoS | 128,027 | 0.567 | ||
CIC-DDoS2019/NTP | BENIGN | 14,365 | 0.0118 | 1,217,007 |
DDoS/NTP | 1,202,642 | 0.9881 | ||
CIC-DDoS2019/LDAP | BENIGN | 1612 | 0.0007 | 2,181,542 |
DDoS/LDAP | 2,179,930 | 0.9992 | ||
CIC-DDoS2019/SSDP | BENIGN | 763 | 0.0002 | 2,611,374 |
DDoS/SSDP | 2,610,611 | 0.9997 | ||
CIC-DDoS2019/ Syn | BENIGN | 392 | 0.0002 | 1,582,681 |
Syn | 1,582,289 | 0.9997 | ||
CIC-DDoS2019/ NetBIOS | BENIGN | 1707 | 0.0004 | 4,094,986 |
DDoS/ NetBIOS | 4,093,279 | 0.9995 |
Actual | Attack | Normal | |
---|---|---|---|
Predicted | |||
Attack | TP (True Positive) | FP (False Positive) | |
Normal | FN (False Negative) | TN (True Negative) |
Parameter | Setting |
---|---|
Epoch/Batch Size | 500/1024 |
Clipnorm | 0.9 |
Learning rate | 0.00859 |
Momentum | 0.89 |
Decay | |
Bidirectional Layer | 2 |
Test Data Set | Recall | Precision | Accuracy | AUC | F1 |
---|---|---|---|---|---|
CIC-IDS2017/Wednesday | 0.998 | 0.972 | 0.989 | 0.986 | 0.985 |
CIC-IDS2017/Friday | 0.412 | 0.984 | 0.662 | 0.703 | 0.581 |
Test Data Set | Recall | Precision | Accuracy | AUC | F1 |
---|---|---|---|---|---|
CIC-IDS2017/Wednesday | 0.953 | 0.895 | 0.942 | 0.930 | 0.923 |
CIC-IDS2017/Friday | 0.998 | 0.979 | 0.982 | 0.966 | 0.988 |
Model | Test Data Set | Recall | Precision | Accuracy | AUC | F1 |
---|---|---|---|---|---|---|
BI-LSTM | CIC-DDoS2019/NetBIOS | 0.898 | 0.999 | 0.898 | 0.853 | 0.946 |
BI-LSTM-GMM BI-LSTM-GMM | CIC-IDS2017/Wednesday | 0.995 | 0.736 | 0.868 | 0.836 | 0.846 |
CIC-DDoS2019/NetBIOS | 0.982 | 0.999 | 0.980 | 0.967 | 0.990 | |
BI-LSTM | CIC-DDoS2019/NTP | 0.362 | 0.995 | 0.368 | 0.606 | 0.531 |
BI-LSTM-GMM BI-LSTM-GMM | CIC-IDS2017/Wednesday | 0.985 | 0.750 | 0.875 | 0.850 | 0.852 |
CIC-DDoS2019/NTP | 0.932 | 0.987 | 0.923 | 0.927 | 0.959 | |
BI-LSTM | CIC-DDoS2019/LDAP | 0.392 | 0.999 | 0.392 | 0.568 | 0.563 |
BI-LSTM-GMM BI-LSTM-GMM | CIC-IDS2017/Wednesday | 0.999 | 0.872 | 0.946 | 0.909 | 0.931 |
CIC-DDoS2019/LDAP | 0.956 | 0.996 | 0.953 | 0.948 | 0.976 |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |
© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Shieh, C.-S.; Lin, W.-W.; Nguyen, T.-T.; Chen, C.-H.; Horng, M.-F.; Miu, D. Detection of Unknown DDoS Attacks with Deep Learning and Gaussian Mixture Model. Appl. Sci. 2021, 11, 5213. https://doi.org/10.3390/app11115213
Shieh C-S, Lin W-W, Nguyen T-T, Chen C-H, Horng M-F, Miu D. Detection of Unknown DDoS Attacks with Deep Learning and Gaussian Mixture Model. Applied Sciences. 2021; 11(11):5213. https://doi.org/10.3390/app11115213
Chicago/Turabian StyleShieh, Chin-Shiuh, Wan-Wei Lin, Thanh-Tuan Nguyen, Chi-Hong Chen, Mong-Fong Horng, and Denis Miu. 2021. "Detection of Unknown DDoS Attacks with Deep Learning and Gaussian Mixture Model" Applied Sciences 11, no. 11: 5213. https://doi.org/10.3390/app11115213