Article

An LDDoS Attack Detection Method Based on Behavioral Characteristics and Stacking Mechanism

School of Cyber Security, Guangdong Polytechnic Normal University, Guangzhou 510635, China
*
Author to whom correspondence should be addressed.
Submission received: 16 October 2024 / Revised: 22 December 2024 / Accepted: 6 January 2025 / Published: 21 January 2025

Abstract

The Internet of Things continues to grow, and the number of IoT devices has reached the order of tens of billions. Most IoT devices are vulnerable to attacks, especially DDoS (Distributed Denial of Service) attacks. DDoS attacks can easily cause damage to IoT devices, and LDDoS is an attack launched against hardware resources through a small stream of very slow traffic. Compared with traditional large-scale DDoS, LDDoS attacks require less bandwidth and generate traffic similar to that of normal users, which makes them difficult to distinguish. This article uses the CICIoT2023 dataset: information about the attack behavior of low-rate attacks is extracted as features, and a stacking mechanism is used to improve the recognition effect. A method based on behavioral characteristics and a stacking mechanism is proposed to detect DDoS attacks, and this method can accurately detect LDDoS. Experimental results show that the recognition rate of low-rate attacks of this scheme reaches 0.99, and other indicators such as accuracy, recall, and F1 score are all better than other LDDoS detection methods. Thus, the model proposed in this paper can effectively detect LDDoS attacks. At present, DDoS attacks are relatively mature, and there are many related results, but there is less research on LDDoS detection alone. This paper focuses on the investigation and analysis of LDDoS attacks within DDoS attacks and derives feasible LDDoS detection methods.

1. Introduction

The number of IoT devices will continue to increase. This huge population of devices has become a target for DDoS attackers, and the security of the devices still needs to be improved. DDoS attacks have undergone tremendous changes after years of development, evolving from the initial simple high-speed traffic attacks to intelligent low-speed traffic attacks. One of the reasons why low-speed traffic attacks are difficult to detect is that they are often disguised as normal traffic while they consume resources. Ensuring the quality and security of communication between IoT devices is therefore a field of great research significance. In this paper, any type of communication protocol can exist in the communication network of IoT. Nonetheless, IoT devices possess restricted computational capabilities, storage capacity, and network throughput, which precludes them from handling rapid data exchanges [1]. Consequently, attacks that operate at a slower pace pose a significant risk to the IoT ecosystem.
DDoS is the abbreviation of Distributed Denial of Service. Denial of Service means using some technical means to exhaust the resources of the attacked server so that it rejects normal requests. Distributed means that multiple computers are combined as an attack platform to issue a large number of requests to the server at the same time. Server resources include computing, network, storage, and any other available resources that can be affected during normal operation; the attack drives the computing performance of the server to its upper limit, fills the network bandwidth, or uses up the storage space, so that the server cannot respond to normal requests. Generally speaking, DDoS consumes these resources with very large traffic mixed with illegal requests, as in UDP flood and ICMP flood. This type of attack is characterized by large volume and abnormal behavior, so it is relatively easy to detect, for example with various entropy methods and abnormality recognition methods.
However, LDDoS, or low-rate denial of service, attacks are difficult to detect. Low-rate and slow attacks are a type of DoS or DDoS attack in which the data transfer rate associated with the attack's resource usage is minimal. In contrast to conventional high-intensity DDoS assaults, these attacks produce a negligible amount of traffic, which complicates efforts to counter them because the malicious data flow closely resembles legitimate traffic. Therefore, it does not cost much to launch this attack, and any device can be used to launch it. Unlike the flood-like attack types in DDoS, the attack traffic generated by LDDoS is relatively small: the traffic bandwidth when launching an attack accounts for 10~20% of the normal traffic. This characteristic renders the attack stealthy, allowing it to infiltrate the network's central infrastructure. It can also attack any target on the network and can cause irreparable damage and loss, especially to large networks.
DDoS assaults are categorized into two main types, “Flood” and “Shrew,” distinguished by their distinctive features and the rate at which they are carried out. Among them, the types of Flood attacks are divided into high-rate (usually DDoS attacks) and low-rate (Flood attacks, the transmission rate is less than 1000 bps). Their classification is based on the packet transmission rate of 1000 bps [2]. Unlike volumetric DDoS attacks that continuously send large amounts of traffic, DDoS attacks are more concealed and difficult to detect due to their small capacity. This characteristic may pose potential risks. For example, when multiple seemingly harmless flows converge together, they will form a strong periodic pulse flow, thus triggering a DDoS attack. This attack method takes advantage of the latency of low-rate attacks and, after successfully infiltrating, suddenly merges into a large flow that is difficult for general network devices to cope with [3]. There is also a new type of network architecture, SDN (Software-Defined Network), which is characterized by the use of centralized control logic for network routing, that is, network programmability. This architecture is also unable to avoid LDDoS intrusion. Traditional security mechanisms protect SDN from DDoS attacks [4].
This paper starts from another angle, the behavioral pattern of the attack, analyzes the behavioral attributes of LDDoS traffic, and forms interactive features through their power combination. Finally, the stacking model is used for training. The resulting model accurately identifies LDDoS and benign traffic, and the overall model also obtains satisfactory results in identifying other attacks in the dataset.
The rest of this paper is organized as follows. Section 2 reviews related work, and Section 3 explains the origin of the problem. Section 4 describes our proposed framework. Section 5 discusses the experimental results. Section 6 contains the conclusion and future research directions.

2. Related Work

This section introduces related research on low-rate DDoS attacks. The research by Aladaileh and colleagues [5] employed an entropy-based approach within SDN environments to assess the recovery capabilities and false positive rates associated with low-rate DDoS assaults, drawing comparisons with the impacts of high-rate DDoS incidents. This method needs to be further improved in the selection of entropy values. Different entropy values are crucial for determining low-rate or high-rate attacks. Yin and team [1] introduced the DIAMOND method, a sophisticated co-evolutionary feature optimization technique, designed for the identification of LDDoS in SDN-integrated IoT systems. This is a clustering algorithm. It effectively improves the detection accuracy while reducing the size of the relevant feature subset and shortening the detection time of LDDoS. Tang and associates [6] developed a DDoS detection strategy leveraging the MF-Adaboost framework. By analyzing raw network traffic through a curated feature set, they identified key attributes that enhance classifier training within the Adaboost model, resulting in an impressive detection rate of 97.06%. Here, all attack types were detected, and LDoS was not studied because they indicated that the detection algorithm will be further improved to filter LDoS attack traffic.
Zhi Jun et al. [7] proposed a method for detecting LDoS attacks based on MSABMS. This method treats network traffic as a signal based on a small signal model and detects attacks through frequency changes. Siracusano et al. [8] demonstrated that invisible application layer distributed DDoS attacks can be accurately classified from legitimate traffic using features associated with their TCP flows and that a series of artificial intelligence algorithms can accurately predict the presence of attack flows using these features. Both papers detected DDoS attacks, but neither provided detailed detection of DDoS attacks.
Rufai et al. [9] used the membrane computing paradigm to enhance the IDS feature subset selection method based on the Bee algorithm. They conducted experiments using the KDD Cup dataset and significantly improved the classification accuracy, thereby reducing the false alarm rate. This method can provide a reference for the selection of LDDoS attack features. Wu et al. [10] introduced a method to detect LDoS attacks using multifractal theory. They used the MF-DFA algorithm to prove that network traffic has multifractal characteristics. Then, they estimated the Holder index point by point based on wavelet analysis, detected LDoS attacks by comparing the Holder index difference and the detection threshold, and used the t hypothesis test to determine the start or end of the LDoS attack.
Wu et al. [11] summarized the features related to flow rules, constructed a feature set based on these features, and proposed an SDN low-rate DDoS attack detection method based on flow matching rules. In addition, they proposed a flow rule defense method that can prevent the congestion of flow tables and thus improve the packet forwarding success rate in normal traffic. Kumar et al. [12] designed a system that can successfully detect DDoS attacks by combining HAWK and Firerel techniques. High-speed DDoS attacks are detected by calculating the entropy change value and frequency of the packets in the traffic. In addition to successfully preventing high-speed attacks, some low-speed attacks penetrate into the network. Therefore, they also proposed an L-IPS method that only focuses on defending against low-speed DDoS attacks. Kieu et al. [13] adopted a CPR-based approach to address DDoS attacks. They balanced the throughput of TCP traffic during DDoS attacks and the throughput of new TCP flows when the network was normal and implemented an adaptive method for these two flows to address DDoS.
Bhuyan et al. [14] proposed a multi-dimensional LDDoS detection mechanism based on the generalized total change metric. This mechanism can effectively detect LDDoS attacks of different scales. Due to the threshold problem of LDDoS, they developed a method based on the Mahalanobis distance to select a suitable δ value to ensure that there is no misjudgment. Perez and his team [15] built and deployed a scalable and adaptable security framework to identify and mitigate long-term denial of service (LR DDoS) attacks in SDN networks. The framework uses multiple pre-trained machine learning algorithms to analyze network traffic. Kaur et al. [16] used the CPR method of the queue management algorithm using the NS2 simulator to detect DDoS attacks. Alashhab and colleagues [17] developed an online machine learning model that uses a PA classifier to identify distributed denial of service (DDoS) attacks in SDN architectures. This model is known for its high accuracy and low training data loss rate. Jadhav et al. [18] developed a strategy for identifying low-rate DDoS assaults that leverage refined objective entropy (OOE), a form of attack that poses a greater challenge to detect compared to its high-rate counterpart. To refine the threshold setting, a genetic algorithm is deployed to establish the objective function, allowing for its modification to suit varying traffic scenarios.
Lin [19] crafted a system named Fair Robust Random Early Detection (FRRED), an active queue management (AQM) strategy that works in tandem with TCP. At the heart of FRRED lies its “protocol-based hash partitioning” mechanism. This system optimizes space and features a refined design by segregating UDP and TCP flow records within counting Bloom filters. Kieu and colleagues [20] introduced a technique to gauge the TCP throughput of individual TCP streams amidst low-rate DDoS incidents. Even if the round-trip time and attack period Ta of the TCP flow change significantly, this method can estimate the TCP throughput and detect low-rate DDoS.
Liu and team [21] developed an asynchronous federated learning arbitration system incorporating bidirectional LSTM (bi-LSTM) and an attention mechanism (referred to as AsyncFL bLAM), facilitating federated learning across numerous client endpoints. In AsyncFL bLAM, they introduced a leader node selection algorithm to construct an asynchronous federated learning framework, under which the model can achieve higher accuracy with fewer iterations. Marvi et al. [22] proposed a method for developing a general model to detect DDoS attacks. The method is divided into three stages and integrates two different methods: filtering and embedding. The model is trained using the Minimum Gradient Boosting Machine (LGBM) algorithm to classify benign and malicious traffic.
Šimskek et al. [23] proposed a method for metric calculation using pre-congestion periods. The method used ns2 as a simulation tool and simulated nearly 50 different scenarios. By classifying the traffic using 40 packets to perform 40 simple operations, they successfully filtered out 100% of DDoS attacks using standard deviation. Jie Ren et al. [24] designed and implemented an NCAP platform that supports DDoS attack detection and proposed a lightweight detection algorithm to enhance the robustness of the platform. Their experimental results showed that the platform has considerable power consumption and processing power and is able to handle more than 100 request connections simultaneously, thereby enabling the detection of low-rate attacks.
Duravkin et al. [25] proposed a slow HTTP attack detection method based on Web server utilization evaluation and transition time prediction, aiming to overload the system. By analyzing the implementation details of the slow HTTP attack, it is found that during the slow HTTP attack, the request input flow has almost no increase, but at the same time, the service time of the request increases dramatically. The attack detection method proposed for this behavior can measure the time when the attacked system transitions to the overload state. The advantage of the system proposed in this paper is that it can detect attacks against the server failure state, identify intruders, and thus prevent malicious traffic.
The above research on DDoS mainly focuses on detecting high-intensity DDoS attacks. These detection systems use traffic technology to identify attacks, but these technologies have difficulty detecting new DDoS attacks such as low-intensity attacks. Low-intensity attacks generate lower traffic, so they do not trigger any alarms for traffic-based detectors. In many high-rate or low-rate attack detections, the main method adopted is the entropy method, which uses the change of certain information within the unit variable to reach a threshold to determine whether an attack has occurred. However, the setting of the threshold is crucial here. Some papers adopt dynamic thresholds, which is a commendable choice because if a fixed threshold is used, it will ignore the existence of the FlashCrow group and lead to misjudgment. Leveraging machine learning or deep learning is also a viable solution because when low-rate attacks are disguised as normal traffic, although most of the information resembles normal traffic, their behavior will be significantly different from normal traffic. This information can be used to detect low-rate attacks.

3. Problem Statement

Low-rate DDoS attacks, also known as slow attacks, are characterized by using extremely low traffic rates to attack application or server resources. Compared with traditional flood attacks, this type of attack requires very little bandwidth and is therefore more difficult to detect and defend against. In addition, since the traffic characteristics it generates are very similar to normal user requests, it becomes particularly difficult to distinguish malicious traffic from legitimate traffic. Table 1 summarizes some typical behavioral characteristics of low-rate DDoS attacks.
They take full advantage of the defects in the congestion control mechanism of protocols (such as TCP/IP) to launch attacks. LDDoS attacks are mainly divided into the following steps (taking TCP/IP as an example):
(1) LDDoS periodically bursts out short-duration, high-intensity attack data flows, causing a large number of packets to be lost in normal TCP flows, forcing the congestion control mechanism to switch to slow start, compressing the window and causing traffic loss;
(2) After entering a slow start, the LDDoS attack stops. When the TCP flow slowly recovers to normal, the next LDDoS attack cycle begins, and the high-intensity attack data flow continues to attack, leading to the next round of congestion control;
(3) This vicious cycle repeats over and over again, causing the TCP flow to repeatedly enter a vicious cycle of “congestion avoidance” and “congestion recovery”, resulting in a significant decrease in the throughput of the TCP flow.
From the attack square wave display in Figure 1, LDDoS attacks have obvious periodicity. The large traffic square wave in the period causes the congestion control mechanism to start. When there is no attack, the traffic returns to normal, and the network is unobstructed. When launching an attack, high-intensity data flow attacks continue to be used, resulting in congestion control. In detecting LDDoS, two points need to be noted. First, its content is similar to normal traffic. If it is not processed, it is easy to have a high misjudgment rate and overfitting risk when training the classifier. Second, it is different from normal traffic in behavior. LDDoS attacks only need to maintain high traffic for a short period within a cycle and stop the attack after entering congestion. This results in low attack traffic, which is difficult to detect, and can repeatedly reduce throughput, causing huge fluctuations in throughput, and leading to denial of service. To better detect LDDoS, it is necessary to analyze the characteristics of LDDoS behavior and avoid the risk of overfitting when content is the main classification information. This study introduces relevant features in analyzing the behavioral pattern of this attack and uses the stacking mechanism to avoid overfitting to the greatest extent to obtain satisfactory detection results.
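The periodic burst behavior described in this section can be checked on a per-second packet count, as in the following added example (not code from the paper, and not the paper's detection method). The traffic series are constructed, and the autocorrelation and peak-to-mean thresholds are illustrative assumptions.

```python
import random


def autocorrelation(series, lag):
    """Biased sample autocorrelation of `series` at `lag` (0.0 for a flat series)."""
    n = len(series)
    mean = sum(series) / n
    var = sum((v - mean) ** 2 for v in series)
    if var == 0:
        return 0.0
    cov = sum((series[i] - mean) * (series[i + lag] - mean) for i in range(n - lag))
    return cov / var


def pulse_profile(pps, min_lag=2, acf_threshold=0.5, peak_threshold=3.0):
    """Summarise burst behaviour in a packets-per-second series.

    Both thresholds are illustrative assumptions, not values from the paper.
    """
    mean = sum(pps) / len(pps)
    lags = range(min_lag, len(pps) // 2 + 1)
    # The lag with the strongest self-similarity is the candidate attack period.
    period = max(lags, key=lambda k: autocorrelation(pps, k))
    acf = autocorrelation(pps, period)
    peak_to_mean = max(pps) / mean if mean else 0.0
    return {
        "mean_pps": mean,
        "period_s": period,
        "acf": acf,
        "peak_to_mean": peak_to_mean,
        # Flag only series that are both strongly periodic and bursty.
        "periodic_pulse": acf >= acf_threshold and peak_to_mean >= peak_threshold,
    }


def constructed_series(seconds=120, pulse_every=None, pulse_pps=0, seed=1):
    """Constructed per-second packet counts: noisy baseline plus optional pulses."""
    rng = random.Random(seed)
    series = [rng.randint(15, 25) for _ in range(seconds)]
    if pulse_every:
        for t in range(0, seconds, pulse_every):
            series[t] += pulse_pps
    return series


BENIGN = constructed_series()
PULSED = constructed_series(pulse_every=10, pulse_pps=200)

if __name__ == "__main__":
    for name, series in (("benign", BENIGN), ("pulsed", PULSED)):
        print(name, pulse_profile(series))
```

The average rate of the pulsed series stays modest while the autocorrelation peak and the peak-to-mean ratio stand out, which is why behavior over time is more telling than volume.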

4. Materials and Methods

4.1. Dataset

CICIoT2023 is a real IoT attack dataset that uses a wide range of topologies consisting of multiple real IoT devices and uses IoT devices as attackers and victims. This dataset mainly executes, records, and collects data on 33 attacks (divided into 7 categories) against IoT devices. Compared with CICIoT2019, this dataset is a more comprehensive real-time dataset and benchmark for the IoT, designed to evaluate large-scale attacks in the IoT ecosystem. We randomly selected 400,000 records from the CICIoT2023 dataset, each of which contains 46 original features (attributes). The data flow information extracted from this dataset can simulate the real data flow characteristics to the greatest extent, making up for the shortcomings and limitations of previous datasets. The traffic types considered in this paper are ‘benign traffic’ and ‘LDDoS traffic’. The dataset is first preprocessed through a series of data type conversions, label encoding, default value filling, redundant data removal, and data balancing. Then, to unify the measurement, the data needs to be standardized. Utilizing Equation (1), the dataset is normalized to conform to a Gaussian distribution characterized by a zero mean and unit standard deviation.
$$X = \frac{x - \mathrm{mean}}{\mathrm{std}} \tag{1}$$
where x denotes the initial data value, ‘mean’ represents the dataset’s central tendency, and ‘std’ indicates its variability or dispersion.
Standardizing data helps improve the performance and accuracy of data analysis and machine learning algorithms. Many machine learning algorithms, especially distance-based algorithms (such as K-nearest neighbor, K-means clustering, principal component analysis, etc.), assume that all features are on the same scale. Data standardization can ensure that features have the same scale, thereby improving the performance of these algorithms; in optimization algorithms using gradient descent, if the scales of features vary greatly, it may lead to slower learning. Standardization can speed up convergence; if the model learns the scale of features on the training data, it may not perform well on new data because the scale of features on new data may be different. Standardization helps improve the model’s ability to generalize to new data.
Finally, the CICIoT2023 dataset is divided into a 65% training set for model training and a 35% test set for model prediction.

4.2. Characteristics Based on Behavioral Patterns

The main purpose of feature selection is to select a subset of features from the original feature set to reduce the dimension of the dataset and thus improve the performance of the learning algorithm. This process simplifies the model, making it easier to understand and reducing the difficulty of the learning task by removing irrelevant features. In addition, feature selection can improve the performance of the model, save storage and computing overhead, improve the versatility of the model, and reduce the risk of overfitting. By reducing the number of features, the dimensionality curse problem can be avoided and the model can be more generalized. Commonly used techniques include filtering methods, encapsulation methods, and embedding methods. Table 2 shows the original features.
After analyzing the behavior patterns of LDDoS, the following features related to low-rate attack behaviors were considered from the original features of the dataset: flow duration (1, flow_duration): indicates the duration of the flow, used to identify long connections, which may indicate a DDoS attack or continuous data transmission; message header length (2, Header_Length): the length of the packet header, reflecting the protocol type and potential exploitation; protocol type (3, Protocol type): by analyzing the type of protocol used in the traffic, the nature of the communication can be inferred, such as HTTP, HTTPS or other IoT-related protocols; rate (5, Rate): the rate of the traffic, used to detect sudden traffic increases, which may be a sign of a network attack; the number of flags (15, ack_count, 16, syn_count, 17, fin_count, 18, urg_count, 19, rst_count): the number of flags used to identify different types of network scanning or session hijacking attacks. By combining the properties of these behaviors, a feature set is constructed. For these behavior-related features, feature polynomials are used to generate high-order terms of the original features and interaction terms between features to expand the feature space. By introducing feature polynomials, the nonlinear relationship between features and targets can be simulated, thereby improving the prediction ability of the model. Feature polynomials generate new features through power combinations between features, also known as interactive features.

4.2.1. Chi-Square Filtering

The CICIoT2023 dataset has discrete labels, and the chi-square filter can handle the correlation with them well. By calculating the correlation between a feature and the target variable, the importance of the feature can be quantified, so that the most predictive features can be selected. The larger the chi-square statistic, the stronger the correlation between the feature and the target variable. Correlation filtering removes features that contribute only noise to the model; the features that pass the filter are retained and carried into the next step. The calculation formula of chi-square filtering is given in Formula (2).
In the chi-square filtering method, the following steps are usually followed for feature selection:
1. Develop a cross-tabulation: Formulate a cross-tabulation to illustrate the association between individual features and the objective variable. In this table, the rows represent the different categories of features, while the columns represent the classification of the target variable.
2. Predict the anticipated frequency: Utilizing the cross-tabulation’s observed figures, determine the projected frequency for each segment using the predefined equation.
3. Assess the chi-square statistic: Apply the chi-square statistical method to ascertain the variance between observed and anticipated frequencies, resulting in the chi-square measure.
4. Examine the level of significance: Contrast the derived chi-square measure against the threshold value of the chi-square distribution for the relevant degrees of freedom to judge the relevance of the connection between the attribute and the target variable.
5. Choose features: Depending on the chi-square outcome or its associated p value, pick the attributes with the strongest link to the target variable for further scrutiny or model development.
$$\chi^2 = \frac{(\mathrm{target} - \mathrm{expected})^2}{\mathrm{expected}} \tag{2}$$

4.2.2. Mutual Information Method

Mutual information serves as a metric to measure the interdependence level of two variables. More precisely, it signifies the informational content gleaned about one stochastic variable through the observation of another, thereby indicating the extent of reduction in the unpredictability of the latter. A high mutual information score between two stochastic variables suggests a robust association between them; on the flip side, a mutual information score of zero implies an absence of any relationship between the variables in question. The specific method of calculating mutual information is given in Formula (3).
$$I(X;Y) = \sum_{y \in \mathcal{Y}} \sum_{x \in \mathcal{X}} p(x,y) \log\left(\frac{p(x,y)}{p(x)\,p(y)}\right) \tag{3}$$
The 46 features of the original data and the interactive features generated by the feature polynomial were used as an initial feature set. After screening using the chi-square filtering and mutual information method, a feature set with a correlation greater than 0.3 was obtained as shown in Table 3, which includes 21 original features and 11 interactive features (47–57).
Figure 2 shows the composition of the selected interaction features, which are based on behavioral features. They are combined power-wise through feature polynomials, and the interaction features with correlation rates greater than 0.3 are selected.
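The following added example (not code from the paper) walks through Sections 4.2 to 4.2.2 on a small scale: it builds degree-2 power combinations of three behavioral features, then scores every feature with the chi-square steps above and with Formula (3). The flow records are constructed; the median split used to discretize values and the reading of the 0.3 cut-off as a mutual-information score in bits are assumptions.

```python
import math
from collections import Counter
from itertools import combinations_with_replacement
from statistics import median

# Constructed flow records, NOT rows from CICIoT2023. Column names come from
# the page; the last field is the label (1 = LDDoS, 0 = benign).
NAMES = ["flow_duration", "Rate", "syn_count"]
FLOWS = [
    (2.0, 40.0, 1, 0), (3.0, 90.0, 6, 0), (70.0, 45.0, 1, 0), (2.5, 95.0, 2, 0),
    (40.0, 42.0, 5, 1), (80.0, 88.0, 8, 1), (90.0, 50.0, 9, 1), (75.0, 85.0, 7, 1),
]


def polynomial_features(rows, names):
    """Original columns plus every degree-2 term (squares and pairwise products)."""
    cols = {n: [r[i] for r in rows] for i, n in enumerate(names)}
    out = dict(cols)
    for a, b in combinations_with_replacement(names, 2):
        key = f"{a}^2" if a == b else f"{a}*{b}"
        out[key] = [x * y for x, y in zip(cols[a], cols[b])]
    return out


def discretize(column):
    """Median split (assumption): both scores need categorical feature values."""
    cut = median(column)
    return ["high" if v > cut else "low" for v in column]


def chi_square(cats, labels):
    """Steps 1-3: cross-tabulate, derive expected counts, sum the deviations."""
    n = len(labels)
    observed = Counter(zip(cats, labels))
    row_tot, col_tot = Counter(cats), Counter(labels)
    stat = 0.0
    for r in row_tot:
        for c in col_tot:
            expected = row_tot[r] * col_tot[c] / n
            stat += (observed[(r, c)] - expected) ** 2 / expected
    return stat


def mutual_information(cats, labels):
    """Formula (3) in bits; empty cells contribute nothing to the sum."""
    n = len(labels)
    joint, px, py = Counter(zip(cats, labels)), Counter(cats), Counter(labels)
    return sum((c / n) * math.log2((c / n) / ((px[x] / n) * (py[y] / n)))
               for (x, y), c in joint.items())


def score_features(rows, names):
    """Map each original or interaction feature to (chi-square, mutual information)."""
    labels = [r[-1] for r in rows]
    scores = {}
    for name, col in polynomial_features(rows, names).items():
        cats = discretize(col)
        scores[name] = (chi_square(cats, labels), mutual_information(cats, labels))
    return scores


def select(scores, threshold=0.3):
    """Keep features whose mutual information exceeds the threshold."""
    return sorted(n for n, (_, mi) in scores.items() if mi > threshold)


if __name__ == "__main__":
    results = score_features(FLOWS, NAMES)
    for name, (chi, mi) in sorted(results.items(), key=lambda kv: -kv[1][1]):
        print(f"{name:28s} chi2={chi:5.2f}  MI={mi:.3f}")
    print("selected:", select(results))
```

In this constructed data neither flow_duration nor syn_count passes the cut-off alone, but their product does, which is the effect interaction features are meant to capture.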

4.3. Stacking Ensemble Learning Mechanism

Ensemble learning is a machine learning method that improves the performance of a model by combining multiple basic learning models (also called base learners) into a powerful learning system. By building multiple base learners and letting them make independent predictions on the input data, the prediction results of each base learner are combined in some way to produce the final prediction result. The advantage of this is that each base learner can learn on a different feature subset or in a different model space, thereby reducing the generalization error of the model.
Saia et al. [26] proposed a probability-driven ensemble (PDE) method that uses several classification algorithms and improves the effectiveness of classification algorithms based on probability criteria. The proposed ensemble method exceeds the specificity of a single classifier without suffering a significant penalty in other aspects. Subudhi et al. [1] used clustering and information fusion for assembly learning and applied three different ensemble methods consisting of five different classifiers. The information in the user activity database was used to make the final judgment on abnormal transactions. Experiments show that the system efficiency of ensemble learning achieves good results. Dutta and his team developed an ensemble approach in [27] that combines deep learning models including deep neural networks (DNNs) and long short-term memory networks (LSTMs), with a meta-classifier (e.g., logistic regression) that follows the principle of stacked generalization. This meta-classifier addresses the challenge of acquiring recent network traffic datasets and provides reasonable accuracy in detecting anomalous behavior in the network in a series of experiments. [28,29,30] et al. provided a comprehensive review of the research on intrusion detection systems, especially in the use of machine learning integration methods to improve detection performance, strongly illustrating the effectiveness of the integration mechanism.
Although ensemble learning does not involve major structural changes, experiments using the ensemble mechanism achieved good results, which confirms its value in improving performance. Algorithm 1 gives the stacking mechanism algorithm [31].
Algorithm 1 Stacking
Input: Training data $df = \{X_i, Y_i\}$ ($X_i \in \mathbb{R}^n$, $Y_i \in \Upsilon$)
Output: An ensemble classifier $M$
Step 1: Learn first-level classifiers
for $i \leftarrow 1$ to $K$ do
    Learn a base classifier $m_i$ based on $df$
end for
Step 2: Construct a new dataset from $df$
for each sample $(X_i, Y_i)$ in $df$ do
    Construct a new sample $\{X_i', Y_i\}$, where $X_i' = \{m_1(X_i), m_2(X_i), \ldots, m_K(X_i)\}$
end for
Step 3: Learn a second-level classifier
Learn a new classifier $m'$ based on the newly constructed dataset
return $M(X) = m'(m_1(X), m_2(X), \ldots, m_K(X))$
This algorithm describes the construction process of the stacked model: it accepts the training dataset df as input and produces an integrated classifier M as output. First, K base classifiers mi are trained on df, iterating i from 1 to K. The core of this step is to establish the classifiers at the base level.
Next, the prediction results of these base classifiers are used to create a new dataset. For each sample Xi, all base classifiers make predictions, generating a vector Xi’ = [m1(Xi), m2(Xi), …, mK(Xi)] of predicted values and thus forming a new dataset {(Xi’,Yi)}. The second-layer classifier m’, that is, the meta-classifier, is then trained on this newly constructed dataset to complete the learning of high-level patterns. Finally, the whole process returns an integrated classifier M, marking the completion of stacking model training.
In the stacking model, we considered a variety of classifiers: support vector classifier (SVC), K-nearest neighbor (KNN), random forest (RF), logistic regression (LR), and XGBoost (XGB). SVC is good at handling nonlinear data and maps features to a higher dimensional space through kernel techniques to solve complex classification problems, but its performance is highly dependent on the choice of parameters. KNN is an instance-based learning method that does not require a traditional training phase, is suitable for multi-class problems, but its main challenges are high computational cost and large storage space requirements. RF can handle high-dimensional data well and has strong resistance to overfitting. LR is a simple and effective classification tool that is suitable for classification tasks, but due to its linear nature, it is prone to underfitting, resulting in low classification accuracy. XGB introduces an approximation algorithm that optimizes the enumeration process of all possible split points for each feature in the traditional gradient boosting decision tree, making it more efficient and flexible. Although XGB has no obvious weaknesses, it can also be sensitive to noise, so regularization techniques may be needed to avoid overfitting.
Each of these classifiers has unique advantages and is used in the pre-training phase. According to the results shown in Figure 3, we selected XGB as the meta-classifier due to its excellent performance in the initial training phase, while the other classifiers were used as base classifiers. Under the stacking framework, the prediction results of the base classifiers are provided as input to the meta-classifier, which combines information from different base classifiers, thereby using these preliminarily processed data to further enhance the overall performance of the model.
Figure 4 shows the stacked model architecture used in this experiment. In the first layer, we trained each base classifier and used a five-fold cross-validation method to measure the generalization performance of the model. With cross-validation, the original training data is split into five subsets of similar size, called “folds”. In each round of iteration, one of the subsets is designated as the validation set, and the remaining four subsets are combined as training data for model training. After each iteration, we use the validation set of that round to test and evaluate the performance of the model.

4.4. Experiment Setup

The implementation and evaluation of the proposed method were run on a laptop with a Core i7 2.7 GHz CPU and 16 GB RAM, running Python 3.6 on Windows 11.

4.5. LDDOS Detection Method Based on Behavioral Characteristics and Stacking

Figure 5 shows the model of our method, in which CICIOT-2023 is combined with the analysis of DDoS attack behavior to obtain behavior-based features to better detect LDDoS attacks. Not all selected features contribute, and chi-square filtering and mutual information methods are further used to screen out features with greater correlation; based on the selected features, the original data is divided into a training dataset and a test dataset and trained using a stacking model. In this process, the training data is first trained on each basic classifier, and the generalization ability of the model is evaluated using five-fold cross-validation.
After their training is completed, a validation set based on this classification is generated, which is used to train the meta-classifier. Finally, after the training is completed, the stacking model uses the test set to generate prediction samples, and the test samples and prediction samples are used for evaluation to calculate indicators such as accuracy, precision, recall, and F1 score.
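
The stacking procedure from this section and from the algorithm description before Section 4.4, as an added pure-Python example that is not the authors' code: the meta-classifier is trained on out-of-fold predictions of the base classifiers, which is one common reading of the five-fold step. The flows, the three simple base learners and the lookup-table meta-classifier (standing in for XGB) are assumptions made for the illustration.

```python
from collections import Counter, defaultdict

# Constructed sample, not CICIoT2023 rows: [Rate, IAT] scaled to 0..1.
# Labels follow Table 5: 0 = BenignTraffic, 8 = DDoS-SlowLoris.
FLOWS = [([0.80, 0.20], 0), ([0.10, 0.90], 8), ([0.85, 0.15], 0), ([0.20, 0.80], 8),
         ([0.75, 0.25], 0), ([0.05, 0.95], 8), ([0.90, 0.10], 0), ([0.08, 0.92], 8),
         ([0.70, 0.30], 0), ([0.14, 0.86], 0)]  # last row: a benign flow that looks slow
PROBES = [[0.82, 0.18], [0.07, 0.93], [0.16, 0.84]]  # constructed test flows

def dist2(a, b):
    return sum((p - q) ** 2 for p, q in zip(a, b))

class NearestCentroid:
    def fit(self, X, y):
        rows = defaultdict(list)
        for x, label in zip(X, y):
            rows[label].append(x)
        self.centroids = {c: [sum(col) / len(r) for col in zip(*r)]
                          for c, r in rows.items()}
        return self
    def predict(self, X):
        return [min(self.centroids, key=lambda c: dist2(x, self.centroids[c]))
                for x in X]

class KNN:
    def __init__(self, k):
        self.k = k
    def fit(self, X, y):
        self.X, self.y = list(X), list(y)
        return self
    def predict(self, X):
        def vote(x):
            near = sorted(range(len(self.X)), key=lambda i: dist2(x, self.X[i]))
            return Counter(self.y[i] for i in near[:self.k]).most_common(1)[0][0]
        return [vote(x) for x in X]

class VoteTable:
    """Stand-in meta-classifier (the article uses XGB): most frequent training
    label per tuple of base predictions; unseen tuples get a majority vote."""
    def fit(self, X, y):
        seen = defaultdict(Counter)
        for row, label in zip(X, y):
            seen[tuple(row)][label] += 1
        self.table = {k: c.most_common(1)[0][0] for k, c in seen.items()}
        return self
    def predict(self, X):
        return [self.table.get(tuple(r), Counter(r).most_common(1)[0][0])
                for r in X]

def make_bases():
    return [NearestCentroid(), KNN(1), KNN(3)]

def out_of_fold(X, y, folds=5):
    """Xi' = [m1(Xi), ..., mK(Xi)], each mj fitted without the fold holding Xi."""
    meta_X = [None] * len(X)
    for fold in range(folds):
        train = [i for i in range(len(X)) if i % folds != fold]
        held = [i for i in range(len(X)) if i % folds == fold]
        models = [m.fit([X[i] for i in train], [y[i] for i in train])
                  for m in make_bases()]
        preds = [m.predict([X[i] for i in held]) for m in models]
        for j, i in enumerate(held):
            meta_X[i] = [p[j] for p in preds]
    return meta_X

def fit_stack(X, y, folds=5):
    meta = VoteTable().fit(out_of_fold(X, y, folds), y)
    bases = [m.fit(X, y) for m in make_bases()]  # refit on all training rows
    return bases, meta

def predict_stack(bases, meta, X):
    cols = [m.predict(X) for m in bases]
    return meta.predict([list(row) for row in zip(*cols)])

if __name__ == "__main__":
    X, y = [f for f, _ in FLOWS], [label for _, label in FLOWS]
    bases, meta = fit_stack(X, y)
    print("1-NN alone:", bases[1].predict(PROBES))
    print("stack     :", predict_stack(bases, meta, PROBES))
```

On the constructed data, 1-NN scores perfectly on its own training rows yet mislabels two of them out of fold, so only the out-of-fold meta-features tell the meta-classifier when to distrust it. The third probe flow is labelled benign by 1-NN alone and DDoS-SlowLoris by the stack.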

4.6. Evaluation Metrics

In machine learning classification tasks, a confusion matrix is often used as an evaluation tool, as shown in Figure 6. It aids in comprehending how classification models perform across various classes. Segmenting the model’s outcomes into accurate (True) and inaccurate (False) groupings allows for a more profound insight into the model’s efficacy. This categorization hinges on evaluating the alignment between the model’s forecasts and the genuine classifications, in other words, the accuracy of the model’s categorical predictions. We can calculate a series of performance indicators, such as accuracy, precision, recall, and F1 score.
  • True Positive (TP): The model correctly predicts a sample that is actually a positive class as a positive class.
  • False Negative (FN): The model incorrectly predicts a sample that is a positive class as a negative class.
  • False Positive (FP): The model incorrectly predicts a sample that is a negative class as a positive class.
  • True Negative (TN): The model correctly predicts a sample that is a negative class as a negative class.
The confusion matrix forms the foundation for appraising the efficacy of classification models. It can help us calculate a variety of important performance indicators to quantify the performance of the model in different categories. The following evaluation indicators are calculated from the confusion matrix:
  • Accuracy: The correctness ratio reflects the fraction of instances that the model has categorized accurately in relation to the overall sample size, detailed in Equation (4).
    $$\mathrm{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \tag{4}$$
  • Precision: The precision metric reveals the percentage of instances that the model has labeled as positive and are indeed positive, with the computational approach outlined in Equation (5).
    $$\mathrm{Precision} = \frac{TP}{TP + FP} \tag{5}$$
  • Recall: Recall, also known as True Positive Rate (TPR) or sensitivity, refers to the proportion of samples that the model can correctly predict as positive among all positive samples. It is calculated as follows (6):
    $$\mathrm{Recall} = \frac{TP}{TP + FN} \tag{6}$$
  • F1-score: The F1 score is the harmonic mean of precision and recall, which combines the performance of both and is calculated as follows (7):
    $$F1 = \frac{2 \times (\mathrm{Precision} \times \mathrm{Recall})}{\mathrm{Precision} + \mathrm{Recall}} \tag{7}$$
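
The definitions above are binary, while the model is evaluated on many encoded classes, so each class has to be scored one-vs-rest. The following added example (not the authors' code) derives TP, FN, FP and TN per class and applies Equations (4) to (7); the counts are constructed for illustration and are not the article's results, and reading the per-class "recognition rate" as recall is an assumption.

```python
from collections import Counter

# Label codes from Table 5 of the article.
NAMES = {0: "BenignTraffic", 1: "DDoS-ACK_Fragmentation", 8: "DDoS-SlowLoris"}

# Constructed counts {(true, predicted): n}, 100 test flows per class.
CELLS = {(0, 0): 87, (0, 1): 5, (0, 8): 8,
         (1, 0): 2, (1, 1): 96, (1, 8): 2,
         (8, 1): 1, (8, 8): 99}

def expand(cells):
    """Turn confusion-matrix cells into parallel true/predicted label lists."""
    y_true, y_pred = [], []
    for (t, p), n in cells.items():
        y_true += [t] * n
        y_pred += [p] * n
    return y_true, y_pred

def per_class_metrics(y_true, y_pred):
    """One-vs-rest TP/FN/FP/TN and Equations (5)-(7) for every class."""
    pairs = Counter(zip(y_true, y_pred))
    report = {}
    for c in sorted(set(y_true) | set(y_pred)):
        tp = pairs[(c, c)]
        fn = sum(n for (t, p), n in pairs.items() if t == c and p != c)
        fp = sum(n for (t, p), n in pairs.items() if t != c and p == c)
        tn = len(y_true) - tp - fn - fp
        # A class that is never predicted, or has no test samples, would
        # divide by zero; report 0.0 for it instead of failing.
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        f1 = (2 * precision * recall / (precision + recall)
              if precision + recall else 0.0)
        report[c] = {"TP": tp, "FN": fn, "FP": fp, "TN": tn,
                     "precision": precision, "recall": recall, "f1": f1}
    return report

def accuracy(y_true, y_pred):
    """Equation (4) carried over to many classes: correct / total."""
    return sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)

def macro(report, key):
    """Unweighted mean of one metric over all classes."""
    return sum(m[key] for m in report.values()) / len(report)

if __name__ == "__main__":
    y_true, y_pred = expand(CELLS)
    report = per_class_metrics(y_true, y_pred)
    for c, m in report.items():
        print(f"{NAMES[c]:24s} recall={m['recall']:.2f} "
              f"precision={m['precision']:.3f} f1={m['f1']:.3f}")
    print("accuracy", accuracy(y_true, y_pred), "macro F1", macro(report, "f1"))
```

With these counts the SlowLoris class has a recall of 0.99 but a lower precision, because benign flows misread as SlowLoris count as its false positives.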

5. Results and Discussion

The results shown in Table 4 are obtained by detecting all attack types based on the CICIOT dataset test set. This allows the overall performance of the evaluation model to be derived. Figure 6 shows the detection results of the model after selecting benign traffic and LDDoS traffic from the test set. This is used to evaluate the model’s ability to detect and identify these two types of traffic.
After training each model on the processed data of the selected feature set, the results shown in Table 4 are obtained. These results cover the detection of all attack types in the dataset and therefore show the overall detection performance of each model. Figure 6 shows the detection results of benign traffic and LDDoS alone. Although the other models recognize most of the attacks in the dataset, their recognition rate of benign traffic and LDDoS alone is not as high as that of the model proposed in this paper. Random forest (RF) reached an accuracy of 0.94, a precision of 0.94, a recall of 0.94, and an F1 score of 0.94. The support vector machine (SVM) reached an accuracy of 0.68, a precision of 0.73, a recall of 0.67, and an F1 score of 0.64. The accuracy, precision, recall, and F1 score of K Nearest Neighbors (KNN) all reached 0.83. The accuracy, precision, and recall of logistic regression (LR) all reached 0.65, and its F1 score was 0.62. The accuracy, precision, recall, and F1 score of XGBoost all reached 0.95. The traditional integrated algorithm model classified poorly, with an accuracy of 0.39, a precision of 0.35, a recall of 0.38, and an F1 score of 0.34. The model in the method proposed in this article has an accuracy of 0.95 and a precision, recall, and F1 score of 0.96, which is the best performance among these classification algorithms.
Figure 7 shows the detection of benign traffic (BenignTraffic) and low-speed DDoS attack traffic (DDoS-SlowLoris) by the model trained based on the behavioral feature dataset. The recognition rates of random forest RF for benign traffic and low-speed attack traffic are 0.78 and 0.98, respectively, and the recognition rates of support vector machine SVM for benign traffic and low-speed attack traffic are 0.72 and 0.29. The recognition rates of K Nearest Neighbors (KNN) for benign traffic and low-speed attack traffic are 0.48 and 0.87. The recognition rates of logistic regression algorithm LR for benign traffic and low-speed attack traffic are 0.51 and 0.44. The recognition rates of XGBoost for benign traffic and low-speed attack traffic are 0.81 and 0.89, while the recognition rates of traditional integrated algorithm model for benign traffic and low-speed attack traffic are 0.73 and 0.96. The recognition rates of the model in the method proposed in this paper for benign traffic and low-speed attack traffic are 0.87 and 0.99.
The DDoS detection model based on behavioral features and stacking achieved satisfactory results in identifying LDDoS attacks. It distinguished the two very well. The recognition rate of 0.87 in identifying benign traffic may be due to the lack of processing of discrete points in the training dataset. However, this also reflects that the behavior of benign traffic is not fixed. Compared with LDDoS attacks, we have captured its behavioral characteristics very well and identified it very well based on the behavioral characteristics.
Figure 8 is the confusion matrix of the model, which does not include attack types with too few samples. Because the stacking model needs to encode the classification, we provide Table 5 to show the attack types corresponding to the encoding in the confusion matrix. In Figure 8, 0 represents benign traffic, and 8 represents DDoS-SlowLoris. The model can distinguish LDDoS from benign traffic very well. Among them, 99% of the test cases of LDDoS can be correctly identified, and 1% of the cases are identified as DDoS-ACK_Fragmentation numbered 1. This may be related to the dataset; the overall performance is also very good, and the recognition of other types of attacks also has good performance. The recognition ability of the model in numbers 13, 17, 21, 22, and 23 needs to be improved.
We continue to compare our method with other methods. We selected four methods to study LDDoS, namely MF-Adaboost [6], BP neural network [32], PSD [33], and Two-step’s clustering Analysis [34]. These methods only aim at the detection rate obtained by LDDoS traffic detection. Two step’s clustering analysis does not give the number of true (TP) and false negatives (FN). We assume that these values are 0 (that is, the model performs perfectly in these aspects), and the accuracy of the reasoning is calculated. Table 6 shows that this method is superior to other methods in detection accuracy. The proposed method exhibits excellent performance in detecting LDDoS attack targets, proving its ability to effectively detect LDDoS attacks.

6. Conclusions and Future Research Directions

This paper proposes a DDoS detection method based on behavioral features and stacking mechanisms. This method analyzes the attack behavior pattern of LDDoS, proposes interactive features based on the behavior pattern for the identification of low-speed attacks, and then uses the mechanism of the stacking model to improve the recognition effect. The model proposed in the method has good superiority in the latest intrusion attack dataset CIC-IOT2023, with an accuracy of 0.96, a precision of 0.96, a recall rate of 0.96, and an F1 score of 0.96. Compared with other low-speed studies, it better distinguishes normal traffic from low-speed attack traffic, and the recognition rate of LDDoS reaches 99%. Experimental results show that the method proposed in this paper is feasible in terms of the accuracy of LDDoS attack detection. In the future, the model will be further improved to improve performance and experimental evaluation will be carried out on more datasets.

Author Contributions

Conceptualization, J.Y. (Junwei Ye), Z.W. and C.W.; Methodology, J.Y. (Junwei Ye); Software, J.Y. (Junwei Ye); Validation, J.Y. (Junwei Ye) and Z.W.; Formal analysis, C.W. and J.Y. (Jichen Yang); Investigation, C.Z.; Resource and data curation, Writing—original draft preparation, J.Y. (Junwei Ye); Writing—review and editing, J.Y. (Junwei Ye) and C.W.; Supervision, J.Y. (Junwei Ye); Project administration, J.Y. (Junwei Ye); Funding acquisition, J.Y. (Junwei Ye). All authors have read and agreed to the published version of the manuscript.

Funding

This work was supported in part by the Science, Technology Program (Key R&D Program (funder)) of Guangzhou (funding number 2023B01J0004), special projects in key areas of Guangdong Provincial Department of Education (funder) (funding number 2023ZDZX1006), and the Research project of Guangdong Polytechnic Normal University (funder), China (funding number 2023SDKYA019).

Data Availability Statement

The original data (CIC-IOT) [35] presented in the study are openly available in www.unb.ca/cic/datasets/iotdataset-2023.html.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Yin, W.; Cui, Y.; Qian, Q.; Shen, G.; Guo, C.; Li, S. DIAMOND: A structured coevolution feature optimization method for LDDoS detection in SDN-IoT. Wirel. Commun. Mob. Comput. 2021, 2021, 9530274.
  2. Zhijun, W.; Wenjing, L.; Liang, L.; Meng, Y. Low-rate DoS attacks, detection, defense, and challenges: A survey. IEEE Access 2020, 8, 43920–43943.
  3. Cai, T.; Li, Y.; Jia, T.; Zhang, L.Y.; Yang, Z. Catch Me If You Can: A New Low-Rate DDoS Attack Strategy Disguised by Feint. In Proceedings of the 2023 26th International Conference on Computer Supported Cooperative Work in Design (CSCWD), Rio de Janeiro, Brazil, 24–26 May 2023; IEEE: New York, NY, USA, 2023.
  4. Alashhab, A.A.; Zahid, M.S.M.; Azim, M.A.; Daha, M.Y.; Isyaku, B.; Ali, S. A survey of low rate ddos detection techniques based on machine learning in software-defined networks. Symmetry 2022, 14, 1563.
  5. Aladaileh, M.A.; Anbar, M.; Hintaw, A.J.; Hasbullah, I.H.; Bahashwan, A.A.; Al-Amiedy, T.A.; Ibrahim, D.R. Effectiveness of an entropy-based approach for detecting low-and high-rate DDoS attacks against the SDN controller: Experimental analysis. Appl. Sci. 2023, 13, 775.
  6. Tang, D.; Tang, L.; Dai, R.; Chen, J.; Li, X.; Rodrigues, J.J. MF-Adaboost: LDoS attack detection based on multi-features and improved Adaboost. Future Gener. Comput. Syst. 2020, 106, 347–359.
  7. Zhi-Jun, W.; Hai-Tao, Z.; Ming-Hua, W.; Bao-Song, P. MSABMS-based approach of detecting LDoS attack. Comput. Secur. 2012, 31, 402–417.
  8. Siracusano, M.; Shiaeles, S.; Ghita, B. Detection of LDDoS attacks based on TCP connection parameters. In Proceedings of the 2018 Global Information Infrastructure and Networking Symposium (GIIS), Thessaloniki, Greece, 23–25 October 2018; IEEE: New York, NY, USA, 2018.
  9. Rufai, K.I.; Muniyandi, R.C.; Othman, Z.A. Improving bee algorithm based feature selection in intrusion detection system using membrane computing. J. Netw. 2014, 9, 523.
  10. Wu, Z.; Zhang, L.; Yue, M. Low-rate DoS attacks detection based on network multifractal. IEEE Trans. Dependable Secur. Comput. 2015, 13, 559–567.
  11. Zhijun, W.; Qing, X.; Jingjie, W.; Meng, Y.; Liang, L. Low-rate DDoS attack detection based on factorization machine in software defined network. IEEE Access 2020, 8, 17404–17418.
  12. Kumar, M.A.V.; Udayakumar, R. Identifying and blocking high and low rate DDOS ICMP flooding. Indian J. Sci. Technol. 2015, 8, 6.
  13. Kieu, M.V.; Nguyen, D.T.; Nguyen, T.T. Using CPR metric to detect and filter low-rate DDoS flows. In Proceedings of the 8th International Symposium on Information and Communication Technology, Nha Trang, Vietnam, 7–8 December 2017.
  14. Bhuyan, M.H.; Elmroth, E. Multi-scale low-rate DDoS attack detection using the generalized total variation metric. In Proceedings of the 2018 17th IEEE International Conference on Machine Learning and Applications (ICMLA), Orlando, FL, USA, 17–20 December 2018; IEEE: New York, NY, USA, 2018.
  15. Perez-Diaz, J.A.; Valdovinos, I.A.; Choo, K.-K.R.; Zhu, D. A flexible SDN-based architecture for identifying and mitigating low-rate DDoS attacks using machine learning. IEEE Access 2020, 8, 155859–155872.
  16. Kaur, K.P.; Kaur, N.; Singh, G. Simulation and Detection of LDDoS Attacks using Queuing Algorithms. Int. J. Comput. Appl. 2014, 88, 32–36.
  17. Alashhab, A.A.; Zahid, M.S.M.; Abdullahi, M.; Rahman, S. Real-time Detection of Low-Rate DDoS Attacks in SDN-based Networks using Online Machine Learning Model. In Proceedings of the 2023 7th Cyber Security in Networking Conference (CSNet), Quebec, QC, Canada, 16–18 October 2023; IEEE: New York, NY, USA, 2023.
  18. Jadhav, P.N.; Patil, B.M. Low-rate DDOS attack detection using optimal objective entropy method. Int. J. Comput. Appl. 2013, 78, 33–38.
  19. Lin, J.; Zhang, C.; Cai, Z.; Liu, Q.; Yin, J. A TCP-friendly AQM algorithm to mitigate low-rate DDoS attacks. Int. J. Auton. Adapt. Commun. Syst. 2016, 9, 149–163.
  20. Kieu, M.V.; Nguyen, T.T. A way to estimate TCP throughput under low-rate DDoS attacks: One TCP flow. In Proceedings of the 2020 RIVF International Conference on Computing and Communication Technologies (RIVF), Ho Chi Minh, Vietnam, 14–15 October 2020; IEEE: New York, NY, USA, 2020.
  21. Liu, Z.; Guo, C.; Liu, D.; Yin, X. An asynchronous federated learning arbitration model for low-rate ddos attack detection. IEEE Access 2023, 11, 18448–18460.
  22. Marvi, M.; Arfeen, A.; Uddin, R. A generalized machine learning-based model for the detection of DDoS attacks. Int. J. Netw. Manag. 2021, 31, e2152.
  23. Şimşek, M.; Şentürk, A. Fast and lightweight detection and filtering method for low-rate TCP targeted distributed denial of service (LDDoS) attacks. Int. J. Commun. Syst. 2018, 31, e3823.
  24. Ren, J.; Liu, Y.; Wu, J.; Li, J.; Wang, K. Smart NCAP supporting low-rate DDoS detection for IEEE 21451-1-5 internet of things. In Proceedings of the 2019 IEEE International Conference on Industrial Cyber Physical Systems (ICPS), Taipei, Taiwan, 6–9 May 2019; IEEE: New York, NY, USA, 2019.
  25. Duravkin, I.; Loktionova, A.; Carlsson, A. Method of slow-attack detection. In Proceedings of the 2014 First International Scientific-Practical Conference Problems of Infocommunications Science and Technology, Kharkov, Ukraine, 14–17 October 2014; IEEE: New York, NY, USA, 2014.
  26. Saia, R.; Carta, S.; Recupero, D.R. A Probabilistic-driven Ensemble Approach to Perform Event Classification in Intrusion Detection System. In Proceedings of the KDIR 10th International Joint Conference on Knowledge Discovery, Knowledge Engineering and Knowledge Management, Seville, Spain, 18–20 September 2018.
  27. Dutta, V.; Choraś, M.; Pawlicki, M.; Kozik, R. A deep learning ensemble for network anomaly and cyber-attack detection. Sensors 2020, 20, 4583.
  28. Kumar, G.; Thakur, K.; Ayyagari, M.R. MLEsIDSs: Machine learning-based ensembles for intrusion detection systems—A review. J. Supercomput. 2020, 76, 8938–8971.
  29. Alaba, A.; Maitanmi, S.; Ajayi, O. An ensemble of classification techniques for intrusion detection systems. Int. J. Comput. Sci. Inf. Secur. (IJCSIS) 2019, 17, 24–33.
  30. Oriola, O. A stacked generalization ensemble approach for improved intrusion detection. Int. J. Comput. Sci. Inf. Secur. (IJCSIS) 2020, 18, 62–67.
  31. Tang, J.; Alelyani, S.; Liu, H. Data Classification: Algorithms and Applications. In Data Mining and Knowledge Discovery Series; CRC Press: Boca Raton, FL, USA, 2015; pp. 498–500.
  32. Wu, Z.-J.; Zhang, J.-A.; Yue, M.; Zhang, C.-F. Approach of detecting low-rate dos attack based on combined features. J. Commun. 2017, 38, 19–30.
  33. Agrawal, N.; Tapaswi, S. Low rate cloud ddos attack defense method based on power spectral density analysis. Inform. Process. Lett. 2018, 138, 44–50.
  34. Hussain, T.; Saeed, M.I.; Khan, I.U.; Aslam, N.; Aljameel, S.S. Implementation of a clustering-based LDDoS detection method. Electronics 2022, 11, 2804.
  35. Neto, E.C.P.; Dadkhah, S.; Ferreira, R.; Zohourian, A.; Lu, R.; Ghorbani, A.A. CICIoT2023: A real-time dataset and benchmark for large-scale attacks in IoT environment. Sensors 2023, 23, 5941.
Figure 1. LDDOS Attack square wave.
Figure 2. Composition of interactive features.
Figure 3. Classifier detection on original data.
Figure 4. Stacking ensemble model on behavioral feature.
Figure 5. Model of the method.
Figure 6. Confusion matrix.
Figure 7. Identification of BenignTraffic and DDoS-SlowLoris.
Figure 8. Confusion matrix of the model.
Table 1. Behavioral characteristics of LDDoS attacks.
| LDDoS Behavioral Feature | Description |
|---|---|
| Slow data transmission | Attackers send data at extremely slow speeds. |
| Periodic attack flow | Utilize periodic pulse attack streams to disrupt victims with higher attack efficiency and less easily detected. |
| Resource occupancy | Attackers establish hundreds or even thousands of connections until all resources used for incoming connections on the server are exhausted. |
| Difficult to detect | Due to the similarity between attack traffic and normal traffic, low-speed DDoS attacks are difficult to detect using traditional rate detection techniques. |
| Long term occupancy of connections | Attackers bundle each thread with slow requests to prevent real users from accessing the service. |
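Table 2. CICIoT2023 features.
| No | Name | No | Name | No | Name |
|---|---|---|---|---|---|
| 1 | flow_duration | 16 | syn_count | 31 | ICMP |
| 2 | Header_Length | 17 | fin_count | 32 | IPv |
| 3 | Protocol Type | 18 | urg_count | 33 | LLC |
| 4 | Duration | 19 | rst_count | 34 | Tot sum |
| 5 | Rate | 20 | HTTP | 35 | Min |
| 6 | Srate | 21 | HTTPS | 36 | Max |
| 7 | Drate | 22 | DNS | 37 | AVG |
| 8 | fin_flag_number | 23 | Telnet | 38 | Std |
| 9 | syn_flag_number | 24 | SMTP | 39 | Tot size |
| 10 | rst_flag_number | 25 | SSH | 40 | IAT |
| 11 | psh_flag_number | 26 | IRC | 41 | Number |
| 12 | ack_flag_number | 27 | TCP | 42 | Magnitue |
| 13 | ece_flag_number | 28 | UDP | 43 | Radius |
| 14 | cwr_flag_number | 29 | DHCP | 44 | Covariance |
| 15 | ack_count | 30 | ARP | 45 | Variance |
| | | | | 46 | Weight |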
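Table 3. Selected features.
| No | Name | No | Name | No | Name |
|---|---|---|---|---|---|
| 2 | Header_Length | 34 | Tot sum | 47 | P_H |
| 3 | Protocol Type | 35 | Min | 48 | H_R |
| 4 | Duration | 36 | Max | 49 | f_P |
| 5 | Rate | 37 | AVG | 50 | P_R |
| 6 | Srate | 38 | Std | 51 | r_R |
| 9 | syn_flag_number | 39 | Tot size | 52 | f_r |
| 15 | ack_count | 40 | IAT | 53 | u_R |
| 16 | syn_count | 42 | Magnitue | 54 | s_R |
| 18 | urg_count | 43 | Radius | 55 | f_u |
| 19 | rst_count | 44 | Covariance | 56 | f_s |
| 28 | UDP | | | 57 | a_R |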
Table 4. Performance of each classification model.
| Model | Accuracy | Precision | Recall | F-Score |
|---|---|---|---|---|
| RF | 0.946 | 0.948 | 0.947 | 0.948 |
| SVM | 0.68 | 0.735 | 0.677 | 0.642 |
| KNN | 0.833 | 0.835 | 0.835 | 0.834 |
| LR | 0.658 | 0.654 | 0.656 | 0.629 |
| XGB | 0.953 | 0.955 | 0.954 | 0.954 |
| Classical Stacking model | 0.395 | 0.35 | 0.386 | 0.347 |
| Proposed model of the method | 0.959 | 0.96 | 0.96 | 0.96 |
Table 5. Confusion matrix encoding corresponding types.
| Type | Code | Type | Code |
|---|---|---|---|
| BenignTraffic | 0 | DDoS-UDP_Fragmentation | 12 |
| DDoS-ACK_Fragmentation | 1 | DNS_Spoofing | 13 |
| DDoS-HTTP_Flood | 2 | DoS-SYN_Flood | 14 |
| DDoS-ICMP_Flood | 3 | DoS-TCP_Flood | 15 |
| DDoS-ICMP_Fragmentation | 4 | DoS-UDP_Flood | 16 |
| DDoS-PSHACK_Flood | 5 | MITM-ArpSpoofing | 17 |
| DDoS-RSTFINFlood | 6 | Mirai-greeth_flood | 18 |
| DDoS-SYN_Flood | 7 | Mirai-greip_flood | 19 |
| DDoS-SlowLoris | 8 | Mirai-udpplain | 20 |
| DDoS-SynonymousIP_Flood | 9 | Recon-HostDiscovery | 21 |
| DDoS-TCP_Flood | 10 | Recon-OSScan | 22 |
| DDoS-UDP_Flood | 11 | Recon-PortScan | 23 |
| | | VulnerabilityScan | 24 |
Table 6. Comparison results.
| Method | Detection Rate |
|---|---|
| MF-Adaboost | 0.9706 |
| BP neural network | 0.9668 |
| PSD | 0.951 |
| Two-step’s clustering Analysis | 0.9817 |
| Proposed Model of The Method | 0.99 |

Share and Cite

MDPI and ACS Style

Ye, J.; Wang, Z.; Yang, J.; Wang, C.; Zhang, C. An LDDoS Attack Detection Method Based on Behavioral Characteristics and Stacking Mechanism. IoT 2025, 6, 7. https://doi.org/10.3390/iot6010007
