**4. Discussion**

In this study, the ns-3 simulation tool was used to identify botnet C&Cs for countering DDoS attacks and to examine the success probability of DDoS attacks along different attack paths for tracing attack sources in a distributed network. The following situation was simulated: an attacker uses a fake IP address to conduct DDoS attacks and analyses the success probability of the attack source. The applicability of the proposed LS-PSO–IPTBK model was examined using two botnet examples.

For security concerns in academic networks, simulations were performed using the ns-3 software with the BRITE framework on a personal computer with a 2.7-GHz Intel Dual-Core computer processing unit equipped with 4 GB of DDR3 RAM running on Debian 10.9.0 Stable. The simulation of the network security is a cost-effective method for evaluating, testing, and selecting a suitable algorithm. In the simulations, defenders could examine all of the routing options for DDoS attacks and evaluate the basic performance of IPTBK algorithms.

#### *4.1. Case Study I: Network Performance Analysis for DDoS Attacks (32 Nodes)*

The first example considers the profiles of DDoS attacks on Internet of Things (IoT) devices on a cloud server. A network intrusion detection system was constructed using the following three processes: (1) data pre-processing, (2) attack path reconstruction, and (3) model validation. The workflow of security analysis is illustrated in Figure 4.

#### Step 1: Data preprocessing

#### 4.1.1. Creation of the Network Topology

The ns-3 software was deployed with the BRITE framework to generate 32 nodes with integer position coordinates over a rectangular area of 300 × 300, as displayed in Figure 6. As depicted in Figure 6, the simulated network topology consisted of two local area networks (LANs). Simulated hosts and routers were configured using a BriteTopologyHelper class. Furthermore, each of the four LANs had six host nodes, one switch node, one router node, and the relay nodes of the Internet. The attack sites were compromised IoT devices (host 1–host 5 in LAN 1). The switch node was designated as Switch 1. The victim was an online game server (host 11) in LAN 2 (host 6–host 10). We used the Python package networkx to construct the network topology. Each pair of adjacent nodes was an edge that was assigned a weight or cost in all paths. The function attribute res\_cost(x,y) was used to indicate the bandwidth and QoS of a path.

**Figure 6.** Simulated network topology specified by the BRITE framework (number of nodes = 32).

The routing cost of each route in the network topology must be set to decide the next hop path by using the command res\_cost = array ([*x*, *y*], weight = *x*). The lower the routing cost of a path, the higher the priority of a packet on it. A high-priority packet can traverse a low-cost path with a relatively small delay.

Step 1.2: Data pre-processing for DDoS threats

Attack paths were constructed using the following two-step procedure.

Step 1.2.1: Attack on the victim

In this step, the attack nodes 1, 6, and 11 (IP addresses of 192.168.1.1, 192.168.1.2, and 192.168.1.3, respectively) launched a series of low-rate DDoS attacks by using UDP floods against the online game server (host 17) in LAN 4. The victim (IP address of 192.168.4.3) listened by default on port 8008. Three cycles of attacks were conducted in 60 s to generate routing information on the victim node for conducting IPTBK, as illustrated in Figure 7.


**Figure 7.** Packet information in a series of low-rate DDoS attacks launched from nodes 1, 6, and 11.

A total of 2685 attack packets ( *m* = 2685) were sent to host 17 by using UDP floods. The average packet quantity of the visited node was the basis for updating the number of particles and assisting particle swarms to trace the sources of attacks by reconstructing the routes (Figure 8).

**Figure 8.** Four attack paths for DDoS attacks from nodes 1, 6, and 11 (number of nodes = 32).

Step 1.2.2: Data collection

We used Wireshark to collect samples of the network traffic flows on port 8008 of the victim, periodically gathering the routing information of DDoS attacks from the routers, as displayed in Figures 9 and 10. The traffic flows were recorded in the Pcap format. After the attack flow packets had been collected, scavetool was used to convert the recorded files to the comma-separated values (CSV) format for the reconstruction of attack paths.


**Figure 9.** Routing information collected from port 8008 using Wireshark.


**Figure 10.** Routing information summarized from the victim.

In practice, the defender uses the *traceroute* command to periodically validate the routing information of DDoS attacks from routers and decide the route from a given source by collecting the sequence of hops the packet traversed, as shown in Figure 11.


**Figure 11.** Using traceroute to validate the routing information of DDoS attacks.

#### Step 2: Route construction

The routing information generated in Step 1.2.2 was used as the input dataset of the PSO model. The main characteristics of the LS-PSO model were as follows: (1) the particle population was set equal to the number of packets collected related to DDoS attacks; (2) the number of generations was set to 500, and the route-searching rules were updated for each generation; (3) the initial value of *w*i (weighting factor) was 0.8; (4) c1 and c2 were set as 2.0 in Equation (4); and (5) the number of subswarms was 4. For the first particle swarm generated R was set to 5000 particles, and each subswarm had 20 particles (S = 20). Moreover, each particle was run for 500 iterations (n = 500).

#### 4.1.2. Dynamic Routing Costs of All the Routes

Considering the factors of traffic dynamics, including the bandwidth, traffic delay, and QoS requirements in the network transmission, we set different weights (i.e., cost) for each route in the network topology, and decided the next hop path by using the command res\_cost = array ([*x*, *y*], *w* = *x*) for paths *r1*–*r6*–*r8* and *r1*–*r4*–*r7*–*r8*. Figure 12 indicates that all paths had different routing costs and weights. The higher the routing cost, the lower the routing priority. The larger the weight (*w*), the larger the bandwidth. Moreover, the shorter the routing distance for a path, the higher the QoS.


**Figure 12.** Dynamic routing cost settings for paths *r1*–*r6*–*r8* and *r1*–*r4*–*r7*–*r8*.

As presented in Table 2, the simulated system comprised eight simple routes between *n*1, *n*6, and *n*11 (the attack nodes) and *n*17 (the victim). This information was obtained using the all\_simple\_paths application programming interface call in the networkx suite of ns-3.

**Table 2.** Set of simple routes between the attack nodes and the victim (*n*11).


Using the A\* search algorithm.

To verify the optimal path of DDoS attacks, the shortest route between the attack nodes and the victim was determined using the A\* algorithm [16]. The A\* algorithm is an improved version of Dijkstra's algorithm and can be used to identify the shortest path between any two end nodes in a search space. We compared the performance of the A\* and LS-PSO algorithms for solving the IPTBK problem. First, we used the A\* algorithm in the networkx suite to examine the situation in which *n*1, *n*6, and *n*11 attacked *n*17. By using this algorithm, the paths in Table 3 were identified as having the lowest costs.
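To make the candidate-route enumeration of Table 2 and the lowest-cost selection of Table 3 concrete, the following added example (not code from the paper) rebuilds in plain Python what the text does with networkx's all\_simple\_paths and A\* calls. It uses only the nodes that appear in Routes 1–5; the per-link res\_cost values are assumed, not the ones in Figure 12.

```python
import heapq
from itertools import count

# Constructed fragment of the 32-node topology: only the nodes named in
# Routes 1-5 of the text. Edge costs are assumed values, not Figure 12's.
EDGES = [
    ("n1", "sw1", 1), ("sw1", "r1", 1), ("r1", "r6", 2), ("r6", "r8", 2),
    ("r8", "sw4", 1), ("sw4", "n17", 1), ("r1", "r4", 2), ("r4", "r7", 2),
    ("r7", "r8", 2), ("n6", "sw2", 1), ("sw2", "r2", 1), ("r2", "r6", 2),
    ("n11", "sw3", 1), ("sw3", "r5", 1), ("r5", "r4", 2),
]

def build_topology(edges=EDGES):
    """Undirected weighted adjacency map: node -> {neighbour: res_cost}."""
    g = {}
    for x, y, cost in edges:
        g.setdefault(x, {})[y] = cost
        g.setdefault(y, {})[x] = cost
    return g

def path_cost(g, path):
    """Total routing cost of a hop sequence; lower cost = higher priority."""
    return sum(g[a][b] for a, b in zip(path, path[1:]))

def all_simple_paths(g, src, dst):
    """Every loop-free route src -> dst (the candidate set of Table 2)."""
    found, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            found.append(path)
            continue
        for nxt in g[node]:
            if nxt not in path:          # simple path: never revisit a node
                stack.append((nxt, path + [nxt]))
    return found

def astar_path(g, src, dst, h=lambda n: 0):
    """Lowest-cost route (Table 3); with h == 0 this is Dijkstra's search."""
    tie = count()
    frontier = [(h(src), next(tie), 0, src, [src])]
    best = {src: 0}                       # cheapest known cost to each node
    while frontier:
        _, _, cost, node, path = heapq.heappop(frontier)
        if node == dst:
            return path
        for nxt, w in g[node].items():
            new = cost + w
            if new < best.get(nxt, float("inf")):
                best[nxt] = new
                heapq.heappush(frontier, (new + h(nxt), next(tie), new, nxt, path + [nxt]))
    return None
```

With these costs the attack case *n*1 → *n*17 yields two simple routes, and the search returns the *r*1–*r*6–*r*8 route as the cheaper one.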

**Table 3.** Set of the shortest routes between the attack nodes and the victim (*n*11).


Using the LS-PSO algorithm.

We used the LS-PSO algorithm to analyse the possible attack path for the attack case *n*1 → *n*17. By reconstructing the attack path for this case, we applied the subgroup searching strategy to obtain the optimal solution. Particles travelled around all the paths and back to the attack origins according to the local and global updating rules presented in Equations (5)–(10). After 500 generations had been executed, the results revealed two possible attack paths for conducting model performance analysis.

Route 1: [*n*1, *sw*1, *r*1, *r*6, *r*8, *sw*4, *n*17]

Route 2: [*n*1, *sw*1, *r*1, *r*4, *r*7, *r*8, *sw*4, *n*17]

Similarly, the following paths were obtained for the attack cases *n*6 → *n*17 and *n*11 → *n*17.

Route 3: [*n*6, *sw*2, *r*2, *r*6, *r*8, *sw*4, *n*17]

Route 4: [*n*11, *sw*3, *r*5, *r*4, *r*7, *r*8, *sw*4, *n*17]

Route 5: [*n*11, *sw*3, *r*5, *r*4, *r*1, *r*6, *r*8, *sw*4, *n*17]

Step 3: Model validation phase

After 500 generations had been executed, the coverage rate of the attack path in the experimental case was calculated using Equation (10) (Table 4). The first three paths presented in Table 4 were selected as the possible attack paths for the experimental case, in which the minimum support threshold was *t* = 3%. As presented in Table 4, the LS-PSO–IPTBK model exhibited an accuracy of 99.07% (*m* = 2685) for static traffic; thus, the error rate was 0.93% for the network topology (number of nodes = 32).


**Table 4.** Possible paths of DDoS attacks (number of nodes = 32).

#### *4.2. Case study II: Network Performance Analysis for DDoS Attacks (64 Nodes)*

In the second experiment, a series of DDoS attacks was conducted in a simulated network topology (number of nodes = 64) using ns-3 with BRITE to evaluate the convergence performance of the proposed model. As shown in Figure 13, the simulated network topology consists of eight local area networks (LANs). The attack nodes, namely *n*1, *n*11, *n*21, *n*31, and *n*36, launched a series of low-rate DDoS attacks using UDP floods against node 17 (port 8008) in LAN 4. Six cycles of attacks were conducted in 60 s, and a total of 4526 attack packets (*m* = 4526) were sent to host 17 using UDP floods, as illustrated in Figure 14.

**Figure 13.** Simulated network topology specified by the BRITE framework (number of nodes = 64).

**Figure 14.** Six attack paths for Distributed Denial-of-Service (DDoS) attacks from nodes 1, 11, 21, 31, and 36.

Similar to the first experiment, we used the LS-PSO algorithm to analyse the possible attack path for the test cases (*n*1 → *n*17), (*n*11 → *n*17), (*n*21 → *n*17), (*n*31 → *n*17), and (*n*36 → *n*17). The coverage rate of the attack path in the experimental case was calculated using Equation (10), and the experimental results for the five cases are listed in Table 5.



Table 5 indicates that the LS-PSO accuracy for static traffic was 95.05% (*m* = 4526) and that the error rate was 4.95% for the network topology (number of nodes = 32). The effect of the network size on the number of packets required to construct the attack path was also investigated. Table 6 shows the accuracy and execution time for a test set of routing algorithms with different topology sizes. The experimental results indicate that the execution time of the PSO algorithm is higher than that of the LS-PSO algorithm, because the LS-PSO algorithm exploits the global optimal position through its regrouping strategy. Furthermore, the experimental results indicate that the traceback error decreased as the size of the testing data increased.

**Table 6.** Traceback accuracy vs. execution time of DDoS attacks using the proposed algorithm with A\* and PSO algorithm.


Obviously, the accuracy of the proposed algorithm is higher than those of the A\* and PSO algorithms. The two experimental results demonstrated that the traceback error increased with an increase in the size of the network topology (*ns*) for the LS-PSO algorithm. The overall accuracy rate for the two test cases was 97.06%.

#### *4.3. Case Study III: Network Performance Analysis for DDoS Attacks with Different Subswarms (64 Nodes)*

In practice, the LS-PSO algorithm needs to determine the best number of subswarms. The effect of the search strategy with different numbers of subswarm particles (*ns* = 2, 4, and 8) on the number of packets required to construct the attack path in a medium-scale network topology was also investigated. For similar test runs, a series of DDoS attacks was conducted on two simulated network topologies (number of nodes = 32 and 64) to evaluate the convergence performance of the proposed model (Figures 10 and 12). In the experiment, the attacker flooded the victim with packets originating from the attack nodes.

A total of 4526 attack packets were sent in irregular bursts within 120 s to congest the link. Table 7 presents the coverage percentage achieved with the proposed model in the experiment. The results presented in Table 7 indicate that the accuracy of the LS-PSO algorithm was 97.96% when the number of subswarms was 2 (*R* = 5000, *S* = 20, and 500 generations); thus, the corresponding error rate was 2.04%. Moreover, the accuracy of the aforementioned algorithm was 98.29% and 97.60% when using four and eight subswarms, respectively. The experimental results indicated that the LS-PSO scheme achieved a higher accuracy for medium-scale networks when using four subswarms than when using two or eight subswarms.


**Table 7.** Experimental results obtained with different numbers of subswarms.
