DDoS Detection Using Hybrid Deep Neural Network Approaches
Department of Mathematics and Computer Science
Mizoram University
Aizawl, India
Abstract—In this study, we provide Deep Neural Network (DNN) based approaches to detecting Distributed Denial-of-Service (DDoS) attacks. In order to improve the DNN’s accuracy, the suggested approaches use two different hybrid DNN scenario detections to demonstrate the possibilities. As training and testing data, we use the publicly available Intrusion Detection datasets CIC-IDS2017 and CIC-DDoS2019. Experiments have shown that the presented approaches are 99.9% effective at detecting attacks.

Keywords—DDoS, DNN, DCNNBiLSTM, DCNNGRU, Deep Learning

I. INTRODUCTION

Attacks from hackers have gotten more sophisticated and destructive as information technology has evolved to become more and more powerful. Point-to-point attacks are the foundation of the typical DoS attack model, in which the hacker uses a single, highly capable computer to launch an attack on the victim. The original DoS attack has developed into what is known as a DDoS attack. Network services are rendered inoperable when a high volume of traffic from several sources is used to overwhelm the target. DDoS attacks are implemented at many network levels via the use of various protocols. Therefore, the ability to detect and stop DDoS attacks is crucial to maintaining network integrity.

The success of computer games, specifically AlphaGo, in defeating the world’s best human chess player, as well as the success of very advanced artificial intelligence (AI) for any nonplayer-controlled characters, has made the term “deep learning” popular. Technology giants like Google and Microsoft have used deep learning with great success in a variety of their products. Natural language processing (NLP), biological information, and pattern recognition (image, speech, emotion, etc.) are just a few examples of how deep learning technology has been embedded in people’s daily lives, whether or not they are aware of it.

To safeguard networks from intrusions, the Intrusion Detection System (IDS) plays a crucial role. An IDS is software that constantly monitors network traffic and notifies administrators of any abnormalities. Since the open-source tools don’t all adhere to the same rule to detect abnormalities, it’s crucial to comprehend the specifics of each attack type before compiling IDS detection patterns with others such as signature and rule-based detection. Even though IDS tools vary in their capabilities, they all have the ability to identify a variety of threats.

When it comes to cybersecurity, deep learning has been shown to be useful for a variety of tasks, including the categorization of attacks and the detection of abnormal patterns of behavior. In this work, we use Google’s TensorFlow, an open-source deep-learning package. However, DNN is used herein. Although DNN is often regarded as a more efficient alternative to Gated Recurrent Unit (GRU), it is often criticized for its low complexity and poor accuracy. However, DNN can potentially achieve high accuracy like GRU by being made more sophisticated. Due to the presence of potentially worthless features in the dataset, preprocessing may be used to eliminate them, improving deep learning’s detection power.

A distributed denial of service (DDoS) attack is launched when a hacker employs a network of infected computers, often known as “zombies.” To start a DDoS attack, hackers first get control of a large number of victim hosts, where they then deploy the attack’s program and order them to begin the attack. Because DDoS attacks often target a huge number of machines indirectly, anyone’s host might be targeted. DoS and scan attacks, for example, account for as much as 35% of the most common types of cyberattacks [1]. For this reason, we focus on identifying DDoS or DoS attacks in this work.

Since large amounts of data transfer (in bytes, packets, or flows) are typical of DDoS attacks, attacks like TCP/SYN will have a major effect on the victim’s computer, particularly cloud servers. There is a risk of permanent data loss in the event of a server disaster in the cloud because of the inability to restore communication and services in the event of a crash. Therefore, it is crucial to design a method to identify DDoS attacks.

Here are the primary areas where this study has a significant impact.
• To improve the reliability of identifying DDoS attacks in network traffic, we develop a DNN-based technique.
• When it comes to the accuracy of deep learning models, we test to see whether DNN can improve.
• When compared to other types of neural networks, the suggested approaches perform excellently.
Authorized licensed use limited to: CHONGQING UNIVERSITY. Downloaded on December 28,2024 at 05:40:13 UTC from IEEE Xplore. Restrictions apply.
of feature selection eliminates 8 irrelevant features. The first result is a 99.97% detection rate for attack flows, and the second is a 94.57% success rate for categorizing those flows into reflection-based attacks and exploitation-based attacks.

For SDN, Elsayed et al. [12] suggested DDoSNet, an intrusion detection system for DDoS attacks. The technology relies on a combination of deep learning and RNN with an autoencoder (AE). The CICDDoS2019 [10] dataset is utilized for both development and evaluation purposes. Due to the removal of unnecessary features after data preparation, only 77 features are collected, but no technique for selecting features is offered. The proposed method could achieve a 99% accuracy rate in identifying both malicious and benign traffic patterns.

K. Yang et al. [13] proposed an Autoencoder termed AE-D3F to conquer the DDoS attacks. They used two public datasets: the UNB CIC-IDS2017 [3] dataset and the MAWI⁵ dataset. The experiment could achieve an 82.00% accuracy rate.

D. Erhan et al. [14] proposed a Matching Pursuit algorithm method to detect DDoS attacks. They used the CAIDA 2008⁶ and BOUN DDoS⁷ datasets to train the proposed method. The experiment could achieve a 99.68% accuracy rate for a DDoS attack.

F. Hussain et al. [15] proposed a ResNet method to detect the DoS and the DDoS attacks. They used the CIC-DDoS2019 [10] dataset for training the method. The proposed method could achieve an 87% accuracy rate for recognizing different types of DoS and DDoS attacks. S. Shanmuga Priya et al. [16] proposed an ML-based method to detect DDoS attacks. They used kNN, RF, and NB to classify DDoS attacks. The proposed method could achieve a 98.5% accuracy rate for recognizing different types of DoS and DDoS attacks. N.B. Singh et al. [17] proposed a Wide and Deep Transfer Learning (WDTL) stacked GRU framework. They used the KDD-CUP99 and UNSW-NB15 datasets to train and validate the model. The experiment could achieve 99.92% and 94.22% accuracy rates respectively.

S. Leng et al. [18] proposed a hybrid DDoS attack detection termed DICOF to detect DDoS attacks. The hybrid adopts a GRU and an entropy-based method to quickly detect the DDoS attack. T. Visetbunditkun et al. [19] proposed an Ensemble of Machine Learning methods to detect DDoS attacks. The proposed method adopts the RFE algorithm to quickly detect DDoS attack floods. They compare the performance of RFE with other well-known algorithms. E. Fenil et al. [20] proposed a KSVD technique to detect DDoS attacks. The experiment could achieve an 89% accuracy rate. S. Nandi et al. [21] proposed a hybrid technique to detect DDoS attacks. They used the NSL-KDD dataset for training the proposed method. The experiment could achieve as high as 99.86% accuracy rate.

⁵ MAWI: http://mawi.wide.ad.jp/mawi/samplepoint-F/2019/
⁶ CAIDA 2008: https://www.caida.org/catalog/datasets/passive dataset/
⁷ BOUN DDoS: https://ieee-dataport.org/open-access/bo%C4%9Fazi%C3%A7i-university-ddos-dataset

TABLE I: Related Study

Sl No  Model                             Dataset                     Accuracy
1      CNN+LSTM [2]                      CIC-IDS2017                 97.16%
2      DNN [4]                           KDD-CUP99                   99.96%
2      DNN [4]                           NSL-KDD                     97.23%
3      DCNN-DSAE [6]                     -                           98.53%
4      CNN-ELM [7]                       CIC-IDS2017                 98.92%
4      CNN-ELM [7]                       InSDN                       99.91%
5      DNN [8]                           KDD-CUP99                   99.96%
5      DNN [8]                           NSL-KDD                     98.12%
5      DNN [8]                           UNSW-NB15                   81.70%
6      WDTL                              KDD-CUP99                   99.92%
6      WDTL                              UNSW-NB15                   94.22%
7      DNN [11]                          CIC-IDS2019-I               99.97%
7      DNN [11]                          CIC-IDS2019-II              94.57%
8      DDoSNet [12]                      CIC-DDoS2019                99.0%
9      AE-D3F [13]                       CIC-IDS2017, MAWI           82.0%
10     MP [14]                           CAIDA 2008, BOUN DDoS       99.68%
11     ResNet [15]                       CIC-DDoS2019                87.0%
12     Hybrid ML [21]                    NSL-KDD                     99.86%
13     kNN-RF-NB [16]                    -                           98.5%
14     KSVD [20]                         -                           89.0%
15     DCNNBiLSTM, DCNNGRU (this study)  CIC-IDS2017, CIC-DDoS2019   99.9%

III. METHODOLOGY

A. Dataset and Preprocessing

Following the IDS Datasets survey provided by Hnamte et al. [22], we use the two publicly available datasets CIC-IDS2017⁸ and CIC-DDoS2019⁹. These datasets reflect modern attack scenarios in real network traffic. CIC-IDS2017 contains a total of 225742 instances, including both attack and non-attack data, each with 85 network flow features and a label attribute. Since the data in the CIC-IDS2017 dataset is unbalanced, adjustments are made for this study: unnecessary features are dropped, reducing the number of features to 81, and the dataset is split into training data and testing data. Table II lists the dropped features from the CIC-IDS2017 dataset.

⁸ CIC-IDS2017: https://www.unb.ca/cic/datasets/ids-2017.html
⁹ CIC-DDoS2019: https://www.unb.ca/cic/datasets/ddos-2019.html

TABLE II: CIC-IDS2017 Dataset Dropped Features.

Features        Description
Flow ID         Unique Flow Identification allotted
Source IP       The source IP Address
Destination IP  The destination IP Address
Timestamp       The accessing date and time

Similarly, CIC-DDoS2019 contains traffic data for DDoS attack flows together with normal data flows. A total of 86 features were developed for the CICDDoS2019 dataset [10], where the dataset was split into two groups: reflection and exploitation.
Since the data in the CIC-DDoS2019 dataset is unbalanced, adjustments are made for this study: unnecessary features are dropped, reducing the number of features to 67, and the dataset is split into training data and testing data. Table III lists the dropped features from the CIC-DDoS2019 dataset.
[TABLE III: CIC-DDoS2019 Dataset Dropped Features. Table body missing.]
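An added example (not code from the paper) of the preprocessing described in this subsection: it drops the four Table II columns, discards flows with non-finite values, and splits per label so both sets keep the class ratio of the unbalanced data. The sample rows are constructed, and the padded header names, the Infinity/NaN cells, the 25% test fraction and the stratified split are assumptions; the paper states no split ratio, and the Table III drop list is not available on this page.

```python
import csv, io, math, random
from collections import defaultdict

# Identifier columns listed in Table II; dropped before training.
DROPPED = {"Flow ID", "Source IP", "Destination IP", "Timestamp"}

# Constructed sample flows (not real dataset records), two features only.
# Padded header names and Infinity/NaN cells are assumed CSV quirks.
SAMPLE_CSV = """Flow ID, Source IP, Destination IP, Timestamp, Flow Duration,Flow Bytes/s, Label
f01,192.0.2.1,198.51.100.9,7/7/2017 3:30,1200,9000.5,BENIGN
f02,192.0.2.2,198.51.100.9,7/7/2017 3:31,980,7100.0,BENIGN
f03,192.0.2.3,198.51.100.9,7/7/2017 3:32,0,Infinity,BENIGN
f04,192.0.2.4,198.51.100.9,7/7/2017 3:33,1500,8800.0,BENIGN
f05,192.0.2.5,198.51.100.9,7/7/2017 3:34,1100,6400.0,BENIGN
f06,203.0.113.1,198.51.100.9,7/7/2017 3:56,35,120000.0,DDoS
f07,203.0.113.2,198.51.100.9,7/7/2017 3:56,41,NaN,DDoS
f08,203.0.113.3,198.51.100.9,7/7/2017 3:56,38,131000.0,DDoS
f09,203.0.113.4,198.51.100.9,7/7/2017 3:56,29,140500.0,DDoS
f10,203.0.113.5,198.51.100.9,7/7/2017 3:57,33,118000.0,DDoS
f11,203.0.113.6,198.51.100.9,7/7/2017 3:57,30,125000.0,DDoS
f12,203.0.113.7,198.51.100.9,7/7/2017 3:57,36,133000.0,DDoS
f13,203.0.113.8,198.51.100.9,7/7/2017 3:57,40,129000.0,DDoS
f14,203.0.113.9,198.51.100.9,7/7/2017 3:58,31,137000.0,DDoS
"""

def load_flows(text):
    """Return (features, label) pairs with Table II columns removed."""
    flows = []
    for raw in csv.DictReader(io.StringIO(text)):
        row = {k.strip(): v.strip() for k, v in raw.items()}
        label = row.pop("Label")
        feats = {k: float(v) for k, v in row.items() if k not in DROPPED}
        # Skip flows with non-finite values; they would break scaling.
        if all(math.isfinite(x) for x in feats.values()):
            flows.append((feats, label))
    return flows

def stratified_split(flows, test_frac=0.25, seed=7):
    """Split per label so the unbalanced class ratio holds in both sets."""
    by_label = defaultdict(list)
    for flow in flows:
        by_label[flow[1]].append(flow)
    rng, train, test = random.Random(seed), [], []
    for label in sorted(by_label):
        group = by_label[label]
        rng.shuffle(group)
        n_test = max(1, round(len(group) * test_frac))
        test += group[:n_test]
        train += group[n_test:]
    return train, test

if __name__ == "__main__":
    train, test = stratified_split(load_flows(SAMPLE_CSV))
    print(len(train), "training flows,", len(test), "testing flows")
```

Dropping the address and flow-identifier columns also keeps a model from memorising which hosts generated the attack traffic in the capture, which would not carry over to another network.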
IV. RESULT AND DISCUSSION

We assessed the data set beforehand so that we could proceed with the experiment. As there are two files to work with in CIC-IDS2017 [3], they are combined before being divided into a training set and a testing set. In contrast, CIC-DDoS2019 [10] includes a total of 18 files, which are combined before being divided into two: one for training and one for testing.

Figure 1 depicts the experimental DNN model, and Table IV lists the values of the model’s parameters; the model has n input units, n hidden layers, 2n+1 hidden units, and n output features. We trained the DCNNBiLSTM model for 30 epochs using a batch size of 128, ReLU and sigmoid activation functions, categorical cross-entropy as the loss function, and Adam as the optimizer. Similarly, we trained the DCNNGRU model using Adam as the optimizer, for 30 epochs, with a batch size of 128, with ReLU and sigmoid as the activation functions, and categorical cross-entropy as the loss function.

Figure 2 displays the results of the training and testing done using the CIC-IDS2017 dataset with the DCNNBiLSTM model. The testing with the given features could achieve 99.9% accuracy and a 0.0035 loss rate. The accuracy performance is illustrated in Figure 2a, whereas Figure 2b illustrates the loss rate during the training and the testing phase. The confusion matrix of the model’s performance is illustrated in Figure 2c.

[Fig. 2: Model: DCNNBiLSTM with CIC-IDS2017. Panels: (a) Model Accuracy Performance, (b) Model Loss Performance, (c) Confusion Matrix.]

Figure 3 displays the results of the training and testing done using the CIC-DDoS2019 dataset with the DCNNBiLSTM model. The testing with the given features could achieve 99.95% accuracy and a 0.0022 loss rate. The accuracy performance is illustrated in Figure 3a, whereas Figure 3b illustrates the loss rate during the training and the testing phase. The confusion matrix of the model’s performance is illustrated in Figure 3c.

Figure 4 displays the results of the training and testing done using the CIC-IDS2017 dataset with the DCNNGRU model. The testing with the given features could achieve 99.92% accuracy and a 0.0029 loss rate. The accuracy performance is illustrated in Figure 4a, whereas Figure 4b illustrates the loss rate during the training and the testing phase. The confusion matrix of the model’s performance is illustrated in Figure 4c.

Figure 5 displays the results of the training and testing done using the CIC-DDoS2019 dataset with the DCNNBiLSTM model. The testing with the given features could achieve 99.93% accuracy and a 0.0025 loss rate. The accuracy performance is illustrated in Figure 5a, whereas Figure 5b illustrates the loss rate during the training and the testing phase. The confusion matrix of the model’s performance is illustrated in Figure 5c.

Table V displays the overall proposed model performance based on accuracy and loss rate.

V. CONCLUSION

In this work, we suggest a DDoS detection method that utilizes DNN in two methods to identify these malicious intrusions. The suggested methods are interesting because they
TABLE V: Performance of Proposed Models

Dataset       Model       Accuracy  Loss
CIC-IDS2017   DCNNBiLSTM  99.90%    0.0035
CIC-IDS2017   DCNNGRU     99.92%    0.0029
CIC-DDoS2019  DCNNBiLSTM  99.95%    0.0022
CIC-DDoS2019  DCNNGRU     99.93%    0.0025
[11] A. E. Cil, K. Yildiz, and A. Buldu, “Detection of DDoS attacks with feed forward based deep neural network model,” Expert Systems with Applications, vol. 169, p. 114520, 2021. doi: 10.1016/j.eswa.2020.114520.
[12] M. S. Elsayed, N.-A. Le-Khac, S. Dev, and A. D. Jurcut, “DDoSNet: A deep-learning model for detecting network attacks,” in 2020 IEEE 21st International Symposium on “A World of Wireless, Mobile and Multimedia Networks” (WoWMoM), pp. 391–396, 2020. doi: 10.1109/WoWMoM49955.2020.00072.
[13] K. Yang, J. Zhang, Y. Xu, and J. Chao, “DDoS attacks detection with AutoEncoder,” in NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium, pp. 1–9, 2020. doi: 10.1109/NOMS47738.2020.9110372.
[14] D. Erhan and E. Anarim, “Hybrid ddos detection framework using matching pursuit algorithm,” IEEE Access, vol. 8, pp. 118912–118923, 2020. doi: 10.1109/ACCESS.2020.3005781.
[15] F. Hussain, S. G. Abbas, M. Husnain, U. U. Fayyaz, F. Shahzad, and G. A. Shah, “IoT DoS and DDoS Attack Detection using ResNet,” in 2020 IEEE 23rd International Multitopic Conference (INMIC), pp. 1–6, 2020. doi: 10.1109/INMIC50486.2020.9318216.
[16] S. Priya, M. Sivaram, D. Yuvaraj, and A. Jayanthiladevi, “Machine Learning based DDOS Detection,” in 2020 International Conference on Emerging Smart Computing and Informatics (ESCI), pp. 234–237, 2020. doi: 10.1109/ESCI48226.2020.9167642.
[17] N. B. Singh, M. M. Singh, A. Sarkar, and J. K. Mandal, “A novel wide & deep transfer learning stacked GRU framework for network intrusion detection,” Journal of Information Security and Applications, vol. 61, p. 102899, 2021. doi: 10.1016/j.jisa.2021.102899.
[18] S. Leng, Y. Xie, Y. Zhang, Y. Guo, L. Fang, and F. Li, “DICOF: A distributed and collaborative framework for hybrid DDoS attack detection,” in 2022 IEEE Symposium on Computers and Communications (ISCC), pp. 1–7, 2022. doi: 10.1109/ISCC55528.2022.9912872.
[19] T. Visetbunditkun and W. Srichavengsup, “DDoS Attack Detection Using Ensemble Machine Learning Models with RFE Algorithm,” in 2022 7th International Conference on Business and Industrial Research (ICBIR), pp. 269–273, 2022. doi: 10.1109/ICBIR54589.2022.9786423.
[20] E. Fenil and P. M. Kumar, “Towards a secure Software Defined Network with adaptive mitigation of DDoS attacks by Machine Learning Approaches,” in 2022 International Conference on Advances in Computing, Communication and Applied Informatics (ACCAI), pp. 1–13, 2022. doi: 10.1109/ACCAI53970.2022.9752607.
[21] S. Nandi, S. Phadikar, and K. Majumder, “Detection of ddos attack and classification using a hybrid approach,” in 2020 Third ISEA Conference on Security and Privacy (ISEA-ISAP), pp. 41–47, 2020. doi: 10.1109/ISEA-ISAP49340.2020.234999.
[22] V. Hnamte and J. Hussain, “An extensive survey on intrusion detection systems: Datasets and challenges for modern scenario,” in 2021 3rd International Conference on Electrical, Control and Instrumentation Engineering (ICECIE), pp. 1–10, 2021. doi: 10.1109/ICECIE52348.2021.9664737.