DDoS Attack Detection Using Deep Learning
Corresponding Author:
Pongpisit Wuttidittachotti
Data Communication and Networking
King Mongkut's University of Technology North Bangkok
1518 Pracharat 1 Road, Wongsawang, Bang Sue District, Bangkok 10800, Thailand
Email: [email protected]
1. INTRODUCTION
Nowadays, the Internet has become an integral part of our daily lives and makes communication
easier. The Internet of Things (IoT) is becoming more widely used both in everyday life and in industry.
IoT devices are small and able to communicate with each other without requiring a human being during
communication [1], [2]. They can be applied to a variety of systems such as smart homes, smart farms, and
smart factories, which keeps increasing the number of IoT devices. It is predicted that by 2030 there will be
125 billion IoT devices connected to the Internet [3]. This puts all such devices at risk of being used in DDoS
attacks, because IoT devices cannot support a complex security structure given their limited resources, such
as processor and backup memory, making them especially vulnerable. If this vulnerability is not fixed, there
is a chance of the devices being attacked and compromised for use in DDoS attacks [4], [5].
DDoS attacks have been around for a long time. The first occurred on July 22, 1999, when a
computer at the University of Minnesota, running a malicious script named Trin00, attacked 114 other
computers [6], [7]. On October 21, 2016, Dyn, a DNS service provider, was attacked, causing Twitter,
GitHub, PlayStation Network, and other websites to be unavailable for a while. The IT security company said
the attack was linked to the Mirai IoT DDoS botnet [8], [9], and on February 28, 2018, GitHub was hit by a
1.35 Tbps DDoS attack with 126.9 million packets per second [10]. Aside from the service being unavailable
after an attack, a DDoS attack can also cause financial damage. Kaspersky Lab reports estimate the average
damage to small and medium-sized businesses (SMBs) at $120K, and to large companies at $2 million per
attack [11].
Threats arising from the growing number of IoT devices and new DDoS attack techniques have
motivated the detection and blocking of attacks with deep learning (DL). DL is useful for finding
relationships between the prominent features of a dataset that distinguish "normal" from "abnormal" traffic,
and it can predict the likelihood of new attacks in the future by learning from existing examples [12], [13].
Nowadays, DL is very popular because of its efficiency and its non-linear multi-layer processing; languages
such as Python, with supporting libraries, allow us to create artificial neural networks much more quickly
than in the past [14].
Unal et al. presented DDoS attack detection on the network with deep learning, using the NSL-KDD
dataset to show their IDS performance. The dataset consists of 23 different attacks with 41 features. They
reviewed the literature to reduce it to only the 24 features related to DDoS attacks. The accuracy is 98.8%
[15]. Diro and Chilamkurti also presented distributed attack detection in IoT with deep learning using the
same dataset, but using Apache Spark techniques to help train the model, achieving an accuracy of 96-99%.
However, the dataset used is an old one and therefore may not predict new attacks that could occur [16].
Doshi et al. used machine learning to detect DDoS in the IoT using data collected from real IoT
devices. They simulated a botnet attack environment and used five algorithms to measure performance: KN,
LSVM, DT, RF, and NN. From the results, the neural network had 98.9% accuracy on the dataset they created
[17].
In this research, we use the CICDDoS2019 dataset, a dataset of DDoS attacks, and apply deep
learning classification algorithms, learning from the dataset in order to find a suitable neural network
structure that can differentiate between normal data and attack data. The authors have organized this
presentation into the following sections: Introduction, Research Method, Results and Discussion, and
Conclusion.
1.3. Deep neural network (DNN) and long short-term memory (LSTM)
A deep neural network is a network for multi-layered inference based on logistic regression models
with two-dimensional input. All neural networks consist of an input layer, an output layer, and one or more
hidden layers. If there are many hidden layers, we call them deep neural networks. LSTMs were developed
from RNNs to mitigate the vanishing gradient and exploding gradient problems by creating an architecture
that can remember information for a long time. Given the above structure, DNN and LSTM can correlate
each item of data, including the use of supervised learning techniques to assist in the training process,
allowing DDoS to be detected more efficiently [21], [22].
2. RESEARCH METHOD
The operation overview in Figure 1 shows the process divided into 5 steps. In the first step, after we
obtain the datasets, they are not immediately usable, so we proceed to the next step. The second step is data
preparation: data cleaning, feature selection, and feature engineering are performed to prepare the data. In
the third step we split the datasets into three sets, creating training data, validation data, and testing data for
use in the training process. The fourth step is designing the deep neural network structure; in this step the
training data and validation data are used, and the hyperparameters are tuned in conjunction with the
validation process to determine the optimal structure. Once the structure is optimized for the datasets, the
fifth step is to evaluate the designed models using the testing data to measure the results.
2.1. Dataset
In this paper, we use the CICDDoS2019 dataset from the “Developing Realistic Distributed Denial of
Service (DDoS) Attack Dataset and Taxonomy” research. Its authors improved the existing dataset and
presented a new taxonomy for DDoS attacks, including bug fixes and a new classification based on network
flows. It also has features for detecting different types of DDoS attacks with a consistent weight [23].
Int J Artif Intell, Vol. 10, No. 2, June 2021: 382 – 388
Int J Artif Intell ISSN: 2252-8938 385
accurate. Therefore, the number of layers is adjusted to suit our dataset. 5) Hidden units: the number of
nodes in the hidden layer must be optimized so that there are enough to learn the complexity of the data.
6) Dropout is a technique that randomly drops connections between nodes during model training; since some
nodes may coincide, it also helps to reduce overfitting [25].
2.5. Evaluation
We measure the effectiveness of the deep learning model used to detect DDoS attacks with the
standard indicators derived from the confusion matrix: 1) Accuracy is the model's overall accuracy across all
samples. 2) Precision is the proportion of samples predicted as attacks that really are attacks. 3) Recall is the
proportion of all actual attacks that the model detects. 4) F-Measure or F1-Score is the harmonic mean of
precision and recall. The formulas for calculating these values are given in the equations below.
Accuracy = (TP+TN)/(TP+TN+FP+FN)
Precision = TP/(TP+FP)
Recall = TP/(TP+FN)
F-Measure = 2((Precision*Recall)/(Precision+Recall))
Where TP, TN, FP, and FN stand for true positives, true negatives, false positives, and false
negatives, respectively. This step will help us find the best model for the dataset we choose to use, as well as
how well the selected model will work in the future.
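The following is an added example, not code from the paper, that computes the four indicators above for a binary normal/attack classifier and sweeps the score cut-off on validation data (step 4 of the method), handling the zero-division case the formulas leave undefined. The labels and scores are constructed, not taken from CICDDoS2019.

```python
# Added example (not from the paper): the section 2.5 indicators for a binary
# normal (0) vs attack (1) classifier, plus an F1 threshold sweep. Data is constructed.
from dataclasses import dataclass

@dataclass
class Confusion:
    tp: int = 0  # attack flows flagged as attack
    tn: int = 0  # normal flows left alone
    fp: int = 0  # normal flows wrongly flagged (false alarms)
    fn: int = 0  # attack flows missed

def confusion(y_true, y_score, threshold=0.5):
    """Count TP/TN/FP/FN; a flow is flagged when its score >= threshold."""
    c = Confusion()
    for label, score in zip(y_true, y_score):
        flagged = score >= threshold
        if flagged and label == 1:
            c.tp += 1
        elif flagged and label == 0:
            c.fp += 1
        elif not flagged and label == 1:
            c.fn += 1
        else:
            c.tn += 1
    return c

def _ratio(num, den):
    return num / den if den else 0.0  # undefined ratio (e.g. nothing flagged) -> 0

def metrics(c):
    """Accuracy, precision, recall and F-measure exactly as in the paper's formulas."""
    precision = _ratio(c.tp, c.tp + c.fp)
    recall = _ratio(c.tp, c.tp + c.fn)
    return {
        "accuracy": _ratio(c.tp + c.tn, c.tp + c.tn + c.fp + c.fn),
        "precision": precision,
        "recall": recall,
        "f1": _ratio(2 * precision * recall, precision + recall),
    }

def best_threshold(y_true, y_score):
    """Pick the score cut-off that maximises F1 on validation data."""
    return max(sorted(set(y_score)),
               key=lambda t: metrics(confusion(y_true, y_score, t))["f1"])

# Constructed validation set: six attack flows and four normal flows with model scores.
Y_TRUE = [1, 1, 1, 1, 1, 1, 0, 0, 0, 0]
Y_SCORE = [0.99, 0.97, 0.93, 0.88, 0.62, 0.41, 0.05, 0.12, 0.33, 0.58]
```

On this imbalanced sample, accuracy stays at 0.4 even when the model flags nothing, which is why the paper also reports precision, recall and F1.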
For the features shown in Figure 4, we use the attributes selected in the dataset's own research,
because they gave better detection performance than our experiments in selecting the features ourselves. The
datasets that we choose to use are the Syn, UDP, and UDP-Lag attack datasets. Each dataset is divided into
training data (60%), validation data (10%), and test data (10%), respectively, and we feed the training data
into our deep network models.
Table 1 lists the hyperparameters. As the optimizer we use RAdam instead of Adam because it is
smoother during training, setting total_steps = 5,000, warmup_proportion = 0.1, and min_lr = 0.001, and we
set the number of epochs to ten because after that the model can no longer reduce its loss. The DNN and
LSTM tests achieved almost the same performance, but LSTM captured Syn Flood and UDP Flood attacks a
little better, while DNN detected UDP-Lag attacks slightly better. In the attack detection tests shown in
Tables 2 and 3, it can be seen that the DNN achieves an F1 score or F-Measure of .9995-.9997 and an
accuracy of .9993-.9995, while the LSTM achieves an F1 score or F-Measure of .9994-.9998 and an accuracy
of .9990-.9997 for all three types of DDoS classification.
4. CONCLUSION
In this article, we propose deep learning-based DDoS detection methods using the DNN and LSTM
algorithms. We designed the deep neural network structure appropriate for the classification of attacks in
the CICDDoS2019 dataset based on the results of three attack detection experiments. For the Syn Flood,
UDP Flood, and UDP-Lag types, the models distinguish "normal" from "abnormal" data with an average
accuracy of 99.90-99.97%. For future work, we plan to increase the variety of learning algorithms compared
with DNN and LSTM, and to test the models on the remaining attack types, such as DNS, NetBIOS, and
SNMP, to compare the performance of the model. We can also include different kinds of attack datasets to
increase the challenge of detecting attacks, and test the created model in the real world.
ACKNOWLEDGEMENTS
Thank you to Mr. Bhaskar Laha, Faculty of Information Technology and Digital Innovation, King
Mongkut's University of Technology North Bangkok, for English editing.
REFERENCES
[1] T. Yousuf, R. Mahmoud, F. Aloul, and I. Zualkernan, “Internet of Things (IoT) Security: Current Status,
Challenges and Countermeasures,” International Journal for Information Security Research (IJISR), vol. 5, no. 4,
December 2015, https://doi.org/10.1109/ICITST.2015.7412116.
[2] O. Bello and S. Zeadally, “Intelligent Device-to-Device Communication in the Internet of Things,” in IEEE
Systems Journal, vol. 10, no. 3, pp. 1172-1182, Sept. 2016, https://doi.org/10.1109/JSYST.2014.2298837.
[3] M. Miettinen and A. Sadeghi, “Keynote: Internet of Things or Threats? On Building Trust in IoT,” 2018
International Conference on Hardware/Software Codesign and System Synthesis (CODES+ISSS), Turin, pp. 1-9,
2018, doi: 10.1109/CODESISSS.2018.8525931.
[4] M. Abomhara and G. M. Kien, “Cyber security and the internet of things: Vulnerabilities, threats, intruders and
attacks,” in Journal of Cyber Security and Mobility, vol. 4, no. 1, pp. 65-88, Jan 2015,
https://doi.org/10.13052/jcsm2245-1439.414.
[5] A. Al-Fuqaha, M. Guizani, M. Mohammadi, M. Aledhari and M. Ayyash, “Internet of Things: A Survey on
Enabling Technologies, Protocols, and Applications,” in IEEE Communications Surveys & Tutorials, vol. 17, no. 4,
pp. 2347-2376, Fourth quarter 2015, https://doi.org/10.1109/COMST.2015.2444095.
[6] “The first DDoS attack was 20 years ago,” Emerging Technology from the arXiv. [Online]. Available:
https://www.technologyreview.com/s/613331/the-first-ddos-attack-was-20-years-ago-this-is-what-weve-learned-since/
[7] X. Yuan, C. Li and X. Li, “DeepDefense: Identifying DDoS Attack via Deep Learning,” 2017 IEEE International
Conference on Smart Computing (SMARTCOMP), Hong Kong, pp. 1-8, 2017,
https://doi.org/10.1109/SMARTCOMP.2017.7946998.
[8] J. Smith-Perrone and J. Sims, “Securing cloud, SDN and large data network environments from emerging DDoS
attacks,” 2017 7th International Conference on Cloud Computing, Data Science & Engineering - Confluence,
Noida, pp. 466-469, 2017, doi: 10.1109/CONFLUENCE.2017.7943196.
[9] Abhishta, R. V. Rijswijk-Deij, and L. J. M. Nieuwenhuis, “Measuring the impact of a successful DDoS attack on
the customer behaviour of managed DNS service providers,” ACM SIGCOMM Computer Communication Review,
vol. 48, no. 5, pp. 70-76, January 2019, https://doi.org/10.1145/3310165.3310175.
[10] H. K. Hyder and C. Lung, “Closed-Loop DDoS Mitigation System in Software Defined Networks,” 2018 IEEE
Conference on Dependable and Secure Computing (DSC), Kaohsiung, Taiwan, pp. 1-6, 2018, doi:
10.1109/DESEC.2018.8625125.
[11] “DDoS Breach Costs Rise to over $2M for Enterprises finds Kaspersky Lab Report,” Woburn, MA. [Online].
Available: https://usa.kaspersky.com/about/press-releases/2018_ddos-breach-costs-rise-to-over-2m-for-enterprises-finds-kaspersky-lab-report/.
[12] Y. Xin et al., “Machine Learning and Deep Learning Methods for Cybersecurity,” in IEEE Access, vol. 6, pp.
35365-35381, 2018, https://doi.org/10.1109/ACCESS.2018.2836950.
[13] Y. Imamverdiyev and F. Abdullayeva, “Deep Learning Method for Denial of Service Attack Detection Based on
Restricted Boltzmann Machine,” Big Data, vol. 6, no. 2, pp. 159-169, 2018, https://doi.org/10.1089/big.2018.0023.
[14] Y. LeCun, Y. Bengio, and G. Hinton, “Deep learning,” Nature, vol. 521, pp. 436-444, 2015,
https://doi.org/10.1038/nature14539.
[15] A. S. Unal and M. Hacibeyoglu, “Detection of DDOS Attacks in Network Traffic Using Deep Learning,”
International Conference on Advanced Technologies, Computer Engineering and Science (ICATCES18).
http://indexive.com/Paper/157/detection-of-ddos-attacks-in-network-traffic-using-deep-learning.
[16] A. A. Diro and N. Chilamkurti, “Distributed attack detection scheme using deep learning approach for Internet of
Things,” Future Generation Computer Systems, vol. 82, pp. 761-768, May 2018,
https://doi.org/10.1016/j.future.2017.08.043.
[17] R. Doshi, N. Apthorpe and N. Feamster, “Machine Learning DDoS Detection for Consumer Internet of Things
Devices,” 2018 IEEE Security and Privacy Workshops (SPW), San Francisco, CA, pp. 29-35, 2018,
https://doi.org/10.1109/SPW.2018.00013.
BIOGRAPHIES OF AUTHORS
Mr. Thapanarath Khempetch was born in Suphan Buri in 1991. He received a Bachelor of
Engineering in Computer Engineering from the Faculty of Engineering, Kasetsart University, in 2016. At
present, he is studying for a Master of Science in Data Communication and Networking at King Mongkut’s
University of Technology North Bangkok, since 2018.
Dr. Pongpisit Wuttidittachotti is currently an associate professor and head of the Department
of Data Communication and Networking at the Faculty of Information Technology and Digital
Innovation, King Mongkut’s University of Technology North Bangkok (KMUTNB), Thailand.
He received his Ph.D. in Networks, Telecommunications, Systems and Architectures from
INPT-ENSEEIHT, France. He received an outstanding employee award in social service at
the university level in 2019, and outstanding employee awards at the faculty level and the
university level in 2020. He holds more than 30 recognized certifications, for example, CISSP,
CISM, CISA, CRISC, CGEIT, IRCA ISO/IEC 27001:2013 Lead Auditor, COBIT 5 Foundation,
COBIT 2019 Foundation, COBIT 2019 Design & Implementation, and Data Protection Officer
(DPO). So far, Wuttidittachotti has over ten years of working experience covering software
development, networking, security, audit, risk management, IT governance, standards, and
compliance. His expertise is evidenced by his membership of the ISACA Bangkok Chapter
committee since 2015 and his role as an Accredited Trainer - COBIT® 2019 Foundation for the ISACA
Bangkok Chapter. He has continually conducted and published research articles in
information security and related topics.