This article has been accepted for inclusion in a future issue of this journal.
Content is final as presented, with the exception of pagination.
IEEE TRANSACTIONS ON ENGINEERING MANAGEMENT
ML-DDoS: A Blockchain-Based Multilevel DDoS
Mitigation Mechanism for IoT Environments
Rana Faisal Hayat , Sana Aurangzeb , Muhammad Aleem , Gautam Srivastava , Senior Member, IEEE,
and Jerry Chun-Wei Lin , Senior Member, IEEE
Abstract—Distributed denial of service (DDoS) attacks as well as
botnet-based attacks are among the most important security vul-
nerabilities in Internet of Things (IoT) environments. Most of the
existing research approaches use centralized defense mechanisms
to prevent DDoS attacks in IoT environments. However, it is im-
portant to provide a reliable and scalable solution to prevent DDoS
attacks. Combining technologies such as distributed blockchain-
based mechanisms and smart contracts facilitates the construc-
tion of a trusted distributed framework that can defend against
DDoS attacks in IoT. In this article, we have proposed a multilevel
DDoS mitigation approach (ML-DDoS) to protect IoT devices and
other computing resources or machines using the blockchain-based
framework. The core concept of the proposed system is to use
a device-based verification mechanism using blockchain and ex-
clude malicious devices from IoT environments. The proposed
framework was developed using Hyperledger Caliper (a blockchain
benchmark tool) and its performance was evaluated using three
benchmark applications. Compared to the state of the art, the
results show that the proposed framework achieves up to 35%
improvement in throughput, up to 40% improvement in latency,
and up to 25% better utilization of CPU.
Index Terms—Artificial intelligence, attacks, blockchain,
cybersecurity, distributed denial of service (DDoS), Internet of
Things (IoT).
I. INTRODUCTION
NTERNET of Things (IoT) devices [1]–[3] represent
I Internet-enabled components and machines such as sensors,
smart-cameras, medical sensors, smart security systems, to name
just a few that may coordinate with each other or with more
capable computing resources (i.e., computing servers) for infor-
mation exchange, processing, and analysis-related services. For
Manuscript received December 30, 2021; revised March 15, 2022 and April
5, 2022; accepted April 22, 2022. Review of this manuscript was arranged by
Department Editor M.-Y. Chen. (Corresponding author: Jerry Chun-Wei Lin.)
Rana Faisal Hayat and Muhammad Aleem are with the National Univer-
sity of Computer and Emerging Sciences, Islamabad 44000, Pakistan (e-mail:
[email protected]; [email protected]).
Sana Aurangzeb is with the National University of Modern Languages,
Islamabad 44000, Pakistan (e-mail: [email protected]).
Gautam Srivastava is with the Department of Mathematics and Computer
Science, Brandon University, Brandon, MB R7A 6A9, Canada, and also with the
Research Center for Interneural Computing, China Medical University, Taichung
404, Taiwan (e-mail: [email protected]).
Jerry Chun-Wei Lin is with the Department of Computer Science, Electri-
cal Engineering, and Mathematical Sciences, Western Norway University of
Applied Sciences, 5063 Bergen, Norway (e-mail: [email protected]).
Color versions of one or more figures in this article are available at
https://doi.org/10.1109/TEM.2022.3170519.
Digital Object Identifier 10.1109/TEM.2022.3170519
0018-9391 © 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: Sri Sai Ram Engineering College. Downloaded on March 24,2023 at 10:31:19 UTC from IEEE Xplore. Restrictions apply.
1
example, in a health monitoring environment, different IoT de-
vices such as medical sensors are connected to the human body.
These medical sensors send vital human body signs to a central
device and ultimately a medical server machine deployed within
a hospital or in the cloud [4]. Today, millions of IoT devices and
the Internet of Medical Things (IoMT) are in operation, helping
transform the health care industry in a more intelligent way.
However, mainstream usage of IoT has posed serious security
challenges too [5].
In an IoT environment, distributed denial of service (DDoS)
attacks and botnet-based attacks are some of the main security
vulnerabilities. In 2016, a famous botnet attack occurred that
is often referred to as Mari botnet attack disrupting Internet-
based services and slowdowns in digital communications world-
wide [6]. The Internet services observed several other attacks too
followed by the Mari botnet attack, whereas in 2016 a large-scale
DDoS attack through closed-circuit television (CCTV) cameras
was faced by an Internet-hosting company, called OVH [7], in
which the cybercriminals hacked and use 145,607 cameras to
launch the DDoS attack [7], [8]. There are critical everyday
applications where IoT devices are used such as home secu-
rity, hospitals, transportation, industrial automation, industrial
monitoring, and control. Therefore, it is essential to secure IoT
environments from DDoS and botnet attacks [9]. IoT devices
are manufactured offshore by third-party organizations and de-
ployed by organizations such as hospitals, industries, and other
critical businesses along with other IT infrastructure. Device
tampering to create a bot for potential DDoS attacks using IoT
devices is a major security concern [9]. Several studies are then
proposed [6], [10], [11] to mitigate the DDoS attacks initiated
by IoT-based bots, and most of those approaches [12]–[15] often
employ centralized defense mechanisms to tackle DDoS attacks.
However, providing a reliable and efficient solution for the
mitigation of DDoS attacks is important. In this regard, emerging
technologies such as distributed blockchain-based mechanisms
and smart contracts facilitate building a trustable distributed
framework that could deal with DDoS attacks [10].
A blockchain is a peer-to-peer network of similar types
of nodes that provides persistence, decentralization, auditabil-
ity, and anonymity [16]. Blockchain technology provides a
fully decentralized architecture in which no third parties are
involved [17] and it can be deployed to provide transpar-
ent and secure communication between different parties [15].
Blockchain uses different consensus algorithms to establish a se-
cure and trustworthy environment among diverse nodes such as
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
2 IEEE TRANSACTIONS ON ENGINEERING MANAGEMENT
Fig. 1. DDoS attack using IoT as a weapon.
Proof-Of-Work, Proof-Of-Stack, among others [6]. The consen-
sus algorithms define how a new node can enter the network and
how it can add a new block to the blockchain. The consensus
algorithms have two main classes such as proof and vote based
algorithms [18].
In Fig. 1, a typical attack scenario is shown where the botnet
is being used as the main tool for creating the DDoS attack
whereas, in Fig. 2, a typical IoT-based scenario is presented that
can be compromised through a malicious attack. As depicted
in Fig. 1, first, the attacker compromises the devices and sends
false requests to the target server [19]. Afterward, the attacker
compromises the resources of a server making it incapable to
communicate and interact with the attached IoT devices. Con-
sidering the operation critically of the IoT devices, especially
in Industry 4.0 (i.e., hospitals), these attacks must be managed
and mitigated appropriately to reduce the potential financial and
human life-related losses [20]. The following text presents some
of the prominent research efforts related to the mitigation of
DDoS attacks in the IoT environment.
In [6], the authors proposed a blockchain-based solution to
protect servers and mitigate DDoS attacks. In [21], the authors
presented a blockchain-based solution for mitigation of DDoS
attacks in IoT that is made up of the following four layers:
1) smart-home;
2) distributed blockchain;
3) cloud;
4) service layers.
In [22], the authors employed an SDN controller and machine
learning techniques to detect and mitigate both DoS and DDoS
attacks. In another work [23], the authors proposed a scheme
to identify the origin of DDoS attacks. The identity of the
attack origin (i.e., IoT device’s IP addresses) helps place better
mitigation measures to lesson future attack possibilities. In [24],
the authors discussed defence mechanisms related to only the
protocol-oriented attacks (focusing only on a single layer attack).
In some other related works [10], [25]–[27], the DDoS attack
mitigation has been investigated; however, an important aspect
related to compromising IoT devices to become botnet has not
been targeted (mostly the root cause of the DDoS attacks).
In [21], the authors discussed the mitigation-related approaches
for DDoS attacks based on third-party services. However, these
approaches could be less effective (to mitigate DDoS attacks)
if the third-party services are compromised. In another related
approach [28], the authors proposed an SDN-based mitigation
approach; however the single point of failure related to the
Authorized licensed use limited to: Sri Sai Ram Engineering College. Downloaded on March 24,2023 at 10:31:19 UTC from IEEE Xplore. Restrictions apply.
SDN controller will be a major concern. In [18], the authors
discussed a firewall-based solution to mitigate the DDoS attack.
The major concerns about this approach [18] are related to the
compromise possibility of the firewall implementing protocol.
Moreover, the approach [18] does not discuss the protection of
the server becoming a bot. In summary, most of the authors
who have proposed approaches to mitigate DDoS attacks have
primarily not focused on preventing devices to become a bot.
Some other approaches [11], [19], [28], [29] investigated about
preventing IoT devices from becoming bots; however, most of
these approaches rely on the third-party services.
Considering the above-related approaches, it can be con-
cluded that a multilevel approach that could secure not only IoT
devices but also the interacting computing servers is essential.
Therefore, in this work, we propose a multilevel blockchain-
based DDoS mitigation approach called ML-DDoS. Moreover,
the proposed scheme provides a mechanism that could address
issues related to compromised devices. The main contributions
of the ML-DDoS approach are as follows.
1) In-depth scrutiny of the literature, we analyze the strengths
and weaknesses of the existing approaches.
2) We propose a blockchain-based multilevel DDoS mitiga-
tion approach and an authentication mechanism to protect
devices from becoming bots.
3) The transaction in the designed model sends a control
mechanism using the gas limit blockchain aspects and
blacklisting suspicious devices to disengage them from
the core IoT environment.
4) The performance evaluation of the proposed ML-DDoS
approach is based on a benchmark application and com-
pared with the other state-of-the-art approaches.
The rest of this article is organized as follows. Section II
presents an overview of ML-DDoS and blockchain. Section IV
describes state-of-the-art work by highlighting the existing de-
veloped approaches. Section V describes the proposed frame-
work with the research methodology. Section VI delineates
the experimental evaluation. Finally Section VII concludes this
article.
II. OVERVIEW AND BACKGROUND
IoT technology has emerged as a compelling area enabling a
global network of devices to interact with each other. In a cyber-
physical environment, the IoT infrastructure mostly contains a
series of distributed sensors. A research report [30] describes
that approximately 90 billion in IoT devices will be around the
world by the end of 2025. In Fig. 2, IoT devices are connected
through API, and those APIs are connected to the database. The
IoT devices sense the data and send it to the main database
through different APIs.
IoT devices can be categorized into three different groups,
the first is consumer IoT devices, the second is enterprise IoT
devices, and the third is industrial IoT devices. For example,
different IoT devices installed in a smart home environment and
different sensors installed for different purposes [31]. A typical
smart home may have one sensor installed at the garage front
and one installed in a car. If a car is in a front of a garage,
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
HAYAT et al.: ML-DDoS: A BLOCKCHAIN-BASED MULTILEVEL DDOS MITIGATION MECHANISM
Fig. 2. Typical IoT working scenario.
then the car sensor communicates with the garage sensor to
open it [18]. Consumer IoT devices are used to track an asset
and different industries use consumer IoT devices to track the
product’s supply chain. Today, many sensors are employed in
a typical smart-home such as smart fridges, smart home appli-
ances, smart-tv, security systems, etc. [14], [32].
Industrial IoT devices are used for industrial purposes that
can be operated without human interaction [14]. Everywhere,
the industrial IoT devices are operated without human interac-
tion whereas human-controlled IoT devices are monitored by
individuals. Therefore, a thermostat failure in a smart home is
not considered to be a major failure in comparison with industrial
thermostat failure, where a minor temperature change can cause
severe damage [31], [32]. The main market of IoT devices is
building automation, industrial automation, commercial trans-
portation, enterprise asset management, smart cars, test and
measurement, and energy grid [6]. Different IoT devices are
installed for different purposes, and then IoT devices commu-
nicate with other IoT devices through different communication
protocols [33]. The communication protocols are ZigBee, RFID,
PAN, LOPAN, etc. Today, wireless sensor networks (WSNs) are
used for patient monitoring. For instance, if a patient cannot go
to the hospital then the doctor attaches the sensors to the patient
body for monitoring heartbeat, blood pressure, etc. The sensors
link to the hospital server through different communication
protocols [13]. Generally, we can categorize the IoT devices
into three classes, [31] i.e., sensing, embedded processing, and
the communication-related devices.
Blockchain consists of a public ledger where all the nodes
are publicly visible and the last block is the hash of the other
nodes EthereumSmartContracts. For example, block-2s header
consists of block-1s hash, block-3s header consists of block-1s
and block-2s hashes, and so on (i.e., the last block will contain the
hash of all the other blockchain nodes [25]). Today, blockchain
is being used for asset management, in the financial sector, and
in other commercial companies. Blockchain is immutable and
Authorized licensed use limited to: Sri Sai Ram Engineering College. Downloaded on March 24,2023 at 10:31:19 UTC from IEEE Xplore. Restrictions apply.
3
cannot be tempered by anyone. For example, any potential
change in one block will be invalidated by the other blocks (con-
taining the prechange hash of the tempered block) [11]. Recently,
the usage of the blockchain has increased many folds and many
businesses have employed this technology for their important
business processes. Blockchain uses a consensus algorithm to
reach a common agreement among peers, e.g., about the present
state of the distributed and decentralized ledger. Some of the
concrete objectives of a consensus algorithm are collabora-
tion, cooperation, and utilizing equal rights among all the nodes
of a blockchain [34]. Ethereum blockchain is a decentralized and
open-source technology based on the concepts of smart contracts
(i.e., transactions protocols or blockchain programs). The smart
contract employed by the Ethereum blockchain is the agreement
between two parties [11].
III. MOTIVATION
DDoS is a harmful attack that exhausts many resources by
attacking frequently on cloud servers and creates a devastating
problem [35]. However, a growing number of IoT devices en-
ables us to avoid ignoring the influence of large-scale DDoS
attacks from IoT devices [36]. As a result of the rapid devel-
opment of IoT devices, IoT security has become a hot topic
in recent years and security is considered one of the significant
issues. The existing solutions [20], [25], [27], [31], [32] consume
large time for detection and focus on IoT device protection
(i.e., prevention techniques to avoid devices to be compromised)
or secure servers to mitigate DDoS in the IoT environment.
Moreover, there are several approaches [10], [26], [37], [38]
that rely on third-party services to mitigate DDoS attacks. The
major motivation behind this work is to provide a reliable and
scalable solution for the prevention of DDoS attacks using the
blockchain-based framework to improve latency, and throughput
and utilize CPU consumption in a better way. Moreover, it
is essential to cope with DDoS attacks using a multilayered
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
4 IEEE TRANSACTIONS ON ENGINEERING MANAGEMENT
approach, i.e., protecting and securing both edge IoT devices
and the related compute resources or servers. To address these
issues, this article presents a machine learning-based DDoS
mechanism to mitigate the abovementioned challenges for IoT
environments.
IV. RELATED WORK
Zhou et al. [10] discussed a fog computing-based approach
which detected and mitigated the DDoS attacks. The scheme
provided the depth analysis and checked the behavior of the
incoming packets using a three-layered architecture. The pro-
posed three-layered architecture was based on the field devices,
local servers, and Cloud servers. The proposed scheme provides
extra resources for firewalls and servers to protect the main
compute resources from DDoS attacks. The first layer, i.e.,
the field layer fetches information from the IoT devices and
forward it to the fog server layer. The field devices are based on
different controllers called remote terminal units and program
logic controllers (connected to the field devices). The device’s
information is then sent to a fog-server using those controllers.
Javaid et al. [9] proposed a blockchain-based solution to
mitigate DDoS attacks on computing servers. The environment
assumptions are based on several IoT devices connected to
the system, data sink devices, and data transmissions to the
main server through the gateway devices. The IoT devices send
data to the main server. In this assumed environment, authors
argued that the devices lack protection and are vulnerable to
becoming a bot, and thus, can initiate DDoS attacks. The au-
thors proposed a gas-limit-based constrained communication
(implemented via Ethereum blockchain that utilizes gas-limit for
sending transactions). Different IoT devices create a cluster and
send information to the main server using the gateway (which
is assumed to send data to the server in a secure way). In the
proposed scheme, the authors employ smart contracts based on
customized rules and conditions to govern communication. A
device does not involve in communication if the smart contract
rules are not abided by. Servers or miner machines receive data
and validate it using the smart contract agreements.
Yeh et al. [7], proposed SOChain, a decentralized DDoS data
exchange platform that uses blockchain technology to mitigate
trust and fairness issues with the DDoS_coin token. With the
increase of DDoS information, it earns more coins. To confirm
the authenticity of the uploaded data, Yeh et al. enlisted a content
verifier (which is incentivized by DDoS_coin) to investigate the
uploaded abnormal IP addresses. To minimize the management
effort, the entire mechanism is automatically executed in a smart
contract deployed on the blockchain system.
Ferrag et al. [39] presented DeepCoin, which is based on deep
learning and a blockchain-based energy framework for smart
grids. This blockchain-based system includes a reliable peer-to-
peer energy system based on a Byzantine fault tolerance algo-
rithm. The proposed system consists of five phases—namely,
the setup phase, agreement phase, creating a block stage and
consensus-making stage, and view change stage. DeepCoin is
based on an intrusion detection system (IDS), which uses recur-
rent neural networks to detect network attacks and fraudulent
Authorized licensed use limited to: Sri Sai Ram Engineering College. Downloaded on March 24,2023 at 10:31:19 UTC from IEEE Xplore. Restrictions apply.
transactions in the blockchain-based energy network. However,
the proposed system can be integrated with edge computing,
where nodes can access optimal energy and use computing
services from an edge computing service provider.
Bhardwaj et al. [13] proposed architecture based on four
layers, the first layer is the smart home, and the second is the
distributed blockchain layer, the third is the cloud layer, and the
fourth is the service layer. A smart home consists of different
IoT devices that communicate with each other. Different sensors
such as room-heaters, security cameras, device controllers, etc.,
are connected to share and send information to the cloud layer.
A delay in communication in a smart-home environment could
be very critical. The second layer uses distributed blockchain to
distribute a ledger for providing data integrity. To approve any
transactions, the authors employed a separate entity to approve
and add to the blockchain (the disapproved transactions are
discarded and not added to the blockchain).
Hameed et al. [32] used the SDN controller and machine
learning techniques to detect and mitigate DoS and DDoS at-
tacks. The SDN-based security framework known as Soft-Things
detects the abnormal behavior of IoT devices. If IoT devices
behave abnormally, then the SDN framework does not send these
IoT devices’ information to the server. The machine learning
approach is used in the SDN controller to check the behavior of
IoT devices. The machine learning-based techniques analyze the
behavior of IoT devices. For example, if an existing IoT device
is allowed to send three packets per second, however, it sends a
lot of data such as 20–30 packets to the server, then the employed
ML models will detect the suspicious behavior of those devices
and deny further transactions.
Qaisar et al. [40] discussed that today many businesses es-
pecially the industry employ IoT and in case of an attack huge
business losses could occur, and possibly other critical events
related to human life could be observed too. The proposed
approach aims to identify the origin of the attack to mitigate and
save the environment from further attacks. The server maintains
a shared IP addresses list related to legitimate devices. A device
that is not part of this list is denied any communication or request
forwarding. The identification mechanism mainly uses an IP
matching scheme based on IPTraceback. Using this method,
the IP addresses of the malicious IoT device and other outside
communications are denied to protect the IoT environment.
Christopher et al. [15] discussed a machine learning-based
approach to detect DDoS attacks. The proposed approach uses
a traffic analysis scheme and with the help of ML models to
identify the malicious traffic. The proposed scheme targets a
specific DDoS attack type called DoSand attack. The core idea
employed by the authors is to train the ML models on message
packet lengths. The trained ML model uses the packet length
feature of the active communication to classify the potential
malicious communication by an intruder or the compromised
IoT device (such as a bot). Upon detection of malicious com-
munication, the concerned IoT devices are blocked to prevent
future communications.
Cusack et al. [14] discussed that SDN is the core tech-
nology to design and manage a new network more eas-
ily. The SDN layer has been used by the authors for the
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
HAYAT et al.: ML-DDoS: A BLOCKCHAIN-BASED MULTILEVEL DDOS MITIGATION MECHANISM
detection of DDoS attacks. In the proposed scheme, the con-
troller communication protocol is employed for information
exchange with the other peer controllers to defend from potential
DDoS attacks. The set of SDN controllers maintains lists of
the legitimate IoT devices (within their networks). Communi-
cation is allowed among the legitimate IoT devices (i.e., only
if the device’s IDs match with the existing lists). The authors
stated that the collective approach (employing multiple SDN
controllers for mitigation of DDoS attacks) results in a more
effective result to mitigate the DDoS attacks with the least
overhead. However, the approach has an assumption that the
SDN controller itself cannot be compromised which is not true
always.
Meneghello and Mattteo [28] proposed a state-full forwarding
mechanism to mitigate the DDoS attacks. The author established
a game model to analyze the objective of the attacker and the
detection aims of the defender. The proposed algorithm is used
to enhance the detection of the distributed low rate attacks and
subsequently employ corresponding mitigation mechanisms.
The scheme uses a malicious request table concept to check
for the incoming requests against that table. If any new request
matches with the existing entries of the malicious request table,
it is dropped and any potential future requests are blocked too.
The objective is to block a potential intruder device that can send
another malicious request to compromise some other device in
the IoT environment.
Khalid et al. [12] discussed that urban industries mostly
rely on IoT devices for many essential and critical operations.
Considering the Internet-based accessibility of the IoT devices,
it becomes very crucial to protect these devices to become bots.
The proposed scheme introduced an edge-oriented mechanism
along the SDN controllers to detect and mitigate DDoS attacks.
The SDN controllers maintain a list of devices. Moreover, the
typical lengths of the messages are also maintained in the SDN
controllers. Whenever a device sends a communication request,
the request is checked against both the device lists and potential
message lengths. The device is denied further communication
if detected as potentially malicious (considering the device lists
and message lengths).
DDoS attacks1 are one of the most serious threats in IoT
environments. Two IP lists such as black-list and white-list
are considered to prevent DDoS attacks and shared using the
blockchain mechanism. If a malicious packet comes from a
blacklisted IP address the packet is not sent to the server (i.e.,
only the white-list IP addresses are allowed to send packets
to the server). As all the legitimate devices are part of the
white list, the server can easily identify the outsiders and is
capable to prevent those from communicating with the other
devices.
Bhushan and Gupta [20] proposed a DDoS mitigation scheme
based on risk-based transfer algorithm is proposed. The applica-
tion scenario discussed in this work is related to a smart home.
The proposed technique utilizes third-party-based services to
mitigate DDoS attacks. The proposed scheme uses gateways
1 [Online]. Available: https://www.blockchain-council.org/blockchain/public
-vs-private-blockchain-a-comprehensive-comparison/
Authorized licensed use limited to: Sri Sai Ram Engineering College. Downloaded on March 24,2023 at 10:31:19 UTC from IEEE Xplore. Restrictions apply.
5
routers equipped with risk-based transfer algorithm implemen-
tations. The third party employs certain parameters and analyzes
any incoming traffic before forwarding it to the smart home. If
the incoming traffic does not meet the specified parameters, the
transaction is blocked by a third party. One of the weaknesses
of this approach is the possibility of an information breach
by the third party (all transactions should route through that
entity).
Mohanta and Debasish [41] proposed an SDN-based
approach to detect and mitigate DDoS attacks in an industrial
IoT environment. The proposed solution comprises edge
computing, fog devices, and a cloud computing layer. At the
edge, different SDN-based IoT gateways are used while the fog
layer handles the computations of SDN controllers. Moreover,
for the detailed analysis and computation, the cloud layer is
employed. The cloud analyzes the transactions related data and
determines the possibilities of whether the transaction is valid
or not. The cloud-based analysis is enforced using the SDN
layer of the proposed architecture.
Bodkhe and Sudeep [37] presented two different types of
DDoS attack scenarios and their potential mitigation approaches
using software-defined network architecture. The first DDoS
attack mitigation scenario discussed is referred to as source-
based mitigation that employs multiple sources or devices for
detection and is followed by the mitigation approach. The second
DDoS attack scenario discussed is a network-wise attack (that
compromises a network of devices, etc.). To counter this attack
type, a network operating system is employed that could analyze
the traffic behavior or data transactions. The main motivation to
employ the network operating system is to eliminate the change
of single-point-of-failure possibility and provide a distributed
analysis and detection solution in the form of networked wide
services.
Zhou and Huang [38] presented a botnet attack prevention
mechanism using blockchain. This research focused on the as-
pects related to the IoT device compromise issue (a major cause
of botnet attacks in IoT). To address the involved challenges, a
blockchain-based supply-chain mechanism has been proposed.
The IoT devices are secured (ensuring their originality and
avoiding and tempering issues) the complete train starting from
the manufacturing to the supply is secured using the employed
blockchain models. The use of nontempered devices will greatly
reduce the chances of device comprise events and result in fewer
DDoS attacks.
In the above literature, it can be seen that most of the related
techniques [20], [25], [27], [31], [32] focus on IoT device
protection (i.e., prevention technique to avoid device to be
compromised) or secure servers to mitigate DDoS in the IoT
environment. Moreover, there are several approaches [10], [26],
[37], [38] that rely on third-party services to mitigate DDoS
attacks. However, it is essential to cope with DDoS attacks
using a multilayered approach, i.e., protecting and securing both
edge IoT devices and the related compute resources or servers.
Moreover, relying on third-party-based analysis privacy is one
of the major concerns. Furthermore, the existing approaches
mitigate the DDoS attack on only one side. Therefore, to cope
with the above-mentioned challenges, this work presents a
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

6 IEEE TRANSACTIONS ON ENGINEERING MANAGEMENT

TABLE I
SUMMARY OF THE RELATED WORK

blockchain-based multilevel approach for the mitigation of
DDoS attacks in IoT environments. Table I gives a brief sum-
mary of the related work summarized in this Section.
V. PROPOSED ML-DDOS APPROACH
This section presents the details about the proposed ML-
DDoS approach. The core concept of the proposed ML-DDoS
approach is based on the blockchain to avoid devices being
compromised (easily detectable if device-related data are kept on
the blockchain ledger). The proposed ML-DDoS aims to provide
mitigation at both the device and server levels. The DDoS
attacker may launch the attack in two ways—compromising a
device into a bot and launching an attack without creating a
bot. In the first type of attack, after compromising a legitimate
IoT device into a bot, the attacker bombards the server with

Authorized licensed use limited to: Sri Sai Ram Engineering College. Downloaded on March 24,2023 at 10:31:19 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
HAYAT et al.: ML-DDoS: A BLOCKCHAIN-BASED MULTILEVEL DDOS MITIGATION MECHANISM
Fig. 3. Proposed blockchain-based multilevel DDoS (ML-DDoS) mitigation
approach.
a huge number of service requests to make it inaccessible or
unresponsive (for legitimate IoT devices). In the second type of
attack, the attacker exploits different IoT devices to send joining
requests to the server, once joined the network, the server is
burdened with a huge number of requests.
A. ML-DDoS System Architecture
Fig. 3 presents the system architecture of the proposed ML-
DDoS approach. The proposed solution is based on the following
three-layer architecture: 1) perception layer; 2) edge computing
layer; and 3) blockchain and storage layer. In the perception
layer, different IoT devices are employed which are connected
to the upper layer compute devices (i.e., IoT gateways in the
fog layer) to attain small-scale computing storage services. The
second layer related to edge computing consists of several IoT
gateways and edge computing devices. These devices are mainly
responsible for providing application execution logic and related
computing and storage services to the interacting IoT devices.
The third layer, i.e., blockchain and storage represent cloud
services for blockchain services and data storage.
For the implementation of the blockchain-based services,
we use Ethereum, a decentralized and open-source blockchain,
to develop smart contracts (i.e., transactions protocols or
blockchain programs). Our developed smart contracts contain
four lists, one for the trusted devices and the remaining for other
purposes (at the start as empty lists). The usage of blockchain
enables effective detection of any compromised device as the
ledger containing the valid hashes cannot be compromised or
changed (other entities do not validate the change).
For interacting with the server, a device is required to use
a signature message. At the time of the communication, the
message signature is validated along with the device present
Authorized licensed use limited to: Sri Sai Ram Engineering College. Downloaded on March 24,2023 at 10:31:19 UTC from IEEE Xplore. Restrictions apply.
7
Fig. 4. Flowchart of multilevel DDoS mitigation in IoT.
in the trusted devices list. After the validation the device is
allowed to communicate, otherwise, all transactions are blocked
(added to the list of untrusted devices) and communication is
abandoned for the future. The signature messages are used as
an account id and therefore the communication of those devices
which do not have valid ids are not allowed to communicate. The
signature message-based denial of communication also prevents
communication between an IoT device and the potential intruder
device to save it from being compromised.
The cloud storage service stores information received from
the perception layer while the blockchain-based mechanism
prevents the outsider devices to establish a valid communica-
tion session with the compute servers. Therefore, to initiate a
DDoS attack in the IoT environment the intruder device or user
first has to compromise certain valid IoT device parts of the
network. The different mechanisms could be employed by the
attacker to compromise an IoT device and turn it into a bot.
The authentication messages could be validated (considering
the device id and signature) and only legitimate devices will
be allowed to communicate with the network. However, if the
intruder becomes successful in compromising an IoT device
(part of the network) a mitigation approach is employed by
our proposed solution. Each IoT device (part of our network)
is assigned a gas limit that prevents a compromised device
to bombard the servers with a huge number of messages (i.e.,
preventing possible DDoS attacks).
B. Proposed ML-DDoS Execution Flow
In Fig. 4, the complete execution flow of the proposed ML-
DDoS approach is depicted. First, we create four lists, named,
1) trusted device list, 2) untrusted device list, 3) signature
messages list, and 4) blacklisted device list. We use the Ethereum
blockchain to share these lists in the IoT environment and server.
The usage of blockchain provides the highest integrity levels so
that any intruder itself cannot modify a certain hash (related to
the devices’ IDs and authentication messages). The blockchain’s
ledger hash should be the same if the data have no modifications;
therefore any violation related to the integrity of the data is
readily determined.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

8 IEEE TRANSACTIONS ON ENGINEERING MANAGEMENT

At the start, a device sends a request to the server which

verifies if the id of the requesting device is valid (i.e., part of
the trusted list) or not. A requesting device is added to the
untrusted list if the id of the device does not match with the
legitimate device ids (part of the trusted list). After registration
of a device, it has to perform the next level of authentication
using the signature message (a unique and random data message
assigned to all the legitimate devices). The server considers
the forwarded signature message from the device and validates
the legitimacy of the device. A device failing to authenticate
using the message string is denied further communication and is
added to the untrusted device list. Once a device is added to the
untrusted list, it will be requiring special admin permissions to
become part of the IoT environment. The untrusted list is then
shared using the Ethereum blockchain.
Our proposed approach employs a mechanism that coun-
Fig. 5. Flowchart for trusted device request verification.
ters the two potential bot attack patterns. As discussed above,
the proposed ML-DDoS addresses the issues related to any
malicious or bot device becoming part of the IoT network and
also it takes care of the scenario where an existing legitimate
device could potentially compromise. In the second type of bot
attack (where an existing or legitimate device is being compro-
mised), the proposed approach (depicted in Fig. 4) shows that
each legitimate device part of the IoT network has a gas-limit
quota which it utilizes to send messages in the network. In the
Ethereum blockchain platform, the gas is a paying mechanism
that is deducted to conduct or execute a transaction. Therefore,
based on the potential transaction requirements (or responsibil-
ities of the IoT devices concerning their potential communica-
tions), the gas-limit mechanism helps avoid the DDoS launched
by a compromised device. Whenever the gas limit of a certain
device expires, the admin can top up the new gas points and
an IoT device continues its normal operation. Moreover, we
have set a certain time-span value (as per the device’s specific
transaction requirements). For example, consider an IoT device
related to temperature monitoring in an industrial environment. Fig. 6. Flowchart of authentication request verification.
A time span of 5 s as an interval could be set for this device (for
sending the message with temperature reading). However, if the
devices try to overload the server or other devices (to which it is
interacting) with a lot of messages (with temperature reading) signature message from the device and validates the legitimacy
that shows an abrupt behavior and should be tackled. Therefore, of the device. In case of failure in the authentication process, the
the compromised devices showing abrupt behavior, i.e., flooding device is made part of the untrusted list.
the IoT environment with a large number of messages to cause In Fig. 6, the flow of the events related to the authentication
a DDoS attack are detected and such devices are added to request made by a potential intruder device (not part of the IoT
the black-listed devices. These lists are then propagated in the environment) is depicted. The intended device first sends the
IoT environment using the blockchain. request to the server and in response server validates whether
In Fig. 5, we have depicted the step-by-step workings of the device has forwarded a valid authentication message string
the trusted device-related request verification method. All the or not. In addition to that, a device is checked for the valid id
legitimate devices are part of the trusted-list and these lists are (i.e., is part of the trusted devices or not). In case the device
shared using the Ethereum blockchain. is currently not in the trusted list (which will be the case for
As discussed earlier, a device first sends a request to the server this flow chart activities) and the authentication message also
which verifies whether the id of the requesting device is valid mismatches, then the device is added to the blacklisted devices
(i.e., part of the trusted list) or not. A requesting device is added and any future communication is blocked to/from that specific
to the untrusted list if the id of the device does not match with the device. Once a device becomes part of the blacklisted device
legitimate device ids (part of the trusted list) and it is not able to list, it can only be unblocked if the admin explicitly allows it
authenticate using the message data (the second authentication (i.e., removing it from the blacklisted list and allowing another
step (as discussed above). The server considers the forwarded request attempt to that device).

Authorized licensed use limited to: Sri Sai Ram Engineering College. Downloaded on March 24,2023 at 10:31:19 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

HAYAT et al.: ML-DDoS: A BLOCKCHAIN-BASED MULTILEVEL DDOS MITIGATION MECHANISM 9

TABLE II
NOTATIONS USED IN ML-DDOS ALGORITHMS

C. Developed ML-DDoS Algorithm

For a multilevel approach, it is necessary to be able to secure
not only the IoT devices but also the corresponding interacting
computing servers. Therefore, in this article, we propose a
multilevel blockchain-based DDoS mitigation approach called
ML-DDoS. For the detailed working of the proposed ML-DDoS
approach, we have presented Algorithm 1. Notations used in
the remainder of the paper are summarized in Table II. Before
discussing the detailed steps of the algorithms, first, we present
the set of algorithmic notations (depicted in Table II) used in the
algorithms.
In Algorithm 1 (lines 1–2) device i is in tl , if a device is not
part of our IoT environment and it attempts to connect to the
network the server first verifies it using the device id lists or not.
If it is already a part of the trusted list (i.e., tl ), it is validated,
otherwise a nontrusted device label is returned. If the device has
a valid id (i.e., it has an id less than the total valid available
devices), the corresponding signature message is extracted for
that device as shown in Algorithm 1 (lines 3–4). Next, the device
will send an authentication request to the server. The signature
level authentication ensures that the device is not only part of
the network but also a trusted device. If the signature does not
match with the signature list, the device is added to the untrusted
list (i.e., ul ) (lines 5–6, Algorithm 1). As a case study, we have
assumed a time limit of the employed IoT devices equal to 5
s (configurable according to the needs and nature of the IoT
devices). The time-interval represents a message cycle-time from
an IoT device to the server. It helps to analyze an abrupt behav-
ior that a potential bot employs (i.e., sending many messages network and it sends a request for verification to potentially
irrespective of the set cycle time of the devices). In that case, the become part of the IoT network, the procedure depicted in
potential bot is detected first the transaction is declared invalid Algorithm 2 is employed. If the device sends a request, the
(Algorithm 1, line 8) and added to the blacklisted devices (i.e., signature of the request is checked. If the signature message is
bl ) as shown in Algorithm 1 (line 9). Next (see Algorithm 1, valid, then the valid status is returned and the device is allowed
line 10), the data packets related to the blacklisted device are to communicate within the IoT network otherwise it is denied
dropped from the network. Also, the updated blacklist is shared from the communication (Algorithm 2, lines 4–5).
in the IoT network (Algorithm 1, line 11). The proposed ML-DDoS is designed to mitigate the DDoS
As mentioned earlier, the proposed approach is based on a attacks at both device and server levels. The core concept of
blockchain-based multilevel DDoS mitigation approach and the the proposed scheme is to use a device-based verification mech-
authentication mechanism is important to protect devices that anism using blockchain and to remove the malicious devices
become bots. For this purpose, in Algorithm 2, the verification of from the IoT environment as early as possible. Therefore, in
the device, i.e., whether it is trusted or blacklisted, is performed. Algorithm 3, we discuss a valid or trusted device request verifi-
In Algorithm 2, we discuss a request verification method for the cation mechanism. As discussed earlier, the signature messages
untrusted devices. If the device is currently not part of the IoT are added for each interacting device in the proposed ML-DDoS

Authorized licensed use limited to: Sri Sai Ram Engineering College. Downloaded on March 24,2023 at 10:31:19 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
10
TABLE III
SIMULATION SETUP
approach. The addition of the signature (in the encrypted form)
is depicted in Algorithm 3, line 1. A trusted device sends a
request to the server for communication purposes. Next, it
encrypts the signature message to be sent to the server. After
receiving the encrypted signature at the server, it is decrypted
(Algorithm 3, line 5). The decrypted message is matched with
the stored signatures (Algorithm 3, lines 8–11). If the signature
is valid the device is labelled trusted and valid and is allowed
full communication (as per the assigned gas-limit).
VI. EXPERIMENTAL EVALUATION AND DISCUSSION
This section describes the experimental setup including soft-
ware/hardware configurations, benchmark heuristics (employed
for experimental evaluation), and topology used to evaluate the
system throughput, latency, and resource usage.
A. Experimental Setup
A new simulation framework, the Hyperledger caliper [6],
[47] was chosen for the blockchain environment as a simulation
platform. Hyperledger fully supports the Ethereum blockchain-
based platform. The smart contract of the Ethereum blockchain
is linked with the Hyperledger caliper and the transactions are
carried out to produce the results (reported in the next section).
In addition, platforms such as Truffle, Hyperledger Caliper,
Ganache, and Matamask can be used for implementation.
Table III details the employed simulation setup.
B. Benchmark Heuristics
Following benchmark heuristics are employed for the com-
parison and evaluation.
Authorized licensed use limited to: Sri Sai Ram Engineering College. Downloaded on March 24,2023 at 10:31:19 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON ENGINEERING MANAGEMENT
1) Physically unclonable function (PUF) approach [6]:
The physically unclonable function (PUF) is the technique
that assigns the unique identity to every IoT device. The
authentication framework checks the unique identity of the
IoT devices, if the unique identity of any device does not
match the device is detached from the IoT environment.
2) IoT-DDoS approach [9]: The IoT-DDoS technique sets the
gas limit of every IoT device in the Ethereum blockchain.
The device is prohibited from sending the data messages
if it exceeds the allocated gas limit.
3) IoT-botnet approach [17]: The IoT botnet technique sets
the authentication request limit and heartbeat message is
transferred every 40 s. A device is blocked if it exceeds the
request limit (set for that device) and denied any further
communication.
4) DDoS-collaborative approach [46]: The DDoS-
collaborative technique uses the Ethereum blockchain
and creates a smart contract. A list of IoT devices’ IP
addresses is prepared and shared using the blockchain. In
case an attacker sends a request and the corresponding
IP address does not match with the available list of IP
addresses then the device is blocked and denied any
further communication.
5) Deep learning-based DDoS approach [45]: This technique
employs the machine-learning-based trained models to
classify any incoming request as legitimate or not.
C. Performance Parameters
The experimental evaluation of the proposed ML-DDoS ap-
proach and the other state-of-the-art has been performed using
the following performance parameters.
1) Throughput [18]: How much data per unit time can be
transferred using the ML-DDoS approach? We have cre-
ated a use case in Hyperledger Caliper2 , sent different
transactions, and measured the attained throughput ac-
cordingly.
2) Latency [18]: The latency is the delay in the communica-
tion in the network. Latency is the total amount of time in
a network when data can be captured, processed, send, or
received at the destination IoT device or server. We employ
different transactions to perform the related operations and
measure the involved latencies.
3) CPU utilization [10]: CPU utilization technique is the
amount of work handled by the CPU as per its capacity.
The more the task is compute-intensive the more it will
utilize the CPU time. This aspect has also been measured
to see the compute intensity of the involved tasks in the
proposed and the other related techniques.
D. ML-DDoS Approach Evaluation Using Botnet-Based
Scenario
In this experiment, we have used the scenario where a po-
tential botnet is detected and the DDoS attack is mitigated ac-
cordingly. Considering these detection and mitigation processes
2 [Online]. Available: https://www.hyperledger.org/use/caliper
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

HAYAT et al.: ML-DDoS: A BLOCKCHAIN-BASED MULTILEVEL DDOS MITIGATION MECHANISM 11

Fig. 7. Maximum latency for legitimate device and when a botnet is detected.
Fig. 8. Minimum latency for legitimate device and when a botnet is detected.

the related performance parameters have been gauged. The two

specific situations experimented on are the following: 1) when a
legitimate IoT device performs the involved transaction; and 2)
when a device has been compromised and activates and performs
the related transactions.
In the throughput analysis, it was observed that the device
whether it is legitimate or has been compromised as a bot reflects
a similar activity (just before launching the DDoS attack) in
terms of transaction processing or throughput. If the attack has
been launched the throughput related to transaction count in the
bot-based scenario increases drastically. However, our proposed
scheme ML-DDoS proactively detects the botnets (or the com-
promised devices); therefore, the DDoS scenario is avoided that Fig. 9. Average latency for legitimate device and when a botnet is detected.
resulting in normal throughput along with decreased latency
and CPU utilization (because the devices are being detected
promptly and then blacklisted). The other related experiments
considering the latency aspect have been presented below.
In Fig. 7, the latency data have been presented that was
calculated before the device was compromised and after it
became a bot (i.e., the scenario where the device became a
bot and subsequently handled or managed by our ML-DDoS
approach). In the employed scenario, we here set an example
interval equal to 5 s for each device (it may be different for each
device in a specific IoT environment considering per device
functionality and responsibility). For example, if an attacker
creates a bot in our network and sends additional messages
Fig. 10. Maximum CPU utilization for the legitimate device, when a botnet
to initiate a DoS attack. We counter this using the gas-limit is detected.
aspect (discussed in the methodology) to limit its transactions
and subsequently detect it as a bot and disengage it from the IoT
network. The latency effect in the IoT environment is visible Similarly, Fig. 9 shows the average calculated delay in the
in Fig. 7. As soon as the devices which are detected bot are network. The figure shows that the average measured latencies
disengaged from communicating with the server the other IoT increase, for example, in normal IoT operations compared to the
device (i.e., blacklisted) the latency also reduces (because of low other scenarios (i.e., presence of bots), which are subsequently
message density in the network). handled by the proposed ML-DDoS approach. The delay in-
Fig. 8 shows the minimum involved latencies when there creases when there are more devices and decreases when there
is a normal IoT working and when there are compromised are only a few (blacklisted and removed from the environment).
devices (i.e., bots) that are subsequently handled by the proposed In Figs. 10 and 11, maximum and average CPU utilization
ML-DDoS approach. The delay increases with more devices and results are shown, respectively. These figures depict the at-
decreases when there are few. As shown in Fig. 8, the minimum tained average and maximum CPU utilization when there is a
delay decreases in the scenario there are bots or compromised de- normal IoT working as compared to the scenario when there
vices. These results validate the fact that the proposed ML-DDoS are compromised devices (i.e., bots) which are subsequently
approach effectively counters the bot devices by blacklisting handled by the proposed ML-DDoS approach. In case of a
them and disengaging from the core IoT environment. device compromise-related attack, the CPU utilization (i.e.,

Authorized licensed use limited to: Sri Sai Ram Engineering College. Downloaded on March 24,2023 at 10:31:19 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

12 IEEE TRANSACTIONS ON ENGINEERING MANAGEMENT

Fig. 11. Average CPU utilization for legitimate device, when a botnet is Fig. 13. Comparison of latency minimum.
detected.

Fig. 14. Comparison of latency average.

Fig. 12. Comparison of throughput.

server compute time and the other device activities related to

the compute operations will decrease). These results show the
effective bot countering mechanism by the proposed ML-DDoS
approach that proactively detects the bots (or the compromised
devices) and blacklists those devices (disengages them from the
main IoT environment) resulting in lower overall transaction
processing at the server and other device levels.

E. Comparative Analysis of ML-DDoS Approach

This section presents the comparative result analysis of
the proposed ML-DDoS approach as compared to the other
state-of-the-art such as PUF [6], IoT-DDoS [9], IoT-botnet
[17], collaborative-DDoS [46], and deep learning-DDoS [45].
The abovementioned schemes have been compared with our pro-
posed approach using throughput, latency, and CPU utilization
performance in the event of a bot-based scenario. (See Fig. 11,
Fig. 12, Fig. 13, Fig. 14, and Fig. 15).
Fig. 12 shows the results in terms of throughput achieved
in our proposed approach and the other related schemes when
the attacker compromises a device or creates bots within the
IoT environment. The transaction initiation granularity (per
unit time) employed in this experiment is 2, 4, 8, 12, 16,
20, and 24. The results depicted in Fig. 12 shows that our
scheme results in higher overall throughput i.e., 15%, 24%, 21%,
37%, 40%, 40%, and 41% better as compared to the PUF [6],
IoT-DDoS [9], IoT-botnet [17], collaborative-DDoS [46], and
deep learning-DDoS [45] approaches. The network protected by
Fig. 15. Comparison of latency maximum.
ML-DDoS approach results in more safer environment and legit-
imate processing continues with a higher number of transactions
processing per unit time.
Fig. 13 shows the results related to the attained latencies
for our proposed approach and the other related schemes af-
ter the attacker creates bots and certain the DDoS mitigation
approaches come to the action. These results have been tested
for different transaction initiation granularity (per unit time) i.e.,
2, 4, 8, 12, 16, 20, and 24. The results depicted in Fig. 13 shows
that our scheme results in more effective to disengage the bot
devices (both at server and device levels) resulting in filtration
of DDoS traffic from the network. The results show that our
proposed approach results in 45%, 51%, 36%, 23%, 19%, 22%,
and 22% lower minimum latency as compared to the PUF [6],

Authorized licensed use limited to: Sri Sai Ram Engineering College. Downloaded on March 24,2023 at 10:31:19 UTC from IEEE Xplore. Restrictions apply.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
HAYAT et al.: ML-DDoS: A BLOCKCHAIN-BASED MULTILEVEL DDOS MITIGATION MECHANISM
TABLE IV
COMPARATIVE ANALYSIS OF ML-DDOS APPROACH WITH OTHER
STATE-OF-THE-ART APPROACHES
IoT-DDoS [9], IoT-botnet [17], collaborative- DDoS [46], and
deep learning-DDoS [45] approaches.
Fig. 15 shows the results related to the attained maximum la-
tencies for our proposed approach and the other related schemes
after the attackers create bots and certain the DDoS mitigation
approaches take action. The results depicted in Fig. 15 show
that our scheme results are more effective to disengage the bot
devices (both at server and device levels) resulting in filtration
of DDoS traffic from the network. The results show that our
proposed approach results in 44%, 47%, 35%, 26%, 16%, 17%,
and 27% lower maximum-latency as compared to the PUF [6],
IoT-DDoS [9], IoT-botnet [17], collaborative- DDoS [46], and
deep learning-DDoS [45] approaches.
F. Results Analysis
The proposed ML-DDoS was developed to mitigate DDoS
attacks both on-device and on server. The core concept em-
ployed by the proposed scheme is to use a device-ids-related
verification mechanism using blockchain and disengage the
malicious devices from the IoT environment at the earliest. We
have assigned the unique id to devices and set the gas limit
of every device. We have set the gas limit of every device
dynamically if the gas of the devices gets low then the admin
can renew the gas of those devices. For a fixed time interval
(e.g., 5 s for our simulations) the IoT devices send transactions.
If the attacker creates a bot in the IoT network and the attacker
tries to send more transactions within the allocated time. In that
case, the proposed ML-DDoS approach blocks the compromised
devices and proactively disengages those devices from the IoT
network. The experimental evaluation shows that the latency
( minimum, average, and maximum) reduces drastically once the
devices have been compromised and the proposed ML-DDoS
approach takes control related to the mitigation steps. The core
mechanism that results in proactive engagement and isolation
of the compromised devices or bots is related to the gas-limit
aspect that helps limit the transactions and subsequently helps
to disengage the bot device from the IoT network. The latency
effect in the IoT environment is visible to all of the latency-
related results. As soon as the devices which are detected bot
are disengaged from communicating with the server the other
IoT device (i.e., blacklisted) the latency also reduces (because
of low message density in the network). Table IV shows the
overall comparison of the ML-DDoS approach with other state-
of-the-art approaches, which clearly shows that our proposed
approach achieves maximum throughput with minimum latency
Authorized licensed use limited to: Sri Sai Ram Engineering College. Downloaded on March 24,2023 at 10:31:19 UTC from IEEE Xplore. Restrictions apply.
13
and minimal usage of CPU compared to other state-of-the-art
approaches.
VII. CONCLUSION
Due to the increasing use of the and the ease of imple-
menting IoT networks, these networks are expanding every
day. Therefore, security was considered a necessity to ensure
safe and secure communication between devices. To overcome
such challenges, we had presented a ML-DDoS to protect IoT
devices and other computing resources or machines using the
blockchain-based framework. The core concept of the proposed
scheme was to use a device-based verification mechanism using
blockchain and separate the malicious devices (i.e., bots) from
IoT environments. The proposed framework was developed
using Hyperledger Caliper (a blockchain benchmarking tool)
and its performance was evaluated using three benchmark appli-
cations. The presented ML-DDoS approach used the Ethereum
blockchain with the smart contract to replace the centralized
architecture with a decentralized architecture. If the device was
registered in our network, the administrator could verify the
authenticity of the interacting devices (i.e., each device had a
unique ID, which was also verifiable). All the tempered and
compromised IoT devices are either excluded from the registry
or proactively detected by the ML-DDoS framework. We had
analyzed the performance of ML-DDoS framework compared
to the state-of-the-art approaches that showed effective results
in disabling the compromised device, resulting in low network
latency, high throughput (of the legitimate devices), etc.
For future work, it is possible to further reduce power con-
sumption and cyberattacks on IoT devices. In addition, we will
consider other types of attacks such as internal and external
attacks by dynamically adjusting the nodes to overcome the
security issues and improve the security and flexibility of our
model.
REFERENCES
[1] J. C. W. Lin, G. Srivastava, Y. Zhang, Y. Djenouri, and M. Aloqaily,
“Privacy-preserving multiobjective sanitization model in 6G IoT environ-
ments,” IEEE Internet Things, vol. 8, pp. 5340–5349, Apr. 2021.
[2] C. F. Cheng, Y. C. Chen, and J. C. W. Lin, “A carrier-based sensor
deployment algorithm for perception layer in the IoT architecture,” IEEE
Sensors, vol. 20, no. 17, pp. 10295–10305, Sep. 2020.
[3] J. H. Syu, M. E. Wu, G. Srivastava, C. F. Chao, and J. C. W. Lin, “An
IoT-based hedge system for solar power generation,” IEEE Internet Things,
vol. 8, no. 13, pp. 10347–10355, Jul. 2021.
[4] Q. Yan, W. Huang, X. Luo, Q. Gong, and F. R. Yu, “A multi-level
DDoS mitigation framework for the industrial Internet of Things,” IEEE
Commun. Mag., vol. 56, no. 2, pp. 30–36, Feb. 2018.
[5] R. Akkaoui, “Blockchain for the management of Internet of Things devices
in the medical industry,” IEEE Trans. Eng. Manage., to be published.
doi: 10.1109/TEM.2021.3097117.
[6] D. M. Mendez Mena and B. Yang, “Blockchain-based whitelisting for
consumer IoT devices and home networks,” in Proc. Annu. SIG Conf. Inf.
Technol. Educ., 2018, pp. 7–12.
[7] L.-Y. Yeh, P. J. Lu, S.-H. Huang, and J.-L. Huang, “Sochain: A
privacy-preserving DDoS data exchange service over SOC consortium
blockchain,” IEEE Trans. Eng. Manage., vol. 67, no. 4, pp. 1487–1500,
Nov. 2020.
[8] R. Millman, “OVH suffers 1.1 Tbps DDoS attack,” News, SC Magazine
UK, 2016.
 This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.
14
[9] U. Javaid, A. K. Siang, M. N. Aman, and B. Sikdar, “Mitigating IoT device
based DDoS attacks using blockchain,” in Proc. Workshop Cryptocurren-
cies Blockchains Distrib. Syst., 2018, pp. 71–76.
[10] L. Zhou, H. Guo, and G. Deng, “A fog computing based approach to DDoS
mitigation in IIoT systems,” Comput. Secur., vol. 85, pp. 51–62, 2019.
[11] R. Vishwakarma and A. K. Jain, “A survey of DDoS attacking techniques
and defence mechanisms in the IoT network,” Telecommun. Syst., vol. 73,
no. 1, pp. 3–25, 2020.
[12] U. Khalid, M. Asim, T. Baker, P. C. K. Hung, M. A. Tariq, and L.
Rafferty, “A decentralized lightweight blockchain-based authentication
mechanism for IoT systems,” Cluster Comput., vol. 23, pp. 2067–2087,
2020.
[13] K. Bhardwaj, J. C. Miranda, and A. Gavrilovska, “Towards IoT-DDOS
prevention using edge computing,” in Proc. USENIX Workshop Hot Topics
Edge Comput., pp. 1–7, 2018.
[14] B. Cusack, Z. Tian, and A. K. Kyaw, “Identifying DoS and DDoS attack
origin: IP traceback methods comparison and evaluation for IoT,” in Proc.
Interoperability, Saf. Secur. Internet Things, 2016, pp. 127–138.
[15] C. D. McDermott, F. Majdani, and A. V. Petrovski, “Botnet detection in
the Internet of Things using deep learning approaches,” Proc. Int. Joint
Conf. Neural Netw., vol. 1, pp. 1–8, 2019.
[16] S. S. Bhunia and M. Gurusamy, “Dynamic attack detection and mitigation
in IoT using SDN,” in Proc. Int. Telecommun. Netw. Appl. Conf., 2017,
pp. 1–6.
[17] Z. Ahmed, S. M. Danish, H. K. Qureshi, and M. Lestas, “Protecting IoTs
from Mirai botnet attacks using blockchains,” in Proc. IEEE Int. Workshop
Comput. Aided Model. Des. Commun. Links Netw., 2019, pp. 1–6.
[18] R. Doshi, N. Apthorpe, and N. Feamster, “Machine learning DDoS de-
tection for consumer Internet of Things devices,” in Proc. IEEE Secur.
Privacy Workshops, 2018, pp. 29–35.
[19] S. Singh, I.-H. Ra, W. Meng, M. Kaur, and G. H. Cho, “SH-blockCC: A
secure and efficient Internet of Things smart home architecture based on
cloud computing and blockchain technology,” Int. J. Distrib. Sensor Netw.,
vol. 15, no. 4, pp. 1–18, 2019.
[20] K. Bhushan and B. B. Gupta, “Distributed denial of service (DDoS) attack
mitigation in software defined network (SDN)-based cloud computing
environment,” J. Ambient Intell. Humanized Comput., vol. 10, no. 5,
pp. 1985–1997, 2019.
[21] T. T. A. Dinh, R. Liu, M. Zhang, G. Chen, B. C. Ooi, and J. Wang,
“Untangling blockchain: A data processing view of blockchain sys-
tems,” IEEE Trans. Knowl. Data Eng., vol. 30, no. 7, pp. 1366–1385,
Jul. 2018.
[22] F. Loi, A. Sivanathan, H. Habibi Gharakheili, A. Radford, and V.
Sivaraman, “Systematically evaluating security and privacy for consumer
IoT devices,” in Proc. Workshop Internet Things Secur. Privacy, 2018,
pp. 1–6.
[23] A. K. Simpson, F. Roesner, and T. Kohno, “Securing vulnerable home
IoT devices with an in-hub security manager,” in Proc. IEEE Int. Conf.
Pervasive Comput. Commun. Workshops, 2017, pp. 551–556.
[24] S. Nandan Mohanty et al., “An efficient lightweight integrated blockchain
(ELIB) model for IoT security and privacy,” Future Gener. Comput. Syst.,
vol. 102, pp. 1027–1037, 2020.
[25] K. Ali and S. Askar, “Security issues and vulnerability of IoT devices,”
Int. J. Sci. Bus., vol. 5, no. 3, pp. 101–115, 2021.
[26] F. Meneghello, M. Calore, D. Zucchetto, M. Polese, and A. Zanella,
“Iot: Internet of threats? A survey of practical security vulnerabilities in
real IoT devices,” IEEE Internet Things, vol. 6, no. 5, pp. 8182–8201,
Oct. 2019.
[27] J. Wurm and Y. Jin, “Security analysis on consumer and industrial IoT
devices,” in Proc. Asia and South Pacific Des. Autom. Conf., 2016,
pp. 519–524.
Authorized licensed use limited to: Sri Sai Ram Engineering College. Downloaded on March 24,2023 at 10:31:19 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON ENGINEERING MANAGEMENT
[28] M. Daniel and O. Benedict, “Blockchain mechanisms for IoT security,”
Internet Things, vol. 1/2, pp. 1–13, 2018.
[29] J. C. Davis and D. Brittany, “Vulnerability studies and security postures
of IoT devices: A smart home case study,” IEEE Internet Things, vol. 7,
no. 10, pp. 10102–10110, Oct. 2020.
[30] “Iot trend watch—IHS markit,” (2018). Accessed Nov. 1, 2021. [Online].
Available: https://cdn.ihs.com/www/pdf/iot-trend-watch-ebook.pdf
[31] P. Cui and U. Guin, “Countering botnet of things using blockchain-
based authenticity framework,” in Proc. IEEE Comput. Soc. Annu. Symp.
VLSI, 2019, pp. 598–603.
[32] S. Hameed and H. A. Khan, “SDN based collaborative scheme for miti-
gation of DDoS attacks,” Future Internet, vol. 10, no. 3, 2018, Art. no. 23.
[33] G. Liu, W. Quan, N. Cheng, H. Zhang, and S. Yu, “Efficient DDoS attacks
mitigation for stateful forwarding in Internet of Things,” J. Netw. Comput.
Appl., vol. 130, pp. 1–13, 2019.
[34] M. E. Ahmed and H. Kim, “DDoS attack mitigation in Internet of Things
using software defined networking,” in Proc. IEEE Int. Conf. Big Data
Comput. Service Appl., 2017, pp. 271–276.
[35] V. VM, “ProSD-edgeIoT: Protected cluster assisted SDWSN for tetrad
edge-IoT by collaborative DDoS detection and mitigation,” Cyber-
Physical Syst., vol. 1, pp. 1–30, 2021.
[36] Y.-W. Chen, J.-P. Sheu, Y.-C. Kuo, and N. VanCuong, “Design and im-
plementation of IoT DDoS attacks detection system based on machine
learning,” in Proc. Eur. Conf. Netw. Commun., 2020, pp. 122–127.
[37] U. Bodkhe et al., “Blockchain for industry 4.0: A comprehensive review,”
IEEE Access, vol. 8, pp. 79764–79800, 2020.
[38] Q. Zhou, H. Huang, Z. Zheng, and J. Bian, “Solutions to scalability of
blockchain: A survey,” IEEE Access, vol. 8, pp. 16440–16455, 2020.
[39] M. A. Ferrag and L. Maglaras, “Deepcoin: A novel deep learning and
blockchain-based energy exchange framework for smart grids,” IEEE
Trans. Eng. Manage., vol. 67, no. 4, pp. 1285–1297, Nov. 2019.
[40] A. B. Qaisar Shafi, “DDos botnet prevention using blockchain in software
defined Internet of Things,” in Proc. Int. Bhurban Conf. Appl. Sci. Technol.,
2019, pp. 624–628.
[41] B. K. Mohanta, D. Jena, S. Ramasubbareddy, M. Daneshmand, and
A. H. Gandomi, “Addressing security and privacy issues of IoT us-
ing blockchain technology,” IEEE Internet Things J., vol. 8, no. 2,
pp. 881–888, Jan. 2021.
[42] A. Gaurav, B. B. Gupta, and P. K. Panigrahi, “A novel approach for DDoS
attacks detection in COVID-19 scenario for small entrepreneurs,” Technol.
Forecasting Social Change, vol. 177, 2022, Art. no. 121554.
[43] S. Kautish, A. Reyana, and A. Vidyarthi, “SDMTA: Attack de-
tection and mitigation mechanism for DDoS vulnerabilities in hy-
brid cloud environment,” IEEE Trans. Ind. Inform., to be published.
doi: 10.1109/TII.2022.3146290.
[44] R. Doriguzzi-Corin, S. Millar, S. Scott-Hayward, J. Martinez-del Rincon,
and D. Siracusa, “Lucid: A practical, lightweight deep learning solution
for DDoS attack detection,” IEEE Trans. Netw. Service Manage., vol. 17,
no. 2, pp. 876–889, Jun. 2020.
[45] M. Essaid, D. Kim, S. H. Maeng, S. Park, and H. T. Ju, “A collaborative
DDoS mitigation solution based on ethereum smart contract and RNN-
LSTM,” in Proc. Asia-Pacific Netw. Operations Manage. Symp., 2019,
pp. 1–6.
[46] B. Rodrigues, T. Bocek, A. Lareida, D. Hausheer, S. Rafati, and B. Stiller,
“A blockchain-based architecture for collaborative DDoS mitigation with
smart contracts,” in Proc. IFIP Int. Conf. Auton. Infrastruct., Manage.
Secur., 2017, pp. 16–29.
[47] S. Tanwar, K. Parekh, and R. Evans, “Blockchain-based electronic health-
care record system for healthcare 4.0 applications,” J. Inf. Secur. Appl.,
vol. 50, 2020, Art. no. 102407.