
"CYBERFORENSICS FOR IOT DEVICES:

DEMYSTIFYING DDOS ATTACKS WITH EXPLAINABLE AI"

Submitted in partial fulfillment of the requirements for the degree of

INTEGRATED MTECH
in
SOFTWARE ENGINEERING

By
UPPALURU VINITHA REDDY
20MIS0388

Under the guidance of


Prof. MOHAN RAJ G
School of Computer Science Engineering and Information Systems
VIT, Vellore

Review 2

October, 2024
1. LITERATURE REVIEW

Columns of the review table: Title, Methodology, Advantages, Limitations.

1. Analysis of IoT Security Challenges and Its Solutions Using Artificial Intelligence
Methodology: Machine learning (ML) and deep learning (DL) models; techniques like classification, regression, clustering.
Advantages:
● Offer real-time threat detection and improved accuracy in identifying potential risks.
● They automate responses, reducing the need for human intervention.
Limitations:
● Complex to develop, requiring substantial expertise and computing resources.
● They rely heavily on large datasets, which may not always be available.

2. Explainable AI-Based DDoS Attack Identification Method for IoT Networks
Methodology: XAI combined with autoencoders for DDoS attack detection in IoT networks.
Advantages:
● Accurately identifies DDoS attacks by focusing on the most influential features, ensuring high detection accuracy.
● XAI provides clear explanations for each detected anomaly.
Limitations:
● Implementing the methodology requires expertise in AI, anomaly detection, and feature extraction, making it complex for non-experts.

3. Taxonomy of DDoS attacks and their defense mechanisms in IoT
Methodology: The methodology involves classifying DDoS attacks based on attack rate and IoT layers.
Advantages:
● DDoS defense mechanisms can identify attack patterns early, preventing large-scale disruptions.
● They offer protection across different IoT layers.
Limitations:
● They require significant computational power and bandwidth, which many IoT devices lack.
● Deploying DDoS defense mechanisms at scale can be expensive.

4. Demystifying machine learning models of massive IoT attack detection with Explainable AI for sustainable and secure future smart cities
Methodology: Application of XAI techniques for understanding IoT attack behaviors.
Advantages:
● Development of an autonomous detection system for IoT attacks in smart cities.
● Utilization of Explainable Artificial Intelligence (XAI) for interpreting and visualizing attack behavior.
Limitations:
● Potential limitations in generalizing results to all smart city scenarios.
● Oversampling techniques may introduce noise or affect model performance.

5. Explainable AI for Human-Centric Ethical IoT Systems
Methodology: Proposes a high-level, human-inclusive Explainable AI (XAI) framework for IoT systems to address ethical concerns like privacy, security, and transparency.
Advantages:
● XAI enhances trust by providing human-understandable explanations.
● By explaining AI decisions, users (developers, end users, regulators) can better understand the rationale behind AI-driven actions, leading to more informed decisions.
Limitations:
● Integrating XAI into existing IoT systems requires sophisticated algorithms and design, making it harder to develop and maintain such systems.

6. Detection and mitigation of IoT-based attacks using SNMP and moving target defense techniques
Methodology: Application of SNMP, access control lists, and moving target defense techniques; detection and mitigation strategies for DDoS and false data injection attacks.
Advantages:
● Focus on security challenges and threats in cloud-assisted IoT environments.
● Utilizes techniques like SNMP, access control lists, and moving target defense.
Limitations:
● May not cover all potential attack vectors or emerging threats.
● Effectiveness of techniques may vary with different IoT and cloud configurations.

7. Critical analysis of DDoS—An emerging security threat over IoT networks
Methodology: Evaluation of techniques like botnet detection, signature-based detection, and anomaly-based methods.
Advantages:
● Comprehensive coverage of attack mechanisms, impacts, and existing countermeasures.
● Emphasis on protection at various IoT network levels.
Limitations:
● Potential limitations in addressing specific vulnerabilities or unique IoT device challenges.

8. Review of network forensic analysis optimization using deep learning against attacks on IoT devices
Methodology: Evaluation of components, methods, and performance parameters in existing literature.
Advantages:
● Detailed analysis of components, methods, and performance parameters.
● Identifies limitations and findings of current approaches.
Limitations:
● Focused on existing literature, which may limit the scope of newer techniques or technologies.

9. Semi-supervised learning based security to detect and mitigate intrusions in IoT network
Methodology: Use of classification and evaluation tables to organize and assess approaches.
Advantages:
● Provides a comprehensive review of deep learning based forensic techniques for IoT devices.
● Highlights the effectiveness of deep learning in network forensics.
Limitations:
● May not include the latest advancements or emerging techniques in deep learning and IoT forensics.

10. A comprehensive survey of attacks without physical access targeting hardware vulnerabilities in IoT/IIoT devices, and their detection mechanisms
Methodology: Review of various attack types on IoT/IIoT, analysis of hardware vulnerabilities and side effects, discussion of detection mechanisms and their effectiveness.
Advantages:
● Comprehensive survey of IoT and IIoT attacks.
● Emphasizes the need for robust security solutions; provides insights into existing detection mechanisms.
Limitations:
● Focuses on existing literature, may lack experimental validation, does not provide new detection mechanisms; future work needed on platform-specific side effects and impact.

2. GAP IDENTIFICATION

Gaps and limitations observed in the existing systems:
● Models struggle to handle emerging, unknown attack vectors.
● Scaling DDoS defenses is expensive for large IoT deployments.
● Integrating explainable AI (XAI) into IoT systems is complex and resource-intensive.
● Methods may not cover all potential or emerging IoT attacks.
● Security mechanisms may reduce IoT system performance or usability.

3. OBJECTIVE FRAMING

1. Developing a Framework for Predicting and Mitigating DDoS Attacks

● The primary objective is to create a comprehensive framework designed to predict
and mitigate DDoS attacks on IoT devices.
● This framework will be based on a detailed analysis of historical DDoS attacks to
identify patterns, root causes, and vulnerabilities specific to IoT ecosystems.

2. Identifying Causes and Vulnerabilities in IoT Systems

● A critical part of the research is identifying the vulnerabilities within IoT devices
and networks that make them prone to DDoS attacks.
● This knowledge will drive the development of more effective strategies for
detecting and preventing such attacks.

3. Developing an Explainable AI (XAI) Model

● The study will develop an Explainable AI (XAI) model that can explain the
reasoning behind the detection of potential DDoS attacks.
● The XAI model will focus on making complex AI-driven security decisions clear
and interpretable, helping both technical and non-technical users understand why a
certain attack or anomaly has been flagged.

4. Enhancing User Awareness and Education

● The research aims to increase user awareness of IoT security risks, with a focus on
understanding DDoS threats and defensive actions.
● Through enhanced education, users will be empowered to make informed decisions
and take proactive measures when potential attacks are detected.

5. Improving Accessibility to Cyber Forensics

● A key objective is to improve the accessibility of cyber forensics tools, particularly
for non-technical users.
● The goal is to simplify the forensic processes and present clear, understandable
reports on detected threats, enabling users to act swiftly and effectively.

6. Facilitating Collaboration Between Technical and Non-Technical Stakeholders

● The project aims to bridge the gap between technical and non-technical stakeholders
by developing security solutions that are both technically robust and easy to use.
● This collaboration ensures that the solutions can be implemented effectively across
various IoT environments.

7. Promoting Proactive Security Measures

● By integrating predictive models, XAI explanations, user education, and accessible
forensic tools, the research promotes proactive security measures.
● These efforts will contribute to a more resilient and secure IoT infrastructure that
can better withstand future DDoS attacks.

4. PROJECT PLAN

Phase 1: Planning and Research (2 weeks)

Start Date: 15 July 2024
End Date: 28 July 2024
Goal: Understand the problem domain, gather requirements, and conduct
preliminary research on DDoS attack detection, IoT vulnerabilities, and Explainable
AI (XAI) technologies to present clear information to non-experts.

Tasks:
Literature Review:
● Research existing DDoS detection methods and machine learning (ML)
techniques used in IoT systems.
● Review academic papers on Explainable AI (XAI) for making complex ML
models interpretable to non-expert users.

Requirement Analysis:
● Define key functional requirements such as real-time DDoS detection and
explainable insights for non-expert users.
● Define non-functional requirements like scalability, accuracy, and ease of use.

Define Project Scope:
● Finalize the scope of the project (real-time DDoS detection and interpretation
using ML models and XAI) and identify technologies to be used (Python,
TensorFlow).

Resource Planning:
● Identify necessary hardware (GPUs) and ML frameworks (TensorFlow,
PyTorch) to be used in the project.

Deliverables:
Project Scope Document.
Requirement Specification Report.
List of hardware/software tools required.

Phase 2: Data Collection & Preprocessing (3 weeks)

Start Date: 29 July 2024
End Date: 18 August 2024
Goal: Gather DDoS attack data and preprocess it for training machine learning
models.

Tasks:
Data Collection:
● Curate a dataset of DDoS attack patterns targeting IoT devices.

Data Cleaning:
● Remove inconsistencies and standardize the dataset for effective training.

Feature Extraction:
● Extract key features (e.g., traffic anomalies, patterns) for use in ML models.

Deliverables:
Cleaned and preprocessed dataset.
Feature extraction report.

Phase 3: Model Development (4 weeks)

Start Date: 19 August 2024
End Date: 16 September 2024
Goal: Develop and train machine learning models to detect DDoS attacks, with
Explainable AI providing clear explanations.

Tasks:
Model Selection:
● Choose ML models suitable for DDoS detection (e.g., decision trees, neural
networks).

Model Training:
● Train the selected ML models on the preprocessed dataset to accurately
detect DDoS attacks.

Explainability Integration:
● Use Explainable AI techniques to provide clear, understandable insights
about the model’s decision-making process.

Deliverables:
Trained ML models with XAI capabilities.
Model performance report.

Phase 4: System Design & Integration (4 weeks)

Start Date: 17 September 2024
End Date: 14 October 2024
Goal: Design the system architecture, integrating ML models and XAI with a
user-friendly interface.

Tasks:
System Architecture Design:
● Design the overall architecture for data input, model execution, and output
interpretation.

Front-End Interface Development:
● Develop a user-friendly interface for non-experts to view DDoS attack alerts
and explanations.

Deliverables:
Fully integrated system with DDoS detection and XAI explanations.
User-friendly interface.

Phase 5: Testing & Evaluation (3 weeks)

Start Date: 15 October 2024
End Date: 31 October 2024
Goal: Test the system for performance, accuracy, and clarity of explanations
provided by the XAI.

Tasks:
Performance Testing:
Evaluate the model’s accuracy and real-time performance.

Explainability Evaluation:
Test the effectiveness of XAI in explaining attack details to non-expert users.

Deliverables:
Testing report with performance metrics and feedback.

Phase 6: Documentation & Final Presentation (2 weeks)

Start Date: 1 November 2024
End Date: 15 November 2024
Goal: Complete documentation and prepare a presentation for project evaluation.

Tasks:
Project Documentation:
Provide detailed documentation, including technical reports and user manuals.

Final Presentation Preparation:
Summarize the project and demonstrate the system’s DDoS detection and XAI
explanation capabilities.

5. DESIGN/METHODOLOGY

5.1. DETAILED DESIGN

1. IoT Devices

The system begins by monitoring IoT devices, which are increasingly targeted by
cybercriminals because of their connectivity and typically weak security. Once
compromised, these devices are used to launch DDoS attacks, which overwhelm a
network or service with excessive traffic, rendering it inoperable.

2. Data Collection

The data generated by IoT devices is collected for further analysis. This includes network
traffic data, device logs, and any anomalies in communication patterns. Collecting this
data is essential to detecting abnormal traffic spikes, a common indicator of a DDoS
attack.

3. Data Preprocessing

The collected data is then preprocessed to remove noise and irrelevant information.
Preprocessing involves cleaning, normalizing, and formatting the data, ensuring that the
machine learning model can accurately analyze the incoming traffic for signs of a DDoS
attack.

4. Model Building

Machine learning models are developed to detect DDoS attack patterns within the IoT
device data. These models are trained using datasets that contain examples of both
normal traffic and DDoS attack scenarios. The models learn to identify abnormal traffic
volumes or unusual request patterns typical of a DDoS attack.

5. Attack Classification Result

After the data is processed through the model, the system classifies it to determine if a
DDoS attack is occurring. The classification result will indicate whether the incoming
traffic is normal or if it aligns with patterns typically associated with a DDoS attack, such
as a sudden surge in traffic volume targeting a specific service or device.

6. Explainable AI (XAI)

To enhance transparency, Explainable AI (XAI) techniques are applied to the
classification results. XAI provides human-readable insights into how the model detected
the DDoS attack. It explains the features and patterns the model considered—such as
traffic spikes, the number of requests, or the behavior of connected devices—that led to
the identification of a DDoS attack.

7. Attack Analysis

With the help of XAI, a detailed analysis of the detected DDoS attack is conducted. The
system examines how the attack occurred, including the volume of traffic involved,
which IoT devices were compromised, and how the attack overwhelmed the target
system. This in-depth analysis helps security teams understand the attack’s impact and
formulate countermeasures.

8. Data Repository

All classified DDoS attacks, along with their analysis and explanations, are stored in a
data repository. This repository allows for historical tracking of DDoS incidents, enabling
the system to refine its detection methods over time and providing security teams with
data for post-incident analysis.

9. Explanation Generation

This stage translates the technical explanation of the DDoS attack into a format that can
be easily understood by non-technical stakeholders. The system provides a clear and
concise explanation of the DDoS attack, including why it was classified as such, the
impact on the IoT devices, and potential mitigation strategies.

10. User Interface (UI)

The results and explanations are presented via a user interface, offering users a detailed
view of the detected DDoS attack. The UI allows for quick understanding of the attack’s
nature, severity, and suggested responses, ensuring that users can take appropriate action
to defend their systems from ongoing or future DDoS threats.
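To make stages 2 through 10 concrete, here is an added example written for this review; it is not the project's own code and not taken from any of the reviewed papers. Constructed one-second traffic windows stand in for the collected IoT data, standardization is the preprocessing step, a logistic-regression classifier fitted by gradient descent in plain Python is the model, and every verdict is explained through per-feature contributions (weight times standardized value, the attribution a linear model gives for free) before being rendered as a single sentence for non-technical users. The feature names, the window values, the random seed and the 0.5 decision threshold are all assumptions made for illustration.

```python
"""Toy end-to-end DDoS detection pipeline with explanations.
Added example for illustration; not the project's code. Every traffic window,
feature name and threshold below is a constructed assumption."""
import math
import random

# Features extracted from each one-second traffic window (assumed names).
FEATURES = ["packets_per_sec", "unique_sources", "syn_ratio", "mean_payload_bytes"]


def make_windows(seed=7):
    """Data collection stand-in: constructed benign telemetry and SYN-flood windows."""
    rng = random.Random(seed)
    data = []
    for _ in range(40):  # benign: low rate, few peers, few SYNs, normal payloads
        data.append(([rng.uniform(20, 80), rng.uniform(1, 5),
                      rng.uniform(0.02, 0.15), rng.uniform(300, 600)], 0))
    for _ in range(40):  # flood: high rate, many spoofed sources, SYN-heavy, tiny payloads
        data.append(([rng.uniform(3000, 9000), rng.uniform(150, 900),
                      rng.uniform(0.7, 0.98), rng.uniform(0, 60)], 1))
    rng.shuffle(data)
    return data


def fit_scaler(rows):
    """Preprocessing: per-feature mean and standard deviation for standardization."""
    n = len(rows)
    means = [sum(r[i] for r in rows) / n for i in range(len(FEATURES))]
    stds = [math.sqrt(sum((r[i] - means[i]) ** 2 for r in rows) / n) or 1.0
            for i in range(len(FEATURES))]
    return means, stds


def scale(x, means, stds):
    """Standardizes one raw window so that all features are on a comparable scale."""
    return [(x[i] - means[i]) / stds[i] for i in range(len(x))]


def train_logreg(xs, ys, epochs=300, lr=0.1):
    """Model building: logistic regression fitted by batch gradient descent."""
    w, b = [0.0] * len(FEATURES), 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for x, y in zip(xs, ys):
            p = 1 / (1 + math.exp(-(sum(wi * xi for wi, xi in zip(w, x)) + b)))
            for i in range(len(w)):
                gw[i] += (p - y) * x[i]
            gb += p - y
        w = [wi - lr * gi / len(xs) for wi, gi in zip(w, gw)]
        b -= lr * gb / len(xs)
    return w, b


def explain(model, scaled_x, threshold=0.5):
    """Classification plus the explanation a linear model gives for free:
    each feature's contribution (weight * standardized value) to the logit."""
    w, b = model
    logit = sum(wi * xi for wi, xi in zip(w, scaled_x)) + b
    prob = 1 / (1 + math.exp(-logit))
    contribs = sorted(((f, wi * xi) for f, wi, xi in zip(FEATURES, w, scaled_x)),
                      key=lambda kv: -abs(kv[1]))
    return int(prob >= threshold), prob, contribs


def narrative(label, prob, contribs):
    """Explanation generation: one plain-language sentence for non-technical users."""
    verdict = "DDoS attack" if label else "normal traffic"
    confidence = prob if label else 1 - prob
    factors = ", ".join(f"{f} ({'raised' if c > 0 else 'lowered'} suspicion)"
                        for f, c in contribs[:2])
    return f"Classified as {verdict} (confidence {confidence:.2f}); main factors: {factors}."


def build_pipeline(seed=7):
    """Runs collection -> preprocessing -> model building on the constructed data."""
    data = make_windows(seed)
    raw, ys = [d[0] for d in data], [d[1] for d in data]
    scaler = fit_scaler(raw)
    model = train_logreg([scale(x, *scaler) for x in raw], ys)
    return model, scaler


def classify_window(window, model, scaler):
    """Classifies one raw window and returns label, probability, contributions, text."""
    label, prob, contribs = explain(model, scale(window, *scaler))
    return label, prob, contribs, narrative(label, prob, contribs)


if __name__ == "__main__":
    model, scaler = build_pipeline()
    for window in ([45.0, 3.0, 0.08, 400.0], [7000.0, 600.0, 0.9, 20.0]):
        print(classify_window(window, model, scaler)[3])
```

The contribution list is what an analyst would inspect during attack analysis (stage 7), and the sentence from narrative() is the stage 9 output a user interface would display; in a real deployment the model would be the trained detector from Phase 3 and the windows would come from live collection rather than a constructed generator.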

6. IMPLEMENTATION RESULTS

SIMPLE ANALYSIS OF DATA
EXPLORATORY DATA ANALYSIS
MODEL BUILDING

1. DECISION TREE
ROC CURVE
CONFUSION MATRIX
PRECISION-RECALL CURVE

2. KNN WITH PCA APPLIED

3. LOGISTIC REGRESSION
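The artefacts named above for each model (confusion matrix, ROC curve, precision-recall curve) are all derived from the detector's per-window scores and the ground truth. The following is an added example, not the project's code or output: ten constructed score/label pairs stand in for a detector's results, and the functions compute the confusion matrix at a chosen threshold, precision and recall, the (FPR, TPR) points that draw a ROC curve, the (recall, precision) points that draw a PR curve, and the trapezoidal area under the ROC curve. The scores, labels and the 0.5 threshold are assumptions for illustration.

```python
"""Evaluation of a binary DDoS detector: confusion matrix, precision/recall,
and the points behind ROC and precision-recall curves.
Added example, not the project's own code; SCORES and LABELS are constructed."""

# Constructed: attack-probability scores from a detector and the ground truth
# for ten traffic windows (1 = DDoS window, 0 = normal window).
SCORES = [0.95, 0.90, 0.80, 0.65, 0.55, 0.45, 0.30, 0.20, 0.10, 0.05]
LABELS = [1,    1,    0,    1,    1,    0,    0,    1,    0,    0]


def confusion_matrix(scores, labels, threshold):
    """Counts (tp, fp, fn, tn) when 'attack' is predicted for score >= threshold."""
    tp = fp = fn = tn = 0
    for s, y in zip(scores, labels):
        predicted_attack = s >= threshold
        if predicted_attack and y:
            tp += 1
        elif predicted_attack:
            fp += 1
        elif y:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def precision_recall(tp, fp, fn):
    """Precision: share of alerts that were real attacks; recall: share of attacks caught."""
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def curve_points(scores, labels):
    """Sweeps the threshold over every distinct score (highest first) and returns
    the ROC points (fpr, tpr) and the PR points (recall, precision)."""
    roc, pr = [(0.0, 0.0)], []
    for t in sorted(set(scores), reverse=True):
        tp, fp, fn, tn = confusion_matrix(scores, labels, t)
        tpr = tp / (tp + fn) if tp + fn else 0.0
        fpr = fp / (fp + tn) if fp + tn else 0.0
        roc.append((fpr, tpr))
        precision, recall = precision_recall(tp, fp, fn)
        pr.append((recall, precision))
    return roc, pr


def auc(points):
    """Trapezoidal area under a curve given as (x, y) points with non-decreasing x."""
    area = 0.0
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2
    return area


if __name__ == "__main__":
    tp, fp, fn, tn = confusion_matrix(SCORES, LABELS, 0.5)
    print("confusion matrix at 0.5:", {"tp": tp, "fp": fp, "fn": fn, "tn": tn})
    print("precision, recall:", precision_recall(tp, fp, fn))
    roc, pr = curve_points(SCORES, LABELS)
    print("ROC points:", roc)
    print("PR points:", pr)
    print("ROC AUC:", round(auc(roc), 3))
```

For a DDoS detector the threshold is a tuning knob between missed floods (false negatives) and noisy alerts (false positives); the precision-recall points show that trade-off more honestly than ROC when attack windows are rare relative to normal traffic.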
