Mitigating DDoS Attacks using Smart Detection Techniques
Abstract
There has, of late, been an increase in the frequency and severity of distributed denial-of-service
(DDoS) attacks and their negative impacts on the availability of the Internet and Cloud services
they target. This activity inevitably leads to a corresponding increase in the time and money that
service providers have to commit to fending off these attacks. The hazard it poses in relation to the
provision of services via the Internet is now acute. An attack of this kind consumes much or all of the
resources of the targeted service delivery platform and saturates its bandwidth, so that nothing remains
for the necessary and useful tasks of that platform. These attacks mimic legitimate traffic, and their
malicious effects are difficult to detect until it is too late. Thus, the process of attack detection
requires sophisticated methodology and algorithms.
Machine Learning (ML) can provide a resolution to this issue. In this research we use three
different algorithms: Random Forest, Naïve Bayes, and K-Nearest Neighbours; each of these is
set the task of providing a suitable model for attack detection. A pre-collected, well-known dataset
containing both normal and suspicious traffic is used with these different classification algorithms
with a view to producing the best prediction model for selection. To ensure that we select the best
prediction model we perform a validation of each by applying it to a test dataset. The results are
then analysed via a confusion matrix which is used to determine which algorithm obtains the
maximum prediction probability and the minimum false alarm rate. The Random Forest classifier was
found to produce the best prediction model, with a 97 % accuracy rate. Thus it was found that a
prediction model generated from a Random Forest classifier is well able to detect attack traffic,
obtain the necessary information about any attacking botnets, and forward (via a notification) this
information to the local firewall so that it can block suspicious traffic and so stop the distributed
denial of service attack.
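The validation step the abstract describes, a classifier trained on labelled traffic, applied to a held-out test set and scored through a confusion matrix, is illustrated below with an added example that is not the paper's code. It uses a small k-nearest-neighbours model (one of the three algorithms the abstract names) on constructed per-window flow features; the feature values, the feature set itself, and the labels are assumptions for illustration and are not taken from the dataset the paper used. One deliberately borderline "flash crowd" window in the test set is legitimate but looks attack-like, so the example also shows how a false alarm surfaces in the matrix and in the false-alarm rate.

```python
"""Added illustration (not the paper's code): train a small k-nearest-neighbours
detector on per-window traffic features, validate it on held-out windows and
summarise the outcome as a confusion matrix, accuracy, detection rate and
false-alarm rate. Every feature value below is constructed for this example."""
import math
from collections import Counter

# One feature vector per traffic window (constructed, not from any real dataset):
# (packets per second, mean bytes per packet, fraction of SYN packets,
#  distinct source addresses). Label 1 = attack traffic, 0 = normal traffic.
TRAIN = [
    ((120, 850, 0.05, 3), 0), ((95, 920, 0.04, 2), 0), ((140, 780, 0.06, 4), 0),
    ((80, 1100, 0.03, 2), 0), ((200, 600, 0.10, 6), 0),
    ((9000, 64, 0.95, 480), 1), ((12000, 60, 0.97, 700), 1),
    ((7500, 70, 0.92, 350), 1), ((15000, 58, 0.99, 900), 1),
    ((6000, 90, 0.88, 250), 1),
]
TEST = [
    ((110, 900, 0.05, 3), 0), ((150, 700, 0.07, 5), 0),
    ((10000, 62, 0.96, 600), 1), ((8000, 66, 0.93, 400), 1),
    ((300, 500, 0.15, 8), 0),        # busy but legitimate window
    ((5000, 100, 0.85, 200), 1),
    ((5000, 250, 0.60, 200), 0),     # constructed flash crowd: legitimate, looks attack-like
]


def fit_scaler(rows):
    """Per-feature minimum and range from the training rows, for min-max scaling.
    Scaling matters: raw packets/second would otherwise dominate the distance."""
    cols = list(zip(*[x for x, _ in rows]))
    lo = [min(c) for c in cols]
    rng = [(max(c) - l) or 1.0 for c, l in zip(cols, lo)]  # guard constant features
    return lo, rng


def scale(x, lo, rng):
    return [(v - l) / r for v, l, r in zip(x, lo, rng)]


def knn_predict(train_scaled, x_scaled, k=3):
    """Majority vote among the k closest training windows (Euclidean distance)."""
    nearest = sorted((math.dist(x_scaled, tx), ty) for tx, ty in train_scaled)[:k]
    votes = Counter(label for _, label in nearest)
    return votes.most_common(1)[0][0]


def confusion_matrix(train_raw, test_raw, k=3):
    """Fit the scaler on training data only, then score every test window."""
    lo, rng = fit_scaler(train_raw)
    train_scaled = [(scale(x, lo, rng), y) for x, y in train_raw]
    cm = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for x, y in test_raw:
        pred = knn_predict(train_scaled, scale(x, lo, rng), k)
        if y == 1:
            cm["TP" if pred == 1 else "FN"] += 1
        else:
            cm["FP" if pred == 1 else "TN"] += 1
    return cm


def _ratio(num, den):
    return num / den if den else 0.0


def metrics(cm):
    """Accuracy, detection rate (recall on attacks) and false-alarm rate
    (share of normal windows wrongly flagged), all read off the confusion matrix."""
    return {
        "accuracy": _ratio(cm["TP"] + cm["TN"], sum(cm.values())),
        "detection_rate": _ratio(cm["TP"], cm["TP"] + cm["FN"]),
        "false_alarm_rate": _ratio(cm["FP"], cm["FP"] + cm["TN"]),
    }


if __name__ == "__main__":
    cm = confusion_matrix(TRAIN, TEST)
    print(cm)           # {'TP': 3, 'TN': 3, 'FP': 1, 'FN': 0}
    print(metrics(cm))  # accuracy 6/7, detection_rate 1.0, false_alarm_rate 0.25
```

The false alarm comes entirely from the flash-crowd window: its packet rate and SYN ratio sit closer to the attack windows than to the quiet normal ones, so all three nearest neighbours vote "attack". This is exactly why the abstract weighs the false-alarm rate alongside accuracy when choosing a model: a detector that forwards every such window to the firewall would block legitimate surges, and a comparison across Random Forest, Naïve Bayes and k-NN has to look at that column of the matrix, not only at the diagonal.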