Distributed Denial of Service Attack Detection Algorithm Based on Two-Channel Feature Fusion

doi:10.3969/j.issn.1671-1122.2023.07.009

Abstract

Abstract:

With the rapid development of the Internet of things, the number of devices accessing the network is increasing rapidly, so the distributed denial of service (DDoS) attacks often have the characteristics of various attack methods and rapid changes. To deal with mixed and variable DDoS attacks with large traffic, the existing detection methods based on statistical analysis rely too much on artificially setting thresholds, while the anomaly detection methods based on machine learning have the problems of high false positive rate and high false negative rate. Therefore, this paper proposed a two-channel feature fusion detection model based on convolutional neural network (CNN) and attention mechanism, which was DCFD-CA. The model inputted the statistical feature samples into the local feature extraction channel based on CNN and the global feature extraction channel based on the attention mechanism respectively, and used the difference of the two model structures to achieve different effects. The former could abstract the relationship between local feature values, and the latter could assign more weight to important features. In order to fuse the functions of the two models, the abstract features output by each channel were normalized, and then the feature data of two different channels was fused by stacking, and finally the three-layer neural network was used for detection and classification. Conducting experiments on the public datasets CICIDS2017-DDoS, CICIDS2018-DDoS and CICDDoS2019, the F1 scores of the DCFD-CA model are 0.9863, 0.9996 and 0.9998 respectively, which are better than SAE-MLP, composite DNN models.

Key words: DDoS attack, attention mechanism, convolutional neural network, anomaly detection, deep learning

CLC Number:

TP309

JIANG Yingzhao, CHEN Lei, YAN Qiao. Distributed Denial of Service Attack Detection Algorithm Based on Two-Channel Feature Fusion[J]. Netinfo Security, 2023, 23(7): 86-97.

Figures/Tables 14

References 27

[1]	YOACHIMIK O. Mitigating a 754 Million PPS DDoS Attack Automatically[EB/OL]. (2020-07-09) [2022-05-16]. https://blog.cloudflare.com/mitigating-a-754-million-pps-ddos-attack-automatically.
[2]	VIJ A, PASHA S. Azure DDoS Protection-2021 Q3 and Q4 DDoS Attack Trends[EB/OL]. (2022-01-25) [2022-05-16]. https://azure.microsoft.com/zh-cn/blog/azure-ddos-protection-2021-q3-and-q4-ddos-attack-trends.
[3]	Tencent Cloud T-Sec DDoS Protection Team, Green Alliance Technology Threat Intelligence Team. 2021 Global DDoS Threat Report[EB/OL]. (2022-01-26) [2022-05-16]. https://cloud.tencent.com/developer/article/1936949.
	腾讯云T-Sec DDoS防护团队, 绿盟科技威胁情报团队. 2021年全球DDoS威胁报告[EB/OL]. (2022-01-26) [2022-05-16]. https://cloud.tencent.com/developer/article/1936949.
[4]	Wangsu Science&Technology. China Internet Security Report for the First Half of 2021[EB/OL]. (2021-11-23) [2022-05-16]. https://www.vzkoo.com/document/992eef6bb162171fd39d55876bf3f19b.html.
	网宿科技. 2021年上半年中国互联网安全报告[EB/OL]. (2021-11-23) [2022-05-16]. https://www.vzkoo.com/document/992eef6bb162171fd39d55876bf3f19b.html.
[5]	LIU Ying, ZHI Ting, SHEN Ming, et al. Software-Defined DDoS Detection with Information Entropy Analysis and Optimized Deep Learning[J]. Future Generation Computer Systems, 2022(129): 99-114.
[6]	LIU Zhen, HU Changzhen, SHAN Chun. Riemannian Manifold on Stream Data: Fourier Transform and Entropy-Based DDoS Attacks Detection Method[J]. Computers & Security, 2021(109): 102392-102407.
[7]	KOAY A, CHEN A, WELCH I, et al. A New Multi Classifier System Using Entropy-Based Features in DDoS Attack Detection[C]// IEEE. 2018 International Conference on Information Networking (ICOIN). New York: IEEE, 2018: 162-167.
[8]	IDHAMMAD M, AFDEL K, BELOUCH M. Detection System of HTTP DDoS Attacks in a Cloud Environment Based on Information Theoretic Entropy and Random Forest[J]. Security and Communication Networks, 2018(2): 1-13.
[9]	YE Jin, CHENG Xiangyang, ZHU Jian, et al. A DDoS Attack Detection Method Based on SVM in Software Defined Network[EB/OL]. (2018-01-01) [2022-05-16]. https://dl.acm.org/doi/10.1155/2018/9804061.
[10]	TUAN N N, HUNG P H, NGHIA N D, et al. A DDoS Attack Mitigation Scheme in ISP Networks Using Machine Learning Based on SDN[J]. Electronics, 2020, 9(3): 413-432. doi: 10.3390/electronics9030413 URL
[11]	DE-MIRANDA V R, INÁCIO P R M, MAGONI D, et al. Detection of Reduction-of-Quality DDoS Attacks Using Fuzzy Logic and Machine Learning Algorithms[J]. Computer Networks, 2021(186): 107792-107811.
[12]	MIN Erxue, CHEN Wei, LONG Jun, et al. TR-IDS: Anomaly-Based Intrusion Detection Through Text-Convolutional Neural Network and Random Forest[EB/OL]. (2018-12-16) [2023-01-13]. https://dl.acm.org/doi/10.1155/2018/4943509.
[13]	CHOLLET F. Xception: Deep Learning with Depthwise Separable Convolutions[C]// IEEE. 2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR). New York: IEEE, 2017: 1251-1258.
[14]	GIRSHICK R. Fast R-CNN[C]// IEEE. Proceedings of the IEEE International Conference on Computer Vision. New York: IEEE, 2015: 1440-1448.
[15]	REN A, LI Zhe, DING Caiwen, et al. SC-DCNN: Highly-Scalable Deep Convolutional Neural Network Using Stochastic Computing[J]. ACM SIGPLAN Notices, 2017, 52(4): 405-418. doi: 10.1145/3093336.3037746 URL
[16]	SHAHRIAR M H, HAQUE N I, RAHMAN M A, et al. G-IDS: Generative Adversarial Networks Assisted Intrusion Detection System[C]// IEEE. 2020 IEEE 44th Annual Computers, Software, and Applications Conference (COMPSAC). New York: IEEE, 2020: 376-385.
[17]	AHUJA N, SINGAL G, MUKHOPADHYAY D. DLSDN: Deep Learning for DDoS Attack Detection in Software Defined Networking[C]// IEEE. 2021 11th International Conference on Cloud Computing, Data Science & Engineering (Confluence). New York: IEEE, 2021: 683-688.
[18]	YANG Kun, ZHANG Junjie, XU Yang, et al. DDoS Attacks Detection with Autoencoder[C]// IEEE. NOMS 2020-2020 IEEE/IFIP Network Operations and Management Symposium. New York: IEEE, 2020: 1-9.
[19]	SALAHUDDIN M A, BARI M F, ALAMEDDINE H A, et al. Time-Based Anomaly Detection Using Autoencoder[C]// IEEE. 2020 16th International Conference on Network and Service Management (CNSM). New York: IEEE, 2020: 1-9.
[20]	AMAIZU G C, NWAKANMA C I, BHARDWAJ S, et al. Composite and Efficient DDoS Attack Detection Framework for B5G Networks[J]. Computer Networks, 2021(188): 107871-107881.
[21]	MA Li, CHAI Ying, CUI Lei, et al. A Deep Learning-Based DDoS Detection Framework for Internet of Things[C]// IEEE. ICC 2020-2020 IEEE International Conference on Communications (ICC). New York: IEEE, 2020: 1-6.
[22]	DORIGUZZI-CORIN R, MILLAR S, SCOTT-HAYWARD S, et al. LUCID: A Practical, Lightweight Deep Learning Solution for DDoS Attack Detection[J]. IEEE Transactions on Network and Service Management, 2020, 17(2): 876-889. doi: 10.1109/TNSM.4275028 URL
[23]	LASHKARI A H, DRAPER-GIL G, MAMUN M S I, et al. Characterization of Tor Traffic Using Timebased Features[C]// SciTePress. Proceedings of the 3rd International Conference on Information Systems Security and Privacy. San Francisco: SciTePress, 2017: 253-262.
[24]	HE Kaiming, ZHANG Xiangyu, REN Shaoqing, et al. Deep Residual Learning for Image Recognition[C]// IEEE. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2016: 770-778.
[25]	VASWANI A, SHAZEER N, PARMAR N, et al. Attention Is All You Need[EB/OL]. (2017-06-12) [2023-01-17]. https://arxiv.org/abs/1706.03762.
[26]	SHARAFALDIN I, LASHKARI A H, GHORBANI A A. Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization[J]. ICISSP, 2018(1): 108-116.
[27]	SHARAFALDIN I, LASHKARI A H, HAKAK S, et al. Developing Realistic Distributed Denial of Service (DDoS) Attack Dataset and Taxonomy[C]// IEEE. 2019 International Carnahan Conference on Security Technology (ICCST). New York: IEEE, 2019: 1-8.

类别	训练集的数量/个	验证集的数量/个	测试集的数量/个
benign	1591168	454619	227310
DoS Hulk	161751	46215	23107
DDoS	89619	25605	12803
DoS GoldenEye	7205	2059	1029
DoS Slowloris	4057	1159	580
DoS Slowhttptest	3849	1100	550

类别	训练集的数量/个	验证集的数量/个	测试集的数量/个
benign	6423367	1835248	917624
DDoS attack-HOIC	480208	137202	68602
DDoS attacks-LOIC-HTTP	403334	115238	57619
DoS attacks-Hulk	323338	92382	46192
DoS attacks-SlowHTTPTest	97923	27978	13989
DoS attacks-GoldenEye	29056	8302	4150
DoS attacks-Slowloris	7693	2198	1099
DDoS attack-LOIC-UDP	1211	346	173

类别	训练集的数量/个	验证集的数量/个	测试集的数量/个
benign	159216	45490	22746
ntp	219545	62727	31364
dns	219545	62727	31364
ldap	219545	62727	31364
mssql	219545	62727	31364
netbios	219545	62727	31364
snmp	219545	62727	31364
ssdp	219545	62727	31364
udp	219545	62727	31364
udplag	219545	62727	31364
syn	219545	62727	31364
tftp	219545	62727	31364

模型	Accuracy	FPR	Precision	Recall
SAE-MLP^[17]	0.9388	0.0134	0.8910	0.6542
Composite DNN^[20]	0.9875	0.0030	0.9814	0.9306
ResNet	0.9829	0.0064	0.9602	0.9191
Attention	0.9483	0.0001	0.9994	0.6398
DCFD-CA	0.9961	0.0030	0.9822	0.9905

模型	Accuracy	FPR	Precision	Recall
SAE-MLP^[17]	0.9328	0.1489	0.9263	0.9755
Composite DNN^[20]	0.9720	0.0436	0.9930	0.9802
ResNet	0.9939	0.0154	0.9920	0.9987
Attention	0.9824	0.0415	0.9787	0.9948
DCFD-CA	0.9995	0.0010	0.9995	0.9998