Article Preview
Top1. Introduction
A Denial of Service (DoS) attack is an attack in which an attacker consumes a target server resource to prevent the target server from providing services. The server can blacklist the attacker's address for protection. However, Distributed Denial of Service(DDoS) attacks use tens of thousands or even millions of devices to implement DoS attacks at the same time, making it difficult to defend them effectively. The attacker utilizes the Botnet to infect and control the massive smart devices, and sends malicious commands through the Command and Control (CnC) server. The network composed of the massive smart devices is called a botnet. However, with the rapid development of the Internet of Things (IoT) technology in recent years, a large number of IoT smart devices have made the threat of DDoS attacks more serious. DDoS attackers are using IoT botnets to cause more serious social destruction(Hilton, 2016).
The most representative IoT botnet is the Mirai botnet. Since limited processing resources of IoT devices, only one controlled terminal of the Mirai botnet does not generate a large amount of traffic, it only sends a small number of packets to the attack target server. Therefore, it cannot be judged from a single device that the traffic is normal traffic or attack traffic. However, since the number of the controlled terminal can be massive, the simultaneous transmission of a small number of data packets to a certain target will also lead to the exhaustion of the target resources, then achieving the DDoS attack effect. In October 2016, the hacker used the Mirai botnet to conduct a large-scale DDoS attack on Dyn, a US Internet Domain Name System (DNS) provider. With attack traffic of up to 1.2 Tbit/s, resulting in a large number of website domains including Twitter, Facebook, Paypal, GitHub, and The Wall Street Journal unable to be resolved correctly, massive users can not access the website. The Mirai botnet consists of tens of thousands of IoT devices, including smart cameras that are everywhere.
The main reason why the IoT devices are frequently attacked is that its basic core network is a traditional Internet, but it is more complexity than the traditional Internet structure. The perception layer of the IoT is composed of a large number of sensor nodes. Due to their characteristics, these nodes have a limited processing capacity, lack of security functions, default factory Settings unchanged by users, weak authentication technology and difficulty in software update. As a result, it is vulnerable to attack and easy to cause a chain reaction, causing serious social harm.
In practical applications, the security problem of the IoT is always a barrier to its development. How to effectively solve its security problems under the specific working mode and operating environment of the IoT is the focus of the current IoT security research and prerequisites for widespread use. Therefore, how to quickly identify intrusions in the IoT environment has become one of the urgent problems in the field of network security.
According to the DDoS attack principle, we propose a DDoS attack traffic detection method based on machine-learning. For the complex traffic of the IoT, different levels of feature selection and statistical analysis are carried out at the packet-level, flow-level and second-level. The machine-learning framework such as Scikit-learn python library(Scikit Learn, 2017) and TensorFlow deep-learning framework(TensorFlow, 2017) are utilized to model the traffic and evaluate the effect of the obtained model. Finally, the model is further optimized by adjusting the parameter structure.
Analysis from above, DDoS attack is a serious threat to the IoT and the related application. How to simulate and detect the DDoS attack traffic in IoT is a challenge to current network security research.
The structure of this article is as follows: section 1 introduces the research background and significance, section 2 introduces related work, section 3 introduces the construction and collection of a traffic generation platform, and section 4 introduces the modeling process of abnormal flow detection using machine learning algorithms. section 5 shows the experimental results and analysis, and section 6 draws conclusions and discusses future work.