DDoS Attack Simulation and Machine Learning-Based Detection Approach in Internet of Things Experimental Environment


Hongsong Chen, Caixia Meng, Jingjiu Chen
Copyright: © 2021 | Pages: 18
DOI: 10.4018/IJISP.2021070101


Aiming at the problem of DDoS attack detection in the internet of things (IoT) environment, statistical and machine-learning algorithms are proposed to model and analyze the network traffic of DDoS attacks. A Docker-based virtualization platform is designed and configured to collect IoT network traffic data. Packet-level, flow-level, and second-level network traffic datasets are then generated, and the features in each traffic dataset are ranked by importance. Using the scikit-learn and TensorFlow machine-learning frameworks, different machine-learning algorithms are studied and compared. In packet-level DDoS attack detection, the KNN algorithm achieves the best results, with an accuracy of 92.8%. In flow-level DDoS attack detection, the voting algorithm achieves the best results, with an accuracy of 99.8%. In second-level DDoS attack detection, the RNN algorithm achieves the best results, with an accuracy of 97.1%. The DDoS attack detection method combining statistical analysis and machine learning can effectively detect large-scale DDoS attacks in the internet of things simulation experimental environment.
Article Preview

1. Introduction

A Denial of Service (DoS) attack is an attack in which an attacker consumes a target server's resources to prevent it from providing services. The server can blacklist the attacker's address for protection. However, Distributed Denial of Service (DDoS) attacks use tens of thousands or even millions of devices to carry out DoS attacks at the same time, making them difficult to defend against effectively. The attacker uses a botnet to infect and control massive numbers of smart devices and sends malicious commands to them through a Command and Control (CnC) server; the network composed of these compromised smart devices is called a botnet. With the rapid development of Internet of Things (IoT) technology in recent years, the large number of IoT smart devices has made the threat of DDoS attacks more serious, and DDoS attackers are using IoT botnets to cause more serious social damage (Hilton, 2016).

The most representative IoT botnet is the Mirai botnet. Because IoT devices have limited processing resources, a single controlled terminal of the Mirai botnet does not generate a large amount of traffic; it only sends a small number of packets to the target server. Therefore, it cannot be judged from a single device whether the traffic is normal or attack traffic. However, since the number of controlled terminals can be massive, the simultaneous transmission of a small number of packets from each of them to a certain target will still exhaust the target's resources, achieving the DDoS attack effect. In October 2016, attackers used the Mirai botnet to conduct a large-scale DDoS attack on Dyn, a US Internet Domain Name System (DNS) provider. With attack traffic of up to 1.2 Tbit/s, a large number of website domains, including Twitter, Facebook, Paypal, GitHub, and The Wall Street Journal, could not be resolved correctly, and massive numbers of users could not access these websites. The Mirai botnet consists of tens of thousands of IoT devices, including the smart cameras that are now everywhere.

The main reason why IoT devices are frequently attacked is that the core network underlying the IoT is the traditional Internet, yet the IoT structure is more complex than that of the traditional Internet. The perception layer of the IoT is composed of a large number of sensor nodes. Owing to their characteristics, these nodes have limited processing capacity, lack security functions, keep default factory settings unchanged by users, use weak authentication, and are difficult to update. As a result, they are vulnerable to attack and prone to chain reactions that cause serious social harm.

In practical applications, the security problem of the IoT is always a barrier to its development. How to effectively solve its security problems under the specific working modes and operating environments of the IoT is the focus of current IoT security research and a prerequisite for widespread use. Therefore, how to quickly identify intrusions in the IoT environment has become one of the urgent problems in the field of network security.

Based on the DDoS attack principle, we propose a DDoS attack traffic detection method based on machine learning. For the complex traffic of the IoT, feature selection and statistical analysis are carried out at three levels: the packet level, the flow level and the second level. Machine-learning frameworks such as the Scikit-learn Python library (Scikit Learn, 2017) and the TensorFlow deep-learning framework (TensorFlow, 2017) are used to model the traffic and evaluate the resulting model. Finally, the model is further optimized by adjusting its parameters and structure.
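As an added illustration (not the authors' code or dataset), the block below builds the three traffic views the paper names from a constructed packet list: flow-level aggregation on the 5-tuple, second-level aggregation into per-second vectors, and a minimal k-nearest-neighbours rule over those vectors. The packet records, the labelled training vectors and the chosen features (packets, distinct sources, mean packet size) are all constructed assumptions for the example; the paper's features and data came from its Docker testbed.

```python
"""Added example: packet-level -> flow-level / second-level features, plus a
minimal kNN classifier over per-second windows. All data here is constructed."""
from collections import defaultdict
import math

# Constructed packet-level records: (timestamp, src_ip, dst_ip, dst_port, proto, length)
PACKETS = [
    (0.1, "10.0.0.2", "10.0.0.9", 80, "TCP", 120), (0.4, "10.0.0.3", "10.0.0.9", 80, "TCP", 98),
    (0.7, "10.0.0.2", "10.0.0.9", 80, "TCP", 540),                       # second 0: normal
    (1.2, "10.0.0.3", "10.0.0.9", 443, "TCP", 200), (1.6, "10.0.0.2", "10.0.0.9", 80, "TCP", 300),
    # second 2: many distinct sources, one small packet each (the low-per-device flood pattern)
] + [(2.0 + i / 50, f"10.0.1.{i}", "10.0.0.9", 80, "TCP", 60) for i in range(40)]

def flow_features(packets):
    """Flow-level view: aggregate packets on (src, dst, dport, proto) -> (packet count, bytes)."""
    flows = defaultdict(lambda: [0, 0])
    for _ts, src, dst, dport, proto, length in packets:
        f = flows[(src, dst, dport, proto)]
        f[0] += 1
        f[1] += length
    return {k: tuple(v) for k, v in flows.items()}

def second_features(packets):
    """Second-level view: one-second window -> (packets, distinct sources, mean packet size)."""
    buckets = defaultdict(list)
    for ts, src, *_rest, length in packets:
        buckets[int(ts)].append((src, length))
    return {sec: (len(v), len({s for s, _ in v}), sum(l for _, l in v) / len(v))
            for sec, v in buckets.items()}

def knn_predict(train, x, k=3):
    """Minimal kNN: majority label among the k training vectors nearest to x (Euclidean)."""
    ranked = sorted((math.dist(vec, x), label) for vec, label in train)
    votes = [label for _, label in ranked[:k]]
    return max(set(votes), key=votes.count)

# Constructed labelled second-level training vectors: (packets, distinct sources, mean size)
TRAIN = [((3, 2, 250.0), "normal"), ((2, 2, 180.0), "normal"), ((4, 3, 400.0), "normal"),
         ((45, 40, 60.0), "ddos"), ((60, 55, 64.0), "ddos"), ((38, 36, 58.0), "ddos")]

def classify_seconds(packets, train=TRAIN):
    """Label every one-second window of `packets` with the kNN rule."""
    return {sec: knn_predict(train, vec) for sec, vec in second_features(packets).items()}

if __name__ == "__main__":
    print(classify_seconds(PACKETS))  # {0: 'normal', 1: 'normal', 2: 'ddos'}
```

The second-level view is what makes the flood visible: each bot's single 60-byte packet looks harmless at the flow level, while the per-second window shows 40 distinct sources with a tiny mean packet size.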

From the analysis above, DDoS attacks are a serious threat to the IoT and its applications. How to simulate and detect DDoS attack traffic in the IoT is a challenge for current network security research.

The structure of this article is as follows: Section 1 introduces the research background and significance, Section 2 introduces related work, Section 3 introduces the construction of the traffic generation platform and the collection of traffic, and Section 4 introduces the modeling process of abnormal traffic detection using machine-learning algorithms. Section 5 presents the experimental results and analysis, and Section 6 draws conclusions and discusses future work.
