Detecting DDoS Attacks Using Polyscale Analysis and Deep Learning

Maryam Ghanbari, Witold Kinsner
DOI: 10.4018/IJCINI.2020010102

Abstract

Distributed denial-of-service (DDoS) attacks are serious threats to the availability of smart grid infrastructure services because they can cause massive blackouts. This study describes an anomaly detection method for improving the detection rate of a DDoS attack in a smart grid. This improvement was achieved by increasing the classification of the training and testing phases in a convolutional neural network (CNN). A full version of the variance fractal dimension trajectory (VFDTv2) was used to extract inherent features from the stochastic fractal input data. A discrete wavelet transform (DWT) was applied to the input data and the VFDTv2 to extract significant distinguishing features during data pre-processing. A support vector machine (SVM) was used for data post-processing. The implementation detected the DDoS attack with 87.35% accuracy.

Introduction

A smart grid is an innovative electricity delivery system that uses a bidirectional communication network to connect the power providers’ control systems and the consumers’ smart meters (Yan, Qian, Sharif, & Tipper, 2013), (Beigi Mohammadi, Mišić, Mišić, & Khazaei, 2014). The purposes of the smart grid are (i) to increase the availability and the reliability of electricity, (ii) to control the system in real time, (iii) to deliver power to users in a safe and secure infrastructure, (iv) to save energy, and (v) to reduce costs. However, hackers can attack the smart grid’s cyber layer, which consequently can affect its physical domain. These attacks can disrupt the smart grid’s benefits. A distributed denial-of-service (DDoS) attack is a common type of cyber-attack that delays or blocks communication in the smart grid, thus causing power outages (Asri & Pranggono, 2015). Cyberspace infections can have serious impacts on the real world. A smart grid infrastructure and the supervisory control and data acquisition (SCADA) systems used in power generation, water management, and oil pipelines are examples of physical systems that are disrupted by cyberspace infections (Nazir, Patel & Patel, 2017), (Asri & Pranggono, 2015). When the operation of physical devices is altered by the attack, the standard cybersecurity problem becomes a cyber-physical security problem. Since the impact of the alteration may also affect the society in a city, a region, or even a country, the problem escalates to a cyber-physical-social security problem. Such security systems should be treated using cognitive informatics and cognitive computing (Wang, 2002), (Kinsner, 2012).

Distinguishing the normal burst-data behaviors of a network from the abnormal burst-data behaviors caused by DDoS attacks is very challenging. Both classes of network traffic have similar intrinsic characteristics: they are stochastic time-series signals that are non-periodic, broadband, self-affine, and multi-fractal. Therefore, to differentiate the two classes of traffic, distinguishing features must be extracted. Furthermore, attack patterns are almost always changing, and new attack patterns and behaviors must be detected in the smart grid, which is itself a frequently changing environment. Therefore, a learning method that can detect new attack patterns and behaviors in frequently changing environments must be used (Beqiri, 2009). A deep learning algorithm is a good candidate to learn and classify normal behaviors from anomalous behaviors in such an environment (Goodfellow, Bengio & Courville, 2016).

This paper reports on the improvement of an anomaly detection method that was developed previously by Ghanbari, Kinsner, & Ferens (2017). The original detection method had two steps: (i) the pre-processing step that used a discrete wavelet transform (DWT) and (ii) the processing step that used a convolutional neural network (CNN). To improve the detection rate of the original method, in this study we added a full version of the variance fractal dimension trajectory (VFDTv2) to extract features from the non-pure fractal data that rely on long-range dependence, as proposed originally by Kinsner (2007, 2012, 2015). The VFDTv2 was adjusted to consider all points, including the boundary points of a dataset, not just the marginal points. Moreover, the variance equation of the data series was adjusted to consider all points. In addition, the pre-processing step was used to extract more distinguishing features. Also, we added a support vector machine (SVM) as a post-processing step.
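
As an added illustration (not the authors' code, and not their VFDTv2 variant, whose boundary-point and variance adjustments this preview does not specify), the following computes a standard variance fractal dimension trajectory: for each sliding window, the Hurst exponent H is half the slope of log Var[x(t+k) - x(t)] against log k, and D = 2 - H. The function names, window sizes, lag set and sample series are assumptions made for this example.

```python
import math
import random

def variance_fractal_dimension(window, lags=(1, 2, 4, 8)):
    """Estimate D = 2 - H for one window of a 1-D time series.

    H is half the least-squares slope of log Var[x(t+k) - x(t)] versus log k.
    Returns None when the window shows no variation to fit.
    """
    xs, ys = [], []
    for k in lags:
        if len(window) - k < 2:
            continue  # too few increments at this lag
        incs = [window[i + k] - window[i] for i in range(len(window) - k)]
        mean = sum(incs) / len(incs)
        var = sum((d - mean) ** 2 for d in incs) / (len(incs) - 1)
        if var > 0:
            xs.append(math.log(k))
            ys.append(math.log(var))
    if len(xs) < 2:
        return None
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    slope = (sum((x - mx) * (y - my) for x, y in zip(xs, ys))
             / sum((x - mx) ** 2 for x in xs))
    hurst = min(max(slope / 2.0, 0.0), 1.0)  # clamp estimator noise to [0, 1]
    return 2.0 - hurst

def vfd_trajectory(series, win=512, step=256):
    """Slide a window over the series; one dimension estimate per position."""
    return [variance_fractal_dimension(series[s:s + win])
            for s in range(0, len(series) - win + 1, step)]

def constructed_series(n=2048, seed=7):
    """Constructed sample, not real traffic: noise followed by a random walk."""
    rng = random.Random(seed)
    noise = [rng.gauss(0.0, 1.0) for _ in range(n)]  # uncorrelated: D near 2
    walk, level = [], 0.0
    for _ in range(n):
        level += rng.gauss(0.0, 1.0)                 # Brownian: D near 1.5
        walk.append(level)
    return noise + walk

if __name__ == "__main__":
    for i, d in enumerate(vfd_trajectory(constructed_series())):
        print(f"window {i:2d}: D = {d:.3f}")
```

The trajectory drops from about 2 to about 1.5 where the correlation structure of the series changes, which is the kind of per-window feature a downstream classifier can consume.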
