Holistic View on Detecting DDoS Attacks Using Machine Learning

Eduardo Barros, Victor Lobo, Anacleto Correia
DOI: 10.4018/978-1-7998-9430-8.ch006

Abstract

Distributed denial of service (DDoS) attacks are an enormous threat, mainly because of the scale they can reach, the ease of deployment, the losses they can cause, and the effort it can take to detect and stop this type of attack. Machine learning techniques have been and are widely used to prevent DDoS attacks. As a matter of fact, many large-scale intrusion detection systems (IDS) have been utilising machine learning techniques to help the conventional signature detection system by adding another layer of “intelligent” thinking. This chapter provides a context of the techniques used for detecting DDoS attacks using machine learning, and demonstrates why the merging of these concepts has huge potential for the defence of a given system. To that end, some studies that use machine learning approaches for DDoS detection are analysed. Finally, this chapter provides a high-level view of the types of DDoS attacks that are considered a threat, the machine learning approaches to detect these attacks, and why these approaches are cohesive.

Introduction

Nowadays, most enterprises depend on the use of technologies, particularly networked technologies. Not only is this a great opportunity for organisations to leverage and enhance their business, but also for threat agents to achieve their goals by damaging these systems. In order to ensure the security of network services it is essential that, at the very least, the three pillars of information security (the CIA triad: confidentiality, integrity and availability) are met.

This chapter focuses on the availability pillar of the CIA triad and its biggest threat, Distributed Denial of Service (DDoS) attacks. This attack operates by flooding the target with malicious traffic, depleting its bandwidth and/or computing resources in order to cause total unavailability or partial disruption of a network asset. One of the hardest tasks for an Intrusion Detection System (IDS) is to mitigate a DDoS. This type of attack has some peculiarities, among other characteristics described in the next section: (i) the DDoS might originate from thousands of legitimate devices; (ii) the requests may not contain any malicious content; (iii) the attacker can exploit a vulnerability in the attacked service, but also one in an external service, to conduct the attack.

Unlike the vast majority of attacks, where a single malicious request is enough for the attack to succeed, a DDoS generally requires many requests, so it may be possible to identify patterns shared by the malicious packets. This characteristic is key: it is what allows machine learning to be used to identify recurrent patterns in a DDoS. The aim of this chapter is to demonstrate that the use of machine learning for DDoS detection has great potential, but also to show how this can be done, introducing the important concepts for building a model capable of predicting DDoS requests.
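As an added illustration of the pattern-based detection idea above (example code written for this page, not taken from the chapter or the studies it surveys): per-source traffic is aggregated into one-second windows, turned into a small feature vector, and labelled by a hand-rolled k-nearest-neighbours vote against constructed training vectors. The IP addresses, feature choices and training data are all assumptions made for the example.

```python
# Added example (not from the chapter): per-source window features plus a small
# k-NN classifier that flags SYN-flood-like behaviour. All data below is constructed.
from collections import defaultdict
import math

# Constructed labelled vectors: (packets/s, mean bytes, share of bare SYNs) -> label
TRAIN = [
    ((6.0, 520.0, 0.10), "benign"), ((14.0, 480.0, 0.15), "benign"),
    ((22.0, 610.0, 0.05), "benign"), ((9.0, 700.0, 0.20), "benign"),
    ((250.0, 60.0, 1.00), "ddos"), ((400.0, 64.0, 0.98), "ddos"),
    ((180.0, 60.0, 0.95), "ddos"), ((320.0, 62.0, 1.00), "ddos"),
]

def window_features(packets, window_s=1.0):
    """Group (timestamp, src, size, flags) records per source and time window and
    return (packet rate, mean packet size, fraction of packets that are bare SYNs)."""
    buckets = defaultdict(list)
    for ts, src, size, flags in packets:
        buckets[(src, int(ts // window_s))].append((size, flags))
    feats = {}
    for key, rows in buckets.items():
        n = len(rows)
        feats[key] = (n / window_s, sum(s for s, _ in rows) / n,
                      sum(1 for _, f in rows if f == "S") / n)
    return feats

def _scaler(train):
    """Min-max scaling fitted on the training set, so the packet rate (hundreds)
    does not swamp the SYN ratio (0..1) in the Euclidean distance."""
    cols = list(zip(*(v for v, _ in train)))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return lambda v: [(x - l) / (h - l) if h > l else 0.0 for x, l, h in zip(v, lo, hi)]

def knn_predict(train, x, k=3):
    """Majority vote among the k training vectors closest to x after scaling."""
    scale = _scaler(train)
    sx = scale(x)
    nearest = sorted((math.dist(scale(v), sx), label) for v, label in train)[:k]
    votes = [label for _, label in nearest]
    return max(set(votes), key=votes.count)

def classify_windows(packets, train=TRAIN, k=3):
    """Label every (source, window) pair seen in the packet records."""
    return {key: knn_predict(train, feat, k)
            for key, feat in window_features(packets).items()}

# Constructed capture: one browsing client plus one source emitting a burst of bare SYNs.
SAMPLE = [(i * 0.12, "10.0.0.5", 520 + 10 * i, "PA") for i in range(8)]
SAMPLE += [(i * 0.003, "203.0.113.7", 60, "S") for i in range(300)]
```

Calling `classify_windows(SAMPLE)` labels the browsing client's window as benign and the SYN burst as ddos; in practice the training set would come from labelled captures and the feature list would be far richer than these three columns.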

To accomplish our purpose, this chapter is organised as follows: the Background section provides context for this subject by explaining how modern DDoS attacks work, briefly introducing what machine learning is, and showing how it can be applied to detect DDoS attacks. The Literature Review section surveys some studies that use machine learning approaches for DDoS detection, in order to give an overview of what is currently being done on this matter. The Results Discussion section summarises and discusses the details and procedures of the surveyed articles, such as the types of DDoS attacks used, the machine learning approaches to detect these attacks, and why these approaches are cohesive. Also in this section, we present a high-level detection model based on machine learning that we consider effective. Finally, the Conclusion section looks back over the whole chapter and draws conclusions about the use of machine learning for DDoS attack detection and the role it is going to play in the future.

Key Terms in this Chapter

Decision Trees: Supervised method used for classification and regression problems, that simulates a tree diagram and in which the branches represent choices with associated costs, results, or probabilities.

KNN: K-Nearest Neighbours. Supervised method used for classification and regression problems, that attempts to determine what group a data point is in by looking at the data points around it.

CNN: Convolutional Neural Network. Supervised method used for classification and regression problems, a class of neural networks that specializes in processing data that is organized as a grid, such as an image.

Random Forests: Supervised method used for classification and regression problems, that builds decision trees on different samples and takes their average in case of regression and majority vote for classification.

LSTM: Long Short-Term Memory Neural Network. Supervised method used for classification and regression problems, a type of RNN that is mainly used for learning sequential data prediction problems by discarding information which is not required for further prediction and by holding required information for that matter.

K-Means: Unsupervised method used for classification and regression problems, that groups data by assigning all data points to the closest clusters, then determining the cluster means.

SVM: Support Vector Machines. Supervised method used for classification and regression problems, that determines which category a new data point belongs to by outputting a map of the sorted data in which the margin between the two classes is as wide as possible.

Naïve Bayes: Supervised method used for classification and regression problems, which utilizes Bayes' theorem with the assumption that attributes are conditionally independent for the purposes of object classification.

DNN: Deep Neural Networks. Supervised method used for classification and regression problems, built to simulate the activity of the human brain by feeding input data through several layers of simulated neural connections.

RNN: Recursive Neural Network. Supervised method used for classification and regression problems, a class of neural networks that applies the same set of weights recursively over a structured input.
