Post Views: 982

DDoS Attacks Detection in Cloud Computing Environment

Abstract

Cloud computing is a revolution in IT technology that provides scalable, virtualized on-demand resources to the end-users with greater flexibility, less maintenance, and reduced infrastructure cost. Attacks as DDoS are one of the most frequent ones that inflict serious damage and affect cloud performance. In a DDoS attack, the attacker usually uses innocent compromised computers by taking advantage of known or unknown bugs and vulnerabilities to send a large number of packets from these already-captured zombies to a server. This may occupy a major portion of the network bandwidth of the victim cloud infrastructures or consume much of the server’s time. Thus, in this work, we designed a DDoS detection system based on the decision tree, naïve Bayes, and logistic regression algorithm to mitigate the DDoS threat. This algorithm, coupled with detection techniques, generates a decision tree to perform automatic, effective detection of DDoS attacks for flooding attacks. The evaluation result shows that for the real dataset, a decision tree can achieve significant performance improvement in terms of accuracy, sensitivity, precision, and F-score compared to the several existing DDoS attacks detection methods.

1. Introduction

Cloud computing is defined as a form of Internet-based computing that provides support such as network memory, bandwidth, data processing, and user applications with a shared pool of resources. One of the major problems with this technology today is that the number of businesses that can completely take up the cloud is limited. DDoS is an offensive response that causes severe cloud connection issues. Initially coined in the sense of the system by Gligor, the term Denial of Service has been commonly used since then. A DDoS attack that involves more than one system to coordinate the targeting of a user is called a DDoS attack. The main aim of this study is to use machine learning methods to detect attacks on DDoS. There is nothing new in the literature regarding the identification of threats using machine-learning algorithms. Network traffic from the baseline profile is learned by anomaly detection techniques and deviations that significantly deviate from the baseline profile are identified. When detecting DDos, new and unknown attacks can be detected (zero-day). The flow of data from the attack is erratic. This makes it easy to start DDoS attacks, prevent them, track them, etc. DDoS attacks were also one of the main network security threats. Machine Learning is an industry in which technology instruments can be used for independent analyses of Big Data. Machine learning has a serious impact on most industries and firms within them. Getting to this stage of progress in machine learning is going through a variety of significant milestones.

A form of DoS attack is a DDoS attack in which an attacker uses an authenticated user IP address to attack a specific victim. The main purpose of the assailants is to confuse assets to refuse services to their recipients. To do so, attackers may use a wide variety of techniques including faulty requests to flood the network. The DDoS attack is transmitted such that the attacker uses several machines to execute a service attack denial. DDoS attacks pose a major threat to the Internet and various defense-related methods were suggested. Recently, a study aimed at estimating the direct cost of the one DDoS assault revealed that IoT computer users whose computers were trapped in the attack would spend $323,973.75 overpower and increased bandwidth usage on system owners. Detailed research on DDoS attacks is urgent, and DDoS attacks have become a popular issue in the research field as a very important part. There are presently several DDoS detection statistical approaches, such as network traffic statistical detection features. A machine learning model is used to determine the flow scale, the client access differences and the temporal behavior as functions, and the distinction between standard network and the unusual control server detection system. The time association between traffic information is not considered by the DDoS attacks learning algorithms. Secondly, we eliminate all the features that apply to ensure that any mode of attack can be covered by a single scenario algorithm. Four variables, such as the flood, Sluggish attack, flow time, and Web Attack features, are included in the functionality.

A Denial of Service attack is an initiative by an attacker to render network services by disrupting the host of the service unresponsive to its legitimate users. A DoS attack originating from multiple sources is a distributed denial of service (DDoS) attack. In general, DoS attacks are initiated using an Internet connection from one computer or virtual machines, while DDoS attacks are initiated from several different compromised computers, virtual machines, to overwhelm victims’ networks. The infected computers are also referred to operate remotely under the control of one or more of the bot-masters and attack groups of bots. Bots can be either malicious users who are preparing for an attack or legitimate users who are infected. The attackers directly transfer the packets to the target victim’s computer during the direct network attack. An indirect attack, however, which is also called the attacker’s amplification or reflection attack, uses a reflector server and the attacker spoofs the IP of the source. The IP packet is sent to the reflector server by the attacker and the reflector server then sends the response to the target. For Example, if the attacker sends 1Mb/s, the attacker may use amplification for the number of the packets and/or the bandwidth and the reflector may send more amount of packets than what it receives to the target victim. In a reflection attack, it is possible to amplify the payload to 4,670 times meaning that if the attacker sends a packet stream of 1Gb/s to the reflector server/s, the reflector will reply to the victim with the payload of over 4,670 times of the actual payload. The following steps are performed for DDoS attack detection such as load the data, preprocess the data, classify the data and apply feature subset selection. This study’s aim is to recognize unknown attacks, scan for anomalies traffic behavior, protocol behavior, application behavior, design and implementation of a DDoS attack detection system based on the machine learning model using the Random Forest algorithm. The RF algorithm is modified in such a way that it uses weighted voting instead of standard majority voting for attack prediction and Compare, analyzes, and validates the proposed detection and mitigation techniques with the approaches found in the literature.

2. What is DDoS attack detection

Several techniques have been used to detect DDoS attacks by classifying the network traffic. The purpose of traffic classification is to increase QoS, network security and improve network resource management. The classification can be either through the unidirectional flow of traffic or the bidirectional flow of traffic. The unidirectional flow is the flow of the network packet from a host to a server that contains five-tuple which includes source IP and port, destination IP and port, and transport layer protocol. While bidirectional flow considers traffics packet sent and received between hosts. Pattern detection is a mechanism that detects attacks by knowing the signature of known attacks. Pattern detections systems are most like virus detection systems. Snort is one of the detection systems that identify attacks by attack signatures. However, Payload Inspection and Machine learning-based traffic classification are the two effective approaches for DDoS detection. Attackers are exploiting the weakness of different protocols in different layers to launch a DDoS attack. Attackers use the Ping Scan technique to discover possible victims and the most known Ping Scans are the UPD, TCP SYNIn the case of TCP, scan effectively against a stateless firewall that doesn’t reject unsolicited ACK packets. Distributed Denial-of-Service (DDoS) attacks can easily affect the client-side of any system. Many attacks are based on personal goals or on behalf of other malicious entities who aim to disrupt the services of specific companies or people in return for an amount of money by performing a DoS or DDoS attack. As an amplified type of DoS attacks, DDoS attacks where attackers direct Hundreds or even thousands of compromised hosts called zombies to one destination.

3. Result and Conclusion

In this study, we have proposed four algorithms for DDoS attack detection. These four algorithms are based on machine learning algorithms such as logistic regression, decision tree, lasso regression, and random forest algorithm. DDoS Attack Detection is a large area of cloud computing research that aims to make the Cloud a stable and trusted network for the distribution of future cloud computing. The Random Forest Algorithm has been used to detect irregular traffic flow. The Random Forest Classifier Model has a high average classification accuracy relative to the other Logistic Regression classifier algorithm. Machine learning algorithms have been used to detect DDoS attacks between TCP flow data. Machine learning methods and algorithms have been predicted. From the achieved results, we have estimated that the Random Forest classifier algorithm is used to detect DDoS attacks and produced more appropriate results compared to other machine learning algorithms. At last, it is concluded that the random forest algorithm is more capable and suitable for DDoS attack detection. Random forest algorithm works well with overfit data. It is predicting the highest accuracy with 100% in comparison to other algorithms such as logistic regression, decision tree, and lasso algorithm.