Research Topic: A Machine Learning Based DDoS Detection System
The main objective of the research is to provide an Intrusion Detection System that can detect DDoS attacks using machine learning algorithms by identifying suspicious packets and sending a notification about the activity to all the network-connected authorities. Organizations will be able to provide secure communication and a risk-free experience in a well-secured IoT environment through the proposed system. Most networks and IoT devices are very difficult to maintain because of their security shortcomings and a lack of knowledge about these devices. A proper mechanism is required to protect the network and the interconnected IoT devices from intruder disruptions. Along with it, there should be a mechanism to maintain the data privacy of the organization and its employees. Most of the time organizations must pay a large amount of money to hire an expert to configure the network, and it takes more time to get the outcome. The proposed system, WANHEDA, will be able to adapt to the network and perform the needed configuration by itself. It will reduce the number of false alarms and increase detection accuracy, giving a financial benefit to the organizations.
Supervisor - Mr. Nuwan Kuruwitaarachchi
Co-Supervisor - Mr. Kavinga Yapa Abeywardena
Member 1 (Leader) - IT17114172 - A.U. Sudugala
Member 2 - IT17106702 - W.H. Chanuka
Member 3 - IT17124904 - A.M.N. Eshan
Member 4 - IT17111034 - U.C.S. Bandara
**Main Research Questions**
As DDoS attacks spread all over the world, many types of DDoS attacks are being discovered, but there are some advanced DDoS attacks for which there is no proper way to detect and mitigate them. Acting against Distributed Denial of Service (DDoS) attacks over the internet has become one of the major and fundamental problems. Redirecting all traffic to a third party, for example DNS-based redirection to a DDoS protection service provider such as Akamai or Cloudflare, is one of the practical approaches to address DDoS attacks, since these providers have filtering mechanisms that drop attack traffic before passing the normal traffic on to the destination. Even though such approaches are available, require no upgrades to the existing network infrastructure and are able to handle very large attacks, recent industry interviews show that this approach alone is not sufficient, especially for wide-scope organizations such as web hosting companies and governments, which are unable to hand control over their network connections to third-party security service providers. Apart from that, they must depend on their ISPs to filter out suspicious attack traffic.
**Project Description**
This project proposes a solution that involves building an Intrusion Detection System to detect Distributed Denial of Service attacks using machine learning algorithms for a given network. The four most common and dangerous DDoS attacks, and correspondingly four different machine learning algorithms, are used to train the proposed system.
The solution helps to utilize the network at its full capacity and secure the interconnected devices while maintaining user satisfaction by thwarting network disruptions. The system is placed behind the firewall to get maximum productivity from the network and its connected devices while maintaining high performance.
Due to the high cost of deploying new tools and resources to make the network fully secure and automated, detecting and mitigating DDoS attacks is less efficient with current procedures. This leads to the implementation of a new system that is cost-effective, efficient in identifying and mitigating DDoS attacks, and easily configurable in a given network. From the beginning of this project, factors such as cost, resources and target audience should be taken into consideration.
**Individual Research Questions**
W.H Chanuka - IT17106702
In the modern world, the most vexing cyber attacks on industry are DDoS attacks. The newest trend in DDoS attacks is the Mobile Botnet attack. An attacker (BotMaster) can send millions of requests to a target using compromised mobile devices, which impacts the availability of the target. Because of the unavailability, legitimate users cannot access the target, so the target suffers financial losses. Besides this, the BotMaster can steal personal information from the target. The main reason Mobile Botnet DDoS attacks have become extremely dangerous is that there is no effective detection and mitigation system. Existing systems are capable of detecting common DDoS attacks [7], but Mobile Botnet attacks cannot be detected because they are new.
U.C.S Bandara - IT17111034
As DDoS attacks spread all over the world, many types of DDoS attacks are being discovered, but there are some advanced DDoS attacks for which there is no proper way to detect and mitigate them. The NTP Amplification attack is one of them. Not only other countries but also Sri Lanka faces the threat of NTP Amplification attacks. As there is no proper way to detect the NTP Amplification attack, I focus on how to detect it using ML, since much of the literature says that it can be detected through an ML-based IDS.
Eshan A.M.N - IT17124904
Distributed Denial of Service (DDoS) attacks are the most devastating attacks in the world right now, and they damage the most critical functions of the internet community. The main reasons are as follows. There are many kinds of existing intrusion detection systems, such as Snort, OSSEC and Sagan. These systems can identify DDoS attacks only after the attack has happened; there is no suitable detection system that identifies DDoS attacks before the packets reach the network. Existing intrusion detection systems are also not capable of identifying next-generation DDoS attacks. Therefore, we use four next-generation attacks as the samples for the system: the Volumetric DDoS attack, the Mobile Botnet attack, the Slow Loris attack and the NTP Amplification attack. There are also many powerful firewalls that identify and filter malicious packets, but those firewalls cannot filter next-generation DDoS attacks. We propose this system as the solution to the above-mentioned problems.
A.U.Sudugala - IT17114172
Acting against Distributed Denial of Service (DDoS) attacks over the internet has become one of the major and fundamental problems. Redirecting all traffic to a third party, for example DNS-based redirection to a DDoS protection service provider such as Akamai or Cloudflare, is one of the practical approaches to address DDoS attacks, since these providers have filtering mechanisms that drop attack traffic before passing the normal traffic on to the destination. Even though such approaches are available, require no upgrades to the existing network infrastructure and are able to handle very large attacks, recent industry interviews show that this approach alone is not sufficient, especially for wide-scope organizations such as web hosting companies and governments, which are unable to hand control over their network connections to third-party security service providers. Apart from that, they must depend on their ISPs to filter out suspicious attack traffic. These issues have guided researchers toward autonomous solutions that can detect and mitigate suspicious packets based on the characteristics and behavior of the traffic. Because they continually improve the detection of malicious traffic, machine learning techniques, which provide artificial-intelligence-based solutions, are well known for offering the highest degree of flexibility in the classification process.
Finding the best among academic propositions and industrial practice against DDoS is challenging. Academia invests in techniques like machine learning and proposes applying them to DDoS detection in the Internet of Things, in wireless sensor networks [10], in cloud computing and in Software Defined Networking (SDN), working on realistic datasets and result validation. Apart from that, industry has invested in new models in its solutions, like Network Function Virtualization (NFV) and SDN, in order to make use of scientific discoveries and advanced network structures. Even so, DDoS-related incidents still happen daily, which shows that the problem is not yet properly solved.
**Research Objectives**
Main Objective :
The main objective of the research is to provide an Intrusion Detection System that can detect DDoS attacks using machine learning algorithms by identifying suspicious packets, dropping them and sending a notification about the activity to all the network-connected authorities. Organizations will be able to provide secure communication and a risk-free experience in a well-secured IoT environment through the proposed system. Most networks and IoT devices are very difficult to maintain because of their security shortcomings and a lack of knowledge about these devices. A proper mechanism is required to protect the network and the interconnected IoT devices from intruder disruptions. Along with it, there should be a mechanism to maintain the data privacy of the organization and its employees. Most of the time organizations must pay a large amount of money to hire an expert to configure the network, and it takes more time to get the outcome.
Specific Objectives :
• Identifying NTP Amplification attacks - IT17111034
To achieve the main objective, identifying NTP Amplification attacks is very important. Here the objective is to filter out the normal internet traffic, identify the NTP responses and determine whether they belong to an NTP Amplification attack or not. After the network traffic has been classified, a notification should be given if there is any suspicious traffic.
• Identifying Slow Loris attacks - IT17124904
In order to achieve the main objective, this specific objective proposes a way to analyze the .pcap files and figure out whether they contain a Slow Loris attack or not. If there is any suspicious traffic, such as partial HTTP requests, a notification should be given to the user. If the suspicious traffic is a Slow Loris attack, the system detects the attack type and ensures the availability of the systems for legitimate users without any interruption.
• Identifying Mobile Botnet DDoS attacks - IT17106702
To achieve the main objective, one specific objective is to identify IRC (Internet Relay Chat) traffic among normal traffic and figure out whether it is a Mobile Botnet DDoS attack or not. If there is any suspicious traffic, a notification should be given to the user. By identifying Mobile Botnet DDoS attacks, the detection system can ensure the availability of a system for legitimate users without any interruption, and reduce the financial and other losses of industries and governments worldwide.
• Identifying Volumetric attacks - IT17114172
To achieve the main objective, another specific objective is to identify Volumetric attacks. This paper proposes a way of identifying very high-bandwidth (more than 50 Gb) requests received by the system.
**Individual Objectives**
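As an added example (not WANHEDA's own code), the following shows the kind of per-client features the Slow Loris objective above relies on, extracted from constructed connection records rather than a real .pcap; the hand-set thresholds in `classify_slowloris` are an assumption standing in for the trained model.

```python
# Added example (not WANHEDA's own code): extracting Slow Loris indicators
# from connection records, the kind of features the system derives from a
# .pcap before handing them to the trained model.
from collections import defaultdict

# Constructed records standing in for reassembled TCP streams:
# (client_ip, seconds_held_open, header_bytes_seen, headers_complete).
# Slow Loris clients trickle partial HTTP headers and never send the blank
# line that ends the request, so the server keeps the connection open.
CONNECTIONS = (
    [("10.0.0.20", 0.4, 512, True)] * 6                          # normal browser
    + [("10.0.0.21", 200.0, 40 + i, False) for i in range(150)]  # slow flood
    + [("10.0.0.22", 30.0, 48, False)]                           # one slow link
)

def slowloris_features(conns):
    """Per-client features: connection count, share of connections whose
    headers never completed, and mean seconds each connection stayed open."""
    per = defaultdict(lambda: {"conns": 0, "partial": 0, "open_sum": 0.0})
    for ip, open_s, _hdr_bytes, complete in conns:
        f = per[ip]
        f["conns"] += 1
        f["partial"] += 0 if complete else 1
        f["open_sum"] += open_s
    return {ip: {"conns": f["conns"],
                 "partial_ratio": f["partial"] / f["conns"],
                 "mean_open_s": f["open_sum"] / f["conns"]}
            for ip, f in per.items()}

def classify_slowloris(feats, min_conns=50, min_partial=0.9, min_open_s=60.0):
    """Hand-set thresholds stand in for the trained model (an assumption of
    this example). A single slow client is not flagged: the attack needs
    many simultaneous incomplete connections to exhaust the server."""
    return sorted(ip for ip, f in feats.items()
                  if f["conns"] >= min_conns
                  and f["partial_ratio"] >= min_partial
                  and f["mean_open_s"] >= min_open_s)

def notify(suspects):
    """Notification hook: the system alerts the user about suspicious traffic."""
    return [f"ALERT: possible Slow Loris attack from {ip}" for ip in suspects]

if __name__ == "__main__":
    for line in notify(classify_slowloris(slowloris_features(CONNECTIONS))):
        print(line)
```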
W.H Chanuka - IT17106702
The main objective of the component is to identify IRC (Internet Relay Chat) traffic among normal traffic and figure out whether it is a Mobile Botnet attack or not. If there is any suspicious traffic, a notification should be given to the user. By identifying Mobile Botnet DDoS attacks, the detection system can ensure the availability of a system for legitimate users without any interruption, and also reduce the financial and other losses of industries and governments worldwide.
U.C.S Bandara - IT17111034
The main objective of implementing my component is to filter out the normal internet traffic, identify the NTP responses and determine whether they belong to an NTP Amplification attack or not. After the network traffic has been classified, a notification should be given if there is any suspicious traffic.
Eshan A.M.N - IT17124904
The main objective of the component is to analyze the .pcap files and figure out whether they contain a Slow Loris attack or not. If there is any suspicious traffic, such as partial HTTP requests, a notification should be given to the user. If the suspicious traffic is a Slow Loris attack, the system detects the attack type and ensures the availability of the systems for legitimate users without any interruption.
A.U.Sudugala - IT17114172
The Volumetric Distributed Denial of Service attack is one of the most severe malicious attacks seen on the Internet, and it is responsible for more than half of all such attacks. This proposal describes how to detect volumetric attacks using machine learning and to make a safe environment for users without DDoS disruption.
**Summary of Individual Components**
**Identifying Mobile Botnet DDoS attacks**
This component identifies IRC (Internet Relay Chat) traffic among normal traffic and figures out whether it is a Mobile Botnet attack or not. If there is any suspicious traffic, a notification is given to the user. By identifying Mobile Botnet DDoS attacks, the detection system can ensure the availability of a system for legitimate users without any interruption, and also reduce the financial and other losses of industries and governments worldwide.
**Identifying NTP Amplification attacks**
This component filters out the normal internet traffic, identifies the NTP responses and determines whether they belong to an NTP Amplification attack or not. After the network traffic has been classified, a notification is given if there is any suspicious traffic.
**Identifying Slow Loris attacks**
This component analyzes the .pcap files and figures out whether they contain a Slow Loris attack or not. If there is any suspicious traffic, such as partial HTTP requests, a notification is given to the user. If the suspicious traffic is a Slow Loris attack, the system detects the attack type and ensures the availability of the systems for legitimate users without any interruption.
**Identifying Volumetric attacks**
The Volumetric Distributed Denial of Service attack is one of the most severe malicious attacks seen on the Internet, and it is responsible for more than half of all such attacks. This component detects volumetric attacks using machine learning in order to make a safe environment for users without DDoS disruption.
**Other necessary information**
-----
System Architecture
This is the System overview diagram.
According to the above diagram, malicious traffic signatures are first obtained from the raw data and then added to the database. To do this, a dataset related to the NTP Amplification attack is used. Then, using feature selection, the SDS is generated, and afterwards the machine learning algorithm is trained. The trained model is then supplied to the traffic classification system.
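As an added example (not WANHEDA's own code), the feature-extraction and classification stages of that pipeline for the NTP Amplification case, run over constructed packet records instead of a parsed .pcap; the thresholds in `classify_ntp` are an assumption standing in for the trained model.

```python
# Added example (not WANHEDA's own code): feature extraction and a stand-in
# classifier for the NTP Amplification stage of the pipeline, over
# constructed packet records rather than a parsed .pcap.
from collections import defaultdict

NTP_PORT = 123

# Constructed records: (src_ip, dst_ip, proto, src_port, dst_port, length).
# In an amplification flood, abused NTP servers answer requests that were
# spoofed to carry the victim's address, so the victim receives far more
# NTP response bytes than it ever sent in NTP requests.
PACKETS = (
    [("10.0.0.6", "192.0.2.10", "udp", 40001, 123, 90),    # normal client
     ("192.0.2.10", "10.0.0.6", "udp", 123, 40001, 90),
     ("10.0.0.5", "192.0.2.10", "udp", 40000, 123, 90),    # victim's own query
     ("192.0.2.10", "10.0.0.5", "udp", 123, 40000, 90)]
    + [("198.51.100.7", "10.0.0.5", "udp", 123, 53201, 482) for _ in range(40)]
    + [("198.51.100.8", "10.0.0.5", "udp", 123, 53201, 482) for _ in range(40)]
)

def ntp_features(packets):
    """Per-destination features: NTP response bytes received relative to NTP
    request bytes sent, total response bytes and distinct responding servers."""
    sent = defaultdict(int)      # host -> bytes sent to NTP servers
    received = defaultdict(int)  # host -> NTP response bytes received
    servers = defaultdict(set)   # host -> servers that answered it
    for src, dst, proto, sport, dport, length in packets:
        if proto != "udp":
            continue             # NTP amplification is UDP-only
        if dport == NTP_PORT:
            sent[src] += length
        elif sport == NTP_PORT:
            received[dst] += length
            servers[dst].add(src)
    return {h: {"amp_ratio": received[h] / (sent[h] + 1),  # +1: host may have sent nothing
                "resp_bytes": received[h],
                "servers": len(servers[h])}
            for h in received}

def classify_ntp(feats, min_ratio=10.0, min_bytes=10_000):
    """Hand-set thresholds stand in for the trained model (an assumption of
    this example): flag hosts receiving far more NTP data than they asked for."""
    return sorted(h for h, f in feats.items()
                  if f["amp_ratio"] >= min_ratio and f["resp_bytes"] >= min_bytes)

if __name__ == "__main__":
    for victim in classify_ntp(ntp_features(PACKETS)):
        print(f"ALERT: possible NTP Amplification attack against {victim}")
```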
**Other Necessary Instructions to run the code:**
First, run `application.py` to start the trained models.
Then start the WANHEDA front end with the `npm start` command in Visual Studio Code or a command prompt.