Commit 7dd7b7f9 authored by Haritha Chanuka

Upload README.md File

parent b6d6357a
**Group ID - 2020 - 092**
**Research Topic : A Machine Learning Based DDoS Detection System**
**Supervisor - Mr. Nuwan Kuruwitaarachchi**
**Co-Supervisor - Mr. Kavinga Yapa Abeywardena**
Member 1(Leader) - IT17114172 - A.U. Sudugala
Member 2 - IT17106702 - W.H.Chanuka
Member 3 - IT17124904 - A.M.N. Eshan
Member 4 - IT17111034 - U.C.S. Bandara
**Project Description**
This project proposes an Intrusion Detection System that detects Distributed Denial of Service (DDoS) attacks on a given network using machine learning. Four of the most common and damaging DDoS attack types are covered, and a separate model, each trained with a different machine learning algorithm, detects each of them.
The solution aims to keep the network usable at its full capacity and to protect the interconnected devices, maintaining user satisfaction by preventing network disruptions. The system is placed behind the firewall, so it only has to inspect traffic the firewall already admits, which keeps the overhead on the network and its connected devices low and maintains high performance.
Deploying new tools and resources to make a network fully secure and automated is expensive, so with current procedures DDoS attacks are detected and mitigated inefficiently. This motivates a new system that is cost effective, efficient at identifying and mitigating DDoS attacks, and easy to configure on a given network. Cost, available resources and the target audience are taken into consideration from the start of the project.
**Research Question**
As DDoS attacks spread worldwide, many new variants are discovered, and some advanced DDoS attacks currently have no fool-proof way to be detected and mitigated. Actively repelling DDoS attacks has become one of the fundamental problems of modern networks.
Practical approaches used today include filtering that drops attack traffic before passing the normal traffic on to the destination, and redirecting all destinations (via DNS) through a third-party DDoS protection service such as Akamai or Cloudflare.
Although such approaches require no upgrade to the existing network infrastructure and can absorb very large attacks, recent industry interviews show that they are not sufficient on their own, especially for wide-scope organizations such as web hosting companies and governments, which cannot hand direct control of their network over to a third-party security service. Such organizations must therefore depend on their ISPs to filter out suspicious attack traffic.
**Research Problem**
• Modern practical approaches such as redirecting all destinations through a third-party DDoS-protection-as-a-service provider like Akamai or Cloudflare are too expensive.
• Such an approach alone is not sufficient for wide-scope organizations such as web hosting companies and governments, which cannot hand control of their network connections to a third-party security service provider.
• Advanced DDoS attacks currently have no fool-proof way to be detected and mitigated; they use various evasion techniques to slip past existing IDS and IPS.
**Research Objectives**
**Main Objective :**
The main objective of the research is to provide an Intrusion Detection System that detects DDoS attacks using machine learning algorithms: it identifies suspicious packets, drops them, and sends a notification about the activity to all the responsible parties connected to the network. Through the proposed system, organizations can offer secure communication and a risk-free experience in a well-secured IoT environment. Many networks and IoT devices are difficult to maintain because of their security issues and because their owners lack knowledge of the devices, so a proper mechanism is needed to protect the network and the interconnected IoT devices from intruder disruption, together with a mechanism that maintains the data privacy of the organization and its employees. Organizations often have to pay a large amount of money to hire an expert to configure the network, and it takes a long time to get results.
**Specific Objectives :**
• Identifying NTP Amplification attacks – (IT17111034) To achieve the main objective, identifying NTP amplification attacks is essential. This component separates normal internet traffic from NTP responses and decides whether those responses form an NTP amplification attack. If suspicious traffic is found, a notification is raised.
• Identifying Slowloris attacks – (IT17124904) This component analyzes .pcap files and decides whether they contain a Slowloris attack. If suspicious traffic such as partial HTTP requests is found, the user is notified; when the traffic is confirmed as Slowloris, the system reports the attack type so that the availability of the systems for legitimate users is maintained without interruption.
• Identifying Mobile Botnet DDoS attacks – (IT17106702) This component separates IRC (Internet Relay Chat) traffic from normal traffic and decides whether it belongs to a mobile botnet DDoS attack. If suspicious traffic is found, the user is notified. Detecting mobile botnet DDoS attacks keeps the system available to legitimate users without interruption and reduces the financial and other losses suffered by industry and governments worldwide.
• Identifying Volumetric attacks – (IT17114172) This component identifies volumetric attacks. The model is trained to recognise very high bandwidth (more than 50 Gbps) of requests arriving at the system.
**Summary of Individual Components**
**IT17106702 – W.H Chanuka**
• Identify the IRC (Internet Relay Chat) traffic generated during a Mobile Botnet DDoS attack.
• Finding a reliable Machine Learning algorithm to train the model - Naïve Bayes
• Analyzing a proper data set with unique features of Mobile Botnet DDoS attack.
• Model Development.
This component identifies IRC (Internet Relay Chat) traffic among normal traffic and decides whether it belongs to a mobile botnet attack. If suspicious traffic is found, the user is notified. Detecting mobile botnet DDoS attacks keeps the system available to legitimate users without interruption and reduces the financial and other losses suffered by industry and governments worldwide.
• A mobile botnet is a collection of compromised mobile devices distributed over the public internet.
• Evaluation of mobile botnet attacks compared with PC botnet attacks.
• Mobile botnet attacks use evasion techniques to pass through existing IDS and IPS.
Unique features used to identify the attack and train the model:
IRC traffic on a specific range of ports, simultaneous identical DNS requests from many devices, and generated SMTP traffic (emails).
The dataset, which is used to train the Mobile Botnet attack detection model is a combination of two datasets published by the University of Victoria, Canada. One dataset consists of only malicious data packets while the other contains normal data packets.
Data Set used : https://www.uvic.ca/engineering/ece/isot/datasets/
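The three features listed above can be extracted from connection records before any model is trained. The following is an added example, not code from the WANHEDA project: it takes constructed flow records (not ISOT dataset rows), detects DNS queries for the same name issued by several hosts in the same one-second bucket, counts IRC-range and SMTP connections per host, and labels a host a suspected bot when it shows at least two of the three behaviours. The IRC port range, the DNS bucket width and the two-of-three rule are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not from the ISOT dataset), one per connection or DNS query:
# (timestamp_s, source_host, protocol, destination_port, dns_query_name_or_empty)
FLOWS = [
    (100.0, "10.0.0.5", "tcp", 6667, ""),                 # IRC join, three hosts within a second
    (100.2, "10.0.0.6", "tcp", 6667, ""),
    (100.3, "10.0.0.7", "tcp", 6667, ""),
    (101.0, "10.0.0.5", "udp", 53, "c2.example.net"),     # identical DNS lookups at the same time
    (101.1, "10.0.0.6", "udp", 53, "c2.example.net"),
    (101.1, "10.0.0.7", "udp", 53, "c2.example.net"),
    (102.0, "10.0.0.5", "tcp", 25, ""),                   # outbound SMTP
    (102.5, "10.0.0.6", "tcp", 25, ""),
    (103.0, "10.0.0.9", "tcp", 443, ""),                  # ordinary client
    (103.5, "10.0.0.9", "udp", 53, "www.example.com"),
]

IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}   # assumed IRC port range (hypothetical)
SMTP_PORTS = {25, 465, 587}
DNS_BUCKET = 1.0        # seconds; queries in the same bucket count as "simultaneous"
MIN_SYNC_HOSTS = 3      # distinct hosts needed before a query name counts as synchronised


def synchronised_dns(flows, bucket=DNS_BUCKET, min_hosts=MIN_SYNC_HOSTS):
    """Map (query_name, bucket_index) -> set of hosts, keeping only names queried by >= min_hosts
    distinct hosts inside one time bucket."""
    groups = defaultdict(set)
    for ts, src, proto, dport, qname in flows:
        if proto == "udp" and dport == 53 and qname:
            groups[(qname, int(ts // bucket))].add(src)
    return {key: hosts for key, hosts in groups.items() if len(hosts) >= min_hosts}


def host_features(flows):
    """Per-host feature vector [irc_connections, smtp_connections, synchronised_dns_queries]."""
    sync = synchronised_dns(flows)
    feats = defaultdict(lambda: [0, 0, 0])
    for ts, src, proto, dport, qname in flows:
        f = feats[src]
        if proto == "tcp" and dport in IRC_PORTS:
            f[0] += 1
        if proto == "tcp" and dport in SMTP_PORTS:
            f[1] += 1
        if proto == "udp" and dport == 53 and (qname, int(ts // DNS_BUCKET)) in sync:
            f[2] += 1
    return dict(feats)


def suspected_bots(flows):
    """Hosts showing at least two of the three botnet behaviours (assumed decision rule)."""
    return sorted(
        host for host, (irc, smtp, dns) in host_features(flows).items()
        if (irc > 0) + (smtp > 0) + (dns > 0) >= 2
    )


if __name__ == "__main__":
    for host, vec in sorted(host_features(FLOWS).items()):
        print(host, vec)
    print("suspected bots:", suspected_bots(FLOWS))
```

In a real pipeline the per-host vectors returned by host_features would be the rows fed to the classifier, with the ISOT labels attached; the two-of-three rule stands in for the trained model here.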
**IT17111034 - U.C.S. Bandara**
• Filter out the normal internet traffic and analyze the NTP responses to detect whether they form an NTP Amplification attack.
• Finding a reliable Machine Learning algorithm to train the model - Support Vector Machine (SVM)
• Analyzing a proper data set with unique features of NTP Amplification DDoS attack.
• Model Development.
This component filters out the normal internet traffic, isolates the NTP responses and decides whether they form an NTP amplification attack. If suspicious traffic is identified, a notification is raised.
• Attackers exploit publicly accessible Network Time Protocol (NTP) servers to overwhelm the target with User Datagram Protocol (UDP) traffic.
• The attack is carried out through legitimate NTP servers: the attacker sends small requests with the victim's address spoofed as the source, and the servers send their much larger responses to the victim.
• Since the traffic arrives from legitimate servers, an existing IDS cannot immediately distinguish it from normal NTP responses.
Unique features used to identify the attack and train the model:
NTP runs over UDP; the server's responses carry source port 123 and a destination port above 1023.
The NTP Amplification attack dataset is taken from the Canadian Institute for Cybersecurity, which provides many datasets on DDoS attacks. It contains all the key features needed to identify the attack, but also a few irrelevant fields, so before training the algorithm the key features of the NTP Amplification attack were extracted from it.
Data Set used : http://205.174.165.80/CICDataset/CICDDoS2019/Dataset/CSVs/
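Because reflected NTP traffic comes from real servers, the useful signal is not the sender but the mismatch between requests and responses: responses that no local host asked for, and response volumes far larger than the requests that could have triggered them. The following is an added example, not code from the WANHEDA project, run over constructed UDP packet summaries rather than CICDDoS2019 rows; the request-matching window, the reflector count and the byte threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

NTP_PORT = 123
EPHEMERAL_MIN = 1024

# Constructed UDP packet summaries (not rows from CICDDoS2019):
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, length_bytes)
PACKETS = [
    # Legitimate exchange: the client sends a 48-byte request and gets a 48-byte answer.
    (10.0, "10.0.0.4", 40001, "192.0.2.10", NTP_PORT, 48),
    (10.1, "192.0.2.10", NTP_PORT, "10.0.0.4", 40001, 48),
    # Reflected responses to a victim that never asked: large packets from several servers.
    (20.0, "198.51.100.7", NTP_PORT, "10.0.0.9", 55555, 468),
    (20.0, "198.51.100.8", NTP_PORT, "10.0.0.9", 55555, 468),
    (20.1, "198.51.100.9", NTP_PORT, "10.0.0.9", 55555, 468),
    (20.1, "198.51.100.7", NTP_PORT, "10.0.0.9", 55555, 468),
]


def ntp_kind(pkt):
    """Classify a packet as an NTP 'request' (to port 123), an NTP 'response'
    (from port 123 to an ephemeral port), or None when it is not NTP at all."""
    _, _, sport, _, dport, _ = pkt
    if dport == NTP_PORT and sport >= EPHEMERAL_MIN:
        return "request"
    if sport == NTP_PORT and dport >= EPHEMERAL_MIN:
        return "response"
    return None


def unsolicited_responses(packets, window=5.0):
    """Responses for which the receiving host sent no request to the answering
    server within the preceding `window` seconds (assumed window)."""
    last_request = {}   # (client_ip, server_ip) -> timestamp of the latest request
    found = []
    for pkt in sorted(packets, key=lambda p: p[0]):
        ts, src, _, dst, _, _ = pkt
        kind = ntp_kind(pkt)
        if kind == "request":
            last_request[(src, dst)] = ts
        elif kind == "response":
            asked = last_request.get((dst, src))
            if asked is None or ts - asked > window:
                found.append(pkt)
    return found


def amplification_ratios(packets):
    """Response bytes divided by request bytes per (server, client) pair;
    float('inf') when the client sent no request at all."""
    req, resp = defaultdict(int), defaultdict(int)
    for pkt in packets:
        _, src, _, dst, _, size = pkt
        kind = ntp_kind(pkt)
        if kind == "request":
            req[(dst, src)] += size
        elif kind == "response":
            resp[(src, dst)] += size
    return {k: (resp[k] / req[k] if req[k] else float("inf")) for k in resp}


def flag_victims(packets, min_reflectors=2, min_bytes=1000):
    """Hosts receiving unsolicited NTP responses from >= min_reflectors distinct
    servers and totalling >= min_bytes (assumed thresholds)."""
    per_victim = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    for _, src, _, dst, _, size in unsolicited_responses(packets):
        v = per_victim[dst]
        v["packets"] += 1
        v["bytes"] += size
        v["reflectors"].add(src)
    return {
        dst: {"packets": v["packets"], "bytes": v["bytes"], "reflectors": len(v["reflectors"])}
        for dst, v in per_victim.items()
        if len(v["reflectors"]) >= min_reflectors and v["bytes"] >= min_bytes
    }


if __name__ == "__main__":
    print("unsolicited:", len(unsolicited_responses(PACKETS)))
    print("ratios:", amplification_ratios(PACKETS))
    print("victims:", flag_victims(PACKETS))
```

The per-pair ratio and the unsolicited-response count are the kind of derived columns worth adding to the CSV before training the SVM; the raw source-port-123 feature alone is shared by every legitimate NTP answer.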
**IT17124904 - A.M.N. Eshan**
• Filter out the normal internet traffic and analyze the .pcap files whether it is a Slow Loris attack or not.
• Finding a reliable Machine Learning algorithm to train the model - Linear Regression
• Analyzing a proper data set with unique features of Slowloris DDoS attack.
• Model Development.
This component analyzes .pcap files and decides whether they contain a Slowloris attack. If suspicious traffic such as partial HTTP requests is found, the user is notified; when the traffic is confirmed as Slowloris, the system reports the attack type so that the availability of the systems for legitimate users is maintained without interruption.
• Slowloris is an application-layer DDoS attack that uses partial HTTP requests to hold many connections open between a single computer and a targeted web server.
• It leaves other ports and services on the host unaffected and targets only the web server.
• Unlike bandwidth-consuming reflection-based DDoS attacks, it uses minimal bandwidth, which makes it difficult to monitor and detect.
Unique features used to identify the attack and train the model:
Connections held open for long periods of time, with multiple partial HTTP request headers sent on each.
The dataset used to train the Slowloris detection module is published by the University of New Brunswick.
Data Set used : http://205.174.165.80/CICDataset/ISCX-SlowDos-2016/Dataset/
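The two features named above are visible on the server side as connections whose request header never reaches the terminating blank line while bytes keep trickling in. The following is an added example, not code from the WANHEDA project: it reassembles constructed per-connection byte streams (not ISCX-SlowDoS-2016 captures), checks whether the HTTP header was ever completed, measures how long each connection has been open, and reports clients holding several incomplete connections. The age and connection-count thresholds are assumptions chosen for illustration.

```python
HEADER_END = b"\r\n\r\n"   # an HTTP/1.1 request header is complete only after this blank line

# Constructed connection streams as the web server sees them (not ISCX-SlowDoS-2016 data):
# (client_ip, client_port) -> list of (timestamp_s, bytes_received)
NOW = 60.0
CONNECTIONS = {
    # Normal client: whole header in one send, request completes immediately.
    ("10.0.0.4", 40001): [(0.0, b"GET / HTTP/1.1\r\nHost: victim\r\n\r\n")],
    # Slowloris client: three connections, each fed one bogus header line every ~15 s
    # and never terminated, so the server keeps waiting for the rest of the request.
    ("203.0.113.5", 50001): [(0.0, b"GET / HTTP/1.1\r\nHost: victim\r\n"),
                             (15.0, b"X-a: 1\r\n"), (30.0, b"X-a: 2\r\n")],
    ("203.0.113.5", 50002): [(1.0, b"GET / HTTP/1.1\r\nHost: victim\r\n"),
                             (16.0, b"X-a: 1\r\n")],
    ("203.0.113.5", 50003): [(2.0, b"GET / HTTP/1.1\r\n"), (17.0, b"Host: victim\r\n"),
                             (32.0, b"X-a: 1\r\n")],
    # A connection that is simply young: incomplete but only 5 s old.
    ("10.0.0.8", 40010): [(55.0, b"GET /index.html HTTP/1.1\r\n")],
}


def analyse_connection(chunks, now):
    """Summarise one connection: whether the request header ever completed, how long
    it has been open, how many separate sends it made and how many header lines arrived."""
    data = b"".join(payload for _, payload in chunks)
    opened = min(ts for ts, _ in chunks)
    return {
        "complete": HEADER_END in data,
        "open_for": now - opened,
        "partial_sends": len(chunks),
        "header_lines": data.count(b"\r\n"),
    }


def slowloris_sources(conns, now, min_open=10.0, min_conns=2):
    """Clients with >= min_conns connections that have been open for >= min_open seconds,
    were fed in at least two pieces, and still have no complete request header
    (assumed thresholds)."""
    counts = {}
    for (ip, _port), chunks in conns.items():
        s = analyse_connection(chunks, now)
        if not s["complete"] and s["open_for"] >= min_open and s["partial_sends"] >= 2:
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= min_conns)


if __name__ == "__main__":
    for key, chunks in CONNECTIONS.items():
        print(key, analyse_connection(chunks, NOW))
    print("slowloris sources:", slowloris_sources(CONNECTIONS, NOW))
```

The young connection from 10.0.0.8 is the edge case to keep in mind: an incomplete header alone is normal for a few seconds, so the age and the count of incomplete connections per client have to be features alongside the partial-request flag.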
**IT17114172 – A.U. Sudugala**
• Filter out the normal internet traffic and analyze the .pcap files whether it is a Volumetric DDoS attack or not.
• Finding a reliable Machine Learning algorithm to train the model – Decision Tree
• Analyzing a proper data set with unique features of Volumetric DDoS attack.
• Model Development.
Volumetric DDoS attacks are designed to overwhelm network capacity and centralized DDoS mitigation facilities with a very high volume of traffic. They are usually launched against service providers or enterprise customers, and skilled attackers often combine them with application-layer attacks, which is what causes the real damage. These attacks abuse vulnerable services such as NTP, SSDP and DNS, flooding the destination with large reply packets and filling up the links until the infrastructure collapses. Very high bandwidth (more than 50 Gbps) appearing within seconds is one of the main signs of a volumetric attack and is immediately obvious to the targeted connectivity providers; for that reason attackers randomize the attack parameters and constantly monitor their attacks.
• Volumetric DDoS attacks are designed to overwhelm network capacity and centralized DDoS mitigation facilities with a high volume of traffic.
• Responsible for more than half of all DDoS attacks.
• Attackers randomize the attack parameters and monitor the attacks.
Unique features used to identify the attack and train the model:
Very high bandwidth (more than 50 Gbps) within seconds; large reply packets that fill up the links.
Data Set used :
A customized dataset is used to train the Volumetric attack detection model and, consequently, to develop and validate the WANHEDA detection system. Because few datasets built exclusively for DDoS are publicly available, the authors extracted DDoS flows from well-known public IDS datasets: CIC-DoS, CIC-IDS2017 and CSE-CIC-IDS2018. The detection system receives online network traffic samples and classifies them as normal or malicious.
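The bandwidth and packet-size features above have to be computed per destination over short time windows before a decision tree can use them. The following is an added example, not code from the WANHEDA project: it buckets constructed packet summaries (not flows from CIC-DoS, CIC-IDS2017 or CSE-CIC-IDS2018) into one-second windows, derives bits per second and mean packet size per destination, and flags a destination only when the rate stays above the threshold for consecutive windows. The default threshold follows the 50 Gbps figure in the text; the sample data is far smaller, so the run below passes a lower threshold. The bucket width and the consecutive-window rule are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed packet summaries (not flows from CIC-DoS / CIC-IDS2017 / CSE-CIC-IDS2018):
# (timestamp_s, dst_ip, length_bytes). Second 0 is quiet; seconds 1 and 2 carry a burst.
PACKETS = (
    [(i * 0.1, "10.0.0.9", 1400) for i in range(10)]               # 14 kB in second 0
    + [(1.0 + i * 0.001, "10.0.0.9", 1400) for i in range(1000)]   # 1.4 MB in second 1
    + [(2.0 + i * 0.001, "10.0.0.9", 1400) for i in range(1000)]   # 1.4 MB in second 2
    + [(2.0 + i * 0.5, "10.0.0.4", 500) for i in range(2)]         # unrelated host, 1 kB
)


def bandwidth_buckets(packets, bucket=1.0):
    """Per (destination, bucket index): bits per second, mean packet size in bytes,
    and packet count, using fixed windows of `bucket` seconds (assumed width)."""
    agg = defaultdict(lambda: [0, 0])   # -> [bytes, packets]
    for ts, dst, size in packets:
        a = agg[(dst, int(ts // bucket))]
        a[0] += size
        a[1] += 1
    return {
        key: {"bps": total * 8 / bucket, "mean_pkt": total / count, "packets": count}
        for key, (total, count) in agg.items()
    }


def volumetric_targets(packets, threshold_gbps=50.0, min_consecutive=2, bucket=1.0):
    """Destinations whose inbound rate is >= threshold_gbps for at least
    min_consecutive consecutive buckets (assumed rule). Returns peak rate and
    number of hot buckets per flagged destination."""
    stats = bandwidth_buckets(packets, bucket)
    hot = defaultdict(list)
    for (dst, idx), s in stats.items():
        if s["bps"] >= threshold_gbps * 1e9:
            hot[dst].append(idx)
    targets = {}
    for dst, idxs in hot.items():
        idxs.sort()
        run = best = 1
        for a, b in zip(idxs, idxs[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_consecutive:
            targets[dst] = {
                "peak_gbps": max(stats[(dst, i)]["bps"] for i in idxs) / 1e9,
                "buckets": len(idxs),
            }
    return targets


if __name__ == "__main__":
    for key, s in sorted(bandwidth_buckets(PACKETS).items()):
        print(key, s)
    # 10 Mbps threshold so the constructed burst is visible; production would use 50 Gbps.
    print("targets:", volumetric_targets(PACKETS, threshold_gbps=0.01))
```

Requiring consecutive hot windows is what keeps a single large legitimate transfer from tripping the detector; the per-bucket mean_pkt value is the "large reply packets" feature and would sit next to bps in the training rows.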
**System Architecture**
**System Overview Diagram**
http://gitlab.sliit.lk/2020---092/2020-092/blob/master/Images/system_overview_diagram.JPG
According to the above diagram, malicious traffic signatures are first obtained from the raw data and added to the database. For this, datasets related to NTP Amplification, Mobile Botnet, Slowloris and Volumetric attacks are used. Feature selection then produces the SDS, the machine learning algorithm is trained on it, and the trained model is supplied to the traffic classification system.
**System Backend Diagram**
http://gitlab.sliit.lk/2020---092/2020-092/blob/master/Images/system_backend.JPG
As shown in the above figure, the admin dashboard is connected to the REST API, which is in turn connected to the client server. A request arriving at the server is passed through the REST API, which determines whether the packet is malicious. If it is, the user is alerted through the admin dashboard.
**Other Necessary Instructions to run the code:**
**Run it on your PC**
1. Install the following:
   1. git
   2. python
   3. npm
   4. pip
2. Clone the repository:
   git clone http://gitlab.sliit.lk/2020---092/2020-092.git
3. Run the application.py file using PyCharm.
4. Open the WANHEDA Front End folder in Visual Studio Code and run it:
   open the terminal in VS Code and run the command ‘npm start’.