Update README.md

parent 3bd74b8d
......@@ -60,26 +60,93 @@ Specific Objectives :
**Summary of Individual Components**
IT17106702 – W.H Chanuka
**Identifying Mobile Botnet DDoS attacks - IT17106702**
• Identify the IRC(Internet Relay Chat) traffic which will be extracted during a Mobile Botnet DDoS attack.
• Finding a reliable Machine Learning algorithm to train the model - Naïve Bayes
• Analyzing a proper data set with unique features of Mobile Botnet DDoS attack.
• Model Development.
This component is to identify the IRC(Internet Relay Chat) traffic beside normal traffic and figure out whether it is a Mobile Botnet attack or not. If there are any suspicious traffic, a notification should be given to the user. By identifying Mobile Botnet DDoS attack, the detection system can ensure the availability of a system for the legitimate users without any interruption. And also reduce financial and other losses of the industries and governments worldwide.
• A Mobile Botnet is a collection of compromised mobile devices distributed over the public internet.
• Evaluation of Mobile Botnet Attacks over PC Botnet Attacks.
• Mobile Botnet Attacks use slip-over techniques to pass through existing IDS and IPS.
Unique Features to identify the attack and train the model:
Generating IRC traffic via specific range of ports, generating simultaneous identical DNS requests, generating SMTP traffic / emails
The dataset, which is used to train the Mobile Botnet attack detection model is a combination of two datasets published by the University of Victoria, Canada. One dataset consists of only malicious data packets while the other contains normal data packets.
Data Set used : https://www.uvic.ca/engineering/ece/isot/datasets/
**Identifying NTP Amplification attacks - IT17111034**
This component is implementing to filter out the normal internet traffic and identify the NTP Responses and identify whether it is a NTP Amplification attack or not. After identifying the Network traffic if there is any suspicious traffic a Notification should be given.
Data Set used : http://205.174.165.80/CICDataset/CICDDoS2019/Dataset/CSVs/
IT17111034 - U.C.S. Bandara
• Filter out the normal internet traffic and analyze the NTP Responses to detect whether it is an NTP Amplification attack or not.
• Finding a reliable Machine Learning algorithm to train the model - Support Vector (SVM)
• Analyzing a proper data set with unique features of NTP Amplification DDoS attack.
• Model Development.
This component is implementing to filter out the normal internet traffic and identify the NTP Responses and identify whether it is a NTP Amplification attack or not. After identifying the Network traffic if there is any suspicious traffic a Notification should be given.
• Attackers exploit publicly accessible Network Time Protocol (NTP) servers to overwhelm the targeted with User Datagram Protocol (UDP) traffic.
• Legitimate NTP servers are used by NTP Amplification attacks which are carried using NTP servers.
• Since network traffic arrives from legitimate servers, existing IDS cannot verify them at once.
Unique Features to identify the attack and train the model :
NTP server uses UDP protocol to send NTP requests, port 123 as source port, ports >1023 as destination ports
Dataset of the NTP Amplification attack is extracted from the Canadian Institute for Cyber Security, which provides many datasets on DDoS attacks. The dataset includes all the key features that are needed to identify the attack. However, the dataset also includes few irrelevant fields as well. When training the algorithm, the dataset has been updated by extracting the key features of the NTP Amplification attack.
Data Set used : http://205.174.165.80/CICDataset/CICDDoS2019/Dataset/CSVs/
**Identifying Slow Loris attacks - IT17124904**
IT17124904 - A.M.N. Eshan
• Filter out the normal internet traffic and analyze the .pcap files whether it is a Slow Loris attack or not.
• Finding a reliable Machine Learning algorithm to train the model - Linear Regression
• Analyzing a proper data set with unique features of Slowloris DDoS attack.
• Model Development.
This component is to identify the .pcap files and figure out whether it is a Slow Loris attack or not.is there any suspicious traffic, partial HTTP requests, a notification should be given to the user. Is that suspicious traffic is Slow Loris attack, system detect the attack type and ensure the availability of the systems for the legitimate users without any interruption.
• Slowloris is an Application layer DDoS attack which uses partial HTTP requests to open connections between a single computer and a targeted Web server.
• Leaves the ports and services unaffected but attacks the web server.
• Unlike bandwidth-consuming reflection-based DDoS attacks, it uses minimal bandwidth which is difficult to monitor and detect.
Unique Features to identify the attack and train the model:
Open connections for long period of time, sending multiple partial HTTP request headers.
The dataset, which is used to train the Slowloris detection module, is published by University of New Brunswick.
Data Set used : http://205.174.165.80/CICDataset/ISCX-SlowDos-2016/Dataset/
**Identifying Volumetric attacks - IT17114172**
Volumetric Distributed Denial of Service attack is one of the severe malicious attack which can be seen on Internet and it is responsible for more than half of all kinds of those attacks. This components are to detect volumetric attacks using machine learning and to make a safe environment for the users without DDoS disruption.
Data Set used : Extracted DDoS Flows from CSE-CIC-IDS2018- AWS, CICIDS2017, CIC DoS dataset(2016)
IT17114172 – A.U. Sudugala
• Filter out the normal internet traffic and analyze the .pcap files whether it is a Volumetric DDoS attack or not.
• Finding a reliable Machine Learning algorithm to train the model – Decision Tree
• Analyzing a proper data set with unique features of Volumetric DDoS attack.
• Model Development.
Volumetric DDoS attacks have been designed to overwhelm network capacity and centralized DDoS mitigation facilities with a high amount of network traffic. Volumetric attacks are usually launched against service providers or enterprise customers. Most of the time well-skilled attackers try to combine volumetric attacks with application-layer attacks which cause real damage. These attacks take the benefit of vulnerable services such as NTP, SSDP and DNS, flooding the
destinations with large reply packets and filling up the links which will result in infrastructure collapsing. Very high bandwidth (more than 50 Gb+) within seconds is one of the main signs of volumetric attacks and is immediately obvious to targeted connectivity providers. Because of that attackers randomize attack parameters and constantly monitor their attacks.
• Volumetric DDoS attacks have been designed to overwhelm network capacity and centralized DDoS mitigation facilities with a high amount of network traffic
• Responsible for more than half of all kinds of DDoS Attacks.
• Intruders randomize the attack parameters and monitor the attacks.
Unique Features to identify the attack and train the model :
Very high bandwidth (more than 50 Gb+) within seconds, large reply packets which fill up the links
Data Set used :
A customized data set is used to train the Volumetric attack detection model, consequently the development and the validation of WANHEDA detection system. Due to the lack of datasets which are built exclusively for DDoS in the public domain, authors have extracted DDoS flows from well-known public IDSs. They are CIS-DoS, CISIDS2017 and CSE-CIC-IDS2018. Here the detection system receives online network traffic samples and classifies them as normal or malicious.
**System Architecture**
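Review bot: the NTP section carries the same paragraph twice ("This component is implementing to filter out the normal internet traffic ... a Notification should be given") and the same "Data Set used : http://205.174.165.80/CICDataset/CICDDoS2019/Dataset/CSVs/" line twice, once before the owner line "IT17111034 - U.C.S. Bandara" and once after the feature list; keep one copy and place it where the other three components put it, after the feature list. The Volumetric section has the same problem with "Data Set used :" appearing both right after the intro and again before the closing paragraph, and the two copies name the datasets differently ("CSE-CIC-IDS2018- AWS, CICIDS2017, CIC DoS dataset(2016)" versus "CIS-DoS, CISIDS2017 and CSE-CIC-IDS2018"); settle on the CIC spellings so the sources can be looked up. Two smaller points: the Slowloris component lists "Linear Regression" as the algorithm for what the text describes as a binary decision ("whether it is a Slow Loris attack or not"), so either the task is a classification and the method name should be checked (logistic regression or a classifier is the usual fit), or the README should say what continuous quantity is being regressed; and "more than 50 Gb+" for a bandwidth sign should carry a rate unit (Gbps) rather than a volume unit, and the same applies to "Support Vector (SVM)", which should read "Support Vector Machine (SVM)". Also note that "slip-over techniques" in the Mobile Botnet bullets is probably meant to be "slip through" (evasion of existing IDS/IPS).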