
ML-Based DDoS Detection and Identification Using Native Cloud Telemetry Macroscopic Monitoring

Published in: Journal of Network and Systems Management

Abstract

The detection and identification of Distributed Denial-of-Service (DDoS) attacks remains a challenge in cloud/edge/fog computing environments. It usually requires network middleboxes, such as deep packet inspectors (DPI), mostly for the detection task. But clouds and fogs have powerful native telemetry systems that are not yet fully exploited for DDoS detection, and that provide a wealth of information that could aid attack identification tasks as well. Machine Learning (ML) algorithms can help one dive into the richness of the cloud's native data collection services, which expose a multitude of metrics from both physical and virtual hosts. This paper evaluates the use of ML algorithms over datasets collected from an experimental testbed based on OpenStack. Controlled attack scenarios were used to investigate the ability of ML to detect and identify SYN_Flood and GET_Flood DDoS attacks mixed, in different proportions, with legitimate clients. kNN and Random Forest ML algorithms were trained and tested, and the metrics accuracy, recall, precision, and F1-score were used for evaluation. Our experiments achieved about 87% accuracy in the detection of SYN_Flood and GET_Flood DDoS attacks, whereas Snort IDS mostly fails to detect the latter attack when processing the corresponding packet traces. Also, the detection of a PING_Flood DDoS attack was tested without training, as an initial evaluation towards the generalization of the proposal.
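As an added illustration of the approach the abstract describes (this is not the paper's code or dataset): a nearest-neighbour classifier over per-host telemetry snapshots, evaluated with accuracy, precision, recall and F1-score, where detection (attack vs. legitimate) and identification (which attack) are two views of the same predictions. The metric names follow Ceilometer's measurement list (note 7), but every value, the `TRAIN`/`TEST` rows, the `PING_FLOOD_SAMPLE` and all function names are constructed here for illustration; the code uses only the Python standard library.

```python
"""kNN over host telemetry: detect (attack vs. legit) and identify (which
attack) from Ceilometer-style metrics.  Added example, standard library only."""
import math
from collections import Counter

# Constructed samples (not the paper's dataset).  One row per VM snapshot:
# [cpu_util %, network.incoming.packets.rate, network.outgoing.packets.rate,
#  network.incoming.bytes.rate, memory.usage MB].  Metric names follow the
# Ceilometer measurement list; the numbers are made up to show the shapes:
# SYN floods push packet rates up with small packets, GET floods push CPU,
# bytes and memory up with far fewer (but complete) requests.
TRAIN = [
    ([12.0,   400,   380,    52_000,  610], "legit"),
    ([15.0,   520,   500,    70_000,  620], "legit"),
    ([10.0,   350,   330,    45_000,  600], "legit"),
    ([18.0,   610,   590,    85_000,  640], "legit"),
    ([35.0,  9500,  9400,   570_000,  700], "syn_flood"),
    ([40.0, 11000, 10800,   660_000,  720], "syn_flood"),
    ([33.0,  8800,  8700,   530_000,  690], "syn_flood"),
    ([38.0, 10200, 10000,   610_000,  710], "syn_flood"),
    ([92.0,  3100,  3000, 2_400_000, 1400], "get_flood"),
    ([88.0,  2800,  2750, 2_100_000, 1350], "get_flood"),
    ([95.0,  3400,  3300, 2_600_000, 1450], "get_flood"),
    ([90.0,  3000,  2900, 2_300_000, 1380], "get_flood"),
]
# Constructed held-out snapshots; the last one is a low-rate GET flood mixed
# with legitimate clients, which this small model will miss on purpose.
TEST = [
    ([14.0,   480,   460,    62_000,  615], "legit"),
    ([37.0,  9900,  9700,   590_000,  705], "syn_flood"),
    ([91.0,  3200,  3100, 2_450_000, 1420], "get_flood"),
    ([20.0,   700,   680,    95_000,  650], "legit"),
    ([25.0,   900,   880,   300_000,  800], "get_flood"),
]
# Constructed ICMP-flood snapshot: a class the model was never trained on.
PING_FLOOD_SAMPLE = [30.0, 9000, 9000, 700_000, 690]


def fit_minmax(rows):
    """Per-feature (min, max) so packet rates do not swamp cpu_util."""
    cols = list(zip(*[x for x, _ in rows]))
    return [(min(c), max(c)) for c in cols]


def scale(x, bounds):
    """Min-max scale one snapshot into [0, 1] per feature."""
    return [(v - lo) / (hi - lo) if hi > lo else 0.0
            for v, (lo, hi) in zip(x, bounds)]


def knn_predict(train, bounds, x, k=3):
    """Majority label among the k nearest (Euclidean, scaled) training rows."""
    sx = scale(x, bounds)
    dists = sorted((math.dist(sx, scale(row, bounds)), label)
                   for row, label in train)
    votes = Counter(label for _, label in dists[:k])
    return votes.most_common(1)[0][0]


def class_metrics(y_true, y_pred):
    """Accuracy plus per-class precision/recall/F1 (the abstract's metrics)."""
    per_class = {}
    for c in sorted(set(y_true) | set(y_pred)):
        tp = sum(t == c and p == c for t, p in zip(y_true, y_pred))
        fp = sum(t != c and p == c for t, p in zip(y_true, y_pred))
        fn = sum(t == c and p != c for t, p in zip(y_true, y_pred))
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        f1 = (2 * precision * recall / (precision + recall)
              if precision + recall else 0.0)
        per_class[c] = {"precision": precision, "recall": recall, "f1": f1}
    accuracy = sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)
    return {"accuracy": accuracy, "per_class": per_class}


def evaluate(train, test, k=3, detect_only=False):
    """detect_only=True collapses every attack label to 'attack' (detection);
    False keeps syn_flood/get_flood apart (identification)."""
    bounds = fit_minmax(train)

    def view(label):
        return "attack" if detect_only and label != "legit" else label

    y_true = [view(label) for _, label in test]
    y_pred = [view(knn_predict(train, bounds, x, k)) for x, _ in test]
    return class_metrics(y_true, y_pred)


if __name__ == "__main__":
    for mode in (False, True):
        print("detection" if mode else "identification",
              evaluate(TRAIN, TEST, detect_only=mode))
    # An untrained attack can only be mapped onto the nearest trained class.
    print("untrained PING_Flood sample ->",
          knn_predict(TRAIN, fit_minmax(TRAIN), PING_FLOOD_SAMPLE))
```

Two things worth reading off the output. First, the low-rate GET flood mixed with legitimate traffic lands among the legitimate neighbours, so identification recall for `get_flood` drops even though detection of the high-rate floods is perfect; that is the "different proportions" difficulty the abstract points at, and it is why a second model (Random Forest in the paper) and feature selection are worth comparing rather than relying on a single kNN. Second, the constructed PING_Flood snapshot, which no class was trained on, is still labelled as an attack, but only as the closest known one (`syn_flood`); a telemetry classifier can flag unseen volumetric attacks as anomalous from their host-level footprint, yet it cannot name them without training data.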



Notes

  1. CloudFlare Web page. https://www.cloudflare.com/ddos.

  2. Zenedge Web page. https://www.zenedge.com/.

  3. Akamai Web page. https://www.akamai.com/us/en/products/security/.

  4. https://www.joedog.org/siege-home/.

  5. https://linux.die.net/man/8/hping3.

  6. https://github.com/jseidl/GoldenEye.

  7. The list of all monitored features from Ceilometer is available at https://docs.openstack.org/ceilometer/rocky/admin/telemetry-measurements.html

  8. Available: https://scikit-learn.org/stable/modules/generated/sklearn.feature_selection.SelectKBest.html.

  9. https://jhenriquecorrea.github.io/datasets/.

  10. https://www.snort.org/.

  11. Available: https://scikit-learn.org/stable/

  12. https://aws.amazon.com/cloudwatch/.

  13. https://cloud.google.com/monitoring/api/metrics_gcp.


Acknowledgements

This work was financed in part by the Coordenação de Aperfeiçoamento de Pessoal de Nível Superior—Brazil (Capes)—Finance Code 001. It also received funding from Conselho Nacional de Desenvolvimento Científico e Tecnológico—Brazil (CNPq) (grant agreements 432787/2016-0, and 428311/2018-0) and Fundação de Amparo à Pesquisa e Inovação do Espírito Santo (Fapes) (Grant Agreements 94/2017, 269/2019 and 582/2019).

Corresponding author

Correspondence to João Henrique Corrêa.


Cite this article

Corrêa, J.H., Ciarelli, P.M., Ribeiro, M.R.N. et al. ML-Based DDoS Detection and Identification Using Native Cloud Telemetry Macroscopic Monitoring. J Netw Syst Manage 29, 13 (2021). https://doi.org/10.1007/s10922-020-09578-1


  • DOI: https://doi.org/10.1007/s10922-020-09578-1
