Abstract
The detection and identification of Distributed Denial-of-Service (DDoS) attacks remains a challenge in cloud/edge/fog computing environments. Detection usually relies on network middleboxes such as deep packet inspectors (DPI). Clouds and fogs, however, have native and powerful telemetry systems that are not yet fully exploited for DDoS detection, and that provide a wealth of information which could aid attack identification as well. Machine Learning (ML) algorithms can help one dive into the richness of the cloud's native data collection services, which expose a multitude of metrics from both physical and virtual hosts. This paper evaluates the use of ML algorithms over datasets collected from an experimental testbed based on OpenStack. Controlled attack scenarios were used to investigate the ability of ML to detect and identify SYN_Flood and GET_Flood DDoS attacks mixed, in different proportions, with legitimate clients. kNN and Random Forest algorithms were trained and tested, and accuracy, recall, precision, and F1-score were used as evaluation metrics. Our experiments reached about 87% accuracy in the detection of SYN_Flood and GET_Flood DDoS attacks, whereas the Snort IDS mostly fails to detect the latter attack when processing the corresponding packet traces. The detection of a PING_Flood DDoS attack was also tested without training on it, as an initial evaluation of how well the proposal generalizes.
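The pipeline the abstract describes, as an added example that is not code or data from the paper: a kNN classifier over host-level telemetry features (feature names mirror Ceilometer meter names, but every sample value below is constructed), with accuracy, per-class precision, recall and F1-score computed by hand. One test sample is a deliberately low-rate GET flood that looks like legitimate traffic in these macroscopic counters, so the metrics show how a miss on the application-layer attack surfaces in recall and F1 rather than in accuracy alone.

```python
"""kNN detection of SYN/GET flood traffic from telemetry-style features.
All samples are constructed for illustration; they are not testbed data."""
import math
from collections import Counter

# Feature order (names mirror Ceilometer meters; values are constructed):
#   cpu_util (%), network.incoming.packets.rate, network.incoming.bytes.rate,
#   network.outgoing.packets.rate
TRAIN = [
    ((12.0, 150.0, 90000.0, 140.0), "legit"),
    ((15.0, 200.0, 120000.0, 180.0), "legit"),
    ((10.0, 120.0, 70000.0, 110.0), "legit"),
    ((18.0, 260.0, 150000.0, 240.0), "legit"),
    # SYN flood: very high packet rate, ~60 bytes per packet, many SYN/ACK replies
    ((25.0, 48000.0, 2900000.0, 47000.0), "syn_flood"),
    ((30.0, 52000.0, 3100000.0, 51000.0), "syn_flood"),
    ((22.0, 45000.0, 2700000.0, 44000.0), "syn_flood"),
    ((28.0, 50000.0, 3000000.0, 49000.0), "syn_flood"),
    # GET flood: moderate packet rate, large requests, CPU pinned by the web server
    ((88.0, 6000.0, 4200000.0, 5800.0), "get_flood"),
    ((92.0, 7000.0, 4900000.0, 6800.0), "get_flood"),
    ((85.0, 5500.0, 3850000.0, 5300.0), "get_flood"),
    ((95.0, 7500.0, 5250000.0, 7200.0), "get_flood"),
]

TEST = [
    ((14.0, 180.0, 100000.0, 160.0), "legit"),
    ((27.0, 49000.0, 2950000.0, 48000.0), "syn_flood"),
    ((90.0, 6500.0, 4550000.0, 6300.0), "get_flood"),
    ((11.0, 130.0, 80000.0, 120.0), "legit"),
    ((89.0, 6200.0, 4300000.0, 6000.0), "get_flood"),
    ((24.0, 47000.0, 2800000.0, 46000.0), "syn_flood"),
    # Low-rate GET flood: indistinguishable from legitimate load in these counters
    ((20.0, 300.0, 180000.0, 280.0), "get_flood"),
]


def fit_scaler(samples):
    """Per-feature mean and standard deviation from the training set only,
    so the test set never leaks into the normalisation."""
    n = len(samples)
    dims = len(samples[0][0])
    means = [sum(s[0][i] for s in samples) / n for i in range(dims)]
    stds = [math.sqrt(sum((s[0][i] - means[i]) ** 2 for s in samples) / n) or 1.0
            for i in range(dims)]
    return means, stds


def scale(x, means, stds):
    """z-score each feature; kNN on raw counters would be dominated by byte rates."""
    return [(v - m) / s for v, m, s in zip(x, means, stds)]


def knn_predict(train_z, xz, k=3):
    """Majority vote among the k nearest (already standardised) training points."""
    nearest = sorted((math.dist(xz, fz), label) for fz, label in train_z)[:k]
    votes = Counter(label for _, label in nearest)
    return votes.most_common(1)[0][0]


def metrics(truth, predicted):
    """Accuracy plus per-class precision/recall/F1 and macro-averaged F1."""
    labels = sorted(set(truth) | set(predicted))
    per_class = {}
    for c in labels:
        tp = sum(1 for t, p in zip(truth, predicted) if t == c and p == c)
        fp = sum(1 for t, p in zip(truth, predicted) if t != c and p == c)
        fn = sum(1 for t, p in zip(truth, predicted) if t == c and p != c)
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        f1 = (2 * precision * recall / (precision + recall)
              if precision + recall else 0.0)
        per_class[c] = {"precision": precision, "recall": recall, "f1": f1}
    accuracy = sum(1 for t, p in zip(truth, predicted) if t == p) / len(truth)
    macro_f1 = sum(v["f1"] for v in per_class.values()) / len(per_class)
    return {"accuracy": accuracy, "per_class": per_class, "macro_f1": macro_f1}


def evaluate(train, test, k=3):
    """Fit the scaler on train, classify test, return (predictions, metrics)."""
    means, stds = fit_scaler(train)
    train_z = [(scale(f, means, stds), label) for f, label in train]
    predictions = [knn_predict(train_z, scale(f, means, stds), k) for f, _ in test]
    truth = [label for _, label in test]
    return predictions, metrics(truth, predictions)


if __name__ == "__main__":
    preds, m = evaluate(TRAIN, TEST)
    for (_, truth), pred in zip(TEST, preds):
        print(f"{truth:>10} -> {pred}")
    print(f"accuracy={m['accuracy']:.3f} macro_f1={m['macro_f1']:.3f}")
    for label, scores in m["per_class"].items():
        print(f"{label:>10}: " + " ".join(f"{k}={v:.3f}" for k, v in scores.items()))
```

The low-rate GET flood sample is classified as legitimate, so accuracy stays at 6/7 while recall for `get_flood` and precision for `legit` both drop to 2/3; that is why the abstract reports recall, precision and F1-score alongside accuracy. Fitting the scaler on the training set alone matters: normalising over train and test together would leak test statistics into the model.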
Notes
CloudFlare Web page. https://www.cloudflare.com/ddos.
Zenedge Web page. https://www.zenedge.com/.
Akamai Web page. https://www.akamai.com/us/en/products/security/.
The list of all monitored features from Ceilometer is available at https://docs.openstack.org/ceilometer/rocky/admin/telemetry-measurements.html.
scikit-learn. Available: https://scikit-learn.org/stable/
Acknowledgements
This work was financed in part by the Coordenação de Aperfeiçoamento de Pessoal de Nível Superior—Brazil (Capes)—Finance Code 001. It also received funding from Conselho Nacional de Desenvolvimento Científico e Tecnológico—Brazil (CNPq) (grant agreements 432787/2016-0, and 428311/2018-0) and Fundação de Amparo à Pesquisa e Inovação do Espírito Santo (Fapes) (Grant Agreements 94/2017, 269/2019 and 582/2019).
Cite this article
Corrêa, J.H., Ciarelli, P.M., Ribeiro, M.R.N. et al. ML-Based DDoS Detection and Identification Using Native Cloud Telemetry Macroscopic Monitoring. J Netw Syst Manage 29, 13 (2021). https://doi.org/10.1007/s10922-020-09578-1