Machine Learning Based DDoS Detection Through NetFlow Analysis

Distributed Denial of Service (DDoS) has been a lasting, severe threat to the Internet, and it has recently been evolving in both technique and traffic volume. Many traditional detection methods fail because of their limitations in real-time operation, complexity or universality. It is therefore necessary to explore how to detect different kinds of DDoS in a timely manner using simple sampled traffic data such as NetFlow in high-speed networks with bandwidth up to Tbps. In this paper, we put forward a scheme to identify DDoS traffic with NetFlow feature selection and machine learning. First, we extract adaptive flow-based features and pattern-based features from sampled NetFlow data in real time. Then we build a detector with RandomForest and evaluate it on a research lab network trace that contains benign traffic and simulated DDoS traffic of different kinds generated by popular DDoS tools. Experimental results show that our method achieves an average accuracy of more than 99% and a false-positive rate of less than 0.5%. Moreover, our method remains valid for DDoS techniques such as stealthy DDoS attacks, so it is more universal than typical traditional methods. Finally, we apply our detector to real-world NetFlow logs provided by a large ISP and measure the characteristics of DDoS along several dimensions. This also shows that our detector is applicable to real-world networks.
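The pipeline the abstract describes (aggregate sampled NetFlow records into per-destination feature vectors over a time window, then feed them to a RandomForest) can be illustrated with the added example below. This is not the paper's code: the record field names (`src_ip`, `dst_ip`, `proto`, `tcp_flags`, `packets`, `bytes`), the 1:1000 sampling rate, the feature set and the constructed flow records are all assumptions. The abstract does not say what its "pattern-based features" are; the TCP-flag and packet-size ratios here are a stand-in for that idea, not the paper's definition.

```python
"""Windowed NetFlow feature extraction feeding a RandomForest DDoS detector.

Added example, not the paper's code. Flow records are constructed dicts that
mimic NetFlow v9 fields; all field names and constants are assumptions.
"""
from collections import defaultdict
from math import log2

SAMPLING_RATE = 1000      # hypothetical 1:1000 packet sampling on the exporter
WINDOW_SECONDS = 60       # hypothetical aggregation window
FEATURE_ORDER = ["flows_per_sec", "unique_srcs", "src_entropy",
                 "mean_pkts_per_flow", "mean_bytes_per_pkt",
                 "syn_only_ratio", "single_pkt_ratio"]


def shannon_entropy(counts):
    """Entropy (bits) of a count distribution; spoofed floods push this up."""
    total = sum(counts)
    if not total:
        return 0.0
    return -sum(c / total * log2(c / total) for c in counts if c)


def extract_features(flows, window_seconds=WINDOW_SECONDS):
    """Aggregate one window of sampled flow records per destination IP."""
    per_dst = defaultdict(list)
    for f in flows:
        per_dst[f["dst_ip"]].append(f)
    feats = {}
    for dst, recs in per_dst.items():
        n = len(recs)
        src_counts = defaultdict(int)
        for r in recs:
            src_counts[r["src_ip"]] += 1
        raw_pkts = sum(r["packets"] for r in recs)
        raw_bytes = sum(r["bytes"] for r in recs)
        # SYN-only TCP flag byte (0x02) with no ACK is the half-open signature
        syn_only = sum(1 for r in recs if r["proto"] == 6 and r["tcp_flags"] == 0x02)
        single_pkt = sum(1 for r in recs if r["packets"] == 1)
        feats[dst] = {
            "flows_per_sec": n / window_seconds,
            "unique_srcs": len(src_counts),
            "src_entropy": shannon_entropy(src_counts.values()),
            # scale sampled packet counts back to an estimate of the real rate
            "mean_pkts_per_flow": raw_pkts * SAMPLING_RATE / n,
            "mean_bytes_per_pkt": raw_bytes / raw_pkts,
            "syn_only_ratio": syn_only / n,
            "single_pkt_ratio": single_pkt / n,
        }
    return feats


def to_vector(feat):
    """Fixed-order numeric vector for a classifier."""
    return [feat[k] for k in FEATURE_ORDER]


# Constructed sample window: a few benign sessions to 10.0.0.5 and a
# SYN flood from 32 spoofed sources to 10.0.0.9.
SAMPLE_FLOWS = [
    {"src_ip": "192.0.2.10", "dst_ip": "10.0.0.5", "proto": 6,
     "tcp_flags": 0x1B, "packets": 12, "bytes": 9000},
    {"src_ip": "192.0.2.10", "dst_ip": "10.0.0.5", "proto": 6,
     "tcp_flags": 0x1B, "packets": 8, "bytes": 6000},
    {"src_ip": "192.0.2.11", "dst_ip": "10.0.0.5", "proto": 6,
     "tcp_flags": 0x1B, "packets": 20, "bytes": 15000},
    {"src_ip": "192.0.2.12", "dst_ip": "10.0.0.5", "proto": 6,
     "tcp_flags": 0x1B, "packets": 10, "bytes": 7500},
] + [
    {"src_ip": f"203.0.113.{i}", "dst_ip": "10.0.0.9", "proto": 6,
     "tcp_flags": 0x02, "packets": 1, "bytes": 40}
    for i in range(1, 33)
]


def train_and_predict(windows, labels, query):
    """Fit a RandomForest on labelled windows if scikit-learn is installed.

    Returns the predicted label for `query`, or None when sklearn is absent.
    """
    try:
        from sklearn.ensemble import RandomForestClassifier
    except ImportError:
        return None
    clf = RandomForestClassifier(n_estimators=50, random_state=0)
    clf.fit([to_vector(w) for w in windows], labels)
    return clf.predict([to_vector(query)])[0]


if __name__ == "__main__":
    f = extract_features(SAMPLE_FLOWS)
    for dst, v in f.items():
        print(dst, {k: round(x, 3) for k, x in v.items()})
    # Toy training set: the two windows above labelled benign/attack.
    print(train_and_predict([f["10.0.0.5"], f["10.0.0.9"]],
                            ["benign", "attack"], f["10.0.0.9"]))
```

In practice the windows come from an exporter at the network edge, the training set is a labelled trace such as the one the paper builds, and the feature extractor runs per window on the sampled stream so that the classifier never sees a full packet capture.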
