The hybrid technique for DDoS detection with supervised learning algorithms

• Published in: Computer networks (Amsterdam, Netherlands : 1999) Vol. 158; pp. 35 - 45
• Main Authors: Hosseini, Soodeh, Azizi, Mehrdad
• Format: Journal Article
• Language: English
• Published: Amsterdam Elsevier B.V 20.07.2019; Elsevier Sequoia S.A
• Subjects: Algorithms; Bayesian analysis; Data transmission; DDoS; Decision trees; Denial of service attacks; Divergence; Feature extraction; Hybrid mechanism; Incremental learning; Machine learning; Multilayer perceptrons; Supervised learning; Incremental learning; DDoS; Hybrid mechanism; Machine learning
• ISSN: 1389-1286; 1872-7069
• DOI: 10.1016/j.comnet.2019.04.027

Distributed denial of service (DDoS) is still one of the main threats of the online services. Attackers are able to run DDoS with simple steps and high efficiency in order to prevent or slow down users' access to services. In this paper, we propose a novel hybrid framework based on data stream approach for detecting DDoS attack with incremental learning. We use a technique which divides the computational load between client and proxy sides based on their resource to organize the task with high speed. Client side contains three steps, first is the data collecting of the client system, second is the feature extraction based on forward feature selection for each algorithm, and the divergence test. Consequently, if divergence got bigger than a threshold, the attack is detected otherwise data processed to the proxy side. We use the naïve Bayes, random forest, decision tree, multilayer perceptron (MLP), and k-nearest neighbors (K-NN) on the proxy side to make better results. Different attacks have their specific behavior, and because of different selected features for each algorithm, the appropriate performance for detecting attacks and more ability to distinguish new attack types is achieved. The results show that the random forest produces better results among other mentioned algorithms.