Abstract
Nowadays the internet has made a momentous impact on our daily life, but we are not safe enough in the internet world. Over the last two decades, network security scholars have proposed several innovative and practical solutions to protect us from network and internet attacks. Among all internet threats, denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks are considered the most notorious and devastating ones; they remain one of the main threats and a serious security problem for today's internet. These attacks are launched by generating a huge amount of network traffic in order to exhaust the resources of the target network. This study proposes a new model for a real-time intrusion prevention system for DDoS attacks. Creative attackers continuously develop effective attack tools and techniques to inflict maximum damage, aided by rapid technological advancement. The proposed Efficient Detection System of Network Intrusion (EDSONI) model performs both detection and prevention of this malicious activity. The CICIDS2017 dataset has been applied to the proposed system to evaluate its detection and prevention performance.
1 Introduction
Nowadays, networks and the internet have a noteworthy effect on our day-to-day life. We are fully dependent on the internet for sharing confidential and valuable information. On the other hand, because of this high dependence on the internet, hackers constantly investigate its shortcomings in order to paralyze targeted servers or devices. Exploiting such weaknesses, attackers seek to gain illegal access and damage targeted resources. In the world of computing, different security domains exist, and each one addresses various aspects of security [1]. Quite a few firewalls and cyber security systems are in operation these days, but they do not provide sufficient protection from cyber-attacks. Cyber security systems continuously improve their defense mechanisms, yet dangerous attacks such as zero-day attacks grow more dangerous on a daily basis. DDoS (Distributed Denial-of-Service) attacks are known to be among the strongest and most destructive ones.
1.1 DoS and DDoS Attacks Overview
There is plenty of evidence of DoS and DDoS attacks on the internet today. DoS attacks typically flood servers and networks and effectively disrupt their victim's resources. A DDoS attack, on the other hand, uses a large number of compromised computers to attack a target, slowing the computer and its network connection to a halt. This is a very powerful many-to-one technique that is difficult to prevent. When a DDoS attack strikes, all users of a website or other online resource are completely denied access, halting the operations of the victim organization's websites in their tracks. A typical attack scenario involves a large number of login attempts or requests to a website or server. The huge volume of requests floods the targeted resource, which loses the ability to serve its legitimate users. There are three basic categories of attack (Table 1).
1.2 Some Common Types of DDoS Attacks
DDoS attacks are of two types [3]: bandwidth exhaustion, which saturates the network and leads to its breakdown, and resource exhaustion, which exhausts key resources such as memory and leads to the breakdown of the server [4]. There are different vectors of DDoS attack, which aim to overwhelm servers, firewalls, and other devices with varying destructive effect (Tables 2 and 3).
1.3 DDoS Prevention Techniques
It is difficult to stop DDoS attacks completely, but their impact can be mitigated to a tolerable level by developing and using different techniques. Many DDoS defense mechanisms try to protect systems from DDoS attacks:
- Disable unused ports and services.
- Install the latest security patches.
- Disable IP broadcast.
- Use firewalls and routers.
- Ingress/egress filtering [12].
- Router-based packet filtering.
- Load balancing.
1.4 Challenges of DDoS Attacks
The dangerous history of DDoS attacks shows that preventing them completely is nearly impossible. DDoS protection is a challenge for the following reasons:
- Difficulty in distinguishing legitimate traffic from attack traffic.
- Lack of large-scale testing approaches.
- Lack of infrastructure and expertise.
- Lack of effective traffic analysis and defense systems.
- DDoS attacks have no common characteristics.
2 Related Works
A deep study of the existing literature on DDoS architecture, detection, and prevention issues was undertaken prior to the introduction of the EDSONI model for DDoS attacks. Relevant literature was reviewed in order to find out where further improvement could be made. The study revealed that the threat implications should be the initial consideration when producing improved detection and prevention techniques for DDoS attacks. Table 4 compares a few existing relevant papers with our work.
2.1 DDoS Attack Tools and Their Comparison
Several tools are able to produce both legitimate traffic and attack traffic [15]. Researchers have paid little attention to the fact that DDoS attackers use botnets to launch their attacks (Table 5).
3 EDSONI Research Methodology
The EDSONI research methodology, including detailed explanations of the lab architecture, dataset, hardware, and software used to obtain the expected results, is presented below.
3.1 Lab Architecture
3.2 Dataset
As the dataset, we have used CICIDS2017 for network security and intrusion detection, since it contains a diverse set of attacks. In this dataset, seven attack profiles based on the latest list of common DDoS attack families have been created. The dataset is generated by running the related tools and code (Table 7).
4 Findings
The details of the proposed enhanced Efficient Detection System of Network Intrusion (EDSONI) model are discussed below (Fig. 2).
- i. Sniffer
The very first step of EDSONI is the Sniffer. In this system, a raw socket is used to sniff packets from a specific interface. All packets are saved to a file with the PCAP extension, which makes it easy to analyze the captured traffic further.
- ii. Extractor
Generally, a sniffed raw packet contains information encoded as both signed and unsigned bits and characters. In the Extractor step, EDSONI unpacks each raw packet and collects all available information from it. After extraction, it is easy to obtain the version, Internet Header Length, Type of Service, packet length, identification tag, flags, fragment offset, TTL, protocol, header checksum, source IP address, destination IP address, source MAC address, destination MAC address, payload, and so on.
- iii. Normalizer
In this step, the Normalizer normalizes all the data collected by the Extractor step for post-processing, so that the Module Selector engine and the other post-processing steps can process them easily.
- iv. Module Selector
The Module Selection Engine selects the correct module (TCP, UDP, ICMP, or another module) based on analysis of the PDU (Protocol Data Unit) and the packet header.
- v. Pre-processor
The Pre-processor examines packets, detects suspicious activity, and modifies packets so that the detection engine can interpret them properly. It analyzes sessions, payloads, fragments, and segments within the selected module, which saves processing time. The traffic then goes to the detection engine.
- vi. Detection and Prevention Engine
After pre-processing, the detection engine triggers a detection process in real time using the selected detection mechanism. EDSONI works in two modes: detection and prevention. In detection mode it only detects the intrusion, logs the information, and forwards the packet to the prevention mode.
- vii. Logs and visualization
Finally, the results and logs of detection and prevention are visualized.
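As an added example (not the paper's code), the Extractor and Module Selector steps applied to one constructed Ethernet/IPv4 frame: the header fields listed above are unpacked with struct, the IPv4 header checksum is verified, and the packet is routed by its protocol number. The frame contents, MAC addresses and IP addresses are constructed sample values, and the function and field names are my own.

```python
import socket
import struct

ETH_HDR_LEN = 14
IPV4_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # modules the selector chooses between

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def extract(frame: bytes) -> dict:
    """Extractor step: unpack Ethernet and IPv4 header fields from one raw frame."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR_LEN:]
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (20 when there are no options)
    return {
        "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "total_length": total_len,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "header_checksum": csum,
        # summing a header that includes its own checksum yields 0 when it is intact
        "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "payload": ip[ihl:total_len],
    }

def select_module(fields: dict) -> str:
    """Module Selector step: route the packet to the TCP, UDP, ICMP or other module."""
    return IPV4_PROTO_NAMES.get(fields["protocol"], "OTHER")

def build_sample_frame() -> bytes:
    """Constructed UDP-in-IPv4 frame (sample data, not traffic from CICIDS2017)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    src, dst = socket.inet_aton("192.0.2.1"), socket.inet_aton("198.51.100.7")
    # version 4, IHL 5, total length 28, id 0x1234, DF flag, TTL 64, proto 17 (UDP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0x4000, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill checksum field
    return eth + ip + struct.pack("!HHHH", 53, 53, 8, 0)  # 8-byte UDP header, no data
```

A real Sniffer would feed frames read from a raw socket or a PCAP file into extract() in place of build_sample_frame().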
4.1 Implementation and Experimental Result
Table 8 shows the experimental results of the evaluation metrics, as weighted averages, for the six selected machine-learning algorithms on the generated dataset. The execution time of the testing process is also calculated and shown in the table. Among the six applied machine-learning algorithms (AdaBoost, J48, K-Nearest Neighbors (KNN), Multilayer Perceptron (MLP), Naïve Bayes, and Random Forest (RF)), we observed that, in terms of execution time, MLP is the slowest, requiring 2836 s for a 97.689% classification accuracy rate, whereas KNN is the fastest, requiring only 1.2 s for a 97.397% classification accuracy rate. Additionally, based on the weighted average of three evaluation metrics (Pr, Rc, and F-Measure), the highest rates belong to the Naïve Bayes, AdaBoost, and J48 algorithms. Considering both the evaluation metrics and the execution time, Naïve Bayes is the best of the six applied machine-learning algorithms, with the highest accuracy rate and a short execution time (Fig. 3; Table 9).
The evaluation metrics used in the table above are defined as follows:
Precision (\(P_r\)): the ratio of correctly classified attack flows (TP) to all flows classified as attacks (TP + FP).
Recall (\(R_c\)): the ratio of correctly classified attack flows (TP) to all generated attack flows (TP + FN).
F-Measure: the harmonic mean of precision and recall, combining them into a single measure.
Matthews's correlation coefficient (MCC): defined in terms of True Positives (TP), True Negatives (TN), False Positives (FP), and False Negatives (FN).
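The four metrics above written out with the paper's symbols, as an added reference rather than equations from the original paper, where TP, TN, FP and FN are the confusion-matrix counts for the attack class:

\[
P_r = \frac{TP}{TP + FP}, \qquad
R_c = \frac{TP}{TP + FN}, \qquad
F = \frac{2\,P_r\,R_c}{P_r + R_c} = \frac{2\,TP}{2\,TP + FP + FN},
\]
\[
MCC = \frac{TP \cdot TN - FP \cdot FN}{\sqrt{(TP + FP)(TP + FN)(TN + FP)(TN + FN)}} .
\]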
5 Conclusion and Future Work
It appears to be really difficult to completely defend a network from distributed denial-of-service (DDoS) attacks on the internet today. In this study, we propose and evaluate a model called EDSONI for DoS and DDoS attacks. This article concludes that it is possible to train a Naïve Bayes classifier that successfully classifies unseen data in different scenarios with high accuracy in a computer-generated simulation. Challenges and different DDoS prevention approaches are also discussed in this paper. The proposed system can be used for commercial purposes and can be implemented as part of a firewall system, combining the operation of detection and prevention systems. In future, the same approach can be extended and checked against other attacks over the network.
References
Aldibotnet, DDoS Attack Tools, 2012. https://asert.arbornetworks.com/ddos-tools
Behal S, Kumar K (2017) Characterization and comparison of DDoS attack tools and traffic generations: a review. IJ Netw Secur 19(3):383–393
DDoS Attack on Bank of Greece https://www.hackread.com/anonymous-ddos-attack-bank-greece-website-down/. Accessed 8 June 2018
eSecurity Planet, 4 May 2017, www.esecurityplanet.com/network-security/types-of-ddos-attacks.html. Accessed 11 June 2018
GitHub engineering, DDoS incident Report. https://githubengineering.com/ddos-incident-report/. Accessed 9 June 2018
Github (2013), DDoS Attack Tools. https://github.com/
Hacker group ‘Anonymous’ claims credit for federal cyber-attacks. http://ottawacitizen.com/news/politics/federal-computer-servers-cyber-attacked-clement. Accessed 9 June 2018
HSBC internet banking services down after DDoS attack. https://www.theguardian.com/money/2016/jan/29/hsbc-online-banking-cyber-attack. Accessed 9 June 2018
Kali Linux Tutorials (2011) THC-SSL-DoS—a denial of service tool against secure web-servers and for Testing SSL-Renegotiation. https://www.thc.org/thc-ssl-dos
Kritikos K, Kirkham T, Kryza B, Massonet P (2017) Towards a security-enhanced PaaS platform for multi-cloud applications. Futur Gener Comput Syst 67:206–226
Hu L, Bi X (2011) Research of DDoS attack mechanism and its defense frame. In: Computer research and development (ICCRD), 3rd international conference, pp 440–442
Melbourne IT, DDoS Attacks of 2017 https://www.tripwire.com/state-of-security/featured/5-notable-ddos-attacks-2017/. Accessed 9 June 2018
Mittal A, et al (2011) A review of DDOS attack and its countermeasures in TCP based networks. Int J Comput Sci Eng Surv (IJCSES) 2. https://doi.org/10.5121/ijcses.2011.2413
Ferguson P, Senie D (1998) Network ingress filtering: defeating denial of service attacks which employ IP source address spoofing. In: RFC 2267, the internet engineering task force (IETF)
Packet Storm (2015) DDoS Attack Tools. http://packetstormsecurity.org
Sharafaldin I, et al (2018) Toward generating a new intrusion detection dataset and intrusion traffic characterization. In: Proceedings of the 4th international conference on information systems security and privacy (ICISSP)
Shruthi P (2017) Network security in digitalization: attacks and defence. Int J Res Comput Appl Robot
Sourceforge (2012) DDoS Attack Tools. http://sourceforge.net/projects
UK National Lottery (2017) DDoS Attacks of 2017 https://www.tripwire.com/state-of-security/featured/5-notable-ddos-attacks-2017/. Accessed 9 June 2018
Vinko Z, KF, VS (2017) Denial of service attacks, defenses and research challenges. Springer Science Business Media New York. https://doi.org/10.1007/s10586-017-0730-x
Web attack knocks BBC websites offline https://www.bbc.com/news/technology-35204915. Accessed 9 June 2018
© 2022 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Ali, M.N.B., Hossain, M.E., Bhuiyan, T., Hoque, M.S., Karthikeyan, J. (2022). A New Model for Real-Time Intrusion Prevention Systems for DDoS Attacks. In: Goyal, V., Gupta, M., Mirjalili, S., Trivedi, A. (eds) Proceedings of International Conference on Communication and Artificial Intelligence. Lecture Notes in Networks and Systems, vol 435. Springer, Singapore. https://doi.org/10.1007/978-981-19-0976-4_7
DOI: https://doi.org/10.1007/978-981-19-0976-4_7
Publisher Name: Springer, Singapore
Print ISBN: 978-981-19-0975-7
Online ISBN: 978-981-19-0976-4