1 Introduction

Nowadays, networks and the internet have a noteworthy effect on our day-to-day life. We are fully dependent on the internet for sharing confidential and valuable information. Because of this high dependence on the internet, hackers continually investigate its shortcomings in order to paralyze targeted servers or devices. Using such weaknesses, attackers seek to gain illegal access and damage targeted resources. In the world of computing, different security domains exist, and each one addresses various aspects of security [1]. Quite a few firewalls and cyber security systems are in action these days, but they are not safe enough from cyber-attacks. Different cyber security systems continuously improve their defense mechanisms, yet dangerous attacks such as zero-day exploits are becoming more destructive on a daily basis. DDoS (Distributed Denial-of-Service) attacks are known to be among the strongest and most destructive.

1.1 DoS and DDoS Attacks Overview

There is plenty of evidence of DoS and DDoS attacks on the internet nowadays. DoS attacks typically flood servers and networks and practically paralyze their victim’s resources. A DDoS attack, on the other hand, uses a large number of compromised computers to attack a single target, slowing the computer and its network connection to a halt. This is a very powerful many-to-one technique, which is difficult to prevent. When a DDoS attack strikes, all users of a website or other online resource are completely denied access, halting the operations of the victim organization’s websites in their tracks. A typical attack scenario involves a large number of login attempts or calls to a website or server. The huge volume of requests floods the targeted resource, which loses the ability to serve its legitimate users. There are three basic categories of attack (Table 1).

Table 1 Different categories of attack [2]

1.2 Some Common Types of DDoS Attacks

DDoS attacks are of two types [3]: one, bandwidth exhaustion, which creates congestion leading to the breakdown of the network; two, resource exhaustion, which exhausts key resources such as memory, leading to the breakdown of the server [4]. There are different vectors of DDoS attack, which aim to overwhelm servers, firewalls, and other devices and vary in their destructiveness (Tables 2 and 3).

Table 2 Well-known DDoS attacks
Table 3 Some well-known DDoS attacks of the last four years

1.3 DDoS Prevention Techniques

It is difficult to stop DDoS attacks completely. We can mitigate them to a tolerable level by developing and using different techniques. There are many DDoS defense mechanisms that try to protect systems from DDoS attacks:

  • Disable unused ports and services.

  • Install the latest security patches.

  • Disable IP broadcast.

  • Use firewalls and routers.

  • Ingress/egress filtering [12].

  • Router-based packet filtering.

  • Load balancing.

1.4 Challenges of DDoS Attacks

The dangerous history of DDoS attacks shows that the prevention of DDoS is nearly impossible. DDoS protection is a challenge for the following reasons:

  • Difficulty in distinguishing legitimate traffic from attack traffic.

  • Lack of large-scale testing approaches.

  • Lack of infrastructure and expertise.

  • Lack of effective traffic analysis and defense systems.

  • There are no common characteristics of DDoS attacks.

2 Related Works

A deep study of the existing literature on DDoS architecture, detection, and prevention issues was undertaken prior to the introduction of the EDSONI model for DDoS attacks. In order to find out where further improvement could be made, the relevant literature was reviewed. The study revealed that the threat implications should be the initial consideration in producing better detection and prevention techniques for DDoS attacks. Table 4 shows the comparison of a few existing relevant papers with our work.

Table 4 Comparison of different parameters

2.1 DDoS Attack Tools and Their Comparison

There are several tools that are able to produce both legitimate traffic and attack traffic [15]. Researchers have paid little attention to the fact that DDoS attacks use botnets to launch their attacks (Table 5).

Table 5 Comparison of DDoS attack tools

3 EDSONI Research Methodology

The EDSONI research methodology, including detailed explanations of the lab architecture, dataset, hardware, and software used to obtain the expected results, is presented below.

3.1 Lab Architecture

See Fig. 1 and Table 6.

Fig. 1 Lab architecture

Table 6 Hardware and software used in the lab architecture

3.2 Dataset

For the dataset, we have used CICIDS2017 for network security and intrusion detection, as it contains a diverse set of attacks. In this dataset, seven attack profiles based on the last updated list of common DDoS attack families have been created. The dataset was generated by using the related tools and code (Table 7).

Table 7 Similarities and differences between the CICIDS2017 dataset and public datasets based on the latest IDS dataset evaluation framework [21]

4 Findings

The details of the proposed enhanced Efficient Detection System of Network Intrusion (EDSONI) model are discussed below (Fig. 2).

Fig. 2 Proposed EDSONI model

  i. Sniffer

     The very first step of EDSONI is the Sniffer. In this system, a “raw socket” is used to sniff packets from a specific interface. All packets are saved in a file with the PCAP extension, which makes the captured traffic easy to examine in further analysis.

  ii. Extractor

     Generally, when a raw packet is sniffed, it contains information that is packed as both signed and unsigned bytes and characters. In the extractor step, the EDSONI extractor unpacks and collects all possible information from every raw packet. After extraction, it is easy to obtain the version, Internet Header Length, Type of Service, length of the packet, identification tag, flags, fragment offset, TTL, protocol, Header Checksum, source IP address, destination IP address, source MAC address, destination MAC address, payload, etc. of the packet.

  iii. Normalizer

     In this step, the normalizer normalizes all the data collected in the extractor step for post-processing, so that the module selector engine and other post-processing steps can process them easily.

  iv. Module Selector

     The Module Selection Engine selects the correct module, such as TCP, UDP, ICMP, or other modules, based on the analysis of the PDU (Protocol Data Unit) and packet header.

  v. Pre-processor

     The pre-processor is used for the examination of packets, the detection of suspicious activity, and the modification of packets so that the detection engine can properly interpret them. It analyzes sessions, payloads, fragments, and segments under the particular module, which saves processing time. After that, the traffic goes to the detection engine.

  vi. Detection and Prevention Engine

     After the pre-processor, the detection engine triggers a detection process in real time using the selected detection mechanism. EDSONI works in two modes: detection and prevention. In detection mode it only detects the intrusion, logs the information, and forwards the packet to the prevention mode.

  vii. Logs and visualization

     Finally, the results and logs of detection and prevention are visualized.
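The Extractor and Module Selector steps above, as an added example that is not the paper's EDSONI code: it unpacks an Ethernet + IPv4 header into the fields the text lists, recomputes the header checksum, and routes the packet to a module by protocol number. The sample frame and the protocol-to-module mapping are assumptions constructed here, not taken from the paper.

```python
import struct
import socket

# Protocol number -> module name; an assumed mapping, not the paper's own table.
MODULES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def extract(frame: bytes) -> dict:
    """Extractor step: unpack Ethernet + IPv4 headers into the fields the text lists."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    fields = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = fields
    ihl = (ver_ihl & 0x0F) * 4
    header = frame[14:14 + ihl]
    # Recompute the header checksum so a corrupted or forged header is flagged, not trusted.
    computed = ip_checksum(header[:10] + b"\x00\x00" + header[12:])
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "length": total_len,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum_ok": computed == csum,
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "payload": frame[14 + ihl:],
    }

def select_module(fields: dict) -> str:
    """Module Selector step: route the packet by its IP protocol number."""
    return MODULES.get(fields["protocol"], "OTHER")

def build_sample_frame() -> bytes:
    """Constructed Ethernet/IPv4/UDP frame (not captured traffic) used as the demo input."""
    eth = bytes.fromhex("aabbccddeeff001122334455") + b"\x08\x00"
    payload = b"hello"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0x1234, 0x4000, 64, 17, 0,
                     socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    udp = struct.pack("!HHHH", 12345, 53, 8 + len(payload), 0)
    return eth + ip + udp + payload
```

Calling `extract(build_sample_frame())` yields the field dictionary, and `select_module` on it returns "UDP"; a raw-socket sniffer would feed real frames into `extract` in the same way.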

4.1 Implementation and Experimental Result

Table 8 shows the experimental results of the evaluation metrics, in terms of weighted average, for the six selected machine-learning algorithms on the generated dataset. The execution time of the testing process is also calculated and shown in the table. Among the six applied machine-learning algorithms, Adaboost, J48, K-Nearest Neighbors (KNN), Multilayer Perceptron (MLP), Naïve Bayes, and Random Forest (RF), we observed that, in terms of execution time, MLP is the slowest, requiring 2836 s with a 97.689% classification accuracy rate, while the fastest, KNN, requires only 1.2 s with a 97.397% classification accuracy rate. Additionally, based on the weighted average of the three evaluation metrics (Pr, Rc, and F-Measure), the highest accuracy rates belong to the Naïve Bayes, Adaboost, and J48 algorithms. Considering both the evaluation metrics and the execution time, Naïve Bayes is the best algorithm, with the highest accuracy rate and a short execution time among the six applied machine-learning algorithms (Fig. 3; Table 9).

Table 8 Experimental performance result of 6 machine learning algorithms
Fig. 3 Overall performance rate of different algorithms

Table 9 Results of Naïve Bayes

The evaluation metrics used in the tables above are defined as follows:

$$ \text{Accuracy} = (\text{TP} + \text{TN})/(\text{TP} + \text{TN} + \text{FP} + \text{FN}), $$
(1)
$$ \text{TPR}\ (\text{True Positive Rate}) = \text{TP}/(\text{TP} + \text{FN}), $$
(2)
$$ \text{FPR}\ (\text{False Positive Rate}) = \text{FP}/(\text{FP} + \text{TN}), $$
(3)

Precision (\(P_r\)): the ratio of correctly classified attack flows (TP) to all flows classified as attacks (TP + FP).

Recall (\(R_c\)): the ratio of correctly classified attack flows (TP) to all generated attack flows (TP + FN).

F-Measure: the harmonic combination of precision and recall into a single measure.

$$ P_r = \frac{\text{TP}}{\text{TP} + \text{FP}}, \quad R_c = \frac{\text{TP}}{\text{TP} + \text{FN}}, \quad F_{\text{measure}} = \frac{2}{\frac{1}{P_r} + \frac{1}{R_c}} $$
(4)

Matthews’s correlation coefficient (MCC): MCC is defined in terms of True Positive (TP), True Negative (TN), False Positive (FP), and False Negative (FN).
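Eqs. (1) to (4) and MCC carried through in code, as an added example that is not part of the paper: per-class counts are derived from a multi-class confusion matrix and then reduced to the support-weighted average that Table 8 reports. The MCC formula is the standard one from the four counts; the confusion matrix is constructed sample data, not the paper's results.

```python
from math import sqrt

def per_class_counts(cm, k):
    """TP/FP/FN/TN for class k of a confusion matrix (rows = true class, cols = predicted)."""
    n = sum(map(sum, cm))
    tp = cm[k][k]
    fp = sum(row[k] for row in cm) - tp
    fn = sum(cm[k]) - tp
    return tp, fp, fn, n - tp - fp - fn

def metrics(tp, fp, fn, tn):
    """Accuracy, TPR, FPR, Pr, Rc, F-measure and MCC from Eqs. (1)-(4); 0.0 on an empty denominator."""
    div = lambda a, b: a / b if b else 0.0
    pr, rc = div(tp, tp + fp), div(tp, tp + fn)
    f = div(2 * pr * rc, pr + rc)  # harmonic mean of Pr and Rc, identical to Eq. (4)
    mcc = div(tp * tn - fp * fn, sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn)))
    return {"accuracy": div(tp + tn, tp + tn + fp + fn), "tpr": rc, "fpr": div(fp, fp + tn),
            "pr": pr, "rc": rc, "f_measure": f, "mcc": mcc}

def weighted_average(cm):
    """Support-weighted Pr, Rc and F-measure across all classes, as reported in Table 8."""
    n = sum(map(sum, cm))
    out = {"pr": 0.0, "rc": 0.0, "f_measure": 0.0}
    for k in range(len(cm)):
        m = metrics(*per_class_counts(cm, k))
        for key in out:
            out[key] += m[key] * sum(cm[k]) / n
    return out

# Constructed 3-class confusion matrix (BENIGN, DoS, DDoS); sample data, not the paper's results.
SAMPLE_CM = [[90, 5, 5],
             [10, 80, 10],
             [0, 20, 80]]
```

Note that the support-weighted recall equals the overall accuracy of the multi-class classifier, which is a quick sanity check on any reported weighted-average table.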

5 Conclusion and Future Work

It appears to be really difficult to completely defend a network from denial-of-service (DDoS) attacks on the internet today. In this study, we propose and evaluate a model called EDSONI for DoS and DDoS attacks. This article concludes that it is possible to train a Naïve Bayes classifier that successfully classifies unseen data in different scenarios with high accuracy in computer-generated simulation. Challenges and different DDoS prevention approaches are also discussed in this paper. The proposed system can be used for commercial purposes and can be implemented as part of a firewall system to combine the work of detection and prevention systems. In future, the same approach can be extended to other attacks over the network.