Introduction

In this information age, data is generated every second, and storing, managing and retrieving it is a major challenge. According to one prediction, about 463 exabytes of data will be generated per day in the year 2025. In addition, securing the data against intrusion and information leakage is an essential and highly challenging task.

Cybercrime and data theft increased by more than 600% during the pandemic [1, 2], and ransomware attacks increased to a large extent. Companies are investing heavily in cyber security and intrusion detection. Malware attacks, phishing attacks, password attacks, man-in-the-middle attacks and ransomware attacks are quite common.

The distributed denial of service (DDoS) attack is the one that makes a service inactive: it renders a particular server or resource inoperative. A DDoS attack affects the organisation to a large extent [3, 4], and its cost is the highest when compared to other attacks. This book chapter focuses on the DDoS attack since it plays a significant role among cyber-attacks.

Machine learning systems learn from data and perform classification or prediction according to the need [5, 6]. This book chapter focuses on utilising machine learning techniques in cyber security. Intrusion detection classifies the traffic entering the internal network from the outside world as genuine or intrusion, based on characteristics of the traffic such as destination port, flow duration, total forward packets, total backward packets, flow packets, etc.

The support vector machine (SVM) is a machine learning-based classification model which classifies the given input based on a hyperplane. The data points that lie on one side of the hyperplane belong to one class; the data points that lie on the other side belong to another class [7, 8].

In this work the support vector machine is used to detect the distributed denial of service attack. The machine learning model is created and trained with network traffic-based intrusion detection data taken from the Canadian Institute for Cyber Security. The dataset contains 79 attributes including destination port, flow duration, total forward packets, total backward packets, etc.

The model is trained with labelled data in which "DDoS attack: yes" is one label and "DDoS attack: no" is the other. Once the model has been trained, whenever new traffic arrives it detects whether the traffic is authorised or an intrusion. The dataset is divided into a training set and a testing set; the training set is used for training and the testing set is used to assess the quality of the model. The metrics precision, recall, F1-score and support are used to assess the quality of the SVM-based machine learning model.

Previous Work

Mihoub et al. (2022) [9] proposed a method to detect the distributed denial of service attack using the random forest classification model. Random forest is a machine learning method commonly used for classification; it can also perform regression, but it performs best with classification. The proposed method works on a looking-back-enabled basis.

Liu et al. (2020) proposed a method to detect intrusion in wireless sensor networks [10]. A modified and improved KNN is used to detect distributed denial of service in wireless sensor networks. KNN is a well-known classification algorithm in machine learning.

Mahajan et al. (2022) proposed a method to detect the distributed denial of service attack using deep learning [11]. 5G technology enables high data rates, and in high data rate communication the chances of a distributed denial of service attack are also higher. Here deep learning is utilised to solve the problem of DDoS attack detection; once an attack is detected it is handled by mitigation policies, and the model's performance is measured with metrics.

Tonkal et al. (2021) proposed a method to detect the distributed denial of service attack in software-defined networks (SDN) [12]. The dataset used in this approach contains 23 features and holds the traffic details of Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP), covering both normal traffic and attack traffic. The approach uses KNN, decision tree and artificial neural network; after applying all three, the decision tree was shown to perform best.

Kumar et al. (2011) proposed a method to detect the distributed denial of service attack [13]. A neural classifier, a machine learning-based classification method, is used for detection, and the KDD Cup, DARPA 1999 and DARPA 2000 datasets are used to train the model. The method takes both false positives and false negatives into consideration and has been shown to have low false positive and false negative rates.

Zekri et al. [14] proposed a method using the C4.5 algorithm to detect the distributed denial of service (DDoS) attack. C4.5 is a decision tree-based machine learning classification algorithm. The DDoS attack detection is performed for the cloud computing environment in order to secure it from intrusion; cloud resources can be utilised effectively only when security is enabled properly.

He et al. (2017) [15] proposed a denial of service (DoS) attack detection method for networks using the naïve Bayes method, a machine learning-based classification algorithm. Traditionally DoS attack detection was based on a threshold value; to improve detection efficiency, the naïve Bayes classification algorithm is proposed. It enhances security in cloud-based environments.

De Miranda et al. [16] proposed a fuzzy logic and machine learning-based algorithm for the distributed denial of service (DDoS) attack, targeting the reduction of quality (RoQ) attack in particular. The K-nearest neighbour (KNN) classification algorithm supports DDoS attack detection in the proposed method, and the algorithm's performance is demonstrated with the F1-score metric.

Aamir and Zaidi (2021) [17] proposed a clustering-based semi-supervised ML method for DDoS attack detection. The method uses clustering rather than classification, so unlabelled and partially labelled data can be used. Agglomerative clustering is the clustering method used for DDoS detection, and accuracy is measured to assess the quality of the model.

Aysa et al. [18] proposed a machine learning-based method to detect DDoS attacks in IoT or wireless sensor networks (WSN). A decision tree approach is used to detect the DDoS attack; the decision tree is a classification method which provides a solution for DDoS detection. The model's performance is measured by the accuracy metric of the classification model, and the method prevents abnormal traffic in wireless sensor networks.

Distributed Denial of Service Attack

In the year 2021 distributed denial of service attacks grew by 31%. A DDoS attack affects the organisation to a large extent, and the cost or loss involved is high when compared to other attacks. The service or server that undergoes a DDoS attack becomes inoperative, moving slowly from the operative to the inoperative state. The attack affects all resources, including software and hardware resources, and edge network devices are a common target for DDoS attackers. Monitoring the network traffic and detecting the attack is the best way to detect the intrusion. Even after the attack, a DDoS attack leaves the system more vulnerable.

Application Layer Attack

The main objective of an application layer attack is to make the application inoperative. After identifying vulnerabilities in the application, the attacker exploits them so that the application can no longer provide service to its users. This is done by sending millions of requests that raise exceptions, or by keeping on sending handshake messages even after the dialogue is over. Such attempts make the server unresponsive to genuine user queries.

Protocol Attack

A protocol-based distributed denial of service attack is different from the application layer attack. Protocol attacks are hard to find: there are many complications involved in identifying them [19, 20]. In this attack a vulnerability in the network protocol is identified and exploited, and the complexity of the protocol makes the attack hard to identify. Close monitoring of the network traffic and in-depth analysis of the streams can increase the probability of identifying a protocol attack. The Border Gateway Protocol is one protocol which has undergone such attacks. Protocol attacks are not frequent, but their impact is high.

SYN Flood

The SYN flood attack plays a significant role among DDoS attacks. The attacker sends repeated SYN messages or packets to the server and makes it unresponsive; keeping the server busy replying is the objective of the attack. Once the server receives a large number of SYN messages in quick succession, the entire server's resources become occupied in processing all the requests. Making the server resources busy and making it unresponsive to users is the objective of the attack [21].

In the normal TCP three-way handshake, the client sends a synchronisation (SYN) message to the server, the server replies with a SYN and acknowledgement (SYN-ACK) message, and the client then sends an acknowledgement (ACK) message. After the three-way handshake, packets start to be transferred. During a SYN flood attack the attacker continuously sends spoofed SYN packets to the server, and the server becomes busy replying with acknowledgements for the packets received.
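As an added example (not part of the chapter), the following Python models the server-side view of the handshake described above: a listener's table of half-open connections, replayed over constructed segment records, with an alert when the number of half-open entries exceeds an assumed backlog size. The addresses, ports and the backlog threshold are constructed values.

```python
"""Half-open connection monitor for SYN-flood detection on the server side.

Added example (not part of the chapter). It replays constructed TCP segment
records through a model of a listener's connection table: a SYN opens a
half-open entry (the server has answered SYN-ACK and waits for the client's
ACK), and the client's ACK completes it. A table filled with half-open
entries is the signature of the flood described in the text.
"""


def replay(segments):
    """Replay (client_ip, client_port, flags) records.

    Returns (half_open, established) as sets of (client_ip, client_port).
    """
    half_open = set()
    established = set()
    for client_ip, client_port, flags in segments:
        key = (client_ip, client_port)
        if flags == "SYN":
            half_open.add(key)            # server sent SYN-ACK, awaiting ACK
        elif flags == "ACK" and key in half_open:
            half_open.discard(key)        # third step of the handshake
            established.add(key)
    return half_open, established


def syn_flood_report(segments, backlog=32):
    """Summarise the connection table and raise an alert when the number of
    half-open entries exceeds the listener backlog (constructed threshold)."""
    half_open, established = replay(segments)
    total = len(half_open) + len(established)
    ratio = len(half_open) / total if total else 0.0
    # With spoofed sources every SYN carries a different address, so the
    # table-wide count, not a per-source count, is the reliable indicator.
    return {
        "half_open": len(half_open),
        "established": len(established),
        "half_open_ratio": round(ratio, 3),
        "alert": len(half_open) > backlog,
    }


# Constructed sample traffic: two genuine clients complete their handshakes,
# then 40 spoofed sources (documentation range) send one SYN each and never
# send the final ACK.
NORMAL_SEGMENTS = [
    ("10.0.0.5", 51000, "SYN"), ("10.0.0.5", 51000, "ACK"),
    ("10.0.0.6", 51001, "SYN"), ("10.0.0.6", 51001, "ACK"),
]
FLOOD_SEGMENTS = NORMAL_SEGMENTS + [
    ("198.51.100.%d" % i, 40000 + i, "SYN") for i in range(1, 41)
]

if __name__ == "__main__":
    print("normal traffic:", syn_flood_report(NORMAL_SEGMENTS))
    print("flood traffic: ", syn_flood_report(FLOOD_SEGMENTS))
```

In a real deployment the same half-open count is what the kernel's SYN backlog tracks; the point of the model is that the indicator has to be table-wide, because spoofed sources defeat any per-address counter.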

Volumetric Attacks

A volumetric attack targets the internal network: the attacker creates malicious traffic inside the internal network, and due to this artificially created traffic the service being delivered to the user or client is interrupted. The main objective of a volumetric attack is to consume the bandwidth of the internal network and make the server or distributed system inoperative. Volumetric attacks may exploit a vulnerability in DNS in order to flood the network with traffic.

SVM

The support vector machine is a machine learning-based classification model. SVM mainly focuses on binary classification, though it supports multiclass classification as well. It classifies the classes based on support vectors and a hyperplane; the hyperplane is what separates the given data into classes. SVM is a supervised learning algorithm which supports both classification and regression, and it is better known for classification [22].

The hyperplane divides the data space into two classes, and its objective is to have the maximum margin. The positive side of the hyperplane contains one class, and the negative side contains the other. The support vector machine is trained by minimising the hinge loss over the weight vector \(w\) and bias \(w_0\):

$${\text{hinge loss}}(w, w_0) = \sum_{i = 0}^{n - 1} \max\bigl(0,\, 1 - y_i (w^T x_i + w_0)\bigr), \qquad (w^{*}, w_0^{*}) = \arg \min_{w, w_0} {\text{hinge loss}}(w, w_0)$$

Hyperplane

The hyperplane divides the data objects into classes and has a margin; SVM's objective is to maximise the size of this margin. When the data space is one-dimensional, the hyperplane is a point which divides the data into two. When the distribution is two-dimensional, a line divides the distribution into two classes; in three dimensions the hyperplane is a plane, and in higher dimensions it is called a hyperplane. The data points closest to the hyperplane are called support vectors, and they decide the size of the margin. The objective of SVM is to have the biggest possible margin.

Support Vectors

Support vectors are the data points which are closest to the hyperplane; the margin of the hyperplane is decided by them. Every data point is represented by a vector. If the data space is three-dimensional, each vector contains three elements: the number of values in the vector corresponds to the dimension of the data space.

Linear SVM

Linear SVM is used for classification of linearly separable data. Based on the nature of its distribution, data is categorised into two types: linearly separable and linearly inseparable. Linear SVM is applied to data which is linearly separable; the hyperplane divides the data linearly into two classes in binary classification. If the dimension is two the hyperplane is a line, and if the dimension is three it is a plane; in the multi-dimensional case the hyperplane segregates the classes [23].

Nonlinear SVM

Data is not always convenient to separate linearly. If the data is not linearly separable, it should be converted into linearly separable data before SVM is applied [24].

Increasing the dimension is one way to make linearly inseparable data linearly separable; the kernel trick in SVM is used for this purpose. Here \(x\) is the original independent variable and \(\phi(x)\) is the independent variable after applying the kernel trick [25].
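The hinge-loss training and the kernel trick, as an added example in Python (not the chapter's code): a linear SVM fitted by subgradient descent on the regularised hinge loss, then applied to constructed one-dimensional data that becomes linearly separable after the explicit feature map \(\phi(x) = (x, x^2)\), which stands in here for a kernel. The data points, learning rate and regularisation constant are constructed values.

```python
"""Linear SVM trained by minimising the hinge loss, plus a feature map for
data that is not linearly separable.

Added example (not part of the chapter). The training loop is plain
subgradient descent on the regularised hinge loss; the feature map
phi(x) = (x, x^2) stands in for the kernel trick, lifting one-dimensional
data into two dimensions where a line separates the classes.
"""


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def hinge_loss(w, w0, X, y):
    """Sum over i of max(0, 1 - y_i (w . x_i + w0)), as in the chapter."""
    return sum(max(0.0, 1.0 - yi * (dot(w, xi) + w0)) for xi, yi in zip(X, y))


def train_linear_svm(X, y, lam=0.001, lr=0.05, epochs=2000):
    """Minimise lam/2 * |w|^2 + (1/n) * hinge_loss by subgradient descent.

    Only points inside the margin (y_i f(x_i) < 1) contribute a gradient;
    these are the support vectors described in the text.
    """
    d = len(X[0])
    n = len(X)
    w = [0.0] * d
    w0 = 0.0
    for _ in range(epochs):
        gw = [lam * wj for wj in w]           # gradient of the regulariser
        g0 = 0.0
        for xi, yi in zip(X, y):
            if yi * (dot(w, xi) + w0) < 1.0:  # margin violated: hinge term active
                for j in range(d):
                    gw[j] -= yi * xi[j] / n
                g0 -= yi / n
        w = [wj - lr * gj for wj, gj in zip(w, gw)]
        w0 -= lr * g0
    return w, w0


def predict(w, w0, X):
    """Class is the side of the hyperplane: sign of w . x + w0."""
    return [1 if dot(w, xi) + w0 >= 0 else -1 for xi in X]


def accuracy(w, w0, X, y):
    pred = predict(w, w0, X)
    return sum(p == t for p, t in zip(pred, y)) / len(y)


def feature_map(x):
    """Explicit lift phi(x) = (x, x^2); a stand-in for the kernel trick."""
    return (x, x * x)


# Constructed linearly separable data in two dimensions (two clusters).
X_LINEAR = [(2, 2), (3, 1), (2, 3), (1, 2), (-2, -2), (-3, -1), (-2, -3), (-1, -2)]
Y_LINEAR = [1, 1, 1, 1, -1, -1, -1, -1]

# Constructed one-dimensional data that no single threshold can separate:
# the positive class is |x| > 1, the negative class sits around zero.
X_1D = [-3.0, -2.0, -1.5, 1.5, 2.0, 3.0, -0.8, -0.5, 0.0, 0.5, 0.8]
Y_1D = [1, 1, 1, 1, 1, 1, -1, -1, -1, -1, -1]
X_LIFTED = [feature_map(x) for x in X_1D]


def demo():
    """Train on both datasets and return their training accuracies."""
    w, w0 = train_linear_svm(X_LINEAR, Y_LINEAR)
    acc_linear = accuracy(w, w0, X_LINEAR, Y_LINEAR)
    w, w0 = train_linear_svm(X_LIFTED, Y_1D)
    acc_lifted = accuracy(w, w0, X_LIFTED, Y_1D)
    return acc_linear, acc_lifted


if __name__ == "__main__":
    print("training accuracy (linear, lifted):", demo())
```

In the lifted space the learned hyperplane has almost no weight on the first coordinate and a negative bias, so the decision rule reduces to a threshold on \(x^2\); that is exactly the separation that was impossible on the original one-dimensional axis.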

Detection of DDoS Through SVM (SVMBD)

In the proposed method, SVMBD detects the DDoS attack based on the SVM algorithm. The dataset used for training and model creation has been downloaded from the Canadian Institute for Cyber Security (CIC), which provides data in order to advance research in cyber security. The data used contains more than 10 k tuples covering both classes, normal traffic and intrusion traffic. The dataset contains 78 attributes, so it is a high-dimensional dataset. The data underwent pre-processing, which removes missing values and converts non-finite values into finite values.

The attributes of the dataset include destination port, flow duration, total forward packets, total length of forward packets, total length of backward packets, etc. The model is trained with the dataset and tested with unseen data. The quality and performance of the model are tested based on the well-known metrics accuracy, precision, recall and F1-score. Figure 15.1 represents the flow diagram of the proposed SVMBD.

Fig. 15.1 SVM-based DDoS attack detection scheme (SVMBD). Flow diagram in six steps: 1. Dataset; 2. Pre-processing; 3. Creation of the model; 4. Training the model; 5. Trained model for DDoS attack detection; 6. Assessing the quality of the model using metrics. The dataset enters SVMBD and the result comes out.

SVM-Based Model Creation

After pre-processing, the dataset with 10,741 tuples and 78 attributes is split into X and Y. X is the independent variable and Y the dependent variable. The independent variable X has 77 attributes, and the attribute "Label" is taken as the dependent variable Y. Based on the values of X, Y is to be predicted.

Training the Model

Once the entire dataset is divided into the independent variable X and the dependent variable Y, both X and Y are split into training data and testing data: X into X-train and X-test, and Y into Y-train and Y-test. The purpose of dividing the data into a training set and a testing set is to evaluate the model.

The model should be evaluated on unforeseen data. 15% of the data is taken as testing data for evaluating the model; this 15% is unknown to the model because it is not present during training. The model is trained with the X-train and Y-train datasets, which are 85% of the original dataset.

Testing the Model

About 85% of the original data is taken for training and the remaining 15% is allocated for testing, where it is used to assess the quality of the model. The testing data is used to validate the model [26].

If the model is tested on the training data itself, the test is not effective. To enable quality testing, unforeseen data should be used; the model's performance is measured effectively by validating it on unforeseen test data.

Assessing the Quality of the Model Using Metrics

The model's performance is measured by comparing the Y-test data with the Y-pred data. The metrics accuracy, precision, recall and F1-score are used to measure the quality of the model.

Accuracy is the main metric to assess the quality of the classification model.

$${\text{Accuracy}} = \frac{{\text{True positive}} + {\text{True negative}}}{{\text{Total number of predictions}}}$$

The accuracy of the proposed SVMBD algorithm is 85% (before scaling), as stated in Table 15.1. Precision is another metric used to assess the quality of the model.

$${\text{Precision}} = \frac{{\text{TP}}}{{\text{TP}} + {\text{FP}}}$$

where TP is the number of true positives and FP is the number of false positives.

Table 15.1 Performance evaluation before scaling

The precision of the proposed SVMBD algorithm is 86% (before scaling).

Recall is another metric, which conveys the proportion of actual positives that are correctly classified.

$${\text{Recall}} = \frac{{\text{TP}}}{{\text{TP}} + {\text{FN}}}$$

where FN is the number of false negatives.

The recall of the proposed SVMBD algorithm is 86% (before scaling).

The F1-score is also a well-known metric for assessing the quality of a machine learning model; it is the harmonic mean of precision and recall.

$${\text{F1-score}} = 2 \left( \frac{{\text{Precision}} \times {\text{Recall}}}{{\text{Precision}} + {\text{Recall}}} \right)$$

The F1-score of the proposed model SVMBD is 86% (before scaling).

Scaling is a pre-processing mechanism which enhances the quality of the data and makes it more convenient for training the machine learning model. The scaling operation was performed on the data used to detect DDoS, and after scaling the performance of the model was assessed again using accuracy, precision, recall and F1-score. Improved performance was achieved with 97% accuracy, as stated in Table 15.2. Table 15.3 and Fig. 15.5 show the comparison before and after scaling, and Fig. 15.4 presents the detailed performance analysis after scaling. The chart in Fig. 15.2 shows the performance analysis for accuracy, precision, recall and F1-score before scaling, and the chart in Fig. 15.3 shows the same after scaling.
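The evaluation procedure described in the preceding sections (the 85/15 split, scaling, and the four metrics), as an added Python example that is not the chapter's code. The flow records, labels and the example predictions are constructed; a nearest-centroid classifier stands in for the SVM so that the pipeline runs without external libraries, and the scaler is fitted on the training split only so that nothing about the held-out rows leaks into the model.

```python
"""Hold-out evaluation for a traffic classifier, with scaling fitted on the
training split only.

Added example (not part of the chapter). It performs the steps the chapter
describes for SVMBD: an 85/15 split, standard scaling of each attribute,
a classifier trained on the scaled training rows, and accuracy, precision,
recall and F1-score computed from the confusion matrix. The flow records
are constructed; the classifier is a nearest-centroid stand-in for the SVM.
"""
import math
import random


def train_test_split(rows, labels, test_share=0.15, seed=7):
    """Shuffle indices deterministically and hold out test_share of the rows."""
    idx = list(range(len(rows)))
    random.Random(seed).shuffle(idx)
    n_test = max(1, round(len(rows) * test_share))
    test_idx, train_idx = idx[:n_test], idx[n_test:]
    return ([rows[i] for i in train_idx], [rows[i] for i in test_idx],
            [labels[i] for i in train_idx], [labels[i] for i in test_idx])


def fit_scaler(X_train):
    """Per-column mean and standard deviation from the training rows only,
    so nothing about the held-out rows leaks into the model."""
    cols = list(zip(*X_train))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0  # constant column
            for c, m in zip(cols, means)]
    return means, stds


def scale(X, scaler):
    means, stds = scaler
    return [[(v - m) / s for v, m, s in zip(row, means, stds)] for row in X]


def fit_centroids(X, y):
    """Mean vector of each class (stand-in for the SVM's training step)."""
    return {label: [sum(c) / len(c) for c in zip(*[r for r, t in zip(X, y) if t == label])]
            for label in set(y)}


def predict_centroids(centroids, X):
    def dist2(a, b):
        return sum((u - v) ** 2 for u, v in zip(a, b))
    return [min(centroids, key=lambda lab: dist2(row, centroids[lab])) for row in X]


def metrics(y_true, y_pred, positive=1):
    """Accuracy, precision, recall and F1-score from the confusion matrix."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(t == positive and p == positive for t, p in pairs)
    tn = sum(t != positive and p != positive for t, p in pairs)
    fp = sum(t != positive and p == positive for t, p in pairs)
    fn = sum(t == positive and p != positive for t, p in pairs)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / len(pairs), "precision": precision,
            "recall": recall, "f1": f1}


# Constructed flow records: (destination port, flow duration in microseconds,
# total forward packets). The duration column is orders of magnitude larger
# than the others, which is why scaling matters for a margin-based model.
ROWS = [(80, 120_000 + 7_000 * i, 3 + i % 4) for i in range(10)] + \
       [(80, 45_000_000 + 900_000 * i, 40 + i) for i in range(10)]
LABELS = [0] * 10 + [1] * 10          # 0 = normal traffic, 1 = DDoS

# Constructed labels/predictions showing the metric formulas on an imperfect
# classifier: TP = 6, FN = 2, FP = 2, TN = 10.
Y_TRUE_EXAMPLE = [1] * 8 + [0] * 12
Y_PRED_EXAMPLE = [1] * 6 + [0] * 2 + [1] * 2 + [0] * 10


def demo():
    X_train, X_test, y_train, y_test = train_test_split(ROWS, LABELS)
    scaler = fit_scaler(X_train)              # fitted on the 85% split only
    X_train_s, X_test_s = scale(X_train, scaler), scale(X_test, scaler)
    model = fit_centroids(X_train_s, y_train)
    y_pred = predict_centroids(model, X_test_s)
    return {
        "split": (len(X_train), len(X_test)),
        "scaled_train_stats": fit_scaler(X_train_s),   # means ~0, stds ~1
        "test_metrics": metrics(y_test, y_pred),
        "example_metrics": metrics(Y_TRUE_EXAMPLE, Y_PRED_EXAMPLE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The order of operations is the practitioner's point: the split comes first, the scaler is fitted on X-train alone and then merely applied to X-test. Fitting the scaler on the whole dataset would let the test rows influence the model and inflate every metric reported on them.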

Table 15.2 Performance evaluation after scaling

Table 15.3 Performance before scaling versus after scaling

Fig. 15.2 Performance analysis before scaling. Bar graph of performance versus metric: accuracy 0.85, precision 0.86, recall 0.86, F1-score 0.86.

Fig. 15.3 Performance analysis after scaling. Bar graph of performance versus metric: accuracy 0.97, precision 0.95, recall 0.98, F1-score 0.96.

Fig. 15.4 Detailed performance analysis after scaling. Classification report listing precision, recall, F1-score and support per class, together with accuracy and the macro and weighted averages.

Fig. 15.5 Performance before scaling versus after scaling. Bar graph of performance versus metric: before scaling, accuracy 0.85, precision 0.86, recall 0.86, F1-score 0.86; after scaling, accuracy 0.97, precision 0.95, recall 0.98, F1-score 0.96 (values estimated from the chart).

Conclusion

Establishing and enhancing cyber security in all fields is essential in today's digital era. This book chapter focused on distributed denial of service attack detection. The impact of a distributed denial of service attack is severe: it causes data loss and creates reputation problems for the organisation, since the service provided by the organisation stops due to the attack. Machine learning has been utilised here in order to detect the DDoS attack.

A support vector machine-based machine learning model has been created and trained with the dataset downloaded from the Canadian Institute for Cyber Security. The machine was trained with more than 10 K tuples carrying both labels, intrusion and genuine traffic. Once the model was trained, its performance was measured using the well-known classification metrics, both before and after scaling the data. The model's performance has been demonstrated with 97% accuracy. The model is now ready to receive traffic and classify it as intrusion or normal traffic.