A Novel Supervised Deep Learning Solution to detect Distributed Denial of Service (DDoS) attacks on Edge

Systems using Convolutional Neural Networks (CNN) Note: Figures are created from cited
SCIENTEER PROJECT ID: 182334 sources or are my own

1: Background and Rationale 4a: Procedure 4b: CNN Architecture 5b: Results
• Therefore, models to - The proposed model was tested on over 5000 samples of
• The growing foray of 1. Data Preprocessing Algorithm 1. The output of the preprocessing algorithm (Fig. 5) will
Distributed Denial of Service defend and mitigate DDoS unseen DDoS flows.
In order to analyze the dataset and implement our then input the proposed CNN Architecture to be trained.
(DDoS) attacks has caused the traffic need to have three - The Confusion Matrix below shows that our model was very
CNN model, we had to preprocess our data to (Figure 6) successful. We can use these values to analyze our results in the
unavailability of millions of features.
cloud services, • Scalability, Flexibility, ensure the fairness and equality of the spread of form of other common performance metrics
data to get the most accurate results. - True Negative (TNR), True Positive (TPR)
• Up to $660 Billion in loss of Reliability - False Negative (FNR), False Positive (FPR)
revenue (1),
• Current state of the art • Algorithm 1 uses key feature extraction to
• DDoS is a threat to basic parse packets into “flows” and time stamps
internet standards and security. models, lack at least one
• DDoS attacks critical services of these components. (headers and columns) to easily feed into
and flood the network with • The model proposed will the CNN Model.
Fig. 7. Confusion Matrix of Testing
malicious traffic. have to include these 3 • Normalize and pad the resultant flow of Fig. 3. Proposed CNN architecture training flow accuracy of CNN Model
• In the first half of 2022 alone, features and use machine data 2. A 2D convolutional layer with 64 filters and a kernel size of 3 x 3.
there were 6,019,888 DDoS • The convolutional layer will be responsible
learning to build an active
attack devices across the for extracting features from the input data by
world. (2) intrusion detective sliding the filters over the input and
system (IDS) computing dot products (9). (𝑻𝑷𝑹+𝑻𝑵𝑹)
Accuracy: = 𝟗𝟕. 𝟕%
• Rationale: Create a novel (𝑻𝑷𝑹+𝑻𝑵𝑹+𝑭𝑷𝑹+𝑭𝑵𝑹)
3. A dropout layer with a recommended (𝑻𝑷+𝑻𝑵)
supervised model, that dropout rate of 0.5 (11). F1 Score: = 𝟗𝟕. 𝟐%
can handle any size of • This layer will randomly set a certain
𝑻𝑷+𝑻𝑵+𝑭𝑷+𝑭𝑵
data and differentiate percentage of input units to 0 at each update
between malicious and during training time, which helps prevent
overfitting.
6: Discussion /Conclusions
benign traffic consistently. • Here we will use the ReLU (Rectified Linear Strengths of this study:
• This model should be Unit) activation function. This function • Automated hyperparameter setup to fine tune and
functional on private and calculates the output of a neuron as the
maximum between 0 and the input value,
optimized to not keep lower accuracy model
Fig. 1: Attacker to User network connectivity
public networks Fig. 4. Flow Chart illustrating the • The model’s use of validation-test split optimizes
mathematically represented as
𝑓 𝑥 = max 0,1 algorithm the model for different features in PCAP files
2a: Engineering Question Fig. 2: Algorithm with DDoS data preprocessing in Python • Turns off neurons that do not affect the • The ReLU Activation and kernel technique was able
prediction to successfully identify the importance of specific
Can a dynamic deep learning model effectively differentiate
4. A GlobalMaxPooling2D layer. This layer will
between malicious and benign traffic based on different 2. CNN Model Architecture features with respect to others.
perform max pooling on the input, which
characteristics of the dataset? Additionally, can CNN models be Next, we implemented our CNN model using TensorFlow and reduces the spatial dimensions of the input o Further Research
successfully applied to the field of cybersecurity? the Keras API for ease of coding and debugging. (See 4b. CNN while retaining important features. • The model is based on a lab- based
Architecture) 5. A flattened layer. This layer will flatten the environment and dataset
2b. Engineering Goal 3. Training
output of the previous layer into a one-
dimensional tensor.
• However, the algorithm can be
trained for more complicated
Finally, we will use the Adam optimizer for training the model 6. The final fully connected layer will
contain a sigmoid activation function circumstances
The engineering goal of this project is to design and develop a and set the learning rate, batch size, and number of epochs as
(Figure 6) (12). • Can be developed into an active IDS
dynamic deep learning model that can accurately identify hyperparameters that the model tunes each iteration. 1
Fig. 5. Probability of a DDoS attack
platform to implement in the real
malicious and benign network traffic across a wide range of The data will be evenly split into 3 distinct sets (train, test, val) 𝜙 𝑧 = −𝑧
1+ⅇ (in the fully connected layer as world
attack methods and situations, even when dealing with large in HDF5 format for readability • This layer will perform the final computation a function of the input data set)
amounts of real-time data in short time constraints. to output a probability of the input being a
4. Testing DDoS attack. 6: Bibliography
The model will be tested under common performance metrics • Outputs a number between 0 and 1 as labels
3: Dataset and Materials such as a confusion matrix, accuracy, and F1 Score (See 5. to designate benign vs malicious traffic
1. AO Kaspersky Lab. (2023, January 10). Distributed denial of service: Anatomy and impact of DDoS attacks.
www.kaspersky.com. Retrieved January 22, 2023, from https://www.kaspersky.com/resource-center/preemptive-
safety/how-does-ddos-attack-work

Results for more information) • When p > .5, the attack will be classified as a 2. NetScout. (2022, September 26). NETSCOUT DDoS Threat Intelligence Report - Latest Cyber Threat Intelligence
o Data was used from the Canadian Institute of Cybersecurity’s (CIC) DDoS attack, otherwise it is benign.
Report. Netscout. Retrieved January 18, 2023, from https://www.netscout.com/threatreport/
3. What is DDoS mitigation? [Internet]. Cloudflare. Cloudflare Inc.; 2019 [cited 2022Dec22]. Available from:
DDoS Evaluation Dataset released in 2019 https://www.cloudflare.com/learning/ddos/ddos-mitigation/
4. Kawtar Bouzoubba, Youssef Taher, and Benayad Nsiri, “Predicting DOS-DDOS Attacks: Review and Evaluation Study
o CICDDoS2019 contains benign and the most up-to-date
common DDoS attacks, which resembles the true real-world
data (PCAPs).
5a: Training and Results of Feature Selection Methods based on Wrapper Process”.International Journal of Advanced Computer Science and
Applications(IJACSA), 12(5), 2021. http://dx.doi.org/10.14569/IJACSA.2021.0120517
5. Mahjabin T, Xiao Y, Sun G, Jiang W. “A survey of distributed denial-of-service attack, prevention, and mitigation
techniques.” International Journal of Distributed Sensor Networks. 2017;13(12). doi:10.1177/1550147717741463
6. S. T. Zargar, J. Joshi and D. Tipper, "A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS)
o Ideal for deep learning models because of variety of attacks The final model resulted in a 64-kernel convolutional model trained over 20000 flows of data.(Figure 6) Flooding Attacks," in IEEE Communications Surveys & Tutorials, vol. 15, no. 4, pp. 2046-2069, Fourth Quarter 2013,
doi: 10.1109/SURV.2013.031413.00127.
and headers. - In the training phase, the model goes over a grid of hyperparameters, maximum 1000 epochs for each point in the grid. The 7. T. Kim, B. Kang, M. Rho, S. Sezer, and E. G. Im, “A multimodal deep learning method for android malware detection
o Materials: using various features,” IEEE Transactions on Information Forensics and Security, vol. 14, no. 3, pp. 773–788, March
training process can stop earlier if no progress towards the minimum loss is observed for PATIENCE=10 consecutive epochs. 2019.
o Computer 8. Iman Sharafaldin, Arash Habibi Lashkari, Saqib Hakak, and Ali A. Ghorbani, "Developing Realistic Distributed Denial

o Linux Mint VM - It achieved a training accuracy of 96.7% of Service (DDoS) Attack Dataset and Taxonomy", IEEE 53rd International Carnahan Conference on Security
Technology, Chennai, India, 2019.
o Python Environment (using the Conda Framework and VSCode) - Performance (F1 score) is defined as the harmonic mean between precision and recall. It is used as a statistical measure to rate 9. R. Doriguzzi-Corin, S. Millar, S. Scott-Hayward, J. Martínez-del-Rincón and D. Siracusa, "Lucid: A Practical,
Lightweight Deep Learning Solution for DDoS Attack Detection," in IEEE Transactions on Network and Service
o Keras API easily builds layers in the CNN Model. performance: 96.4% Management, vol. 17, no. 2, pp. 876-889, June 2020, doi: 10.1109/TNSM.2020.2971776.
10. Madhavan, S. (2021, July 13). Introduction to convolutional neural networks. IBM developer. Retrieved January 5,
o Python wrapper for Pyshark, allowing python packet parsing 2023, from ttps://developer.ibm.com/articles/introduction-to-convolutional-neural-networks/
using Wireshark dissectors. 11. Brownlee, J. (2020, August 20). A gentle introduction to the rectified linear unit (ReLU).
MachineLearningMastery.com. Retrieved December 18, 2022, from https://machinelearningmastery.com/rectified-
o Seaborn/Matplotlib functions to visualize data linear-activation-function-for-deep-learning-neural-networks/
12. M. Roopak, G. Y. Tian and J. Chambers, "An Intrusion Detection System Against DDoS Attacks in IoT Networks,"
o TensorFlow to build the model in Python 2020 10th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA, 2020,
o Wireshark to visualize the packets in the dataset Fig. 6. Flow from the input (DDoS attack) to the various training layers, and output of ML algorithm predicting an attack pp. 0562-0567, doi: 10.1109/CCWC47524.2020.9031206.
13. Sharma, S. (2022, November 20). Activation functions in neural networks. Medium. Retrieved January 22, 2023,
o CIC Dataset (8) from https://towardsdatascience.com/activation-functions-neural-networks-1cbd9f8d91d6
 Supplementary Information Note: Figures are created from cited
sources or are my own

Code of Preprocessing Data Code of CNN model Current Day State of the Art Drawbacks.
Current detection approaches mostly use filtering (4) or rate limiting, which
can help in reducing some types of attacks such as spoofing IP addresses as
used by attackers to hide their identity but are not flexible when new attacks
are made and can slow down website performance speeds. Reactive
techniques are often required, and detection is needed to alert about the
attack to perform some automatic action. (Figure 6)

Fig. 8: Flow Diagram of the current state of DDoS mitigation techniques

Additionally, a problem in many solutions is that it is always challenging
to differentiate malicious flows from legitimate flows (5). In
commonplace networks, existing defense mechanisms against DDoS
attacks have limited success because they cannot meet the considerable
challenge of achieving simultaneously efficient detection, effective
Code of CNN model response, acceptable rate of false alarm, and the real-time transfer of all
packets (6).

Future Work
1.Implement the model in a real-world environment: The high accuracy of the model
suggests that it would be effective in a real-world setting, so implementing the model in a
network security system would be a crucial next step.
2.Incorporate more data sources: Currently, the model is based on a single public dataset,
but incorporating data from additional sources, such as private datasets or real-time
network data, could further improve the model's accuracy and generalizability.
3.Evaluate performance under different types of attacks: The current model has been
tested on a variety of attack types, but evaluating the model's performance on a larger and
more diverse set of attack types would provide a more comprehensive understanding of
its capabilities.
4.Evaluate the impact of network characteristics on performance: The network
characteristics, such as network size and architecture, can impact the effectiveness of the
model. Evaluating the model's performance under different network conditions would
help understand the role that these factors play.
5.Consider the impact of data preprocessing techniques: The data preprocessing
techniques used in this project, such as normalization and padding, are crucial to the
model's performance. Evaluating alternative preprocessing techniques and optimizing
these steps could lead to further improvements in the model's accuracy.
6.Address interpretability and transparency concerns: As the model is used in security-
critical applications, understanding why the model makes certain predictions is important.
Research into methods for increasing the interpretability and transparency of the model's
predictions would be valuable.
Abstract