Application of Machine Learning Techniques to Distributed Denial of Service (DDoS) Attack Detection: A Systematic Literature Review. Sergio Armando Gutiérrez, John Willian Branch Grupo GIDIA, Departamento de Ciencias de la Computación y la Decisión Universidad Nacional de Colombia Medellín Email: {saguti jwbranch}@unal.edu.co Keywords: Network Security, DDoS attack detection, SLR, Systematic Literature Review. Abstract This paper presents an approximation to state of art in application of some machine learning techniques to the field of Distributed Denial of Service (DDoS) attack detection. From a structured mapping study, relevant papers were selected, and later they were reviewed to detect the type of attacks they address, the techniques providing best performances and the techniques which present evidence to be conceived and used in distributed environments. 1 Introduction Denial of Service (DoS) Attacks are not a new concern on the field of Computer Security. In mid nineties decade, they became a very effective attack method. Later, with the wide adoption of Internet, threats such as viruses, trojans and worms appeared, taking DoS to a higher scale, producing the so-called Distributed Denial of Service (DDoS) Attacks. A DDoS attack is a type of Denial of Service where multiple coordinated devices are used to lauch an attack towards one or more targets. The ultimate goal of DDoS is to exhaust processing and connectivity resources of the targets to avoid that legitimate users access the services provided by computer platforms, thus causing a partial or total unavailability. Because of the many-to-one dimension that poses this type of attacks, they are generally very powerful and devastating. Scientific community forecasts that the disruptive power of DDoS attacks, their sofistication and damage capacity tends to increase in a very high rate, becoming a very critical threat for modern and emergent internet services [1, 2, 3, 4, 5]. Development of adequate solutions to detect and prevent this devastating attacks, and to minimize the damage they can provocate becomes an important task for scientific community. In this paper, an approximation to state-of art from a Systematic Literature Review in application of Machine Learning to DDoS Attack detection is presented. Machine Learning can be defined as the ability which can be exhibited by a computer program to learn and improve its future execution from the results of previous execution. In other words, the ability to improve its performance over the time. Machine learning aims to answer many of the same questions as statistics or data mining. However, unlike statistical approaches which tend to focus on understanding the process that generated the data, machine learning techniques focus on building a system that improves its performance based on previous results. In other words systems that are based on the machine learning paradigm have the ability to change their execution strategy on the basis of newly acquired information [6] This paper is organized as follows. Section 2 describes the methodology used to perform the Literature Review, the search parameters used, the research questions and the inclusion and exclusion criteria used to produce the literature mapping and identify the papers to be reviewed. Section 3 presents the detailed Literature Review on the selected paper, and the answers to proposed research questions. Finally, Section 4 presents the conclusion of this Literature Review and future work that can be derived from it. 2 Methodology For this paper, the methodology of Systematic Literature Review introduced by Kitchenham et al [7] was used. A previous mapping was performed to identify the most relevant Machine Learning techniques used for DDoS attack detection to focus the review. For paper retrieval, SciVerse SCOPUS (http://www.scopus.com) was used. This is because SCOPUS has a wide coverage, with access to several of the most important scientific databases as ACM, IEEE, Elsevier, among other, simplifying in that way the search process. The main interest in the searching was DDoS attack detection, so the search string used was ( DDoS Attack Detection ) OR ( Distributed Denial of Service Attack Detection ). The search was configured to retrieve works between 2008 and 2012, on the field of Computer Science, and the types of publications retrieved were Journal Articles, Review Articles, and Conference articles. No other filters were applied.
2.1 Research questions For the guidance of literature review, three research questions were defined: RQ1: What types of DDoS Attacks have been addressed with detection based on Machine Learning techniques? RQ2: What of the Machine Learning techniques included in the review present the best performance, regarding the reduction of false detections (False possitives and false negatives)? RQ3: What of the techniques included in the review are reported to be used in distributed environments, or included in collaborative detection implementations? There are two main interests in chosing these research questions. One is the interest in detecting what types of attacks are being studied with more detail. Literature reports that detection of attacks related to transport and network protocols has had more interest, but attacks targetted to application protocols are not still a widely explored research topic [8, 9, 10, 11]. The other interest is identifying how much attention is put in attack detection for distributed computational environments, and in development of collaborative approaches for attack detection. Because of the nature of DDoS attacks, distributed and large scale, and because of the emergence of computing paradigms such as Cloud Computing, distributed solutions and collaborative approaches appear to be promising solutions to face this kind of attacks [12, 13, 14, 15]. 2.2 Inclusion and exclusion criteria Some rules were defined to select the relevant papers from the whole universe retrieved at search time. These criteria were applied to select among the downloaded works, to decide which to review or which to discard. For the mapping previously performed to identify the Machine Learning techniques to be reviewed in detail, papers whose main topic would be Distributed Denial of Service Attack Detection were included, and papers written in english. On the other side, the works not having DDoS detection as main topic, written in other languages different than english and the ones which could not be downloaded or gotten after requesting them to the authors were discarded and not included for further study. 2.3 Preliminary Results After performing the search with the keywords and parameters previously mentioned, SCOPUS retrieved 405 papers. From these 405 papers, 345 were downloaded or obtained from direct request to the authors. The other 60 papers were discarded directly by one or several of the exclusion criteria defined. Then, after applying the inclusion and exclusion criteria on the 345 remaining papers, 141 papers were selected, and classified for further analysis. From this universe of 141 papers, after a mapping study, 54 papers were identified to present approaches for DDoS Attack Detection, using mainly Machine Learning techniques. Further classification was performed on these 54 papers, and the most used techniques were detected; these were Cumulative Sum - CUSUM Algorithm (11 papers), Support Vector Machines - SVM (5 papers), Principal Components Analysis - PCA (4 papers) and Neural Classifiers (4 papers) In the next section, detailed revision of these works is presented, focused in answering the proposed research questions. 3 Detailed Literature Review In this section, the detailed literature review is presented. In the first part, the review of the selected papers is discused; the papers are grouped by the technique they use. In the second part, the proposed research questions are answered. 3.1 Literature Review 3.1.1 CUmulative SUM (CUSUM) Algorithm Wei et al [16] present a mechanism for detection of DDoS attacks aimed to TCP protocol on Kernel based Virtual Machines (KVM) [17]. They focus in studying the relationship that should be kept between starting and ending packets associated to TCP connections. Their approach shows high performance regarding detection time, and refers to have almost 0% of false detections. It presents an scalability issue because information of the connection is stored in hash tables, what might induce performance degradation if tables have high number of records. Nosrati et al [18] address the detection of DDoS attacks in Internet Multimedia Subsystem, specifically in relation to REGISTER operation (the action a device performs to authenticate and inform itself its location within the network to a control entity) of Session Initiation Protocol (SIP). They present a variant of CUSUM named adaptive z-score CUSUM; this adaptive variant has the capacity to adapt itself to changes which could occur in the traffic (In this case, quantity of REG- ISTER messages), for example, for connection restablishment. Their approach presents a low detection time, and a False Rate Alarm near to 6%. It is a simple approach, which could be adapted to be used in other application cases. Yi et al [19] present a mechanism to analyze per IP behavior. A profile of the sending and receiving traffic of every IP address in the network is created. Then, that profile is evaluated to decide whether it meets normal behavior, or whether it indicates an anomaly. The presented approach analyzes metrics of messages related to TCP protocol, and also ICMP and DNS messages. It is conceived to be deployed at so-called leaf routers, that is to say, routers which interconnect particular network segments. The presented results show times in the order of minutes for detection, which for some application scenarios could be inconvenient. Also, although it is thought to be used at leaf routers to protect smaller network segments, it might have scalability issues for high number of users, and it is not clear
whether present limitations in evironments using dynamic IP assignments. Du and Nakao [20] present Mantlet, a complete solution for DDoS attacks, covering Anti-Spoofing (False source IP Addresses), detection and mitigation. The detection component of Mantlet uses CUSUM to detect anomalies in the ratio between sent and received packets. A very important feature of the presented solution is that it generalyzes the detection, covering besides TCP packets also UDP packets. Thus, it covers a wider spectrum of Transport Layer. Mantlet shows a very low rate of false alarms, and the capacity to reduce detection times as the attack intensity increases; it implies that for stealth attacks (low rate attacks), performance might drop. Salem et al [21] propose an approach for Flooding DDoS attacks using a variation of CUSUM named Multi Channel Non Parametric (MNP). This solution covers a wide spectrum of network protocols, being able to detect TCP, UDP and ICMP based attacks. The justification in using a non parametric version is because of the high varaibility of network traffic and the lack of consensus on relevant features to monitor on it. This work does not present detailed results on detection time or false detections rate. Leu and Li [22] present an Intrusion Prevention System with detection features based on CUSUM. Their approach presents detection time around 1.3 secs, and detection accuracy of 98.4%; low rates of false positives (3.2%) and false negatives (0%). Zhou et al [23, 24] present an approach for attack detection starting from a P2P network built for detection. Devices organize themselves in a P2P network, detection is performed locally at end host via CUSUM algorithm, and at occurrence of abnormalities, they are broadcasted to other nodes in the network. With this information, similarity of abnormalities is detected. Detection rate for this approach is as high as 96%, and false positives as 9.3%. He et al [25] present a scheme for bandwidth estimation for detection of DDoS. The main idea of this solution is that during a DDoS attack, available bandwidth is depleted. This approach presents a 100% detection rate and low detection times. Finally Berral et al [26] present and adaptive approach for detecting flooding attacks. They combine CUSUM for anomaly detection with other Machine Learning techniques such as Naive Bayes for traffic classification. This approach presents 95% of accuracy, no false positives, and only false negatives. 3.1.2 Support Vector Machines Choi et al [27] present an approach based in the concept of Timeslot Monitoring Model. This technique operates monitoring and producing profiles from user activity in predefined intervals, to detect whether a given profile corresponds to normal or attack activity, when that activity is executed by an automatic tool. This approach fits to detection of application layer protocols although it was tested specifically with HTTP protocol; It shows 100% of accuracy when 2 intervals for monitoring are used. Cheng et al [28, 29] present an approach based in the notion of flow interaction. It starts from the idea that for normal communication flows, entities present interaction, whereas during attacks, entities might not present interaction (mainly because spoofing appears, false source IP addresses). SVM is used to classify whether flows correspond to attack or normal traffic according to the notion of interaction. This approach presents a high detection rate, around 100% and very low false alarm rates, even with multiple network flows, with the ability to even perceive low rate DDoS attacks mixed with high volume of legitimate traffic. Bao [30] presents a mechanism for attack detection using data collected via Simple Network Based Protocol (SNMP), instead of using raw communication packets. Via an ensemble of SVM, traffic classification is performed to detect initially, whether an attack is ocurring and the specific attack type. This approach presents a performance of 99.27% of attack detection rate, with 1.9% false positives and 0.73% false negatives. Yu et al [4] present a very similar approach to Bao s, with results slightly better. 3.1.3 Principal Component Analysis Bharati et al [31] present a framework based on PCA for detection of application layer DDoS attacks, specifically, those based on HTTP traffic. It works by building profiles from browsing activity of users. This framework presents very low attack detection time, in comparison to other existing methods; no information on false positives is provided. Liu et al [32, 33] present a solution combined of PCA and Sketches for detection in a distributed way. It is able to perform detection of anomalies both at the user side and at a central point, usually the Network Operation Center. Although results are not presented in detail, from graphics provided by authors is possible to note that the proposed approach has very low false detections rate, and it has low detection times. Finally, Li et al [34] present a solution using PCA based on the concept of spatial correlation; this is, relations which can be established from studying similarities which present the traffic flows associated to attack, when directed towards the target. This solution shows more than 80% accurate detections, with only 0.1% of false positives. It is important remark the distributed nature of this solution, understanding the very own distributed nature of the attacks under study. 3.1.4 Neural classifiers Raj Kumar et al [35] present an approach based on an ensemble of neural classifiers, on the idea that by combining classifiers, it is possible to reduce the overall error. Applied to detection of TCP, UDP, ICMP and HTTP based attacks, it presented a 98% of accurate detections, and around 3% of false positives. Li et al [36] present an approach based on LVQ Neural Networks; they present results showing 99.7% of accurate detections, with around 0.3% of false positives; results with this kind of neural network are shown to be better than the ones obtained with back propagation neural network.
Wu et al [37] present the usage of Neural Networks in detection of DDoS attacks against DNS servers; the overall performance obtained in their work is 96.5%, with 0% false positives. Finally, [38] present detection of DDoS attacks on IP flows using neural network classification, specifically back propagation network; although details are not discused in detail, graphics show low false positives and high good classification rates. 3.2 Answering research questions In this part of the section, answers to the proposed research questions are provided. Regarding RQ1, most of the reviewed works show to be focused in low level DDoS attacks; IP, TCP and UDP based attacks is the most commonly analyzed attack type. Anyway, some of the authors address the problem of application based attacks, which are more complex to detect because of the high variability of attack patterns that can appear on traffic associated to them. Specifically the works referenced in [18] (SIP - IMS), [19] (DNS), [27] (HTTP), [31] (HTTP), [35] (HTTP), [37] (DNS) present approaches for application layer attack detection. Particularly, in the case of HTTP, is usual to model the attack as variations on normal user activites profiles. In relation to RQ2, the review of the selected works allows to see that the best performances are provided with implementations of SVM( [30]) and LVQ Neural networks ([36]). It is important to clarify that there were some papers which did not present explicitly their results, so it might be possible to have approaches which would have better results to these referenced. Finally, regarding RQ3, most of the works present centric solutions, to be used near to victim device. There are references of distributed approaches in [23, 24] and [34]. 4 Conclusions and Future Work An approach to state of art in application of Machine Learning to DDoS Attack detection was presented via Systematic Literature Review. From a structured procedure for reviewing papers, it was detected that an important topic to be researched is detection of application layer based protocols. Reviewed authors who have worked on this topic usually mention the wide quantity of literature which can be found regarding low level (Transport and network layers) DDoS attacks in contrast to literature on Application Layer attacks. Another important detected issue is that, although there are techniques providing good performances, increasing accuracy, reducing detection times and avoiding false detections is always a goal to achieve in detection techniques. Besides, an important challenge arises in relation to application of detection techniques on high speed networks, which are everyday more common. Collaborative and distributed detection is a topic deserving more attention. Because of the emergent trend on cloud and grid computing environments, platforms and services tend to be highly distributed, so, because of this fact and because of the very own nature of DDoS attacks, it is possible that approaches with capabilities of collaboration, distribution and even mobility combined with machine learning and other techniques could provide better performance. As future work from this review, exploring more recent papers (up to date) and deeper analysis of experimental results of reviewed papers is proposed. References [1] C.-M. Chen, Y.-H. Ou, and Y.-C. Tsai, Web botnet detection based on flow information, in ICS 2010 - International Computer Symposium, pp. 381 384, 2010. [2] D. Kim, B. Kim, I. Kim, J. Oh, J. Jang, and H. Cho, Automatic control method of DDoS defense policy through the monitoring of system resource, in Recent Researches in Applied Informatics - Proceedings of the 2nd International Conference on Applied Informatics and Computing Theory, AICT 11, pp. 140 145, 2011. [3] H. Liu, Y. Sun, and M. Kim, Fine-grained DDoS detection scheme based on bidirectional count sketch, in Proceedings - International Conference on Computer Communications and Networks, ICCCN, 2011. [4] J. Yu, H. Lee, M.-S. Kim, and D. Park, Traffic flooding attack detection with SNMP MIB using SVM, Computer Communications, vol. 31, no. 17, pp. 4212 4219, 2008. [5] R. Yogesh Patil and L. Ragha, A rate limiting mechanism for defending against flooding based distributed denial of service attack, in Proceedings of the 2011 World Congress on Information and Communication Technologies, WICT 2011, pp. 182 186, 2011. [6] A. Patcha and J.-M. Park, An overview of anomaly detection techniques: Existing solutions and latest technological trends, Computer Networks, vol. 51, no. 12, pp. 3448 3470, 2007. [7] B. A. Kitchenham and S. Charters, Guidelines for performing systematic literature reviews in software engineering, 2007. [8] S. Ranjan, R. Swaminathan, M. Uysal, A. Nucci, and E. Knightly, DDoS-shield: DDoS-resilient scheduling to counter application layer attacks, IEEE/ACM Transactions on Networking, vol. 17, no. 1, pp. 26 39, 2009. [9] Y. Xie and S.-Z. Yu, A large-scale hidden semi-markov model for anomaly detection on user browsing behaviors, IEEE/ACM Transactions on Networking, vol. 17, no. 1, pp. 54 65, 2009. [10] C. Ye and K. Zheng, Detection of application layer distributed denial of service, in Proceedings of 2011 International Conference on Computer Science and Network Technology, ICCSNT 2011, vol. 1, pp. 310 314, 2011.
[11] Y. Xie and S. Tang, Online anomaly detection based on web usage mining, in Proceedings of the 2012 IEEE 26th International Parallel and Distributed Processing Symposium Workshops, IPDPSW 2012, pp. 1177 1182, 2012. [12] T. Gamer, Distributed detection of large-scale attacks in the internet, in Proceedings of 2008 ACM CoNEXT Conference - 4th International Conference on Emerging Networking EXperiments and Technologies, CoNEXT 08, 2008. [13] T. Gamer and C. Mayer, Simulative evaluation of distributed attack detection in large-scale realistic environments, Simulation, vol. 87, no. 7, pp. 630 647, 2011. [14] S. Shalinie, M. Kumar, M. Karthikeyan, J. Sajani, V. Nachammai, K. Sundarakantham, and K. Mallikarjunan, CoDe - an collaborative detection algorithm for DDoS attacks, in International Conference on Recent Trends in Information Technology, ICRTIT 2011, pp. 113 118, 2011. [15] T. Gamer, Collaborative anomaly-based detection of large-scale internet attacks, Computer Networks, vol. 56, no. 1, pp. 169 185, 2012. [16] Z. Wei, G. Xiaolin, H. Wei, and Y. Si, TCP DDOS attack detection on the host in the KVM virtual machine environment, in Proceedings - 2012 IEEE/ACIS 11th International Conference on Computer and Information Science, ICIS 2012, pp. 62 67, 2012. [17] S. Zeng and Q. Hao, Network I/O path analysis in the kernel-based virtual machine environment through tracing, in Proceedings of the 2009 First IEEE International Conference on Information Science and Engineering, ICISE 09, (Washington, DC, USA), pp. 2658 2661, IEEE Computer Society, 2009. [18] E. Nosrati, A. Kashi, Y. Darabian, and S. Tonekaboni, Register flooding attacks detection in IP multimedia subsystems by using adaptive z-score CUSUM algorithm, in 2011 International Conference on Information Technology and Multimedia: Ubiquitous ICT for Sustainable and Green Living, ICIM 2011, 2011. [19] Z. Yi, L. Qiang, and Z. Guofeng, A real-time DDoS attack detection and prevention system based on per-ip traffic behavioral analysis, in Proceedings - 2010 3rd IEEE International Conference on Computer Science and Information Technology, ICCSIT 2010, vol. 2, pp. 163 167, 2010. [20] P. Du and A. Nakao, Mantlet trilogy: DDoS defense deployable with innovative anti-spoofing, attack detection and mitigation, in Proceedings - International Conference on Computer Communications and Networks, IC- CCN, 2010. [21] O. Salem, A. Mehaoua, S. Vaton, and A. Gravey, Flooding attacks detection and victim identification over high speed networks, in 2009 Global Information Infrastructure Symposium, GIIS 09, 2009. [22] F.-Y. Leu and Z.-Y. Li, Detecting DoS and DDoS attacks by using an intrusion detection and remote prevention system, in 5th International Conference on Information Assurance and Security, IAS 2009, vol. 2, pp. 251 254, 2009. [23] Z. Zhou, D. Xie, and W. Xiong, A novel distributed detection scheme against DDoS attack, Journal of Networks, vol. 4, no. 9, pp. 921 928, 2009. [24] Z. Zhou, D. Xie, and W. Xiong, A P2P-based distributed detection scheme against DDoS attack, in Proceedings of the 1st International Workshop on Education Technology and Computer Science, ETCS 2009, vol. 2, pp. 304 309, 2009. [25] L. He, B. Tang, and S. Yu, Available bandwidth estimation and its application in detection of DDoS attacks, in 2008 11th IEEE Singapore International Conference on Communication Systems, ICCS 2008, pp. 1187 1191, 2008. [26] J. Berral, N. Poggi, J. Alonso, R. GavaldÃ, J. Torres, and M. Parashar, Adaptive distributed mechanism against flooding network attacks based on machine learning, in Proceedings of the ACM Conference on Computer and Communications Security, pp. 43 49, 2008. [27] Y. Choi, J. Oh, J. Jang, and I. Kim, Timeslot monitoring model for application layer DDoS attack detection, in Proceedings - 6th International Conference on Computer Sciences and Convergence Information Technology, ICCIT 2011, pp. 677 679, 2011. [28] J. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, DDoS attack detection using IP address feature interaction, in International Conference on Intelligent Networking and Collaborative Systems, INCoS 2009, pp. 113 118, 2009. [29] J. Cheng, J. Yin, Y. Liu, Z. Cai, and M. Li, DDoS attack detection algorithm using ip address features, vol. 5598 LNCS. 2009. [30] C.-M. Bao, Intrusion detection based on one-class SVM and SNMP MIB data, in 5th International Conference on Information Assurance and Security, IAS 2009, vol. 2, pp. 346 349, 2009. [31] R. Bharathi and R. Sukanesh, A PCA based framework for detection of application layer DDoS attacks, WSEAS Transactions on Information Science and Applications, vol. 9, no. 12, pp. 389 398, 2012. [32] Y. Liu, L. Zhang, and Y. Guan, A distributed data streaming algorithm for network-wide traffic anomaly detection, in Performance Evaluation Review, vol. 37, pp. 81 82, 2009.
[33] Y. Liu, L. Zhang, and Y. Guan, Sketch-based streaming PCA algorithm for network-wide traffic anomaly detection, in Proceedings - International Conference on Distributed Computing Systems, pp. 807 816, 2010. [34] Z. Li, G. Hu, and X. Yao, Spatial correlation detection of DDoS attack, in 2009 International Conference on Communications, Circuits and Systems, ICCCAS 2009, pp. 304 308, 2009. [35] P. Raj Kumar and S. Selvakumar, Distributed denial of service attack detection using an ensemble of neural classifier, Computer Communications, vol. 34, no. 11, pp. 1328 1341, 2011. [36] J. Li, Y. Liu, and L. Gu, DDoS attack detection based on neural network, in 2010 2nd International Symposium on Aware Computing, ISAC 2010 - Symposium Guide, pp. 196 199, 2010. [37] J. Wu, X. Wang, X. Lee, and B. Yan, Detecting DDoS attack towards DNS server using a neural network classifier, vol. 6354 LNCS. 2010. [38] D. Wang, G. Chang, X. Feng, and R. Guo, Research on the detection of distributed denial of service attacks based on the characteristics of IP flow, vol. 5245 LNCS. 2008.