ANN Based DDoS Attack Detection
II. RELATED WORKS

Many proposals and methods for DDoS detection and prevention on SDN and SDN-based environments have been discussed. DDoS attack threats degrade network services and result in vast losses in a network environment. Some of the literature related to our proposed model is reviewed in this section.

Methods, practices and solutions for DDoS attack detection and mitigation on SDN [11]: in this proposal the authors clarify solutions and findings for detection and mitigation. They propose and present a proactive framework, which is an SDN-based defense mechanism. They classified existing solutions according to their techniques and listed the pros and cons of each model. Based on that classification, they concluded that some management rules and customizability are required for DDoS attack detection and prevention applications.

The DDoS lightweight protection algorithm [12] is based on a set of rules that characterize data sent to the network as an attack or not. This lightweight algorithm mainly evaluates three criteria, namely CPU utilization, number of flow table entries and consumed bandwidth, with the POX controller. The time interval of the data collection process is also an important factor: if the interval is short, there will be an overhead on detection. This proposal concentrated more on CPU and bandwidth for the lightweight scheme than on the detection process. They also discuss blocking a botnet-mounted DDoS attack [13]; that proposal introduces efficient blocking of Mirai botnet-mounted attacks.

The intelligent rule-based DoS detection model [14] has two algorithms: one is a feature selection algorithm and the other is a rule-based classification algorithm. Scoring and ranking are used in the feature selection algorithm, which classifies the feature set according to its major or minor effect. The rule-based classification is then used to detect the DoS attack based on the priority selected by the feature selection algorithm. The list of rules is formulated as generic if-then rules. The model achieved a 98.5% accuracy level in its detection algorithm, but the classification time and detection time were not discussed. Beyond detection accuracy, classification and detection time are also important.

Deep learning for crossfire detection [15]: this proposal discusses different deep learning algorithms to detect and train the data. The controller captures traffic information and needs to perform analysis; more frequent measurement results in a better detection rate. Based on that traffic data, the deep learning algorithms are implemented to train the dataset. They compared ANN, CNN and LSTM network algorithms and analyzed the results. Almost all the deep learning algorithms achieved approximately 80% accuracy with less detection time.

ASVM [16], the advanced support vector mechanism: the objective of this proposal is to detect flooding-based DDoS attacks on SDN. Volumetric and asymmetric techniques are used in this proposal to reduce the test and training time with the best accuracy rate. They organize a customizable DDoS defense mechanism with alerts for security requirements. OpenDaylight multi-controllers are used in their topology to generate traffic for training and validation data. Various metrics are used to analyze the performance of their proposed model.

Across all the works discussed in this literature survey, the existing systems do not satisfy high accuracy with low detection rate as well as a lightweight algorithm all together. We conclude from this survey that we need a lightweight rule-based detection model with less detection time and a high accuracy rate.

III. PROPOSED MODEL

We created a fat tree topology in the Mininet environment, generated normal as well as attack traffic, and logged the traffic dataset. Selected attributes from the dataset are taken as input to our proposed model to calculate the detection output. Our proposed model is shown in Fig. 1.

Fig. 1 Proposed Model

We propose an ANN model to detect DDoS attacks in an effective and efficient way with minimum detection time. Artificial neurons (nodes) are the collection units of the ANN. The weights of the edges help us to adjust the learning process. The connections between the artificial neurons are the edges; each connection transmits a signal from one node to another node. The weight is calculated based on the signal strength of each connection. The entire ANN is aggregated into layers.

A. Model computation:

The proposed three-layer neural network model is shown in Fig. 2. The input layer consists of 4 nodes, both hidden layers contain 5 nodes, and the output layer consists of a single node to generate a single output.
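Added example, not code from the paper: a pure-Python forward pass through the 4-5-5-1 network of the Model computation section, with ReLU in both hidden layers as the paper specifies. The sigmoid output activation, the 0.5 decision threshold, the random untrained weights and the sample feature values are assumptions, since the page does not give them.

```python
import math
import random

# Layer sizes from the page: 4 inputs, two hidden layers of 5 nodes, 1 output.
LAYER_SIZES = [4, 5, 5, 1]

def init_params(seed=0):
    """Return [(W1, b1), (W2, b2), (W3, b3)] with W shapes (4,5), (5,5), (5,1)."""
    rng = random.Random(seed)  # untrained placeholder weights (assumption)
    params = []
    for n_in, n_out in zip(LAYER_SIZES, LAYER_SIZES[1:]):
        W = [[rng.uniform(-0.5, 0.5) for _ in range(n_out)] for _ in range(n_in)]
        params.append((W, [0.0] * n_out))
    return params

def relu(z):
    return [max(0.0, v) for v in z]

def sigmoid(z):  # assumption: the page does not state the output activation
    return [1.0 / (1.0 + math.exp(-v)) for v in z]

def affine(a, W, b):
    """z = a . W + b for one sample a (row vector) and W of shape (n_in, n_out)."""
    if len(a) != len(W):
        raise ValueError(f"expected {len(W)} inputs, got {len(a)}")
    return [sum(a[i] * W[i][j] for i in range(len(a))) + b[j] for j in range(len(b))]

def forward(x, params):
    """Forward propagation for l = 1..3; returns the activation of every layer."""
    activations = [list(x)]
    for l, (W, b) in enumerate(params, start=1):
        z = affine(activations[-1], W, b)
        g = relu if l < len(params) else sigmoid  # ReLU in hidden layers only
        activations.append(g(z))
    return activations

def detect(x, params, threshold=0.5):
    """Label one flow sample; the 0.5 threshold is an assumed decision boundary."""
    score = forward(x, params)[-1][0]
    return ("attack" if score >= threshold else "normal"), score

# Constructed sample: 4 pre-scaled flow attributes (the page does not name them).
SAMPLE = [0.9, 0.1, 0.8, 0.7]

if __name__ == "__main__":
    params = init_params()
    print([len(a) for a in forward(SAMPLE, params)], detect(SAMPLE, params))
```

With untrained weights the label itself is meaningless; the block shows the data flow and parameter shapes that training with any of the listed optimizers would then fit.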
Input Layer:
Activation function used in Layer 1 and 2 is ReLU
Output Layer:

Forward propagation:
Layer 0:
I=
Layer 1
Layer 2
It can be generalized
For l = 1…3
Where the shape of each parameter is calculated based on its units
=( ) = (4, 5)
=( ) = (5, 5)
=( ) = (5, 1)
ReLU activation functions in hidden layers:
g(z) = max(0, z)
g1(z)=
a

B. Optimizers

Various optimizers were tested with this model to improve the performance of the proposed model. The optimizers used are Adam, Nadam, SGD and RMSProp.

Adam

Adam is an optimization of the classical stochastic gradient descent algorithm that improves neural network link weights based on training data [17]. Adam merges the advantages of both the Root Mean Square Propagation (RMSProp) optimizer and the Adaptive Gradient Algorithm (AdaGrad) optimizer.

SGD, NADAM and RMSProp

The stochastic gradient descent (SGD) optimizer supports momentum, learning rate and Nesterov momentum. The Nesterov Adam optimizer (NADAM) is Adam RMSprop with Nesterov momentum. Root Mean Square Propagation (RMSProp) is normally a better choice for recurrent neural networks (RNN) [18].

A. Experimental Setting

The experiment for our proposed model is conducted on the OpenFlow-enabled, network-based Mininet emulator, and the topology is animated in MiniNAM. The OpenDaylight controller is used in this network topology. The network topology used in this experiment is shown in Fig. 3. We generate 500 traffic data entries in both normal and attack environments with 15 minutes of emulation time. Both DDoS attack traffic and normal traffic are generated in this work. Data collection is the most important task of this model for detecting attacks on SDN. The network traffic data are collected through OpenFlow switches. The collected data are used to train machine learning and deep learning algorithms; the algorithms are developed and tested in a Python environment.
C. Evaluation Results
The performance of the proposed ANN model is compared with various machine learning models. The best model among the machine learning models is selected based on its cross-validation report, shown as a box plot in Fig. 6.

Accuracy Score

Accuracy is a great measure which is calculated based on confusion matrix values. The accuracy scores of ANN and DT are shown in Table 3.
Fig. 10 Recall

The F1-Score is the weighted average of precision and recall. The F1-Score graph between ANN and DT is shown in Fig. 11.

Fig. 11 F1-Score

REFERENCES
1. Nunes, Bruno Astuto A., et al. "A survey of software-defined networking: Past, present, and future of programmable networks." IEEE Communications Surveys & Tutorials 16.3 (2014): 1617-1634.
2. https://noviflow.com/the-basics-of-sdn-and-the-openflow-network-architecture/
3. Scott-Hayward, Sandra, Gemma O'Callaghan, and Sakir Sezer. "SDN security: A survey." 2013 IEEE SDN For Future Networks and Services (SDN4FNS). IEEE, 2013.
4. S. Asadollahi, B. Goswami, and A. M. Gonsai, "Implementation of SDN using OpenDayLight controller," in Proceedings of the International Conference on Recent Trends in IT Innovations-Tec´afe, vol. 52, no. 2, India, April 2017.
5. F. Keti and S. Askar, "Emulation of software defined networks using mininet in different simulation environments," in Proceedings of the 6th International Conference on Intelligent Systems, Modeling, and Simulation, Kuala Lumpur, February 2015.
6. Nguyen, Tam N. "The challenges in SDN/ML based network security: A survey." arXiv preprint arXiv:1804.03539 (2018).
7. Nanda, Saurav, et al. "Predicting network attack patterns in SDN using machine learning approach." 2016 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN). IEEE, 2016.
8. Latah, Majd, and Levent Toker. "Artificial intelligence enabled software-defined networking: a comprehensive overview." IET Networks 8.2 (2018): 79-99.
9. Balsubramani, Akshay, et al. "An adaptive nearest neighbor rule for classification." arXiv preprint arXiv:1905.12717 (2019).
10. Cui, Mingjian, Jianhui Wang, and Meng Yue. "Machine learning based anomaly detection for load forecasting under cyberattacks." IEEE Transactions on Smart Grid (2019).
11. Bawany, Narmeen Zakaria, Jawwad A. Shamsi, and Khaled Salah. "DDoS attack detection and mitigation using SDN: methods, practices, and solutions." Arabian Journal for Science and Engineering 42.2 (2017): 425-441.
12. Gkountis, Christos, et al. "Lightweight algorithm for protecting SDN controller against DDoS attacks." 2017 10th IFIP Wireless and Mobile Networking Conference (WMNC). IEEE, 2017.
13. Kolias, Constantinos, et al. "DDoS in the IoT: Mirai and other botnets." Computer 50.7 (2017): 80-84.
14. Rajendran, Rakesh, et al. "Detection of DoS attacks in cloud networks using intelligent rule based classification system." Cluster Computing: 1-12.