
Priyadarshini and Barik - 2022 - A Deep Learning Based Intelligent Framework To Mit

This article discusses a deep learning based framework to mitigate DDoS attacks in fog computing environments. It proposes using software defined networking and placing a DDoS defender module at the SDN controller to detect attacks. The module uses deep learning for network traffic analysis to filter legitimate packets and block infected packets.


Journal of King Saud University – Computer and Information Sciences 34 (2022) 825–831


A deep learning based intelligent framework to mitigate DDoS attack in fog environment
Rojalina Priyadarshini ⇑, Rabindra Kumar Barik
KIIT University, Bhubaneswar, India

Article info

Article history: Received 28 September 2018; Revised 16 April 2019; Accepted 17 April 2019; Available online 24 April 2019

Keywords: Fog computing; Deep learning; DDoS attack; Software defined network; Openflow network

Abstract

Fog computing (FC) is a contemporary computing paradigm that gives additional support to the cloud environment by carrying out some local data analysis at the edge devices, facilitating networking, computing, infrastructure and storage support as a backbone for end user computing. Enterprises are still not convinced to use it, as security and privacy are among the most open and challenging issues. Availability, among the security requirements, is the one concerned with rendering on demand service to different client applications without any disruptions. It can often be demolished by denial of service (DoS) and distributed denial of service (DDoS) attacks in fog and cloud computing environments. In this paper we propose a novel source based DDoS defence mechanism which can be used in the fog environment as well as the cloud environment to mitigate DDoS attacks. It makes use of Software Defined Network (SDN) to deploy the DDoS defender module at the SDN controller to detect the anomalous behavior of DDoS attacks at the Network/Transport level. The proposed work provides a deep learning (DL) based detection method which makes use of network traffic analysis mechanisms to filter and forward the legitimate packets to the server and can block the infected packets from causing further attacks.

© 2019 The Author(s). Published by Elsevier B.V. on behalf of King Saud University. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

⇑ Corresponding author. E-mail address: [email protected] (R. Priyadarshini).
Peer review under responsibility of King Saud University. Production and hosting by Elsevier.
https://doi.org/10.1016/j.jksuci.2019.04.010

1. Introduction

In cloud computing (CC), security is a challenge and has been a major concern for both industry and academia. Many researchers have worked hard over the last couple of years to cater to different security needs in CC. FC has evolved as a new computing paradigm which is useful for giving some extra support to the cloud environment (Buyya and Dastjerdi, 2016), and it was formally introduced by Cisco (C.G.C. Index, YYYY). It functions in a similar way to the cloud, but is not centralized as the cloud is. Fog systems can be leveraged to do some local data analysis in edge devices, facilitating networking, computing, infrastructure and storage support as a backbone for end user computing (Khan et al., 2017). FC is a distributed paradigm that provides cloud-like services to the edge of the network (Xiao and Xiao, 2013; Mahmud et al., 2018). Among the security requirements of FC, availability is one of the core requirements, which intends to provide on demand service to different client applications. DoS and DDoS attacks are the kind of attacks which can demolish availability (Yan et al., 2016). The intention behind DoS and DDoS attacks is to make a machine or network resource unavailable to its target clients. When these attacks are performed by more than one person, or by bots, it is called DDoS; it is called DoS when the attack is performed by a single person or system (Silva et al., 2013). A bot is a victimized machine, created when malware code is injected into a computer through some software. So, DoS attacks could be considered as a particular type of DDoS attack. According to the source of the DDoS launch, these attacks can be of two types. The attacks are either launched with TCP, UDP, ICMP and DNS packets to disturb the target clients by exhausting their network resources, or launched to exhaust server resources like the server's sockets, ports, memory, database and input/output bandwidth. In the former case the attack is network level flooding, and in the latter case it is known as application level DDoS flooding, which is usually performed on an HTTP webpage (Yi et al., 2015). SDN is an emerging technology and its architecture is a novel way to manage networks (Sahoo et al., 2016). The SDN architecture separates the control plane from the switches and provides its functionality in the controller, which is programmable and is used to process the incoming packets of the switches. The packets are first matched in the forwarding table of the switch; if no match is present, the packet is sent to the controller for processing. During a Distributed Denial of Service (DDoS) attack, online services are made unavailable by overwhelming them with unwanted data traffic from multiple sources. The attack occurs in the network layer or the application layer of the compromised systems that are connected to the network. The controller, being the central point of an SDN network, is extremely vulnerable to such cyber attacks, which may affect the entire network (Shin and Gu, 2013). Still, some characteristics of SDN, like traffic analysis capability, logically centralized control, a view of the global state of the network, and dynamic updating of forwarding rules, make it a suitable choice to detect and defend against DDoS attacks in both cloud and fog environments (Kreutz et al., 2013). The SDN controller has to operate in a centralized way, so there are ample chances of DDoS attacks on the SDN controller for leveraging the cloud to fog. For designing a secure and reliable SDN controller, some methodologies can be imposed to defend against these attacks. SDN based DDoS defence mechanisms can be categorized into three classes based on their deployment locations: (1) source based mechanisms, (2) network based mechanisms and (3) destination based mechanisms (Mirkovic and Reiher, 2004). In this paper we build upon a source based defence mechanism to handle DDoS attacks, where the SDN controller detects the anomalous data traffic, recognizes the malicious packets and validates the source IP in the vicinity of the ingress network.

The contributions of this paper are listed below:

1. We propose a novel source based DDoS defence mechanism which can be used in the fog environment as well as the cloud environment to mitigate DDoS attacks.
2. It uses SDN technology, where the DDoS defender module is deployed to defend against Network/Transport level DDoS attacks.
3. The proposed work provides a deep learning (DL) based detection method which successfully detects the DDoS infected packets and can block those packets from being propagated to the cloud.

The remainder of the paper is arranged as follows. Section 2 describes the work done so far in this context. Section 3 portrays the system model and the necessary conditions for a DDoS attack. Section 4 presents the proposed model used to design the defender module. The experimental setup is provided in Section 5. The results and their analysis are given in Section 6. Section 7 concludes the paper and also depicts the future work.

2. Related work

For designing solutions for DDoS attack prevention and detection, both statistical and machine learning based methods are used (He et al., 2017). This section discusses numerous noteworthy works and investigations made with the aim of resolving the DDoS attack problem using SDN and machine learning. The key functions of DDoS detection and mitigation schemes that use SDN are implemented with the help of a centralized SDN controller. The behaviour and power of the centralized SDN controller are exploited to design intrusion detection mechanisms for DDoS detection. On the other hand, the machine learning methods widely used against DDoS attacks are Naive Bayes, K-Nearest neighbourhood, Support Vector Machine (SVM), neural networks, random forest models and decision trees. A hidden Markov model is used along with reinforcement learning to isolate DDoS packets from normal packets by Xu et al. (2007). Their model was based on computing the probability of the incoming IP address sequence. Berral et al. used the intermediate data traffic; the Naive Bayes algorithm was used to identify the DDoS packets with the help of the source and destination IP addresses and some other shared information from the network nodes (Berral et al., 2008). Genetic Algorithm (GA) and SVM are used by Shon et al., where the features from data traffic are selected by GA, and SVM is used as a pure classifier to detect DDoS packets (Shon et al., 2005). Zecheng He et al. use machine learning algorithms such as SVM and Naive Bayes to propose a DDoS detection system. They employed the statistical features of virtual machines and the cloud server to impede the packets from moving outside of the network (He et al., 2017). Neural networks and biological danger theory could also be employed in SDN to alleviate the DDoS attack. In these cases the associated risk is computed for every host and sent to the VM that keeps an eye on the incoming data flow. If the computed risk factor of the in-flow traffic is more than some predefined assessment, then some commands and orders are propagated to the SDN controller to offer some defence mechanisms to act on (Mihai-Gabriel and Victor-Valeriu, 2014). Manikopoulos and Papavassiliou used a combination of a neural network with a statistical method to defend against DDoS (Manikopoulos and Papavassiliou, 2002). The Kolmogorov-Smirnov test was carried out on the data traffic to obtain the similarity measures, and then neural networks were used to classify the packets. Seufert and O'Brien extract the features from different protocol layers and resources of the system (Seufert and O'Brien, 2007). Their idea was that taking the behaviour of system resources along with network characteristics will be meaningful, because at the time of attack the system resources are overwhelmed. Kumar et al. used a resilient back propagation algorithm to build the defense system (Kumar and Selvakumar, 2011). All these methods use shallow algorithms to build the DDoS attack defense mechanisms. These shallow algorithms have their limitations: (1) an extensive experimental analysis is required to capture the relevant statistical features which will increase the generalization performance of the learning algorithm; (2) the models need to be trained regularly to learn the new characteristics of incoming traffic.

Yuan et al. (2017) used a deep learning based solution named DeepDefence to identify DDoS packets. They tested several DL models to categorize the normal traffic and DDoS traffic. They used Convolutional Neural Network (CNN), Recurrent Neural Network (RNN), Long Short-Term Memory Neural Network (LSTM), and Gated Recurrent Unit Neural Network (GRU) in their work and achieved a significant reduction in error rate compared with the conventional shallow methods. Li et al. (2018) also used DL along with SDN to mitigate DDoS attacks and got an accuracy of 99% in the training phase and 98% for test data.

In this piece of work a variation of the DL algorithm, Long Short Term Memory (LSTM), is used to design a solution for DDoS mitigation which is especially tested in a Fog and Cloud environment. The reason behind choosing LSTM is its suitability for handling sequential and time dependent data. Furthermore, the LSTM model is improved by using a dropout probability model, which can avoid the over-fitting problem. It also uses a Mini Batch (MB) gradient descent algorithm, which is mainly used to fight against the vanishing gradient problem. The proposed model is tested on the standard dataset ISCX 2012 along with some real data. For getting these data, a test bed is built in a simulated environment, where the DDoS attacks are created through an open source tool, HPing-3. The attack is initiated by some random virtual machine. For these attacked packets, the common patterns are found by our model, which helps it to segregate the attacked packets from the normal packets. Furthermore, our model is enhanced by using various dropout probabilities, which in turn gives a prediction accuracy of 98.88% on the test data.

3. System model

Definition 1. Network $N = \{FNd, Sw, Ln, Rt\}$ is the network where the DDoS attack happens. $FNd = \{fnd_1, fnd_2, \ldots\}$ is the fog environment consisting of the fog nodes present in network $N$. $S = \{Sw_1, Sw_2, \ldots\}$ is the set of switches and $Ln = \{lnk_1, lnk_2, \ldots\}$ is the set of links that exist between $S$ and $FN$. $Rt$ paves the path, consisting of a route $P\langle fnd_{source}, fnd_{dest}\rangle$ from source fog node $fnd_{source}$ to $fnd_{dest}$.

Definition 2. Target Fog-Controller (TF): TF n d is the target node where the SDN controller has been deployed as a centralized controller. At the time of attack, the controller's resources would be exhausted and CPU utilization rises, causing a degradation in the overall throughput of the system.

Definition 3. Botnet $BtNt = \{bt_1, bt_2, \ldots\}$ is the set of zombies causing the attack by invoking the function $Attack(TF_i, t)$, which means that $bt_i$ sends infected request packets to $TF_i$, the $i$th target fog controller.

3.1. Necessary condition for DDoS attack

In the presented system model, there are two necessary conditions for a DDoS attack, which are depicted below:

Condition 1. There must exist a data path between Bt and Tf, depicted as $P\langle fn_{source}, fn_{dest}\rangle$. The connecting path might be direct or indirect. It is direct if there is a single link ($ln$) between BN and TF, i.e. $ln = 1$, and indirect if it contains multiple links ($ln > 1$).

Condition 2. To perform the attack, the Botnet may contain a large number of zombies, e.g. $BN = \{bn_1, bn_2, \ldots, bn_n\}$, where $n > th$ (here $th$ is the threshold value of the number of attackers such that the resources of the FN are exhausted by more than 50%).

Assumption 1. The transmission path followed for data forwarding from the controller and the cloud server is secured.

Assumption 2. The model is trained on a regular basis with the new incoming data traffic entering the edge network to make the model more robust.

4. Deep learning model

To identify the DDoS attack, deep learning is used in this work. A Long Short Term Memory (LSTM) network is used, as it works well for time dependent sequential data (Hochreiter and Schmidhuber, 1997). It is independent of window size and it retains the knowledge of the previous packet's effect on the current packet. For a particular time t, continuous network packets are captured to form an input window. The pretrained model, which has already learned the generalized pattern exhibited in legitimate and malignant packets from some historical data, is able to differentiate between the benign and malignant incoming packets (Diro and Chilamkurti, 2018).

Let us consider that there are 'S' switches and 'P' packets traversing at the $t$th instance of time. The controller connected with the switches at the $t$th instance is represented as $C[i, j]$, where the $i$th switch is transmitting the $j$th packet. Each packet $C[i, j]$ is characterized by several features captured during packet analysis, given by a matrix $[f_1, f_2, \ldots, f_n]$. All the 192 features are collected and stored as a matrix of 192 columns, where each column represents a feature. So the final set of all transmitted packets $(P)$ through switches $(S)$ is stored in the form of a multi-dimensional list $List_L$, which is given by:

$$\{List_L\}_d^n = \{C_{1,1}, C_{1,2}, \ldots, C_{S,P}\} \tag{1}$$

where d = 192 represents the number of dimensions of the data and n is the number of data packets, where each packet represents an instance. All these features contain a mixture of text values, numerical values and Boolean values. The Boolean values are encoded into binary values. The text values are also encoded to 16 bits of binary values. For converting the text values to binary bits a vector space model is used. The $[d \times n]$ matrix is sliced into windows of a particular time slot $dt$. Each window is labeled either as 0 or 1: 0 indicates a normal window and 1 indicates packets captured during an attack.

In an LSTM there are three gates and one cell state; the gates are named the forget, input and output gates. These are used to get rid of the vanishing gradient problem which may be encountered in an RNN. The components of the LSTM are represented by the following equations. Here, $f_t$ represents the forget gate and $i_t$ represents the input gate. For each gate a different weight set is used in the LSTM, represented by the matrices $W_f$, $W_i$, $W_c$ and $W_o$. The input at a given time 't' is given by $X_t$; $C_t'$ is the intermediate state and $C_t$ is the cell state. The non-linear activation function sigmoid is used to generate the output of the forget, input and output gates. This is given by Eq. (2). $i_t$, $f_t$ and $o_t$ are the input, forget and output gates respectively. The non-linear activation function $\tanh()$, used to generate the intermediate state, is given by Eq. (3). The current state is presented as $S_t$, whereas its previous state is given by $S_{t-1}$. The architecture of the LSTM is provided in Fig. 1.

$$f(X_t) = \frac{1}{1 + \exp(-aX_t)} \tag{2}$$

where a is a constant, said to be the learning rate parameter.

$$f(X_t) = \tanh(X_t) \tag{3}$$

$$f_t = \sigma(W_f S_{t-1} + W_f X_t) \tag{4}$$

$$i_t = \sigma(W_i S_{t-1} + W_i X_t) \tag{5}$$

$$o_t = \sigma(W_o S_{t-1} + W_o X_t) \tag{6}$$

$$C_t' = \tanh(W_c S_{t-1} + W_c X_t) \tag{7}$$

where $C_t'$ is the intermediate cell state.

$$C_t = (i_t * C_t') + f_t * C_{t-1} \tag{8}$$

$$H_t = o_t * \tanh(C_t) \tag{9}$$

The input to the proposed model is a multidimensional matrix. There are 32 neurons in each cell, which are connected in a forward direction. In the suggested model, lawful and unlawful machines dispatch requests to get admittance to the cloud server, and these messages are propagated to the cloud via the intermediate fog devices. The intermediate fog device present in the fog network is responsible for detecting the unlawful packets and handles them with properly defined schemes, allowing only the lawful messages to get access to the cloud server. This reduces irrelevant traffic and stops the unwanted traffic from reaching the cloud, thereby avoiding superfluous use of cloud resources.

In this proposed work, both benign and malignant packets are transmitted from the client sites, which may request access to cloud services. But the entire data traffic has to pass through the fog layer before reaching the cloud service. The fog layer is constituted of a number of fog devices and a fog server, where the SDN controller is installed. The SDN controller works as a central
controller that is responsible for inspecting all the incoming packets from various nodes. There, the data traffic is filtered and some specific characteristics are captured by the Fog server; these are the deciding features used to identify whether the incoming packet is legitimate or malicious. The attacks are generated from different source machines by means of a variety of tools and scripts. The Fog server is pre-trained with the deep learning algorithm. The algorithms are trained with the captured characteristics of the incoming data traffic. In other words, the server is deployed with classifier models to characterize whether the incoming packets are legitimate or malicious. Upon an incoming request, the packets are passed through the classifiers to decide whether the requests are legitimate or not. If the packet is found to be legitimate, it is forwarded to the cloud server. If it is found to be suspicious, then the IP address of the corresponding packet is moved by the SDN controller to the blocked list of the flow table of the switches. Sufficient programming is done at switch level to prevent the packet from being forwarded to the cloud server.

Fig. 1. Architecture of Long Short Term Memory neural network model.

The detailed mechanism of the discussed scheme is given in the sequence diagram in Fig. 2. The user system consists of more than one virtual machine. The virtual machines are responsible for transmitting both normal and infected packets in a given time slot t. The middle layer is the fog network, which is built on software defined network (SDN) architecture. The SDN architecture has a controller, an open-flow switch and hosts. The responsibility of the SDN controller is to manage the whole network by maintaining the network forwarding table. The flow tables present in the switches are updated with each new entry coming to the network, and the network forwarding table updates itself according to the change of state taking place in the flow tables of each switch. Based on some rules, the SDN controller can forward the packets or drop them. In this work, the controller captures the network characteristics, which are the features mentioned in section-1. These features are then passed through a deep learning detector module. This module is pre-trained with some historical data and has learned to differentiate between DDoS packets and normal packets. Upon receiving new incoming data traffic, the features are collected and the detector model takes a decision whether to drop or forward the packet to the cloud server. For example, consider incoming data packets entering a network. They may be normal or malignant packets. If a packet enters our network, its characteristics are captured through HPing-3 and added to the deep defense model as a test input. The model can then predict whether it is a safe packet. If it is not, then all its information is sent to the SDN controller. The controller in turn takes some action to prevent this packet from entering the network. One of the actions could be blocking the IP address in the flow table of the controller.

Fig. 2. State-Chart of the proposed model.

5. Experimental setup

The system model is configured by setting up a cloud environment where all the necessary conditions are satisfied. The whole environment is constituted of three layers. The topmost layer comprises a set of open source software to build the cloud environment. 'Owncloud' is a cloud storage connected with the 'Apache' web-server. To set up 'Owncloud' we need PHP and MySQL as prerequisites. The cloud server is deployed on CentOS 7. The database used in MySQL is 'MariaDB'. MariaDB is a fork of MySQL which is commonly used by Linux distributions like CentOS. The fog layer comprises a few virtual machines and an SDN with an Apache server, where the SDN controller is installed. The application layer includes varieties of legitimate and attacker virtual machines installed with Linux and Windows OS. The main attacks are performed on TCP, UDP and ICMP protocols through random VMs by using HPing-3. The Mininet emulator is used to create a topology for multiple VMs in the application layer.

We have used the 'FloodLight' controller in the fog server as an SDN controller. It is an Apache licensed Java based controller, which is used to establish the connection links $Ln = ln_1, ln_2, \ldots$ between fog nodes Fn and client machines. A DDoS Defence module is developed and configured inside the controller.

The deep learning model is built by using an open source Python library 'Keras' which runs on a 'Tensorflow' background (Priyadarshini et al., 2018). LSTM is explored with 128 hidden neurons, the loss function used is 'binary cross-entropy', and the 'Adam' optimizer is used with a dropout probability of 0.2. The model uses 2 hidden layers with 128 hidden neurons, which use Sigmoid, whereas the output layer uses a tanh() activation function. Because the model uses a Sigmoid activation function, it may suffer from the vanishing gradient problem. To avoid this, instead of batch gradient descent, a Mini-batch gradient descent (GD) algorithm is used. In Mini-batch GD, after iterating up to a fixed mini-batch size, the learning restarts with a new mini-batch, thereby reducing the chance of exploding gradient. Here, the mini-batch size is chosen as 512 iterations. The Python execution environment is run on the Anaconda distribution on a Windows-10 operating system.

6. Results and analysis

6.1. Training of DDoS defence model

For training the deep learning based DDoS defence module, the Hogzilla Dataset is used in this work to train and validate the proposed model. This dataset extracts data from the CTU-13 Botnet (Garcia et al., 2014) and the ISCX 2012 IDS (Shiravi et al., 2012) datasets. In these data, each flow has 192 behavioural characteristics. The CTU-13 botnet dataset carries all the features concerning the attacked packets and the ISCX 2012 IDS dataset contains information regarding normal packets. The dataset contains three types of fields: numerical, categorical and Boolean. The categorical fields are represented as binary strings by using the One-hot encoding scheme (Cassel and Lima, 2006). In this scheme each categorical attribute is converted into an equivalent 16 bit binary string. Table 1 depicts the attribute details regarding this.

Table 1
Details of the dataset attributes used in the proposed model.

| Attribute | Value | Attribute | Value |
|---|---|---|---|
| Total No. of fields | 192 | No. of classes | 3 |
| No. of Categorical fields | 4 | No. of bits required to represent categorical fields | 16 |
| No. of Numerical field | 9 | No. of bits required to represent numerical fields | Nil |
| No. of Boolean fields | 179 | No. of bits required to represent Boolean fields | 2 |

The results in this section are produced by running the deep learning model on the CTU-13 Botnet and the ISCX 2012 IDS datasets. The split among training and test samples is 90:10. It means that 90% of the entire data sample is used as training data and the remaining 10% is taken as validation data as well as test data. We have used a 10-cross validation scheme for validating the output. During this, the total data samples are divided equally into 10 divisions, from which 9 divisions are randomly chosen as the training samples and the remaining one division goes for testing. This process is repeated 10 times and then the average of all iterations is taken as the final result. The model's parameters are also varied. The model is tried with 1 hidden layer and 2 hidden layers, then again by changing the number of hidden nodes, initially from 32 nodes to 64 and then 128 nodes. Similarly the dropout probability is initially set as 0.1 and later settled at 0.2. The dropout probability is used to avoid the over-fitting problem and for quick response in a recurrent neural network, where the visible and hidden units of the neural network are removed temporarily along with their incoming and outgoing connections (Srivastava et al., 2014). Initially the network is trained with dropout as 0, and then tried with 0.1 to 0.3. But the model was tuned with 0.2. It can be observed from the results that the LSTM model with 2 hidden layers and dropout rate 0.2 performs well. The parameters of the model are fine tuned by analyzing the results after changing the parameters and repeating the experiments. Fig. 3 represents the percentage of accuracy with respect to training and testing instances. Fig. 4 considers only the test data and draws a comparative graph of the error rate on variants of LSTM.
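The preprocessing described in Section 4 and Section 6.1 (mixed fields encoded to numbers, flows sliced into time windows labelled 0 or 1, then a 10-fold split), written out as an added example that is not code from the paper. The three-field schema, the field names, the sample flows and the rule that one attack flow labels the whole window are assumptions; the real dataset has 192 fields.

```python
import random
from collections import defaultdict

CATEGORY_BITS = 16  # width the page gives for each encoded categorical field

# Hypothetical three-field schema; the real dataset has 192 fields (Table 1).
SCHEMA = [
    ("bytes", "numeric", None),
    ("syn", "boolean", None),
    ("proto", "categorical", ["TCP", "UDP", "ICMP"]),
]

# Constructed sample flows: ts in seconds, attack is the ground-truth flag.
FLOWS = [
    {"ts": 10.0, "bytes": 60, "syn": True, "proto": "TCP", "attack": False},
    {"ts": 10.5, "bytes": 512, "syn": False, "proto": "UDP", "attack": False},
    {"ts": 11.2, "bytes": 40, "syn": True, "proto": "TCP", "attack": True},
    {"ts": 11.8, "bytes": 28, "syn": False, "proto": "ICMP", "attack": True},
    {"ts": 13.1, "bytes": 96, "syn": False, "proto": "GRE", "attack": False},
]


def one_hot(value, vocabulary, width=CATEGORY_BITS):
    """One-hot encode value into `width` bits.

    The last bit is reserved for values missing from the vocabulary, so a
    protocol never seen in training still encodes instead of raising while
    traffic is being classified.
    """
    if len(vocabulary) >= width:
        raise ValueError("vocabulary needs more than %d bits" % width)
    bits = [0] * width
    index = vocabulary.index(value) if value in vocabulary else width - 1
    bits[index] = 1
    return bits


def encode_flow(flow, schema=SCHEMA):
    """Turn one flow record into a flat list of floats."""
    vector = []
    for name, kind, vocabulary in schema:
        value = flow[name]
        if kind == "numeric":
            vector.append(float(value))
        elif kind == "boolean":
            vector.append(1.0 if value else 0.0)
        elif kind == "categorical":
            vector.extend(float(bit) for bit in one_hot(value, vocabulary))
        else:
            raise ValueError("unknown field kind: %r" % kind)
    return vector


def slice_windows(flows, dt, schema=SCHEMA):
    """Group encoded flows into consecutive windows of dt seconds.

    Returns [(rows, label)] in time order. Assumption: a window is labelled 1
    when it holds at least one attack flow, otherwise 0. Empty slots are skipped.
    """
    if dt <= 0:
        raise ValueError("dt must be positive")
    ordered = sorted(flows, key=lambda flow: flow["ts"])
    if not ordered:
        return []
    start = ordered[0]["ts"]
    buckets = defaultdict(list)
    for flow in ordered:
        buckets[int((flow["ts"] - start) // dt)].append(flow)
    windows = []
    for slot in sorted(buckets):
        rows = [encode_flow(flow, schema) for flow in buckets[slot]]
        label = int(any(flow["attack"] for flow in buckets[slot]))
        windows.append((rows, label))
    return windows


def k_fold(n_items, k=10, seed=0):
    """Return k (train, test) index splits; every item is tested exactly once.

    Splitting whole windows, not single flows, keeps flows captured in the
    same time slot from landing on both sides of a split.
    """
    if not 2 <= k <= n_items:
        raise ValueError("need 2 <= k <= n_items")
    order = list(range(n_items))
    random.Random(seed).shuffle(order)
    folds = [order[i::k] for i in range(k)]
    splits = []
    for i, test in enumerate(folds):
        train = [j for n, fold in enumerate(folds) if n != i for j in fold]
        splits.append((sorted(train), sorted(test)))
    return splits


if __name__ == "__main__":
    for rows, label in slice_windows(FLOWS, dt=1.0):
        print(label, len(rows), "flows x", len(rows[0]), "features")
    print(len(k_fold(20)), "splits")
```

The unseen protocol in the last sample flow lands in the reserved sixteenth bit, which is the case a fixed-width encoding has to survive once live traffic differs from the training capture.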
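Eqs. (4) to (9) of Section 4 carried through in code, as an added example that is not from the paper: one LSTM cell stepped over a window of encoded packets, showing that the final state depends on earlier packets in the window. It assumes each weight matrix acts on the concatenation of $S_{t-1}$ and $X_t$, takes $S_t = H_t$, omits biases as the equations do, and uses constructed toy weights.

```python
import math


def sigmoid(x):
    """Sigmoid gate activation, Eq. (2) with a = 1."""
    return 1.0 / (1.0 + math.exp(-x))


def matvec(matrix, vector):
    """Multiply a row-major matrix by a vector."""
    return [sum(w * v for w, v in zip(row, vector)) for row in matrix]


def lstm_step(weights, s_prev, c_prev, x_t):
    """One time step; weights maps 'f', 'i', 'o', 'c' to [hidden][hidden + inputs]."""
    joined = s_prev + x_t  # concatenation of S_{t-1} and X_t
    f_t = [sigmoid(a) for a in matvec(weights["f"], joined)]      # Eq. (4)
    i_t = [sigmoid(a) for a in matvec(weights["i"], joined)]      # Eq. (5)
    o_t = [sigmoid(a) for a in matvec(weights["o"], joined)]      # Eq. (6)
    c_new = [math.tanh(a) for a in matvec(weights["c"], joined)]  # Eq. (7)
    # Eq. (8): new cell state mixes the candidate with the previous cell state.
    c_t = [i * g + f * c for i, g, f, c in zip(i_t, c_new, f_t, c_prev)]
    # Eq. (9): output of the cell, used as the next S_{t-1}.
    h_t = [o * math.tanh(c) for o, c in zip(o_t, c_t)]
    return h_t, c_t


def run_window(weights, window, hidden):
    """Feed every packet vector of one window through the cell, in order."""
    width = len(weights["f"][0])
    state, cell = [0.0] * hidden, [0.0] * hidden
    for x_t in window:
        if hidden + len(x_t) != width:
            raise ValueError("packet vector does not match the weight shape")
        state, cell = lstm_step(weights, state, cell, x_t)
    return state, cell


# Constructed toy weights: 1 hidden unit, 1 input feature.
# Each row is [weight on S_{t-1}, weight on X_t].
TOY = {gate: [[0.0, 1.0]] for gate in "fioc"}

if __name__ == "__main__":
    # The two windows differ only in their first packet.
    print(run_window(TOY, [[1.0], [0.0]], hidden=1))
    print(run_window(TOY, [[0.0], [0.0]], hidden=1))
```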
830 R. Priyadarshini, R.K. Barik / Journal of King Saud University – Computer and Information Sciences 34 (2022) 825–831

Fig. 3. Comparison of Training and Testing accuracy of LSTM-2.

Fig. 5. Rate of Error for different LSTM models.

Fig. 4. Validation accuracy of different LSTMs.

Fig. 5 shows the accuracy of the LSTM variants on the test data. It can be observed that LSTM2.2 outperforms the others in terms of accuracy. The performance on the training data sample is almost 99.12%, and on the test sample it is also promising, at 98.88%.

6.2. DDoS defence model test

The testing of the built model is carried out with two types of data. First, the model is tested on the Hogzilla dataset, from which 10% of the total dataset is used as the test samples. Along with this, some real DDoS attacks are performed and a test bed is produced to validate the model. The network traffic is extracted using TCPDump, an automated tool for monitoring network statistics. To simulate the DDoS attack, a tool known as Hping3 is used, by which both malicious and non-malicious data are collected separately. DDoS attacks are performed on the TCP, UDP and ICMP protocols through some random virtual machines with the help of the open source Hping3 tool. These attack packets are then passed through the deep learning model. The results are presented in Table 2, where the performance measure is the accuracy percentage on test data for all LSTM variants with varying numbers of hidden neurons.

Table 2
Types of Models with different parameters and their performance.

Model Type                    LSTM with no          LSTM with 1 hidden    LSTM with 2 hidden    LSTM with 3 hidden
                              hidden layers         layers (LSTM-1)       layers (LSTM-2)       layers (LSTM-3)
Activation Function           Sigmoid, Tanh         Sigmoid, Tanh         Sigmoid, Tanh         Sigmoid, Tanh
Validation Accuracy Percentage
No. of hidden neurons = 32    87.67                 91.33                 94.68                 93.67
No. of hidden neurons = 64    87.96                 96.98                 95.67                 97.45
No. of hidden neurons = 128   89.88                 96.45                 95.89                 97.21
Dropout = 0.0                 89.88                 96.45                 95.89                 93.29
Dropout = 0.1                 90.13                 91.57                 97.39                 96.78
Dropout = 0.2                 90.98                 92.89                 98.88                 98.34

Table 3
Performance Comparison of DDoS Defence Model with other existing DL Models.

Model Type                                  Training Accuracy   Testing Accuracy   Dataset Used            Used in Cloud and Fog
Stacked Auto Encoder (Niyaz et al., 2016)   NA                  95.65              Captured Data           No
LSTM (Yuan et al., 2017)                    99.00               98.00              ISCX 2012               No
LSTM-2 Dropout = 0.2                        99.48               98.88              ISCX 2012, Real Data    Yes

Again, these LSTMs are tested without dropout and with dropout probabilities of 0.1 and 0.2. It can be observed that the LSTM model with 3 hidden layers, consisting of 128 input nodes and with a dropout rate of 0.2, is
outperforming the others. Table 3 compares the DDoS Defence model with the existing models that used DL along with SDN in the past. It can be seen that LSTM 2.2 gives some promising results for test data.

7. Conclusion

In this work we have designed a deep learning based model to protect a Fog network from DDoS attacks. We used SDN technology to control the whole Fog network. The OpenFlow based SDN network is exploited and is equipped with a DDoS defense module which makes use of deep learning technology. The LSTM model is chosen among all the other deep learning varieties because LSTM works well for sequential data, and the data packets used for DoS detection are collected over time. The deep learning model is trained with the historical data and tested with both simulated and real DDoS attack packets. The model has been experimented on with different parameters to get a set of optimized performance tuners. LSTM with 3 hidden layers, one dense layer, 128 input nodes and a dropout rate of 0.2 for all the hidden layers gives a good performance indicator in terms of growing accuracy and reduced error rate. For setting up the fog environment we have used a real cloud setup with some open source cloud platform, and the SDN controller is configured with the 'FloodLight' controller. The controller node is equipped with a DL model which is trained with the Hogzilla dataset and is tested on some real time DDoS attacks. For causing the DDoS attacks, some open source tools are used. The model shows 98.88% accuracy on the testing data set. Upon detecting incoming data packets as suspicious malicious packets, the OpenFlow switch present in the SDN can prevent the packets from propagating further to the cloud server. The infected packet is denied from being forwarded to the server, which can prevent the entire fog network from being affected by the DDoS attacks.

Conflict of interest

None.

References

Berral, J.L., Poggi, N., Alonso, J., Gavalda, R., Torres, J., Parashar, M., 2008. Adaptive distributed mechanism against flooding network attacks based on machine learning. Proceedings of the 1st ACM workshop on Workshop on AISec. ACM, pp. 43–50.
Buyya, R., Dastjerdi, A.V., 2016. Internet of Things: Principles and paradigms. Elsevier.
Cassel, M., Lima, F., 2006. Evaluating one-hot encoding finite state machines for seu reliability in sram-based fpgas. On-Line Testing Symposium, 2006. IOLTS 2006. 12th IEEE International. IEEE, p. 6.
C.G.C. Index, Forecast and methodology, 2015–2020 white paper, Retrieved 1st June.
Diro, A.A., Chilamkurti, N., 2018. Distributed attack detection scheme using deep learning approach for internet of things. Future Generation Comput. Syst. 82, 761–768.
Garcia, S., Grill, M., Stiborek, J., Zunino, A., 2014. An empirical comparison of botnet detection methods. Comput. Security 45, 100–123.
He, Z., Zhang, T., Lee, R.B., 2017. Machine learning based ddos attack detection from source side in cloud. Cyber Security and Cloud Computing (CSCloud), 2017 IEEE 4th International Conference on. IEEE, pp. 114–120.
Hochreiter, S., Schmidhuber, J., 1997. Long short-term memory. Neural Comput. 9 (8), 1735–1780.
Khan, S., Parkinson, S., Qin, Y., 2017. Fog computing security: a review of current applications and security solutions. J. Cloud Comput. 6 (1), 19.
Kreutz, D., Ramos, F., Verissimo, P., 2013. Towards secure and dependable software-defined networks. Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking. ACM, pp. 55–60.
Kumar, P.A.R., Selvakumar, S., 2011. Distributed denial of service attack detection using an ensemble of neural classifier. Comput. Commun. 34 (11), 1328–1341.
Li, C., Wu, Y., Yuan, X., Sun, Z., Wang, W., Li, X., Gong, L., 2018. Detection and defense of ddos attack–based on deep learning in openflow-based sdn. Int. J. Commun. Syst. 31 (5), e3497.
Mahmud, R., Kotagiri, R., Buyya, R., 2018. Fog computing: A taxonomy, survey and future directions. Internet of Everything. Springer, pp. 103–130.
Manikopoulos, C., Papavassiliou, S., 2002. Network intrusion and fault detection: a statistical anomaly approach. IEEE Commun. Mag. 40 (10), 76–82.
Mihai-Gabriel, I., Victor-Valeriu, P., 2014. Achieving ddos resiliency in a software defined network by intelligent risk assessment based on neural networks and danger theory. Computational Intelligence and Informatics (CINTI), 2014 IEEE 15th International Symposium on. IEEE, pp. 319–324.
Mirkovic, J., Reiher, P., 2004. A taxonomy of ddos attack and ddos defense mechanisms. ACM SIGCOMM Comput. Commun. Rev. 34 (2), 39–53.
Niyaz, Q., Sun, W., Javaid, A.Y., 2016. A deep learning based ddos detection system in software-defined networking (sdn), arXiv preprint arXiv:1611.07400.
Priyadarshini, R., Barik, R.K., Panigrahi, C., Dubey, H., Mishra, B.K., 2018. An investigation into the efficacy of deep learning tools for big data analysis in health care. Int. J. Grid High Performance Comput. (IJGHPC) 10 (3), 1–13.
Sahoo, K.S., Mohanty, S., Tiwary, M., Mishra, B.K., Sahoo, B., 2016. A comprehensive tutorial on software defined network: The driving force for the future internet technology. Proceedings of the International Conference on Advances in Information Communication Technology & Computing. ACM, p. 114.
Seufert, S., O’Brien, D., 2007. Machine learning for automatic defence against distributed denial of service attacks. Communications, 2007. ICC’07. IEEE International Conference on. IEEE, pp. 1217–1222.
Shin, S., Gu, G., 2013. Attacking software-defined networks: a first feasibility study. Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking. ACM, pp. 165–166.
Shiravi, A., Shiravi, H., Tavallaee, M., Ghorbani, A.A., 2012. Toward developing a systematic approach to generate benchmark datasets for intrusion detection. Comput. Security 31 (3), 357–374.
Shon, T., Kim, Y., Lee, C., Moon, J., 2005. A machine learning framework for network anomaly detection using svm and ga. Information Assurance Workshop, 2005. IAW’05. Proceedings from the Sixth Annual IEEE SMC. IEEE, pp. 176–183.
Silva, S.S., Silva, R.M., Pinto, R.C., Salles, R.M., 2013. Botnets: a survey. Comput. Netw. 57 (2), 378–403.
Srivastava, N., Hinton, G., Krizhevsky, A., Sutskever, I., Salakhutdinov, R., 2014. Dropout: a simple way to prevent neural networks from overfitting. J. Mach. Learn. Res. 15 (1), 1929–1958.
Xiao, Z., Xiao, Y., 2013. Security and privacy in cloud computing. IEEE Commun. Surveys Tutorials 15 (2), 843–859.
Xu, X., Sun, Y., Huang, Z., 2007. Defending ddos attacks using hidden markov models and cooperative reinforcement learning. In: Pacific-Asia Workshop on Intelligence and Security Informatics. Springer, pp. 196–207.
Yan, Q., Yu, F.R., Gong, Q., Li, J., 2016. Software-defined networking (sdn) and distributed denial of service (ddos) attacks in cloud computing environments: A survey, some research issues, and challenges. IEEE Commun. Surveys Tutorials 18 (1), 602–622.
Yi, S., Qin, Z., Li, Q., 2015. Security and privacy issues of fog computing: a survey. In: International Conference on Wireless Algorithms, Systems, and Applications. Springer, pp. 685–695.
Yuan, X., Li, C., Li, X., 2017. Deepdefense: identifying ddos attack via deep learning. 2017 IEEE International Conference on Smart Computing (SMARTCOMP). IEEE, pp. 1–8.
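
Section 6.2 extracts test traffic with TCPDump and passes it to the LSTM, which needs time-ordered numeric sequences rather than packet text. The following is an added example, not the authors' code: it turns constructed tcpdump-style lines into per-second feature vectors and fixed-length sequences. The feature set, the one-second window and the names `window_features` and `to_sequences` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed `tcpdump -n` style lines (documentation addresses, not real traffic).
SAMPLE = """\
12:00:00.100000 IP 192.0.2.5.40001 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
12:00:00.300000 IP 192.0.2.5.40001 > 198.51.100.10.80: Flags [.], ack 1, win 512, length 0
12:00:00.700000 IP 192.0.2.6.5353 > 198.51.100.10.53: UDP, length 32
12:00:02.000100 IP 203.0.113.1.1025 > 198.51.100.10.80: Flags [S], seq 7, win 512, length 0
12:00:02.000200 IP 203.0.113.2.1026 > 198.51.100.10.80: Flags [S], seq 8, win 512, length 0
12:00:02.000300 IP 203.0.113.3.1027 > 198.51.100.10.80: Flags [S], seq 9, win 512, length 0
12:00:02.000400 IP 203.0.113.4.1028 > 198.51.100.10.80: Flags [S], seq 3, win 512, length 0
12:00:02.500000 IP 203.0.113.9 > 198.51.100.10: ICMP echo request, id 1, seq 1, length 64
"""

LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\S+) > (\S+): (Flags \[([^\]]*)\]|UDP|ICMP)")
PROTO = {"F": "tcp", "U": "udp", "I": "icmp"}

def window_features(text, width=1.0):
    """One vector per time window: [packets, tcp, udp, icmp, distinct sources, SYN share of TCP]."""
    buckets = defaultdict(lambda: {"tcp": 0, "udp": 0, "icmp": 0, "syn": 0, "srcs": set()})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ARP, IPv6 and truncated lines are ignored in this sketch
        h, mi, s, src, _dst, kind, flags = m.groups()
        proto = PROTO[kind[0]]
        b = buckets[int((int(h) * 3600 + int(mi) * 60 + float(s)) // width)]
        b[proto] += 1
        # TCP/UDP endpoints print as addr.port; ICMP endpoints carry no port.
        b["srcs"].add(src if proto == "icmp" else src.rsplit(".", 1)[0])
        b["syn"] += flags == "S"  # bare SYN only; "S." (SYN-ACK) is not counted
    if not buckets:
        return []
    vectors = []
    for k in range(min(buckets), max(buckets) + 1):  # idle windows become zero vectors
        b = buckets.get(k, {"tcp": 0, "udp": 0, "icmp": 0, "syn": 0, "srcs": ()})
        tcp = b["tcp"]
        vectors.append([tcp + b["udp"] + b["icmp"], tcp, b["udp"], b["icmp"],
                        len(b["srcs"]), b["syn"] / tcp if tcp else 0.0])
    return vectors

def to_sequences(vectors, steps):
    """Overlapping runs of `steps` windows: the (timesteps, features) shape an LSTM takes."""
    return [vectors[i:i + steps] for i in range(len(vectors) - steps + 1)]
```

Idle seconds are emitted as zero vectors so that the spacing between windows stays uniform, which a sequence model relies on when it compares a quiet period with a burst.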
