Machine_Learning_Algorithms_for_DoS_and_DDoS_Cyberattacks_Detection_in_Real-Time_Environment

This paper presents a study on the application of Machine Learning (ML) algorithms for the detection of Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) cyberattacks in real-time environments. The authors developed a system that utilizes a refined dataset and a dual-feature selection approach, achieving a remarkable accuracy of 99% in detecting various malicious network traffic. The research highlights the importance of integrating ML into cybersecurity to enhance the effectiveness of intrusion detection systems.

2024 IEEE 21st Consumer Communications & Networking Conference (CCNC)

Machine Learning Algorithms for DoS and DDoS Cyberattacks Detection in Real-time Environment

Ethan Berei, M. Ajmal Khan, Ahmed Oun
Department of Electrical & Computer Engineering and Computer Science, Ohio Northern University, OH, USA
2024 IEEE 21st Consumer Communications & Networking Conference (CCNC) | 979-8-3503-0457-2/24/$31.00 ©2024 IEEE | DOI: 10.1109/CCNC51664.2024.10454755

Abstract— Amid the escalating global threat of severe cyberattacks, integrating Machine Learning (ML) into cybersecurity has become a critical research priority. This study addresses this imperative by training several distinct ML models using a refined dataset that underwent a meticulous double-feature reduction process. The objective is to enable the accurate detection of different malicious network traffic, mainly DoS and DDoS, within real-time operational environments. To validate the efficacy of ML algorithms in controlled settings, network packets are captured and analyzed in real-time using a synergistic combination of PyShark and CICFlowMeter tools. The results of this investigation are highly promising, revealing the successful development of robust intrusion detection models through a novel dual-feature selection approach. Notably, these models achieved exceptional accuracy rates in detecting cyberattacks, demonstrating a remarkable 99% success.

Keywords—Machine Learning, cybersecurity, Denial-of-Service, Distributed Denial-of-Service, cyberattacks

I. INTRODUCTION

The number of Internet-connected devices is growing at a rapid pace, and our society is enjoying lots of benefits from using these devices [1]. However, cyberattacks cause a loss of billions of dollars every year to the United States [2]. This paper aims to develop a system to detect a few common cyberattacks in a practical environment. Due to the increasing number of cyberattacks, cybersecurity has been a top priority for governments, businesses, and academia [3]. Thus, an effective cybersecurity system must be developed to provide maximum security from cyberattacks [4]. Furthermore, as network- and human-based methods are becoming outdated, incorporating ML in intrusion detection systems to safeguard networks and IT resources cannot be avoided [5-9]. This has motivated us to set up a practical real-time system to detect DoS and DDoS attacks using ML algorithms. Our main contribution in this paper is to develop a practical system in the cybersecurity research lab where machine learning is employed to detect cyberattacks including DoS and DDoS attacks. The results show high accuracy of cyberattack detection using ML in a real-time environment.

II. PROPOSED METHOD

A. Data Selection and Preprocessing

The publicly available dataset called the inSDN dataset is selected because the dataset is well-labeled and has eighty-four features with many datapoints [10]. To train the models as binary classifiers, the subcategories of the dataset are further broken down and combined into three smaller datasets: DDoS, DoS, and web attack. The normal dataset is used as the true-negative case and remains the same. Standard dataset preprocessing is then applied to the datasets. Each of the attack datasets is combined with the normal dataset. Then label encoding and standard scaling are applied.

B. Model Selection and Training

In this work, supervised ML classifiers are employed due to their impressive results [7]. Three algorithms, Random Forest (RF), K-Nearest-Neighbors (KNN), and Support Vector Machine (SVM), are employed and evaluated using a set of metrics: Accuracy, Precision, Recall, F1-Score, 5-fold stratified K-fold, and the ROC AUC curve.

Fig. 1. Overview of Machine Learning Model Creation

Two methods of feature selection are used to both prevent overfitting and reduce the complexity of the models created. An extra-trees classifier and principal component analysis (PCA) are then used to reduce the dataset with SelectFromModel and a threshold of 0.005. These methods turn the eighty-one initial features down to nine to twelve features. A graphical summary of the model creation process can be seen in Fig. 1.

C. Experimental Setup

A laboratory environment is set up in the Cybersecurity lab, as shown in Fig. 2. In the lab, we connected four networks to a router, where three networks are used by the attackers, while one network is for the normal users. In addition, there is an Intrusion Detection System (IDS) connected to the router and the normal users’ network via a read-only link, which makes copies of every data packet for analysis. In this setup, attacks are launched against victims and the IDS collects the network traffic. For data collection, a Python program consisting of a Python class called PyShark and a Python program called CICFlowMeter is used to create summaries of packet flows.

Fig. 2. Experimental Setup in the Cybersecurity Lab

Utilizing 8 virtual machines, two datasets for DoS and DDoS are captured, and one dataset of normal traffic is also captured. For the DoS dataset, a Kali Linux zombie is used to attack a victim machine using HPing3; for the DDoS dataset, four Kali Linux zombie machines attack a victim machine. To experiment with a wide variety of DDoS attacks, HPing3, Slowloris, THC-SSL-DOS, and Rudy are utilized in the lab. For the normal traffic dataset, machines running Windows 10 Home, Ubuntu LTS, and Windows Server 2019 operate in an attack-free environment. As the attacks happen, the machine collects the various packets that are sent between the hosts. Capture filters are used to remove the normal traffic from the malicious attack traffic. The packets are then analyzed by the ML models. The statistics of the datasets are as follows: the normal traffic simulation captured 6785 flows, the four HPing3 DoS attacks acquired 312145 flows, and the four DDoS attacks captured 557825 flows.

III. ANALYZING AND DISCUSSING RESULTS

TABLE I. MODEL RESULTS

Attack       Algorithm   Accuracy   Precision   Recall   F1-Score   K-Fold   ROC Curve
DoS          RF          0.99967    0.99943     0.999    0.999      0.998    0.999
DoS          KNN         0.99975    0.99953     0.999    0.999      0.998    0.999
DoS          SVM         0.99397    0.98910     0.997    0.993      0.991    0.994
DDoS         RF          0.99984    0.99995     0.999    0.999      0.999    0.999
DDoS         KNN         0.99986    0.99995     0.999    0.999      0.999    0.999
DDoS         SVM         0.99950    0.99938     0.999    0.999      0.999    0.999
Web Attack   RF          0.99985    1           0.958    0.979      0.999    0.979
Web Attack   KNN         0.99978    0.97872     0.958    0.968      0.999    0.979
Web Attack   SVM         0.99956    0.97727     0.896    0.935      0.998    0.948

Firstly, we observed that the double feature selection is successful in reducing overfitting. Furthermore, it reduced the unnecessary complexity of the initial models and decreased both training and prediction times. Moreover, the models are highly accurate when compared to previous works.

IV. CONCLUSION

With the growth of increasingly intense cyberattacks across the globe, the need to use Machine Learning in cybersecurity has been a pressing issue for researchers everywhere. Nine models created from a double-feature-reduced inSDN dataset were trained to detect various malicious traffic in a real environment. Moreover, to test the validity of ML algorithms in the lab, packets were captured using a combination of PyShark and CICFlowMeter, and then analyzed in real-time. Furthermore, this work successfully created effective ML intrusion detection models using double feature selection, as shown in the results with high accuracy of 99%.

FUTURE WORK

To continue towards a safe cyber world, future studies should consider further improving the results of the individual models against new data. Moreover, we plan on implementing the models against a real network to test their validity in the real world.

REFERENCES

[1] H. Kettani and P. Wainwright, “On the Top Threats to Cyber Systems,” IEEE 2nd ICICT, Kahului, HI, USA, 2019, pp. 175-179.
[2] G. Nebbione and M. C. Calzarossa, “A Methodological Framework for AI-Assisted Security Assessments of Active Directory Environments,” IEEE Access, vol. 11, pp. 15119-15130, 2023.
[3] P. McQuaid, B. Britton, M. Minnich, D. Borelli, J. Baker and B. Burton, “University and Government Uniting to Address Homeland CyberSecurity Issues,” IEEE-HST, Woburn, MA, USA, 2018, pp. 1-5.
[4] A. Aljuhani, “Machine learning approaches for combating distributed denial of service attacks in modern networking environments,” IEEE Access, vol. 9, pp. 42236-42264, 2021.
[5] F. Hussain, S. G. Abbas, I. M. Pires, S. Tanveer, U. U. Fayyaz, N. M. Garcia, G. A. Shah, and F. Shahzad, “A two-fold machine learning approach to prevent and detect IoT botnet attacks,” IEEE Access, vol. 9, pp. 163412-163430, 2021.
[6] N. Z. Gorment, A. Selamat, L. K. Cheng and O. Krejcar, “Machine Learning Algorithm for Malware Detection: Taxonomy, Current Challenges and Future Directions,” IEEE Access, 2023.
[7] G. Apruzzese, P. Laskov, E. Montes de Oca, W. Mallouli, L. Rapa, A. Grammatopoulos, and F. Franco, “The Role of Machine Learning in Cybersecurity,” Digital Threats: Research and Practice, vol. 4, no. 1, pp. 1-38, 2023.
[8] M. S. Akhtar and T. Feng, “Evaluation of Machine Learning Algorithms for Malware Detection,” Sensors, vol. 23, no. 2, p. 946, 2023.
[9] R. Sen, G. Heim, and Q. Zhu, “Artificial Intelligence and machine learning in cybersecurity: Applications, challenges, and opportunities for MIS academics,” Communications of the Association for Information Systems, vol. 51, no. 1, pp. 179-209, 2022.
[10] M. S. Elsayed, N.-A. Le-Khac and A. D. Jurcut, “InSDN: A Novel SDN Intrusion Dataset,” IEEE Access, vol. 8, pp. 165263-165284, 2020.
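The flow-summarisation step of Section II.C (PyShark capture feeding CICFlowMeter) is what turns raw packets into the per-flow feature vectors the RF/KNN/SVM models score. The block below is an added example, not the paper's or CICFlowMeter's own code: a minimal bidirectional flow aggregator over constructed packet tuples with made-up addresses, deriving a few CICFlowMeter-style features and showing how a one-sided SYN burst of the kind the paper generates with HPing3 differs from a normal HTTP exchange.

```python
# Added example (not the paper's or CICFlowMeter's own code): aggregate raw packets
# into bidirectional flow records keyed on the 5-tuple and derive a few of the
# per-flow features a classifier such as the paper's RF/KNN/SVM would consume.
# A packet is a constructed tuple:
#   (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto, length, tcp_flags)

def flow_key(pkt):
    """Canonical key so that A->B and B->A packets share one flow record."""
    _, src, sport, dst, dport, proto, _, _ = pkt
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def summarise_flows(packets):
    """Return {flow_key: feature dict} built from an unordered list of packets."""
    flows = {}
    for pkt in sorted(packets):                     # sorts on timestamp first
        ts, src, sport, dst, dport, proto, length, flags = pkt
        f = flows.setdefault(flow_key(pkt), {
            "initiator": (src, sport), "start": ts, "end": ts, "syn": 0,
            "fwd_pkts": 0, "bwd_pkts": 0, "fwd_bytes": 0, "bwd_bytes": 0})
        f["end"] = ts
        d = "fwd" if (src, sport) == f["initiator"] else "bwd"
        f[d + "_pkts"] += 1
        f[d + "_bytes"] += length
        f["syn"] += "S" in flags                     # SYN count, a flood indicator
    for f in flows.values():                        # derived, rate-style features
        dur = f["end"] - f["start"]
        total = f["fwd_pkts"] + f["bwd_pkts"]
        f["duration"] = dur
        f["pkts_per_s"] = total / dur if dur > 0 else float(total)
        f["bwd_fwd_ratio"] = f["bwd_pkts"] / f["fwd_pkts"]
    return flows

# Constructed sample traffic: one normal HTTP exchange (handshake, request,
# response, FIN) and a half-open SYN burst like hping3 generates, where the
# victim never answers. Addresses and ports are made up.
NORMAL = [(0.00, "10.0.1.5", 40000, "10.0.1.10", 80, "tcp", 60, "S"),
          (0.01, "10.0.1.10", 80, "10.0.1.5", 40000, "tcp", 60, "SA"),
          (0.02, "10.0.1.5", 40000, "10.0.1.10", 80, "tcp", 52, "A"),
          (0.03, "10.0.1.5", 40000, "10.0.1.10", 80, "tcp", 500, "PA"),
          (0.05, "10.0.1.10", 80, "10.0.1.5", 40000, "tcp", 1500, "PA"),
          (0.10, "10.0.1.5", 40000, "10.0.1.10", 80, "tcp", 52, "FA")]
FLOOD = [(1.0 + i * 0.001, "10.0.2.7", 5555, "10.0.1.10", 80, "tcp", 40, "S")
         for i in range(200)]

if __name__ == "__main__":
    for key, f in summarise_flows(NORMAL + FLOOD).items():
        print(key, {k: f[k] for k in ("fwd_pkts", "bwd_pkts", "syn", "pkts_per_s")})
```

The flood flow comes out with 200 forward packets, 200 SYNs, no backward packets and about a thousand packets per second, while the normal exchange has a backward/forward ratio of 0.5 and two SYNs; these are the kinds of columns the extra-trees step in Section II.B ranks when it cuts the feature set down.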

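The evaluation of Section II.B and Table I (accuracy, precision, recall, F1, 5-fold stratified K-fold, ROC AUC) written out explicitly, as an added example that is not the paper's code. The label set is constructed to mirror the paper's attack:normal imbalance (6785 normal flows against 312145 DoS flows, roughly 1:46), and the F1 helper lets the Table I rows be cross-checked against their own precision and recall columns.

```python
# Added example (not the paper's code): the per-model evaluation the paper
# reports, written out so Table I can be sanity-checked. Stratified K-fold keeps
# the normal:attack ratio of the captured data (6785 normal vs 312145 DoS flows,
# roughly 1:46) in every fold; precision, recall and F1 come from the confusion
# matrix, because accuracy alone says little on data this imbalanced.
import random

def stratified_kfold(labels, k=5, seed=0):
    """Yield (train_idx, test_idx) pairs with each class spread evenly over folds."""
    rng = random.Random(seed)
    by_class = {}
    for i, y in enumerate(labels):
        by_class.setdefault(y, []).append(i)
    folds = [[] for _ in range(k)]
    for idxs in by_class.values():
        rng.shuffle(idxs)
        for j, i in enumerate(idxs):
            folds[j % k].append(i)
    for t in range(k):
        train = sorted(i for f in range(k) if f != t for i in folds[f])
        yield train, sorted(folds[t])

def binary_metrics(y_true, y_pred, positive=1):
    """Accuracy, precision, recall and F1 from the four confusion-matrix cells."""
    tp = sum(t == positive and p == positive for t, p in zip(y_true, y_pred))
    fp = sum(t != positive and p == positive for t, p in zip(y_true, y_pred))
    fn = sum(t == positive and p != positive for t, p in zip(y_true, y_pred))
    tn = len(y_true) - tp - fp - fn
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    return {"accuracy": (tp + tn) / len(y_true), "precision": prec, "recall": rec,
            "f1": 2 * prec * rec / (prec + rec) if prec + rec else 0.0}

def f1_from(precision, recall):
    """Harmonic mean; e.g. the Web-attack RF row, P=1 and R=0.958, gives F1=0.979."""
    return 2 * precision * recall / (precision + recall)

def roc_auc(y_true, scores, positive=1):
    """AUC as the probability that a random positive outscores a random negative."""
    pos = [s for t, s in zip(y_true, scores) if t == positive]
    neg = [s for t, s in zip(y_true, scores) if t != positive]
    wins = sum((p > n) + 0.5 * (p == n) for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

# Constructed labels with the paper's ~46:1 attack:normal imbalance (attack = 1).
LABELS = [1] * 460 + [0] * 10
```

A predictor that labels every flow as attack scores an accuracy of about 0.979 on LABELS while its recall for the normal class is zero, which is why the per-class precision and recall columns of Table I carry more information than the accuracy column.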