School of Computer Science Engineering and Information Systems

Winter Semester –2023-24

B.Tech IT – Capstone Project (ITE1904)

Final Review Presentation

on

Evaluating the effectiveness of Machine Learning algorithms in

combating DDoS attacks generated by external hardware

Guide: Presenter:

Prof. Jeyanthi N mam Nikhil Kumar

20BIT0127
Table of Content
1. Introduction
2. Problem Definition, Scope and Objective
3. Literature Survey
4. Background
4.1 Algorithms used
4.2 DDoS Attack Types
4.3 Benchmark Dataset
5. Project Description and Goals
6. Proposed Architecture and Methodology
6.1 Proposed Architecture
6.2 Proposed Methodology
7. Output of ML Algorithms
8. Result and Analysis
9. References
Introduction
Introduction
Denial of Services (DoS) attack is a cyber-attack in which the assailant inundates a target system or network with an
excessive amount of traffic or requests. This onslaught disrupts the normal functioning of the system, denying
legitimate users access to its services. On the other hand, a distributed denial-of-service (DDoS) attack involves the
use of multiple computers to maliciously flood a server's resources and/or bandwidth, hindering legitimate users
from accessing its services. Both types of attacks aim to overloading the network resources including network
interface throughput or computational load. DDoS attacks are becoming more complex and challenging to detect
and combat, and requiring a trusted approach to identify DDoS attack traffic behavior.

This project provides a review for executing the most recently ML algorithms for DDoS attack detection. The main
objective is to determine the most accurate ML algorithms for classifying DDoS attacks based on used dataset.
Therefore, A comparative study has been done among twelve ML algorithms to identify the most effective and
efficient one for DDoS detection. The paper has been structured as follows. It provides a background of some of
ML algorithms used for DDoS detection. The related works have been explored. The proposed Methodology for
DDoS attack detection is presented. The experiments and results including data pre-processing, implementation
details of the concerned algorithms, experimental setup, evaluation metrics, and result analysis are presented.
Problem Definition
Problem Definition
The main problem is to develop an effective and efficient technique that can detect and mitigate DDoS attacks
accurately. The proposed technique should be able to handle both high volume and low volume attacks while
maintaining the normal traffic flow. Additionally, the technique should be able to differentiate between legitimate
traffic and malicious traffic.

Objective & Scope

The objective of this study is to evaluate the effectiveness of various machine learning algorithms in detecting and
mitigating distributed denial-of-service (DDoS) attacks generated by external hardware. Specifically, the aim is to
assess the performance of different machine learning models in accurately identifying DDoS attacks, distinguishing
them from normal network traffic, and effectively mitigating their impact on network services and infrastructure.

The proposed technique can be used in various industries such as banking, healthcare, e-commerce, and government
organizations to prevent DDoS attacks. The technique can be implemented in both hardware and software, making
it flexible and scalable.
Literature Survey
Literature Survey
In the paper [1], the authors investigated the effectiveness of Logistic Regression, Naive Bayes algorithm, and artificial neural networks
in detecting DoS attacks using publicly available datasets. Their experiments revealed that artificial neural networks exhibited higher
accuracy, ROC curve performance, and balanced accuracy compared to Naive Bayes algorithm and logistic regression, particularly in
datasets with slightly imbalanced distributions. This suggests that neural network algorithms may offer superior performance in
identifying DoS attacks, thus highlighting the potential of machine learning techniques in cyber-security. The findings underscore the
importance of leveraging proactive prevention and early detection strategies to mitigate security vulnerabilities and threats in cyberspace.

The study [2] presents FloodDetector as a robust framework capable of detecting DoS flooding attacks independently of the controller
used. By combining supervised (K-NN) and unsupervised (ANN) classifiers, FloodDetector outperforms single-classifier approaches in
terms of detection accuracy. The research contributes to the understanding of the effectiveness of combining different types of classifiers
in detecting flooding attacks, laying the groundwork for future work on developing efficient mitigation strategies against such attacks. In
response to this challenge, the authors propose FloodDetector, a controller-independent SDN application designed to detect both known
and unknown flooding attacks. FloodDetector utilizes two machine learning classifiers, K-Nearest Neighbor (K-NN) and Artificial Neural
Network (ANN), to achieve this objective.

The paper [3] provides an overview of research studies that have been conducted to detect DDoS attacks in software-defined network
(SDN) environments using machine learning (ML) techniques. On Comparison of existing approaches of Machine Learning for the
detection of Dos attack in sdn environment. K-Nearest Neighbor produces maximum accuracy of 98.3% and Deep Neural Network
produces 92.30% accuracy. The results of this research also demonstrated that the deep learning approach is more accurate, adequate and
effective, which is compared with classical machine learning approaches. There are also some limitations of existing work.
Literature Survey
In this paper [4], researcher focused on the performance evaluation of classification machine learning (ML) algorithms for SYN flood
attack detection. The classification models are trained and tested with packet capture datasets collected from the ethic telecommunication
network by generating and capturing packets using Hping3 and Wire shark tools. This dataset was further preprocessed and evaluated
using four classification ML algorithms and three training approaches. The experimental results show that the J48 algorithm performs
with an accuracy of 98.57%, and the AdaBoost, Naïve Bayes, and ANN algorithms with an accuracy of 98.52%, 95.31%, and 94.85%,
respectively. Among all of them j48 algorithm has performed the best for SYN attack detection because it has the highest accuracy.

The research paper [5] provides explored techniques such as honeypots and pseudo-honeypots to counter DDoS attacks, with SDNs
playing a crucial role in their implementation. This paper provides a comprehensive survey of related work in IoT security and deep
learning from 2017 to 2021, offering insights for researchers interested in this field. The survey underscores the importance of faster
attack prediction through traffic and packet data analysis and emphasizes the role of SDNs in facilitating flexible and efficient network
architectures. Software Defined Networks (SDN) offer a dynamic and adaptive approach to handling security threats in IoT networks.
Deep learning methodologies, particularly Long Short-Term Memory (LSTM) models, have shown promise in predicting and classifying
attacks or anomalies in network traffic data.

This paper [6] introduces a novel unsupervised ensemble learning framework for botnet detection. Individual novelty-based learners are
trained with legitimate traffic to detect unseen benign and anomalous traffic flows. Predictions from these learners are then combined
using an unsupervised neural network-based ensemble model. Results demonstrate improved botnet detection performance with minimal
false alarms compared to individual base learners and baseline ensemble methods. This approach addresses the challenge of detecting
novel anomalies without relying on labeled data, achieving promising results across diverse attack scenarios.
Literature Survey
This study [7] addresses several critical questions regarding the efficacy of combining cyber and physical features in detecting cyber-
attacks on UAVs. To investigate, a preliminary test bed with two coordinated UAVs is developed, with one UAV subjected to various
cyber-attacks. Cyber and physical features are collected under normal and attack conditions. Intrusion detection systems employing
shallow and deep machine learning models are developed, utilizing cyber-only, physical-only, and cyber-physical features from both
attacked and un-attacked UAVs. The findings indicate that integrating cyber and physical features from the attacked UAV enhances
detection performance by up to 2% in the F1 score. The best detection performance, with an F1 score of 96.3%, is achieved by combining
cyber and physical features from both UAVs at the ground control station.

In this paper [8] the proposed approach utilizes unsupervised techniques to detect anomalies based on source and destination IP addresses,
offering interpretable results for security analysts. It reports IP addresses associated with anomalies and provides detailed information on
detected anomalies, enhancing transparency. Anomalies are represented using images generated from unsupervised base learners,
allowing analysts to visually observe attack patterns. Additionally, traffic representations are analyzed using a Convolutional Neural
Network (CNN) to recognize attack patterns, contributing to a more transparent attack detection system. The emphasis on explain ability
underscores the importance of interpretable models in network intrusion detection.

The study [9] explores defenses against BW-DDoS attacks, highlighting the need for sophisticated defense mechanisms due to the
potential for more devastating future attacks. The proposed blended model, incorporating machine learning techniques like ADT-SVM,
aims to enhance DDoS attack prediction accuracy and improve the effectiveness of defense strategies. By identifying potential DDoS
threats in advance, security measures can be implemented proactively, such as alerting cyber teams and taking preventive actions to
mitigate the impact of an attack on specific sites. Bandwidth Distributed Denial-of-Service (BW-DDoS with ADT-SVM) attacks presents
a significant threat to the Internet, where numerous hosts flood the network with packets, causing congestion and obstructing legitimate
traffic.
Background
Algorithms Used
1. Logistic Regression Algorithm
2. Support Vector Machine Algorithm
3. K-Nearest Neighbor Algorithm
4. Decision Tree Algorithm
5. Naïve Bayes Algorithm
6. Quadratic Discriminant Analysis Algorithm
7. Random Forest Algorithm
8. Extra Tree Classifier Algorithm
9. Gradient Boosting Algorithm
10. XGBoost Algorithm
11. Adaboost Algorithm
12. CatBoost Algorithm
DDoS Attack Types
1. TCP / SYN Flood Attack
A TCP SYN flood attack is a type of cyber-attack that involves
sending a large number of malicious packets to a target computer or
server in order to overwhelm it with traffic. In a SYN flood attack,
the client sends overwhelming numbers of SYN requests and
intentionally never responds to the server’s SYN-ACK messages.
This leaves the server with open connections awaiting further
communication from the client.

How TCP Flood DoS Attack happens?

The TCP Flood DDoS attack exploits a weakness in the TCP/IP protocol, which requires a three-way handshake process to
establish a connection. This process involves the sending and receiving of three separate packets between the client and server
before a connection can be established. The TCP Flood DdoS attack takes advantage of the fact that the server has to allocate
system resources to manage each connection request, and when a large number of requests are sent simultaneously, the server
becomes overwhelmed and unable to function properly.
2. ICMP Flood Attack
ICMP is a flooding attack. In an ICMP flood attack, the attacker
overwhelms the targeted resource with ICMP echo request (ping)
packets, large ICMP packets, and other ICMP types to
significantly saturate and slow down the victim‘s network
infrastructure.

How ICMP Flood DoS Attack happens?

ICMP Flood attacks exploit the Internet Control Message Protocol (ICMP), which enables users to send an echo packet to a
remote host to check whether it’s alive. More specifically during a DDoS ICMP flood attack, the agents send large volumes of
ICMP_ECHO_REQUEST packets (“ping”) to the victim. These packets request a reply from victim and this has as a result
saturation of bandwidth of victim network connection. During an ICMP flood attack, source IP address may be spoofed.
Attackers use IP spoofing in order to hide their true identity, & this makes trace back of the DDoS attacks even more difficult.
3. UDP Flood Attack
In a UDP flood attack, the attacker typically uses a botnet, which
is a network of compromised computers or devices that have
been infected with malware and can be remotely controlled by
the attacker. The botnet sends a large number of UDP packets to
the target network, saturating its bandwidth and preventing
legitimate traffic from getting through.

How UDP Flood DoS Attack happens?

UDP flood attacks typically work by overwhelming a target network with a large number of UDP packets. The attacker sends
a flood of UDP packets to the target network, typically using a botnet or other compromised devices to generate a high
volume of traffic. The target network becomes overwhelmed and cannot handle the volume of traffic, causing network
congestion, slow response times, or even a network outage. This can disrupt normal network operations and cause significant
downtime and lost productivity.
Benchmark Dataset

The dataset is a crucial resource enabling cyber security experts to construct and assess intrusion detection
systems tailored for IoT environments. On the other hand, dataset is the most used for DDoS detection and
categorization of attacks.. It contains a large number of samples and a wide variety of DDoS attacks. In
addition, it encompasses 88 network traffic features, spanning a broad spectrum of statistics related to DoS
and DDoS traffic. The dataset comprises an extensive compilation of DDoS attacks. The attacks are
categorized based on exploitation and reflection techniques
Project Description & Goals
Project Description
The project aims to assess the efficacy of machine learning algorithms in mitigating Distributed Denial of Service
(DDoS) attacks originating from external hardware sources. DDoS attacks, orchestrated by malicious actors, pose a
significant threat to network security by flooding systems or services with an overwhelming volume of traffic,
rendering them inaccessible to legitimate users. While traditional mitigation techniques exist, such as firewall
configurations and traffic filtering, the increasing sophistication of DDoS attacks requires innovative approaches for
detection and prevention.

In this project, we will focus on evaluating various machine learning algorithms to detect and combat DDoS attacks
generated by external hardware devices. External hardware sources, including compromised IoT devices or botnets,
are commonly used by attackers to launch large-scale DDoS attacks due to their widespread availability and
vulnerability to exploitation.

The project will involve collecting and analyzing real-world DDoS attack data generated by external hardware
sources. We will explore the effectiveness of machine learning algorithms, such as neural networks, decision trees,
and ensemble methods, in accurately identifying and mitigating DDoS attacks in this context. Additionally, we will
investigate the feasibility of implementing these algorithms in real-time or near-real-time systems to enable
proactive threat response.
Project Goals
• Data Collection: Gather real-world data on DDoS attacks originating from external hardware sources, including
IoT devices and botnets.

• Algorithm Evaluation: Assess the performance of various machine learning algorithms, including classical
Machine Learning models, and ensemble methods, in detecting and mitigating DDoS attacks.

• Real-time Implementation: Investigate the feasibility of implementing the most effective machine learning
algorithms in real-time or near-real-time systems to enable proactive DDoS attack detection and response.

• Performance Comparison: Compare the effectiveness and efficiency of machine learning-based DDoS
mitigation approaches with traditional mitigation techniques, such as firewall configurations and traffic filtering.
Proposed Architecture
High Level Diagram
Low Level Diagram
Proposed Methodology
Output of ML Algorithms
Result & Analysis
Result Discussion
Mainly, twelve supervised ML algorithms have been applied in the proposed methodology for DDoS detection. The
below table lists these algorithms with their evaluation. The evaluation metrics that are used include accuracy,
recall, precision and F1-score for normal and malicious traffic. Additionally, key tuning parameters for some
classification algorithms as (XGBoost, GB, RF, KNN, ETC) are tuned to optimize their performance and underwent
training and testing using K-fold cross-validation to optimize their generalization capability.

According to the implementation results, it is found that CatBoost algorithms have advanced with the highest
accuracy of 99.99%. RF, GB, CatBoost algorithms have advanced with the highest recall, clearly outperforming
other classifiers whereas RF algorithm achieves the highest overall accuracy of 99.99%. CatBoost algorithm closely
followed at 99.90%. Also, GB algorithm shows strong performance as it achieved accuracy of 99.31%. The
remaining algorithms have relatively lower scores. However, elementary single algorithms like NB and QDA
demonstrate over less accuracy and failing to capture complex attack patterns. This underscores the significance of
ensemble algorithm that integrates multiple weak learners to enhance predictive prowess through diversity and
accuracy gains. Overall, CatBoost and RF provides a good balance of predictive power, training efficiency, and
generalization capability.
 Precision Recall F1-Score
Algorithm Accuracy Normal Malicious Normal Malicious Normal Malicious

Logistic Regression 76.64 % 0.84 0.66 0.79 0.72 0.81 0.69

SVM 97.00 % 0.97 0.97 0.98 0.95 0.97 0.96
K-Nearest 98.00 % 0.99 0.98 0.99 0.98 0.99 0.98
Neighbor
Decision Tree 98.22 % 0.98 0.99 0.99 0.97 0.99 0.98
Naïve Bayes 65.81 % 0.68 0.63 0.74 0.55 0.71 0.59
QDA 47.15 % 0.13 1.00 1.00 0.42 0.23 0.60
Random Forest 99.99 % 1.00 1.00 1.00 1.00 1.00 1.00
Extra Tree 99.27 % 0.99 0.99 0.99 0.99 0.99 0.99
Classifier
Gradient Boosting 99.31 % 0.99 1.00 1.00 0.99 0.99 0.99
XGBoost 98.40 % 0.98 1.00 1.00 0.96 0.99 0.98
AdaBoost 98.89 % 0.99 0.99 0.99 0.98 0.99 0.99
CatBoost 99.90 % 1.00 1.00 1.00 1.00 1.00 1.00
References
References
[1] Zhuolin Li, Hao Zhang, Hossain Shahriar, Dan Lo, Kai Qian, Michael Whitman, Fan Wu, “Denial of Service (DoS) Attack Detection: Performance Comparison of Supervised Machine Learning
Algorithms,” 2020 IEEE Intl Conf on Dependable, Autonomic and Secure Computing | 978-1-7281-6609-4/20 | doi: 10.1109/DASC-PICom-CBDCom-CyberSciTech49142.2020.00088

[2] Samer Y Khamaiseh, Abdullah Al-Alaj, Aquella Warner, “FloodDetector: Detecting Unknown DoS Flooding Attacks in SDN,” 2020 International Conference on Internet of Things and
Intelligent Applications | 978-1-7281-9301-4/20 | doi: 10.1109/ITIA50152.2020.9312310

[3] Shaveta Gupta, Dinesh Grover, “A Comprehensive Review on Detection of DDoS Attacks using ML in SDN Environment,” 2021 International Conference on Artificial Intelligence and Smart
Systems (ICAIS) | 978-1-7281-9537-7/20 | doi: 10.1109/ICAIS50930.2021.939598

[4] Wassihun Beyene W/Mariam, Yalemzewd Negash, “Performance Evaluation of Machine Learning Algorithms for Detection of SYN Flood Attack,” 2021 IEEE AFRICON | 978-1-6654-1984-
0/21 | doi: 10.1109/AFRICON51333.2021.9570968

[5] Zikra Amin, Ahmedul Kabir, “A Performance Analysis of Machine Learning Models for Attack Prediction using Different Feature Selection Techniques,” 2022 IEEE/ACIS 7th International
Conference on Big Data, Cloud Computing, and Data Science | 978-1-6654-6582-3/22 | doi: 10.1109/BCD54882.2022.9900597

[6] Valentina Timcenko, Slavko Gajin, “Hybrid Machine Learning Traffic Flows Analysis for Network Attacks Detection,” 2022 30th Telecommunications Forum (TELFOR) | doi:
10.1109/TELFOR56187.2022.9983780

[7] Sindhu Pusarla, Umashankar Ghugar, Turgut Özseven, Bhupesh Kumar Dewangan, Tanupriya Choudhury, Jagdish Chandra Patni, “A Compressive Study on Detection Accuracy Model for DoS
Attack in SDN Using Ensemble Learning Techniques”, 2023 7th International Symposium on Innovative Approaches in Smart Technologies (ISAS) | 979-8-3503-8306-5/23 | doi:
10.1109/ISAS60782.2023.10391345

[8] V. Prabhu; P. Balamurugan, “Survey on Security based Approach to Prevent Attacks in SDN using IoT Framework”, 2023 2nd International Conference on Edge Computing and Applications
(ICECAA) | 979-8-3503-4757-9/23 | doi: 10.1109/ICECAA58104.2023.10212199

[9] S. Santhosh, M. Sambath, J. Thangakumar, “Detection of DDOS Attack using Machine Learning Models”, 2023 International Conference on Networking and Communications (ICNWC) | 979-8-
3503-3600-9/23 | 2023 IEEE | doi: 10.1109/ICNWC57852.2023.10127537

[10] R. Sahila Devi, R. Bharathi, P. Krishna Kumar, “Investigation on Efficient Machine Learning Algorithm for DDoS Attack Detection”, 2023 International Conference on Computer, Electrical &
Communication Engineering (ICCECE) | 978-1-6654-5251-9/23 | 2023 IEEE | doi: 10.1109/ICCECE51049.2023.10085248
Thank you