DDoS Detection Using Active and Idle Features of Revised CICFlowMeter and Statistical Approaches

Distributed Denial of services (DDoS) attack is one of the most dangerous attacks that targeted servers. The main consequence of this attack is to prevent users from getting their legitimate services by bringing down targeted victim. CICFlowMeter tool generates bi-directional flows from packets. Eac...

Full description

Saved in:
Bibliographic Details
Published in2022 4th International Conference on Advanced Science and Engineering (ICOASE) pp. 148 - 153
Main Authors Ali, Basheer Husham, Sulaiman, Nasri, Al-Haddad, S.A.R., Atan, Rodziah, Hassan, Siti Lailatul Mohd
Format Conference Proceeding
LanguageEnglish
Published IEEE 21.09.2022
Subjects
Bidirectional control
CICFlowMeter
Confusion Matrix
DDoS
Denial-of-service attack
Entropy
Feature extraction
Scalability
Sensitivity
Sequential probability ratio test
Shannon Entropy
Online AccessGet full text

Cover

More Information
Summary:Distributed Denial of services (DDoS) attack is one of the most dangerous attacks that targeted servers. The main consequence of this attack is to prevent users from getting their legitimate services by bringing down targeted victim. CICFlowMeter tool generates bi-directional flows from packets. Each flow generates 83 of different features. The research focuses on 8 features which are active min (f1), active mean (f2), active max (f3), active std (f4), idle min (f5), idle mean (f6), idle max (f7), and idle std (f8). CICFlowMeter tool has several problems that affected on the detection accuracy of DDoS attacks. The idle and active based feature of Shannon entropy and sequential probability ratio test (SE-SPRT) approach was implemented in this research. The problems of original CICFlowMeter were presented, and the differences between original and revised version of CICFlowMeter tool were explored. The DARPA database and confusion matrix were used to evaluate the detection technique and present the comparison between two versions of CICFlowMeter. The detection method detected neptune and smurf attacks and had higher accuracy, f1-score, sensitivity, specificity, and precision when revised version of CICFlowMeter used to generate flows. However, the detection method failed to detect neptune attack and had higher miss-rate, lower accuracy, lower f1-score, and lower specificity, and lower precision when original version used in generating flows.
DOI:10.1109/ICOASE56293.2022.10075591