A novel online approach to detect DDOS attacks using mahalanobis distance and Kernel-based learning

2019
Daneshgadeh Çakmakçı, Salva
Distributed denial-of-service (DDoS) attacks are continually evolving as computer and networking technologies and attackers’ motivations change. In recent years, several supervised DDoS detection algorithms have been proposed. However, these algorithms require a priori knowledge of the classes and cannot automatically adapt to frequently changing network traffic trends. This emphasizes the need for new DDoS detection mechanisms that target zero-day and sophisticated DDoS attacks. To fulfill this need, an online sequential DDoS detection scheme suitable for multivariate data was proposed. The proposed algorithm utilizes a kernel-based learning algorithm, the Mahalanobis distance, and a Chi-square test. The algorithm is fully automated and does not require a pre-defined setting of any thresholds or baseline normal network traffic for training. Initially, four entropy-based and four statistical-based features were extracted from network flows as detection metrics per minute. Then, the Enhanced Kernel based Online Anomaly Detection Algorithm (E-KOAD) was employed to detect entropy-based input feature vectors suspected to be DDoS. This algorithm assumes no model of network traffic or DDoS in advance; instead, it constructs and adapts a Dictionary of feature vectors that approximately span the subspace of normal behavior. Every T minutes, the Mahalanobis distance between the suspicious vectors and the distribution of the Dictionary members is measured. Subsequently, the Chi-square test is used to evaluate the Mahalanobis distance. The proposed DDoS detection scheme was applied to the CICIDS2017 dataset, and the performance of the algorithm was measured using different performance metrics including accuracy, recall, precision and the ROC curve. Finally, the results were compared with those of existing algorithms.
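The two-stage scheme the abstract describes, worked through end to end as an added illustrative example written for this page; it is not the authors' E-KOAD implementation and not code from the paper. It extracts the four entropy features (source IP, destination IP, source port, destination port) per minute from constructed flow records, maintains a KOAD-style dictionary with an approximate-linear-dependence test in RBF kernel space, and every T minutes tests the suspicious vectors with a Mahalanobis distance and a Chi-square test against the dictionary members' distribution. Everything numeric here is an assumption of the example rather than a value from the paper: the kernel width `gamma`, the two projection-error thresholds `nu1`/`nu2` (the paper's algorithm sets its thresholds automatically; this example fixes them), the ridge terms that keep small matrices invertible, the significance level `alpha`, the period `T`, and the synthetic trace built from documentation address ranges.

```python
# Added example (not the paper's code): an E-KOAD-style two-stage DDoS
# detector on constructed flow records. gamma, nu1, nu2, ridge, alpha and
# the synthetic traffic below are illustrative assumptions, not paper values.
import math
import random
from collections import Counter

DIM = 4  # per-minute entropy of: src IP, dst IP, src port, dst port


def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def minute_features(flows):
    """Feature vector for one minute: entropy of each flow tuple field."""
    return [entropy([f[i] for f in flows]) for i in range(DIM)]


def rbf(x, y, gamma):
    """Gaussian (RBF) kernel; k(x, x) == 1, which the ALD test relies on."""
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x, y)))


def invert(m):
    """Gauss-Jordan inverse of a small square matrix (list of row lists)."""
    n = len(m)
    a = [r[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, r in enumerate(m)]
    for i in range(n):
        p = max(range(i, n), key=lambda r: abs(a[r][i]))  # partial pivoting
        a[i], a[p] = a[p], a[i]
        a[i] = [v / a[i][i] for v in a[i]]
        for r in range(n):
            if r != i and a[r][i] != 0.0:
                f = a[r][i]
                a[r] = [rv - f * iv for rv, iv in zip(a[r], a[i])]
    return [row[n:] for row in a]


class KoadDictionary:
    """Sparse dictionary of vectors approximately spanning normal behaviour.
    A new vector's projection error onto the dictionary span in kernel space
    (the ALD test of KOAD) decides whether it is normal, admitted, or suspect."""

    def __init__(self, gamma=10.0, nu1=0.02, nu2=0.9, ridge=1e-6):
        self.gamma, self.nu1, self.nu2, self.ridge = gamma, nu1, nu2, ridge
        self.members, self.k_inv = [], None

    def projection_error(self, x):
        if not self.members:
            return 1.0
        k = [rbf(x, d, self.gamma) for d in self.members]
        n = len(k)
        proj = sum(k[i] * self.k_inv[i][j] * k[j] for i in range(n) for j in range(n))
        return 1.0 - proj  # k(x, x) - k^T K^-1 k

    def _add(self, x):
        # Recompute the regularised Gram inverse from scratch (fine for a
        # small dictionary; KOAD updates it incrementally instead).
        self.members.append(x)
        gram = [[rbf(a, b, self.gamma) + (self.ridge if i == j else 0.0)
                 for j, b in enumerate(self.members)] for i, a in enumerate(self.members)]
        self.k_inv = invert(gram)

    def observe(self, x):
        """'normal' (well represented), 'added' (novel: model adapts) or
        'suspicious' (far outside the span: held for the second stage)."""
        if not self.members:
            self._add(x)
            return "added"
        delta = self.projection_error(x)
        if delta > self.nu2:
            return "suspicious"
        if delta > self.nu1:
            self._add(x)
            return "added"
        return "normal"


def chi2_sf(x, df):
    """Upper-tail probability P(X > x) of a chi-square with EVEN df, which has
    the closed form exp(-x/2) * sum_{k<df/2} (x/2)^k / k!."""
    assert df % 2 == 0, "closed form used here needs even df"
    h = x / 2.0
    return math.exp(-h) * sum(h ** k / math.factorial(k) for k in range(df // 2))


def mahalanobis_sq(x, members, ridge=1e-3):
    """Squared Mahalanobis distance of x from the members' sample distribution.
    The ridge (assumption) keeps the covariance invertible when the dictionary
    is small or a feature, such as source-port entropy, is nearly constant."""
    m = len(members)
    mean = [sum(d[i] for d in members) / m for i in range(DIM)]
    cov = [[sum((d[i] - mean[i]) * (d[j] - mean[j]) for d in members) / max(m - 1, 1)
            + (ridge if i == j else 0.0) for j in range(DIM)] for i in range(DIM)]
    inv, diff = invert(cov), [x[i] - mean[i] for i in range(DIM)]
    return sum(diff[i] * inv[i][j] * diff[j] for i in range(DIM) for j in range(DIM))


def detect(trace, period=10, alpha=0.01):
    """Two-stage scheme over [(minute, flows), ...]: stage one is the
    dictionary test per minute; every `period` minutes the held suspects get
    the Mahalanobis / Chi-square test. Returns the alarmed minutes."""
    dictionary, suspects, alarms = KoadDictionary(), [], []
    for t, flows in trace:
        x = minute_features(flows)
        if dictionary.observe(x) == "suspicious":
            suspects.append((t, x))
        if t % period == 0 or t == trace[-1][0]:  # periodic flush, plus end of trace
            for ts, xs in suspects:
                if chi2_sf(mahalanobis_sq(xs, dictionary.members), DIM) < alpha:
                    alarms.append(ts)
            suspects = []
    return alarms


def synthetic_trace(seed=7, minutes=60, attack_at=45, flows_per_minute=200):
    """Constructed traffic: benign minutes draw from small address pools; the
    attack minute shows the flood signature of many spoofed sources (high src
    IP entropy) hitting one target and port (zero dst IP / dst port entropy)."""
    rng = random.Random(seed)
    src_pool = [f"10.0.0.{i}" for i in range(60)]
    dst_pool = [f"192.0.2.{i}" for i in range(20)]
    trace = []
    for t in range(1, minutes + 1):
        if t == attack_at:
            flows = [(f"198.51.100.{i}", "192.0.2.7", rng.randint(1024, 65535), 80)
                     for i in range(flows_per_minute)]
        else:
            flows = [(rng.choice(src_pool), rng.choice(dst_pool),
                      rng.randint(1024, 65535), rng.choice([80, 443, 443, 53, 22]))
                     for _ in range(flows_per_minute)]
        trace.append((t, flows))
    return trace


if __name__ == "__main__":
    print("alarmed minutes:", detect(synthetic_trace()))
```

The dictionary stage is what gives the scheme its adaptivity: a benign minute whose features drift is admitted and thereby extends the span of "normal", while the flood minute has near-zero kernel similarity to every member and lands in the suspect list. The second stage then asks whether that suspect is also an outlier of the members' multivariate distribution; under a Gaussian assumption the squared Mahalanobis distance is Chi-square distributed with DIM degrees of freedom, which is why the p-value is read off `chi2_sf`.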