UTAR Institutional Repository

Data mining techniques for effective detection of distributed denial-of-service attacks

Lee, Yuen Hui (2024) Data mining techniques for effective detection of distributed denial-of-service attacks. Master dissertation/thesis, UTAR.


    Abstract

    A study on using data mining techniques for the classification of Distributed Denial-of-Service (DDoS) attacks is carried out by first performing a preliminary classification of DDoS attacks using five (5) selected classifiers available in the Waikato Environment for Knowledge Analysis (WEKA), namely Naive Bayes, J48, Random Forest, JRip and K-Nearest Neighbour (KNN/IBk). Among these, the J48 Classifier was selected for further testing of different values of its confidence factor (C) and minimum number of objects per leaf (M) parameters, observing the classification results on a sampled data set created from the Consolidated DDoS Data Set (built from both the CICIDS2017 and the CIC-DDoS2019 data sets). Two types of classification (with optimisation by testing different values of C and M in both the Experimenter and the Explorer modules of WEKA) were performed: preliminary ungrouped classification, and simplification of classification via hierarchical grouped classification, with the hierarchy being the one defined by Sharafaldin et al., originally made for the CIC-DDoS2019 data set, and grouping taken from the top three (3) levels of that hierarchy. The first grouping (Level 0 Grouped Classification) reduces the task from multi-class classification to bi-class classification between Normal/BENIGN and DDoS attack instances. In Level 1 Grouped Classification, DDoS attacks are grouped according to whether they are Exploitation, Reflection or HTTP/WebDDoS attacks, while in Level 2 Grouped Classification, DDoS attack labels are grouped into TCP (Reflection), TCP (Exploitation), UDP (Reflection), UDP (Exploitation), TCP/UDP (Reflection) and WebDDoS (in all cases, BENIGN instances are relabelled Normal).
    Evidently, Level 1 Grouped Classification emerged as the winner in terms of overall TPR and GMEAN, while being second only to Level 2 Grouped Classification in terms of overall F-Measure; it performed worse in terms of PREC and had the highest overall False Positive Rate (FPR) among all classifications performed. Preliminary ungrouped classification highlights the problems of unbalanced data sets, with only marginal changes in True Positive Rates (TPR) for individual DDoS attack labels across the different values of C and M tested (the largest increase being the TPR for SSDP attacks, which rose from 2.0% at C = 0.25 to 4.2% at C = 0.5). Hierarchical grouped classification, while it shows a marginal increase in overall TPR for DDoS attacks, still shows errors in which certain DDoS attacks, such as Portmap, SSDP, UDPLag, DNS and LDAP, are classified as other DDoS attack types (especially in Level 1 and 2 Grouped Classification, where the errors are predominantly between separate DDoS attack groups). It also risks oversimplifying the classification of DDoS attacks (especially in Level 0 and 1 Grouped Classification), because grouping DDoS attacks in this way increases the overall TPR of the classification by counting DDoS attacks classified as other DDoS attacks as correct in the calculation of TPR.
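    The following added example (not code from the dissertation) shows how the hierarchical relabelling described in the abstract changes the per-class TPR: a Portmap instance predicted as LDAP is an error in ungrouped classification but counts as a hit once both labels collapse into the same group. The assignment of individual attack labels to Level 2 groups is an assumption following the CIC-DDoS2019 taxonomy of Sharafaldin et al.; the (actual, predicted) pairs are constructed sample data, not results from the study.

```python
from collections import Counter

# Assumed mapping of fine-grained labels to Level 2 groups (CIC-DDoS2019
# taxonomy); verify against the dissertation's own grouping tables.
LEVEL2 = {
    "SSDP": "TCP (Reflection)", "MSSQL": "TCP (Reflection)",
    "NTP": "UDP (Reflection)",
    "DNS": "TCP/UDP (Reflection)", "LDAP": "TCP/UDP (Reflection)",
    "Portmap": "TCP/UDP (Reflection)",
    "Syn": "TCP (Exploitation)",
    "UDPLag": "UDP (Exploitation)", "UDP": "UDP (Exploitation)",
    "WebDDoS": "WebDDoS",
}
# Level 1 groups are derived from the Level 2 group names: the bracketed
# part ("Reflection"/"Exploitation"), with WebDDoS becoming HTTP/WebDDoS.
LEVEL1 = {g: "HTTP/WebDDoS" if g == "WebDDoS" else g[g.index("(") + 1:-1]
          for g in set(LEVEL2.values())}


def relabel(label, level):
    """Map a label to its group at level 0, 1 or 2; None keeps it ungrouped."""
    if level is None:
        return label
    if label == "BENIGN":
        return "Normal"          # BENIGN is relabelled Normal at every level
    if level == 0:
        return "DDoS"            # bi-class: Normal vs DDoS
    group2 = LEVEL2[label]
    return group2 if level == 2 else LEVEL1[group2]


def tpr_per_class(pairs, level):
    """Per-class TPR (hits / instances of that class) after relabelling."""
    hits, totals = Counter(), Counter()
    for actual, predicted in pairs:
        a, p = relabel(actual, level), relabel(predicted, level)
        totals[a] += 1
        hits[a] += (a == p)
    return {cls: hits[cls] / totals[cls] for cls in totals}


# Constructed (actual, predicted) pairs illustrating cross-attack confusions.
SAMPLE = [
    ("BENIGN", "BENIGN"), ("BENIGN", "BENIGN"), ("BENIGN", "Syn"),
    ("Portmap", "LDAP"), ("Portmap", "Portmap"),     # same group at Level 2
    ("SSDP", "UDPLag"), ("SSDP", "SSDP"),             # crosses groups at L1/L2
    ("DNS", "LDAP"), ("DNS", "DNS"),
    ("UDPLag", "UDPLag"), ("Syn", "Syn"), ("WebDDoS", "WebDDoS"),
]

if __name__ == "__main__":
    for level in (None, 2, 1, 0):
        print(level, tpr_per_class(SAMPLE, level))
```

    The Portmap-as-LDAP error disappears at Level 2, the SSDP-as-UDPLag error survives until Level 0, and at Level 0 every DDoS instance counts as correctly classified.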

    Item Type: Final Year Project / Dissertation / Thesis (Master dissertation/thesis)
    Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
    T Technology > T Technology (General)
    Divisions: Institute of Postgraduate Studies & Research > Lee Kong Chian Faculty of Engineering and Science (LKCFES) - Sg. Long Campus > Master of Information Systems
    Depositing User: Sg Long Library
    Date Deposited: 14 Apr 2024 17:53
    Last Modified: 14 Apr 2024 17:54
    URI: http://eprints.utar.edu.my/id/eprint/6333
