MFFLR-DDoS: An encrypted LR-DDoS attack detection method based on multi-granularity feature fusions in SDN

Jin Wang; Liping Wang; Ruiqing Wang; Jin Wang; Liping Wang; Ruiqing Wang

doi:10.3934/mbe.2024185

Mathematical Biosciences and Engineering

2024, Volume 21, Issue 3: 4187-4209. doi: 10.3934/mbe.2024185

Previous Article Next Article

Research article

MFFLR-DDoS: An encrypted LR-DDoS attack detection method based on multi-granularity feature fusions in SDN

Jin Wang ^{1
,
,},
Liping Wang ^{1
,
,},
Ruiqing Wang ²

1.
College of Computer Science & Technology, Zhejiang University of Technology, Hangzhou 310023, China
2.
School of Mathematics, Zhengzhou University of Aeronautics, Zhengzhou 450046, China

Received: 30 October 2023 Revised: 01 February 2024 Accepted: 02 February 2024 Published: 26 February 2024

Low rate distributed denial of service attack (LR-DDoS) is a special type of distributed denial of service (DDoS) attack, which uses the vulnerability of HTTP protocol to send HTTP requests to applications or servers at a slow speed, resulting in long-term occupation of server threads and affecting the normal access of legitimate users. Since LR-DDoS attacks do not need to send flooding or a large number of HTTP requests, it is difficult for traditional intrusion detection methods to detect such attacks, especially when HTTP traffic is encrypted. To overcome the above problems, we proposed an encrypted LR-DDoS attack detection and mitigation method based on the multi-granularity feature fusion (MFFLR-DDoS) for software defined networking (SDN). This method analyzes the encrypted session flow from the time sequence of packets and the spatiality of session flow and uses different deep learning methods to extract features, to obtain more effective features for abnormal traffic detection. In addition, we used the advantages of SDN architecture to perform real-time defense against LR-DDoS attacks by the way of SDN controller issuing flow rules. The experimental results showed that the MFFLR-DDoS model had a higher detection rate than advanced methods, and could mitigate LR-DDoS attack traffic online and in real-time.
- LR-DDoS attack,
- malicious encrypted traffic,
- anomaly detection,
- SDN,
- feature fusion,
- deep learning
Citation: Jin Wang, Liping Wang, Ruiqing Wang. MFFLR-DDoS: An encrypted LR-DDoS attack detection method based on multi-granularity feature fusions in SDN[J]. Mathematical Biosciences and Engineering, 2024, 21(3): 4187-4209. doi: 10.3934/mbe.2024185

Related Papers:

Abstract

Low rate distributed denial of service attack (LR-DDoS) is a special type of distributed denial of service (DDoS) attack, which uses the vulnerability of HTTP protocol to send HTTP requests to applications or servers at a slow speed, resulting in long-term occupation of server threads and affecting the normal access of legitimate users. Since LR-DDoS attacks do not need to send flooding or a large number of HTTP requests, it is difficult for traditional intrusion detection methods to detect such attacks, especially when HTTP traffic is encrypted. To overcome the above problems, we proposed an encrypted LR-DDoS attack detection and mitigation method based on the multi-granularity feature fusion (MFFLR-DDoS) for software defined networking (SDN). This method analyzes the encrypted session flow from the time sequence of packets and the spatiality of session flow and uses different deep learning methods to extract features, to obtain more effective features for abnormal traffic detection. In addition, we used the advantages of SDN architecture to perform real-time defense against LR-DDoS attacks by the way of SDN controller issuing flow rules. The experimental results showed that the MFFLR-DDoS model had a higher detection rate than advanced methods, and could mitigate LR-DDoS attack traffic online and in real-time.

References

[1]	Y. Zhang, L. Cui, W. Wang, Y. Zhang, A survey on software defined networking with multiple controllers, J. Netw. Comput. Appl., 103 (2018), 101–118. https://doi.org/10.1016/j.jnca.2017.11.015 doi: 10.1016/j.jnca.2017.11.015
[2]	A. Dhanapal, P. Nithyanandam, The slow HTTP DDOS attacks: Detection, mitigation and prevention in the cloud environment, Scalable Comput-Prac., 20 (2019), 669–685. https://doi.org/10.12694/scpe.v20i4.1569 doi: 10.12694/scpe.v20i4.1569
[3]	M. Assis, L. Carvalho, J. Lloret, M. J. Proenca, A GRU deep learning system against in software defined network, J. Netw. Comput. Appl., 177 (2021), 102942. https://doi.org/10.1016/j.jnca.2020.102942 doi: 10.1016/j.jnca.2020.102942
[4]	S. Sabour, N. Frosst, G. Hinton, Dynamic routing between capsules, in 31st Annual Conference on Neural Information Processing Systems (NIPS), (2017), 3856–3866.
[5]	P. Kumar, R. Kumar, A. Kumar, A. Franklin, S. Garg, S. Singh, Blockchain and deep learning for secure communication in digital twin empowered industrial IOT network, IEEE T. Netw. Sci. Eng., 10 (2023), 2802–2813. https://doi.org/10.1109/TNSE.2022.3191601 doi: 10.1109/TNSE.2022.3191601
[6]	Y. Liu, T. Zhi, M. Shen, L. Wang, Y. K. Li, M. Wan, Software-defined DDoS detection with information entropy analysis and optimized deep learning, Future Gene. Comput. Syst., 129 (2022), 99–114. https://doi.org/10.1016/j.future.2021.11.009 doi: 10.1016/j.future.2021.11.009
[7]	J. Bhayo, R. Jafaq, A. Ahmed, S. Hameed, S. Shah, A time-efficient approach toward DDoS attack detection in IoT network using SDN, IEEE Int. Things J., 9 (2022), 3612–3630. https://doi.org/10.1109/JIOT.2021.3098029 doi: 10.1109/JIOT.2021.3098029
[8]	Y. Cao, H. Jiang, Y. Deng, J. Wu, P. Zhou, W. Luo, Detecting and mitigating DDoS attacks in SDN using spatial-temporal graph convolutional network, IEEE Trans. Depend. Sec. Cpmput., 19 (2022), 3855-3972. https://doi.org/10.1109/TDSC.2021.3108782 doi: 10.1109/TDSC.2021.3108782
[9]	L. Zhang, J. Wang, A hybrid method of entropy and SSAE-SVM based DDoS detection and mitigation mechanism in SDN, Comput. Secur., 115 (2022), 102604. https://doi.org/10.1016/j.cose.2022.102604 doi: 10.1016/j.cose.2022.102604
[10]	J. Wang, Y. Liu, H. Feng, IFACNN: Efficient DDoS attack detection based on improved firefly algorithm to optimize convolutional neural networks, Math. Biosci. Eng., 19 (2022), 1280–1303. https://doi.org/10.3934/mbe.2022059 doi: 10.3934/mbe.2022059
[11]	P. Chauhan, M. Atulkar, An efficient centralized DDoS attack detection approach for Software Defined Internet of Things, J. Supercomput., 79 (2023), 10386–10422. https://doi.org/10.1007/s11227-023-05072-y doi: 10.1007/s11227-023-05072-y
[12]	B. Gogoi, T. Ahmed, HTTP low and slow DoS attack detection using LSTM based deep learning, in IEEE 19th India Council International Conference (INDICON), (2022), 1–6. https://doi.org/10.1109/INDICON56171.2022.10039772
[13]	B. Nugraha, R. Murthy, Deep learning-based slow DDoS attack detection in SDN-based networks, in 2020 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN), (2020), 51–56. https://doi.org/10.1109/NFV-SDN50289.2020.9289894
[14]	N. Muraleedharan, B. Janet, A deep learning based HTTP slow DoS classification approach using flow data, ICT Express, 7 (2021), 210–214. https://doi.org/10.1016/j.icte.2020.08.005 doi: 10.1016/j.icte.2020.08.005
[15]	C. Xu, J. Shen, X. Du. Low-rate DoS attack detection method based on hybrid deep neural networks, J. Inf. Secur. Appl., 60(2021), 102879. https://doi.org/10.1016/j.jisa.2021.102879 doi: 10.1016/j.jisa.2021.102879
[16]	Y. Chen, M. Zhang, F. Xu, Slow HTTP DoS attack detection method based on one-dimensional convolutional neural network, J. Comput. Appl., 40 (2020), 2973–2979. https://doi.org/10.1109/MCG.2020.2973109 doi: 10.1109/MCG.2020.2973109
[17]	Y. Wang, R. Ye, Credibility-based countermeasure against slow HTTP DoS attacks by using SDN, in 2021 IEEE 11th Annual Computing and Communication Workshop and Conference (CCWC), (2021), 890–895. https://doi.org/10.1109/CCWC51732.2021.9375911
[18]	N. Yungaicela-Naula, C. Vargas-Rosales, J. Perez, D. Carrera, A flexible SDN-based framework for slow-rate DDoS attack mitigation by using deep reinforcement learning, J. Netw. Comput. Appl., 205 (2022), 103444. https://doi.org/10.1016/j.jnca.2022.103444 doi: 10.1016/j.jnca.2022.103444
[19]	H. Li, S. Zhang, H. Song. W. Wang, Robust malicious encrypted traffic detection based with multiple features, J. Cyber Secur., 6 (2021), 129–142.
[20]	A. Ferriyan, A. H. Thamrin, K. Takeda, J. Murai, Encrypted malicious traffic detection based on Word2Vec, Electronics, 11 (2022), 679–684. https://doi.org/10.3390/electronics11050679 doi: 10.3390/electronics11050679
[21]	Y. Gu, H. Xu, X. Zhang, Multi-granularity representation learning for encrypted malicious traffic detection, Chin. J. Comput., 46 (2023), 1888–1899.
[22]	N. Garcia, T. Alcaniz, A. Gonzalez-vidal, J. B. Bernabe, D. Rivera, A. Skarmeta, Distributed real-time SlowDoS attacks detection over encrypted traffic using artificial intelligence, J. Netw. Comput. Appl., 173 (2021), 102871. https://doi.org/10.1016/j.jnca.2020.102871 doi: 10.1016/j.jnca.2020.102871
[23]	J. Tang, L. Yang, S. Liu, Caps-LSTM: A novel hierarchical encrypted VPN network traffic indentification using CapsNet and LSTM, in 3th International Conference on Science of Cyber Security (SciSec), (2021), 139–153. https://doi.org/10.1007/978-3-030-89137-4_10
[24]	M. Lotfollahi, M. Siavoshani, R. Zade, M. Saberian, Deep packet: A novel approach for encrypted traffic classification using deep learning, Soft Comput., 24 (2020), 1999–2012. https://doi.org/10.1007/s00500-019-04030-2 doi: 10.1007/s00500-019-04030-2
[25]	S. Cui, J. Liu, C. Dong, Z. Lu, D. Du, Only Header: A reliable encrypted traffic classification framework without privacy risk, Soft Comput., 26 (2022), 13391–13403. https://doi.org/10.1007/s00500-022-07450-9 doi: 10.1007/s00500-022-07450-9
[26]	Z. Zou, J. Ge, H. Zheng, Y. Wu, C. Han, Z. Yao, Encrypted traffic classification with a convolutional long short-term memory neural network, in 20th IEEE International Conference on High Performance Computing and Communications (HPCC), (2018), 329–334.
[27]	H. Yan, J. Wang, P. Zhang, Capsule network assisted IoT traffic classification mechanism for smart cities, IEEE Int. Things J., 6 (2019), 7515–7525. https://doi.org/10.1109/JIOT.2019.2901348 doi: 10.1109/JIOT.2019.2901348
[28]	Y. Zeng, H. Gu, W. Wei, Y. Guo, Deep-full-range: A deep learning based network encrypted traffic classification and intrusion detection framework, IEEE Access, 6 (2019), 45182–45190. https://doi.org/10.1109/ACCESS.2019.2908225 doi: 10.1109/ACCESS.2019.2908225
[29]	SplitCap tool. Available from: https://www.netresec.com/index.ashx?Page = SplitCap.
[30]	B. Nunes, M. Mendoca, X. Nguyen, K. Obraczka, T. Turletti, A survey of software-defined networking: Past, present, and future of programmable networks, IEEE Commun. Surv. Tut., 16 (2014), 1617–1634. https://doi.org/10.1109/SURV.2014.012214.00180 doi: 10.1109/SURV.2014.012214.00180
[31]	R. De Oliveira, A. Shinoda, C. Schweitzer, L. Prete, Using mininet for emulation and prototyping software defined networks, in 2014 IEEE Colombian Conference on Communications and Computing (COLCOM), (2014), 1–6. https://doi.org/10.1109/ColComCon.2014.6860404
[32]	Slowhttptest Tool Source Code. Available from: https://github.com/shekyan/slowhttptest/.
[33]	D-ITG Tool User Guide. Available from: http://traffic.comics.unina.it/software/ITG/manual/
[34]	H. Jazi, H. Gonzalez, N. Stakhanova, A. Ghorbani, Detecting HTTP-based application layer DoS attacks on web servers in the presence of sampling, Comput. Netw., 121 (2017), 25–36. https://doi.org/10.1016/j.comnet.2017.03.018 doi: 10.1016/j.comnet.2017.03.018
[35]	Z. Liu, J. Yu, B. Yan, G. Wang, A deep 1-D CNN and bidirectional LSTM ensemble model with arbitration mechanism for LDDoS attack detection, IEEE Trans. Emerg. Top. Comput. Intell., 6 (2022), 1396–1410. https://doi.org/10.1109/TETCI.2022.3170515 doi: 10.1109/TETCI.2022.3170515

Reader Comments

Your name:*

Email:*
© 2024 the Author(s), licensee AIMS Press. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0)