DDOS Armour
Group Members:
Yousuf Ahmed Siddiqui (K214594)
Sufiyaan Usmani (K213195)
Syed Arham Ahmed (K214841)
Course Instructor:
Shaheer Ahmed
Contents

1 Abstract
2 Introduction
3 Literature Review
4 Methodology
4.1 LUCID Model Architecture
5 Results
6 Conclusion
1. Abstract

Distributed Denial of Service (DDoS) attacks are among the most damaging threats to today's internet, disrupting the availability of essential services. Detecting DDoS attacks poses a significant challenge due to the variety of attack methods used and the large volume of traffic that must be analyzed. In this report, we introduce a practical and lightweight DDoS detection system called LUCID, which uses Convolutional Neural Networks (CNNs) to classify traffic flows as either malicious or benign. We make several key contributions: (1) we apply CNNs to detect DDoS traffic with minimal processing overhead, (2) we develop a dataset-agnostic preprocessing mechanism to generate traffic observations for real-time attack detection, (3) we conduct activation analysis to provide insights into how LUCID classifies DDoS attacks, and (4) we validate our solution empirically on a hardware platform with limited resources. Using the most up-to-date datasets, LUCID achieves detection accuracy comparable to the current state-of-the-art methods while reducing processing time by 40 times. Our evaluation results demonstrate that the proposed approach is effective for detecting DDoS attacks in resource-constrained operational environments.

2. Introduction

DDoS attacks represent a significant threat to the internet today, disrupting vital services in both production systems and everyday life. Despite being known to the network research community since the early 1980s, our defenses against these attacks remain inadequate. A notable demonstration of the potential disruption caused by targeted DDoS attacks occurred in late 2016 when the Domain Name System (DNS) provider Dyn was attacked. This attack, executed by the Mirai botnet of unsecured Internet of Things (IoT) devices, impacted over 60 services, making it the largest DDoS attack recorded at that time, reaching 600 Gbps. Subsequently, in February 2018, GitHub experienced another major DDoS attack, peaking at a rate of 1.3 Tbps. This attack abused publicly exposed memcached servers, a popular database caching tool, as reflectors in an amplification attack with spoofed source IP addresses. These examples highlight that the scale rather than the sophistication of attacks often determines their success. In recent years, DDoS attacks have become more challenging to detect due to the diverse combination of attack approaches used. For instance, multi-vector attacks, which use multiple protocols for the DDoS, have become common. To counter the evolving techniques of attackers, more sophisticated defense mechanisms are required. Traditional signature-based intrusion detection systems are ineffective against new attacks, while statistical anomaly-based detection systems struggle with setting appropriate detection thresholds. Machine learning techniques, particularly deep learning (DL) systems, have shown promise in discriminating DDoS traffic from benign traffic by extracting high-level features from low-level packet data. However, existing DL-based approaches described in the literature are often too resource-intensive for real-world deployment, especially for online attack detection in live networks. Convolutional Neural Networks (CNNs), a specific DL technique, have gained popularity in various fields, including computer vision and natural language processing. Despite being relatively under-researched in cybersecurity, CNNs have shown promise in areas such as malware detection, code analysis, and network traffic analysis. While large CNN architectures have demonstrated state-of-the-art detection rates, there has been less focus on minimizing their size while maintaining performance in resource-constrained environments. Given the increasing use of IoT devices vulnerable to DDoS attacks, there is a need to deploy defense mechanisms closer to the edge of the network, considering both protection against attacks and resource constraints. This paper addresses the need for advanced DDoS detection capable of deployment on resource-constrained devices. Specifically, it introduces LUCID (Lightweight, Usable CNN in DDoS Detection), a DL-based DDoS detection architecture designed for online resource-constrained environments. LUCID leverages CNNs to learn the behavior of DDoS and benign traffic flows with minimal processing overhead and attack detection time. Additionally, this paper presents a dataset-agnostic preprocessing mechanism for generating traffic observations consistent with those collected in existing online systems. It also includes a kernel activation analysis to interpret and explain the features LUCID considers important when classifying DDoS attacks. Finally, the paper provides an empirical validation of LUCID on a resource-constrained hardware platform, demonstrating its applicability in edge computing scenarios.

3. Literature Review

Distributed Denial of Service (DDoS) attacks represent a persistent and evolving threat to network availability, prompting extensive research into effective detection and mitigation strategies. This section provides a comprehensive review of the existing literature, highlighting key developments, challenges, and trends in DDoS detection methodologies.
Early efforts to combat DDoS attacks focused on signature-based intrusion detection systems (IDSs), which relied on predefined patterns to identify malicious traffic. However, the inherent limitations of signature-based approaches, such as their inability to adapt to novel attack vectors, spurred the exploration of alternative detection techniques.

An emerging paradigm in DDoS detection involves the application of machine learning (ML) algorithms, particularly deep learning (DL) models, to discern patterns indicative of DDoS activity from network traffic data. DL techniques, such as Convolutional Neural Networks (CNNs), have demonstrated promising capabilities in discriminating between benign and malicious traffic, leveraging high-level feature representations learned directly from raw data.

Recent advancements in DL-based DDoS detection have focused on addressing practical challenges, including processing overhead and deployment feasibility. Notably, LUCID (Lightweight, Usable CNN in DDoS Detection) [2], the architecture adopted in this study, embodies a shift towards lightweight and efficient detection architectures tailored for resource-constrained environments.

The research landscape also encompasses innovations in traffic preprocessing techniques to enhance the efficacy of DL models in DDoS detection. By transforming raw network traffic data into structured inputs suitable for ML algorithms, preprocessing mechanisms play a crucial role in enabling real-time detection and accurate classification of DDoS attacks.

Furthermore, the evaluation of DDoS detection solutions across diverse datasets and deployment scenarios remains a critical area of investigation. Comprehensive assessments, such as those conducted in this study, provide valuable insights into the performance, robustness, and scalability of detection systems under varying conditions.

Overall, the literature underscores the evolving nature of DDoS threats and the continuous pursuit of innovative detection methodologies to mitigate their impact. The integration of DL techniques, lightweight architectures, and effective preprocessing mechanisms represents a promising avenue for advancing the state-of-the-art in DDoS detection and bolstering network resilience against malicious attacks.

4. Methodology

We present LUCID, a CNN-based solution for DDoS detection suitable for online resource-constrained environments. Our approach leverages CNNs to identify DDoS patterns efficiently, regardless of their temporal position in the input data. This section outlines the network traffic preprocessing, the LUCID model architecture, and the learning procedure.

Network traffic preprocessing involves several steps to prepare raw traffic data for input to the CNN model.

We collect network traffic data from various sources, including packet captures and network traces. From these data sources, we extract relevant attributes from each packet, such as packet size, protocol type, and timestamp. These attributes provide valuable information for detecting DDoS attacks.

To simulate the behavior of online intrusion detection systems, we segment the collected data into fixed-length time windows. Each time window contains the sequence of packets captured within a specific period, allowing the CNN model to analyze traffic flows over time.

During preprocessing, we perform feature engineering to extract meaningful features from raw packet data. This process involves transforming raw attributes into numerical representations suitable for input to the CNN model. Additionally, we normalize the extracted features to a common scale to ensure consistency and facilitate model training.

To enhance the diversity of our training data and improve model generalization, we apply data augmentation techniques. These techniques introduce variations into the training data, such as adding noise or perturbing existing samples, to produce a more robust model. Perturbations should be confined to fields where small variations are physically meaningful (timestamps, lengths, window sizes) so that augmented samples still resemble traffic that could actually occur.

Figure 1: Vision model lifecycle

4.1 LUCID Model Architecture

The LUCID model architecture comprises several layers designed to effectively capture and classify patterns in network traffic data.

Traffic flows are represented as 2-D matrices, where each row corresponds to a packet and each column represents a specific feature extracted during preprocessing. This input representation enables the CNN to learn spatial relationships between packets within the same flow.
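The preprocessing steps described above, followed through in code as an added example (this is my illustration, not code from the report or from the LUCID project): packets are sorted, cut into fixed-length time windows, grouped by 5-tuple flow, and each flow becomes a fixed-size packet-by-feature matrix scaled into [0, 1]. The packet records, the window length (10 s), the matrix height (10 packets), the protocol-layer encodings and the normalisation ranges are assumptions chosen to line up with Table 1. Using protocol field widths rather than dataset statistics as the scaling ranges is what keeps the step dataset-agnostic.

```python
"""Flow-matrix preprocessing: time windows, per-flow packet matrices, fixed-range scaling.

Added example; not code from the report or from the LUCID project. The packet
records, the 5-tuple flow key, the window length, the protocol encodings and the
normalisation ranges are assumptions chosen to match Table 1.
"""
from collections import defaultdict

# Assumed protocol-layer encoding: "highest layer" is an index, "protocols" a bitmask.
LAYERS = ["ARP", "IP", "ICMP", "UDP", "TCP", "DNS", "HTTP", "TLS"]

# Ranges come from field widths, not from any capture, so the same scaling applies
# to every dataset (assumed values).
FEATURE_RANGES = {
    "timestamp":     (0.0, 10.0),          # seconds since the flow's first packet in the window
    "pkt_len":       (0.0, 65535.0),
    "highest_layer": (0.0, float(len(LAYERS) - 1)),
    "ip_flags":      (0.0, 7.0),           # 3-bit field
    "protocols":     (0.0, float(2 ** len(LAYERS) - 1)),
    "tcp_len":       (0.0, 65535.0),
    "tcp_ack":       (0.0, 4294967295.0),
    "tcp_flags":     (0.0, 255.0),
    "tcp_win":       (0.0, 65535.0),
    "udp_len":       (0.0, 65535.0),
    "icmp_type":     (0.0, 255.0),
}
FEATURES = list(FEATURE_RANGES)


def flow_key(pkt):
    """5-tuple identifying the flow. Addresses and ports index the flow but are
    deliberately not model features, so the CNN cannot memorise attacker IPs."""
    return (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"], pkt["proto"])


def packet_features(pkt, t0):
    """Raw numeric row in FEATURES order; fields that do not apply to the packet are 0."""
    return [
        pkt["ts"] - t0,
        pkt["pkt_len"],
        LAYERS.index(pkt["highest_layer"]),
        pkt.get("ip_flags", 0),
        sum(1 << LAYERS.index(layer) for layer in pkt["protocols"]),
        pkt.get("tcp_len", 0),
        pkt.get("tcp_ack", 0),
        pkt.get("tcp_flags", 0),
        pkt.get("tcp_win", 0),
        pkt.get("udp_len", 0),
        pkt.get("icmp_type", 0),
    ]


def normalise(row):
    """Min-max scale each value into [0, 1] with the fixed ranges; clipping means a
    crafted out-of-range field cannot blow up the model input."""
    out = []
    for value, name in zip(row, FEATURES):
        lo, hi = FEATURE_RANGES[name]
        out.append(min(1.0, max(0.0, (value - lo) / (hi - lo))))
    return out


def build_samples(packets, window=10.0, n_packets=10):
    """Split packets into fixed-length time windows, group each window by flow and emit
    one n_packets x len(FEATURES) matrix per (window, flow). Rows are packets in
    arrival order; long flows are truncated, short ones zero-padded."""
    flows = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        flows[(int(pkt["ts"] // window), flow_key(pkt))].append(pkt)
    samples = []
    for (w, key), pkts in sorted(flows.items()):
        t0 = pkts[0]["ts"]
        rows = [normalise(packet_features(p, t0)) for p in pkts[:n_packets]]
        rows += [[0.0] * len(FEATURES) for _ in range(n_packets - len(rows))]
        samples.append((key, w, rows))
    return samples


def labels(samples, attacker_ips):
    """Ground-truth labels from the capture's known attacker addresses (1 = DDoS)."""
    return [1 if key[0] in attacker_ips else 0 for key, _, _ in samples]


def _tcp(ts, src, sport, dst, dport, length, flags, layer="TCP", tcp_len=0, protocols=("IP", "TCP")):
    return dict(ts=ts, src_ip=src, src_port=sport, dst_ip=dst, dst_port=dport, proto="TCP",
                pkt_len=length, highest_layer=layer, ip_flags=2, protocols=list(protocols),
                tcp_len=tcp_len, tcp_ack=0, tcp_flags=flags, tcp_win=1024)


# Constructed capture: a SYN flood from one spoofed source (12 SYNs, 10 ms apart),
# a short benign HTTP exchange, and one DNS query that falls into the second window.
SAMPLE_PACKETS = (
    [_tcp(0.01 * i, "203.0.113.7", 40000, "192.0.2.10", 80, 60, 0x02) for i in range(12)]
    + [_tcp(0.30, "192.0.2.20", 51234, "192.0.2.10", 80, 74, 0x02),
       _tcp(0.31, "192.0.2.20", 51234, "192.0.2.10", 80, 66, 0x10),
       _tcp(0.32, "192.0.2.20", 51234, "192.0.2.10", 80, 512, 0x18, "HTTP", 446, ("IP", "TCP", "HTTP")),
       _tcp(0.45, "192.0.2.20", 51234, "192.0.2.10", 80, 1514, 0x18, "HTTP", 1448, ("IP", "TCP", "HTTP"))]
    + [dict(ts=11.2, src_ip="192.0.2.20", src_port=53000, dst_ip="192.0.2.53", dst_port=53, proto="UDP",
            pkt_len=78, highest_layer="DNS", ip_flags=0, protocols=["IP", "UDP", "DNS"], udp_len=44)]
)

if __name__ == "__main__":
    for key, w, matrix in build_samples(SAMPLE_PACKETS):
        print(w, key, [round(v, 4) for v in matrix[0]])
```

Source and destination addresses and ports appear only in the flow key, never in the matrix; leaving them out stops the classifier from memorising the attacker addresses of one capture. A SYN flood with randomised source addresses produces many single-packet flows rather than one long one, which the zero padding handles in the same way.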
Feature             Description
Timestamp           Timestamp of the packet reception
Packet Length       Length of the packet in bytes
Highest Layer       Highest layer in the packet
IP Flags            Flags associated with the IP header
Source IP           Source IP address of the packet
Source Port         Source port number (if applicable)
Destination IP      Destination IP address of the packet
Destination Port    Destination port number (if applicable)
Protocols Value     Value representing the protocols in the packet
TCP Length          Length of the TCP segment (if applicable)
TCP Acknowledgment  TCP acknowledgment number (if applicable)
TCP Flags           Flags associated with the TCP segment (if applicable)
TCP Window Size     TCP window size (if applicable)
UDP Length          Length of the UDP segment (if applicable)
ICMP Type           Type of the ICMP packet (if applicable)

Table 1: Description of independent features

The convolutional layer consists of multiple filters that slide over the input matrices to extract local patterns. These filters capture dependencies between neighboring packets, allowing the model to detect DDoS-related patterns efficiently and regardless of where in the window they occur.

After convolution, max pooling layers downsample the feature maps to reduce dimensionality and retain the most relevant information. This helps the model focus on essential features while discarding irrelevant details, improving computational efficiency and generalization.

The final classification layer uses fully connected layers to map the extracted features to the output classes (benign or malicious). The model outputs a probability that a given traffic flow is associated with a DDoS attack.

Figure 2: Model Architecture

The learning procedure involves training the LUCID model on labeled network traffic data and optimizing the model parameters to minimize prediction errors.

We employ the binary cross-entropy loss function to measure the discrepancy between predicted and ground-truth labels. This loss penalizes incorrect predictions, encouraging the model to learn accurate representations of DDoS and benign traffic.

During training, we use gradient descent optimization to update the model parameters iteratively. By computing the gradient of the loss function with respect to each parameter, we adjust the parameters in the direction that minimizes the loss.

To assess the trained model, we evaluate it on a separate validation dataset. Metrics such as accuracy, precision, recall, and F1 score are used to measure the model's effectiveness in detecting DDoS attacks while minimizing false positives. Because hyperparameters are tuned against the validation split, the figures reported for a deployed model should come from a separate held-out test set.

We perform hyperparameter tuning to optimize the model's architecture and training parameters. This involves adjusting parameters such as the learning rate, batch size, and network architecture to improve model performance and convergence speed.

Once trained and validated, the LUCID model is ready for deployment in production environments. We deploy the model on edge devices or network appliances to provide real-time DDoS detection and mitigation capabilities.
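The architecture and learning procedure above, carried through end to end as an added example (my code, not the report's or the LUCID project's): a convolution whose kernels span all feature columns and slide along the packet axis, ReLU, global max pooling, a dense sigmoid output, binary cross-entropy, full-batch gradient descent with hand-derived gradients, a finite-difference gradient check, and the accuracy, precision, recall and F1 metrics. Kernel height 3, 8 filters, the ReLU activation, the learning rate and the synthetic flow matrices are assumptions; the report fixes only the layer order, the loss and the optimiser family. The example goes slightly beyond the text by writing out the backward pass, so that the gradient routing through max pooling and ReLU can be checked numerically.

```python
"""LUCID-style flow classifier (conv -> max pool -> dense sigmoid) in plain numpy.

Added example; not code from the report or from the LUCID project. Kernel height,
filter count, ReLU, learning rate and the synthetic flows are assumptions.
"""
import numpy as np


class FlowCNN:
    def __init__(self, n_features, kernel_h=3, n_filters=8, seed=0):
        rng = np.random.default_rng(seed)
        # Each filter is a kernel_h x n_features kernel: it covers every feature column
        # and slides only along the packet axis, i.e. it looks at kernel_h consecutive packets.
        self.W1 = rng.normal(0.0, 0.1, (n_filters, kernel_h, n_features))
        self.b1 = np.zeros(n_filters)
        self.W2 = rng.normal(0.0, 0.1, n_filters)
        self.b2 = 0.0

    def forward(self, X):
        """X: (N, n_packets, n_features) -> P(DDoS) with shape (N,). Caches for backward()."""
        k, h, _ = self.W1.shape
        n_windows = X.shape[1] - h + 1
        patches = np.stack([X[:, i:i + h, :] for i in range(n_windows)], axis=1)  # (N, L, h, f)
        z = np.einsum("nlhf,khf->nlk", patches, self.W1) + self.b1             # (N, L, k)
        a = np.maximum(z, 0.0)                                                   # ReLU (assumed)
        idx = a.argmax(axis=1)                                                   # global max pool
        pooled = np.take_along_axis(a, idx[:, None, :], axis=1)[:, 0, :]        # (N, k)
        p = 1.0 / (1.0 + np.exp(-(pooled @ self.W2 + self.b2)))
        self.cache = (patches, z, idx, pooled, p)
        return p

    @staticmethod
    def bce(p, y, eps=1e-7):
        """Mean binary cross-entropy; clipping keeps log() finite at p = 0 or 1."""
        p = np.clip(p, eps, 1.0 - eps)
        return float(-np.mean(y * np.log(p) + (1.0 - y) * np.log(1.0 - p)))

    def backward(self, y):
        """Gradients of the mean BCE for (W1, b1, W2, b2) from the cached forward pass."""
        patches, z, idx, pooled, p = self.cache
        d_logit = (p - y) / y.shape[0]                 # sigmoid + BCE collapse to p - y
        gW2, gb2 = pooled.T @ d_logit, d_logit.sum()
        d_z = np.zeros_like(z)                         # max pool: gradient reaches only the
        np.put_along_axis(d_z, idx[:, None, :], np.outer(d_logit, self.W2)[:, None, :], axis=1)
        d_z *= z > 0                                   # arg-max window, and only where ReLU was on
        return np.einsum("nlk,nlhf->khf", d_z, patches), d_z.sum(axis=(0, 1)), gW2, gb2

    def step(self, grads, lr):
        for name, g in zip(("W1", "b1", "W2", "b2"), grads):
            setattr(self, name, getattr(self, name) - lr * g)


def train(model, X, y, epochs=500, lr=0.1):
    """Full-batch gradient descent; returns the loss recorded at each epoch."""
    history = []
    for _ in range(epochs):
        history.append(model.bce(model.forward(X), y))
        model.step(model.backward(y), lr)
    return history


def gradient_check(model, X, y, eps=1e-6):
    """Largest |analytic - central-difference| gradient over a few W1 entries; a value
    near zero is the evidence that backward() really matches forward()."""
    model.forward(X)
    gW1 = model.backward(y)[0]
    worst = 0.0
    for index in [(0, 0, 0), (1, 2, 1), (3, 1, 0), (7, 0, 4)]:
        old = model.W1[index]
        model.W1[index] = old + eps
        loss_plus = model.bce(model.forward(X), y)
        model.W1[index] = old - eps
        loss_minus = model.bce(model.forward(X), y)
        model.W1[index] = old
        worst = max(worst, abs((loss_plus - loss_minus) / (2 * eps) - gW1[index]))
    return worst


def metrics(y_true, y_pred):
    """Accuracy, precision, recall and F1 from hard 0/1 predictions (1 = DDoS)."""
    y_true, y_pred = np.asarray(y_true), np.asarray(y_pred)
    tp = int(((y_pred == 1) & (y_true == 1)).sum())
    fp = int(((y_pred == 1) & (y_true == 0)).sum())
    fn = int(((y_pred == 0) & (y_true == 1)).sum())
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": float((y_pred == y_true).mean()), "precision": precision,
            "recall": recall, "f1": f1}


def synthetic_flows(n_flows, n_packets=10, n_features=11, seed=1):
    """Constructed, already-normalised flow matrices: even indices are SYN-flood-like
    (tiny packets, near-identical headers, sub-millisecond gaps), odd indices benign."""
    rng = np.random.default_rng(seed)
    X, y = np.zeros((n_flows, n_packets, n_features)), np.zeros(n_flows)
    for i in range(n_flows):
        attack = i % 2 == 0
        gaps = rng.uniform(0.0005, 0.002 if attack else 0.2, n_packets)
        X[i, :, 0] = np.minimum(np.cumsum(gaps), 1.0)                          # relative timestamp
        X[i, :, 1] = rng.uniform(0.0005, 0.001 if attack else 0.9, n_packets)  # packet length
        X[i, :, 2:] = rng.uniform(0.0, 0.1 if attack else 1.0, (n_packets, n_features - 2))
        y[i] = 1.0 if attack else 0.0
    return X, y


if __name__ == "__main__":
    X, y = synthetic_flows(40)
    model = FlowCNN(X.shape[2])
    print("gradient check:", gradient_check(model, X, y))
    history = train(model, X, y)
    print("loss %.3f -> %.3f" % (history[0], history[-1]))
    print(metrics(y, (model.forward(X) >= 0.5).astype(int)))
```

Global max pooling is what makes the detector position-independent: a burst of SYNs triggers the same filter whether it sits at the start or the end of the window, and only the strongest response per filter reaches the dense layer, so the number of weights stays small regardless of how many packets a window holds.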
Figure 3: Data preprocessing steps

Figure 4: Data preprocessing steps

5. Results

The DDoS Armour system, designed for real-time detection and mitigation of distributed denial-of-service (DDoS) attacks, offers a comprehensive solution through its graphical user interface (GUI). Key metrics such as the DDoS Score and DDoS Percentage are prominently displayed, allowing users to track fluctuations in threat level and the proportion of malicious traffic. Real-time monitoring of network metrics, including packets received per second and sample rates, enables swift detection of anomalies. Additionally, users can identify the source of network traffic and rely on the system's accuracy, backed by a machine learning model achieving 97.3% accuracy across the DOS2017, DOS2018, SYN2020, and DOS2019 datasets. DDoS Armour thereby provides effective protection against DDoS attacks, bolstering network security and maintaining service availability.

6. Conclusion

The persistent threat of DDoS attacks poses significant challenges to network availability worldwide. In this study, we introduced a CNN-based architecture for DDoS detection, emphasizing practicality, lightweight implementation, and efficient attack detection.

Our approach leverages the inherent advantages of CNN models, eliminating the need for threshold configuration common in statistical methods and reducing the reliance on expert feature engineering typical of alternative machine learning techniques. This simplifies deployment and enhances practicality.

Unlike existing solutions, our traffic preprocessing mechanism considers the dynamic nature of traffic flows across network devices, facilitating real-time DDoS detection. Evaluation results demonstrate that LUCID achieves state-of-the-art performance across various datasets, underscoring its stability and reliability.

Furthermore, our evaluation on resource-constrained devices highlights the adaptability of our model for deployment in challenging environments. Notably, LUCID exhibits a 40x improvement in processing time compared to similar solutions.

Finally, our activation analysis provides valuable insights into how LUCID learns to identify DDoS traffic, filling a crucial gap in existing research. This comprehensive approach enhances our understanding of DDoS detection mechanisms and contributes to the ongoing efforts to safeguard network infrastructure against malicious attacks.

References

[1] Rajeev Kumar Gupta, Vasudev Dehalwar, Ashutosh Sharma, Deepak Kumar, R. K. Pateriya. e and Engineering Department, Maulana Azad National Institute of Technology, B. https://pdf.sciencedirectassets.com/280203/1-s2.0-S1877050923X00027/1-s2.0-S187705092300217X/main.pdf?X-Amz-Security-Token=IQoJb3JpZ2luX2VjEPX [Accessed 12-05-2024].
[2] Roberto Doriguzzi-Corin, Stuart Millar, Sandra Scott-Hayward, Jesus Martinez-del-Rincon, and Domenico Siracusa. LUCID: A Practical, Lightweight Deep Learning Solution for DDoS Attack Detection. IEEE Transactions on Network and Service Management, 2020.

[3] Mahmoud Elsayed, Nhien-An Le-Khac, Soumyabrata Dev, and Anca Jurcut. DDoSNet: A Deep-Learning Model for Detecting Network Attacks. 2020.

[4] Meenakshi Mittal, Krishan Kumar, and Sunny Behal. Deep learning approaches for detecting DDoS attacks: a systematic review. Soft Computing, 27(18):1-37, 2022.