RT-SAD: Real-Time Sketch-Based Adaptive DDoS Detection for ISP Network

With the great changes in network scale and network topology, the difficulty of DDoS attack detection increases significantly. Most of the methods proposed in the past rarely considered real-time performance, adaptive ability, and other practical issues of the real-world network attack detection environment. In this paper, we propose a real-time adaptive DDoS attack detection method, RT-SAD, based on the response of the external network when it is attacked. We designed a sketch-based feature extraction method and an adaptive updating algorithm, which make the method suitable for high-speed network environments. Experiment results show that our method can detect DDoS attacks using sampled NetFlow in a high-speed network environment, with good real-time performance, low resource consumption, and high detection accuracy.


Introduction
Distributed denial of service (DDoS) attacks have been among the most difficult attacks to counter in the network. DDoS attacks can interrupt network services temporarily or even make the system break down. DDoS attacks are usually launched by botnet devices. In recent years, the number of IoT devices has increased rapidly, and these devices are more vulnerable [1] than traditional network equipment. The IoT botnet expands the scale of DDoS attacks significantly. In 2016, DNS service provider Dyn was attacked by massive numbers of IoT devices controlled by the Mirai botnet, which directly made services unavailable across a large area of the east coast of the United States. Another difficulty in defending against DDoS attacks is the rise of reflection amplification attacks. In 2018, GitHub was hit by a reflection amplification DDoS attack that leveraged the Memcached protocol vulnerability, with an amplification factor as high as 50,000 times and peak traffic of 1.35 Tbps.
According to Akamai's annual summary [2] of DDoS attacks in 2020, the number of large-scale DDoS attacks has increased significantly. In the largest DDoS attack event [3], the attack traffic reached 1.44 Tbps, and the attack was very complex: multiple mitigation methods had to be combined as quickly as possible to block it. However, for large-scale DDoS attacks, it is difficult to deploy attack detection and defense devices near the victims for effective defense. A more effective way is to collect traffic and detect DDoS attacks on the backbone network.
In the past decades, researchers have proposed many detection methods for DDoS attacks. Most of the existing methods are based on machine learning or deep learning. These methods need to train the model on a large amount of labeled network traffic data in advance to ensure the accuracy of attack detection. However, these methods have several problems: (a) New attack vectors are constantly being discovered. For example, at the end of July 2020, the FBI issued an alert [4] that CoAP, WS-DD, ARMS, and other protocols may be used to launch DDoS attacks. DDoS attacks based on new attack vectors may differ greatly in the statistical characteristics used by traditional methods, such as packet rate and packet spacing, which makes traditional methods less adaptable to different attacks. (b) Most of the models need to be trained in advance before they are used for detection. If the network environment changes, the current network traffic may no longer follow the data distribution of the pretrained model. At this point, traditional methods need to retrain the model to maintain high accuracy. However, in the scenario of attack detection on an operator's backbone network, it is very difficult to obtain labeled data and retrain the model frequently. In addition, it is also difficult to determine the right time to update the detection model. (c) In the design and performance evaluation of DDoS attack detection methods, most of the methods only consider detection accuracy, false positive rate, and false negative rate, but do not consider the real-time performance and resource consumption of the method. Although their methods can work on small DDoS attacks simulated by tools such as hping3 [5] and LOIC [6], they did not consider the performance of such methods in a real-world high-speed network environment such as an ISP network.
In order to adapt to various types of DDoS attacks in the high-speed network environment, we propose a real-time adaptive sketch-based DDoS detection method for ISP networks. The method dynamically adjusts the parameters of the detection model according to the current network situation, and realizes real-time adaptive DDoS detection in a high-speed network. Compared with previous DDoS attack detection methods, the main contributions of this paper are as follows: (1) We propose an adaptive DDoS attack detection algorithm, which can update the model adaptively according to the network situation without manually setting the detection threshold parameters in advance. (2) We collected high-speed network traffic from a real-world backbone network boundary. In addition, we sampled the network traffic at different rates to make it closer to the real-world network detection environment. (3) We evaluated our detection method comprehensively, including resource consumption and real-time performance, which rarely appeared in previous work. The rest of this paper is arranged as follows: Section 2 describes the related work. Section 3 introduces the attack detection method. Section 4 is the experiment and verification. Section 5 is the summary and prospect.

Related Work
DDoS attack detection can be classified by the deployment location of the detection points into source detection, intermediate network detection, and victim detection. Some of the work is summarized as follows: (1) For the scenario of DDoS attack detection at the attack source, Mergendahl et al. [7] proposed an improved FR-WARD method based on D-WARD for the IoT environment, which can accurately detect and defend against DDoS attacks and reduce the retransmission overhead of benign IoT devices. Tang et al. [8] proposed a framework, FDDA, for fast detection and defense of DDoS attacks in the web application environment. They used the DBSCAN method to establish the blacklist in the scanning stage, which makes attack mitigation faster. Biswas et al. [9] proposed a DDoS attack detection method based on behavior similarity between virtual machines for DDoS attacks in the data center.
(2) For the scenario of DDoS attack detection at the victim end, Rahmani et al. [10] proposed a statistical method based on network anomaly and the joint entropy of multiservice distribution, which judges the occurrence of attacks by measuring the statistical correlation between the time series of the number of IP flows and the total traffic size. Compared with methods using only the traffic size, this method has fewer false positives. Mallikarjunan et al. [11] used PCA to reduce the dimension of features and tested the accuracy of machine learning algorithms such as naive Bayes, J48, and random forest on a data set created by the authors. The results show that naive Bayes performs better. Aamir et al. [12] used a semisupervised machine learning method to cluster the data using traffic rate, processing delay, and CPU utilization information collected by the victim.
(3) For the scenario of DDoS attack detection in the intermediate network, Barati et al. [13] proposed a DDoS attack detection algorithm based on hybrid machine learning. The method uses a genetic algorithm to select features and the multilayer perceptron (MLP) in an ANN to detect attacks. The accuracy of the algorithm is higher than that of a simple machine learning algorithm. Yusof et al. [14] proposed an attack detection method, PTA-SVM, by combining SVM with the packet threshold algorithm (PTA). Compared with improved k-means and logistic regression techniques, the PTA-SVM method has a lower false alarm rate and higher accuracy.
Attack detection in ISP-level large-scale network environments is a typical example of intermediate network detection. Compared with the other two attack scenarios, more network traffic data can be obtained in intermediate network detection, which makes the detection more accurate and flexible. However, at the same time, the network traffic collected in the intermediate network is larger and the flow rate is higher, which places higher requirements on feature storage and calculation.
Many researchers focus on sampling technology for the measurement and statistics of high-speed networks. Ujjan et al. [15] used deep learning, with sFlow sampling and adaptive polling sampling, to detect DDoS attacks. Biswas et al. [9] proposed a flow grouping method based on the behavior similarity between virtual machines and combined it with an optimization solver to choose a better sampling rate. The main work of our paper focuses on the use of lightweight features and sketches to achieve high-speed network traffic processing.
In the implementation of DDoS attack detection methods, most of the methods are based on machine learning. Zekri et al. [16] proposed an attack detection algorithm based on decision trees in the cloud environment. Both Hou et al. [17] and Filho et al. [18] used the random forest method to identify attacks. The method proposed by Idhammad et al. [19] combines entropy estimation with Extra-Trees to detect DDoS attacks.
In addition, some researchers have compared different machine learning methods. For example, Priya et al. [20] used three classification algorithms, KNN, random forest, and naive Bayes, to detect DDoS attacks based on the features of incremental time and packet size. Saini et al. [21] used the random forest, naive Bayes, and J48 algorithms to detect attacks, and the J48 algorithm produced the best results.
There are also some works based on deep learning. The method proposed by Doshi et al. [22] uses a combination of deep learning and support vector machines to detect attacks. Yuan et al. [23] proposed a DDoS attack detection method based on the recurrent neural network (RNN).
Since most of these methods are supervised or semisupervised, it is time-consuming to train the classifier on a large amount of network traffic data. Therefore, real-time detection is not guaranteed if the algorithm is deployed in a high-speed network.
Given the above, we propose a real-time sketch-based adaptive DDoS detection method. We address the more practical issues of real-world detection, such as real-time performance and adaptive ability in the high-speed network environment.

Real-Time Sketch-Based Adaptive DDoS Detection
In this paper, we designed an adaptive DDoS attack detection method named RT-SAD, which is based on the asymmetry of network traffic when DDoS attacks occur. This section is divided into four parts. Firstly, we describe the overall framework of the detection method. Secondly, we explain the principle of attack detection. Finally, we introduce the realization of the two core functions: feature statistics and model updating.

Overview.
The overall architecture of this DDoS detection system is shown in Figure 1. The system is mainly composed of the feature statistics module, the attack detection module, and the model updating module, all of which are implemented on top of sketches.
In the detection process, the flow records arriving within a fixed time interval form a time window. When each flow record in the time window arrives, it first goes through the feature statistics module. Two sketch tables in this module work together to compute and update the asymmetric flow features. After the feature statistics, the attack detection module uses three sketch tables to detect the attack. The three tables used in the detection module are dynamically updated. After the detection module has processed all the flow records in a time window, the model updating module starts to work. This module updates the predicted value and threshold of the current window by learning the features of the history windows. The updated predicted value and threshold are then used for attack detection in the next time window. The meanings and functions of the five sketch tables in the detection system are shown in Table 1.
In the next part of the article, we introduce the principle of attack detection in detail.

Attack Detection.
In the client-server network communication model, there are both requests and responses. When the server suffers a DDoS attack, the request traffic sent by the botnet is much larger than the response traffic returned by the server, because the attacker wants to exhaust the resources of the server as far as possible. The network traffic between clients and the server therefore becomes asymmetric.
In order to quantify the asymmetry of network flows, we propose a quantitative measure of asymmetry. We use a pair of IP addresses to represent a flow record. As shown in Figure 2, there is bidirectional data transfer between IP-A and IP-C, so the request from A to C is considered normal. As for IP-B and IP-C, there is only traffic from B to C and no traffic from C to B, so the traffic between IP-B and IP-C is considered asymmetric, and in the current time window the asymmetric flow feature of IP-C is increased by 1.
After analyzing real network traffic, we found that when a DDoS attack occurs, the victim server usually cannot respond to all the clients. There will be a large number of one-way flows whose destination address is the victim host.
That is, when a DDoS attack occurs, the value of the asymmetric feature corresponding to some IP addresses will be significantly higher than in the normal situation, as shown in Figure 3. In this paper, we mainly use the asymmetry of traffic to detect DDoS attacks. The complete attack detection process is shown in Figure 4. There are two important parts of the detection process. One is the feature statistics and attack detection performed when each flow record arrives, and the other is the model updating process, including the predicted value update and threshold update at the end of the current time window.
(1) When a flow record (SIP and DIP) arrives at the detection system, the system first updates the feature corresponding to the DIP in the current window. Then the system uses the feature of the DIP, together with the predicted value and the threshold calculated from the features in the history windows, to identify whether the destination IP address in the current flow record is suffering a DDoS attack. The system issues an attack warning for the victim IP if the detection result is true.
(2) At the end of the current time window, the system updates the predicted value and threshold of the feature corresponding to the flow records. The update is only performed for normal IPs without an attack warning; the features of attacked IPs are not updated until they return to normal. The specific detection method is shown in Algorithm 1. The next part of this paper describes the algorithm and implementation of feature statistics and model updating.

Sketch-Based Estimation of Asymmetric Flows.
As shown in Figure 1, we use two sketch tables, Stat_Asym and Stat_Exist, to record and update the asymmetric flow features corresponding to each IP in the current time window. More specifically, Stat_Asym records the actual asymmetric flow value of each IP, and Stat_Exist records the existence of IP pairs (SIP and DIP). Figure 5 shows the statistics and update rules of the features. When a flow record arrives, the system updates Stat_Asym according to the existence of the IP pair recorded in Stat_Exist.
More specifically, for an arriving flow record (SIP and DIP), the system looks up Stat_Exist[SIP|DIP] and Stat_Exist[DIP|SIP], which represent the existence of the two tuples (SIP, DIP) and (DIP, SIP), and updates the current asymmetric feature according to the existence conditions of these IP pairs. The value of Stat_Exist represents the existence of an IP pair. If Stat_Exist[SIP|DIP] is 0, the traffic corresponding to the tuple (SIP, DIP) has not appeared in this time window. If the value is greater than 0, the traffic corresponding to the tuple (SIP, DIP) has already appeared in this time window.
There are four combinations of Stat_Exist[SIP|DIP] and Stat_Exist[DIP|SIP]. In the attack detection process, we mainly focus on whether the destination IP is attacked; that is, we mainly consider the asymmetric feature of the DIP, so the system only needs to update Stat_Exist in some of the cases. The specific update algorithm is shown in Algorithm 2.
After the above steps, the statistics and updates of features are completed. Sketch Stat_Asym[DIP] represents the feature value corresponding to DIP in the current time window.
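The feature statistics module described above, as an added example that is not code from the paper. It assumes a Count-Min sketch for both tables (the paper does not say which sketch variant it uses) and my reading of the four-case rule of Algorithm 2, which is not reproduced on the page: a first-seen pair credits one asymmetric flow to the DIP, and the arrival of the reverse direction withdraws that credit; the flow records are constructed.

```python
import hashlib


class CountMinSketch:
    """Count-Min sketch: `depth` rows of `width` counters, estimate = min over rows.
    It never under-counts, so an estimate of 0 means the key was never added."""

    def __init__(self, width=1 << 12, depth=4):
        self.width, self.depth = width, depth
        self.rows = [[0] * width for _ in range(depth)]

    def _index(self, key, row):
        # One independent hash per row: seed the digest with the row number.
        digest = hashlib.sha256(b"%d:" % row + key.encode()).digest()
        return int.from_bytes(digest[:8], "big") % self.width

    def add(self, key, delta=1):
        for row in range(self.depth):
            self.rows[row][self._index(key, row)] += delta

    def get(self, key):
        # Clamp at 0: a decrement applied after a hash collision could dip below 0.
        return max(0, min(self.rows[row][self._index(key, row)]
                          for row in range(self.depth)))


class AsymmetryStats:
    """Feature statistics module: Stat_Exist tracks the SIP|DIP pairs seen in the
    current window, Stat_Asym holds the one-way flow count credited to each IP."""

    def __init__(self, width=1 << 12, depth=4):
        self.stat_exist = CountMinSketch(width, depth)
        self.stat_asym = CountMinSketch(width, depth)

    def update(self, sip, dip):
        fwd = self.stat_exist.get(f"{sip}|{dip}")
        rev = self.stat_exist.get(f"{dip}|{sip}")
        if fwd == 0 and rev == 0:
            # First flow between this pair: one-way so far, credit the DIP (assumed rule).
            self.stat_asym.add(dip, 1)
            self.stat_exist.add(f"{sip}|{dip}", 1)
        elif fwd == 0 and rev > 0:
            # Reverse direction already seen: the pair is now bidirectional, so
            # withdraw the credit given to SIP when it was the DIP of the reverse flow.
            self.stat_asym.add(sip, -1)
            self.stat_exist.add(f"{sip}|{dip}", 1)
        # fwd > 0: this direction is already accounted for; nothing changes.

    def asym(self, ip):
        """Stat_Asym[ip]: the asymmetric flow feature for this window."""
        return self.stat_asym.get(ip)


def simulate_window():
    """Constructed one-window sample: A<->C is bidirectional, B->C is one-way,
    and 50 constructed bot addresses each send a one-way flow to C."""
    stats = AsymmetryStats()
    flows = [("10.0.0.1", "10.0.0.3"), ("10.0.0.3", "10.0.0.1"),  # A->C, C->A
             ("10.0.0.2", "10.0.0.3"), ("10.0.0.1", "10.0.0.3")]  # B->C, A->C again
    flows += [(f"192.0.2.{i}", "10.0.0.3") for i in range(1, 51)]  # bots -> C
    for sip, dip in flows:
        stats.update(sip, dip)
    return {ip: stats.asym(ip) for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3")}
```

With this rule C ends the window with 51 asymmetric flows (B plus 50 bots) while A, whose exchange with C was answered, ends with 0.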

Model Updating.
At the end of the current time window, the detection system updates the predicted value, the threshold, and the model parameters. In the system implementation, the sketch table Detect_Thld stores the threshold, and the calculation of the threshold depends on the sequence of historical residuals (res_1, res_2, ..., res_n).
The residual of an IP in time window m, res_m, is the difference between the feature value and the predicted feature value.
The threshold corresponding to an IP in the current window is calculated by the three-sigma rule, as shown in the following equation, where residual refers to the sequence of historical residuals (res_1, res_2, ..., res_n), mean(residual) is the average of the historical residual sequence, and std_dev(residual) is the standard deviation of the historical residual sequence.
For the storage and update of the dynamic threshold, if the historical residuals of all IPs in the past n windows were recorded in full and the mean and variance of the residuals then calculated, too much storage space would be consumed. Therefore, in order to save resources as much as possible, the residual values of the latest n historical time windows are not recorded directly; instead, the threshold values are updated by a rolling update, and the variance and mean over multiple historical windows are replaced by progressive (online) variance and mean values. In this paper, the online mean and variance algorithm proposed by Welford [24] is used. The mean update formula is shown below, where X is a random variable, x is the nth number of X, and mean_n(X) represents the mean of the first n numbers in X. The progressive variance calculation is shown next, where X is a random variable, x is the nth number of X, mean_n(X) represents the mean of the first n numbers in X, and Var_n(X) represents the variance of the first n numbers in X.
In order to improve the calculation accuracy, only the intermediate value VarD_n(X) is recorded, from which the variance is calculated. Therefore, to update the mean and variance we only need to record the progressive mean, the progressive intermediate variance value, and the number of cycles.
In the process of threshold calculation, the predicted value used in the calculation also needs to be updated adaptively. The system uses the table Detect_Pred to record and update the predicted value. The update rule adopts the simple and efficient single exponential smoothing method, shown below, where predAsymVal_old[IP] is the previous predicted value of the asymmetric flow feature of the current IP, predAsymVal_new[IP] is the new one, and currAsymVal is the number of asymmetric flows corresponding to the IP in the current window. The value of the parameter α in the single exponential smoothing formula is usually set to a specific value between 0.3 and 0.7, but this setting method does not take into account changes in the current traffic and detection situation. The method in this paper updates α by learning from the historical traffic with a specific strategy. The parameter update algorithm is shown in Algorithm 3. This strategy for updating α lets the system recover as soon as possible after a false positive occurs, reducing the chance that one false positive causes a run of continuous false positives.
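The model updating step above (three-sigma threshold over the residual history, Welford's progressive mean and VarD_n, single exponential smoothing of the predicted value, and freezing the model while an IP is under attack), as an added example that is not code from the paper. It keeps per-IP state in a plain dataclass instead of the Detect_Pred / Detect_Thld sketches, uses the population variance VarD_n / n, flags an attack when the residual exceeds the threshold, and, since Algorithm 3 is not on the page, substitutes a hypothetical α policy: α jumps to 0.7 when an IP returns to normal and relaxes back to 0.3 over calm windows; the per-window counts are constructed.

```python
import math
from dataclasses import dataclass

ALPHA_MIN, ALPHA_MAX, ALPHA_DECAY = 0.3, 0.7, 0.1  # hypothetical alpha policy


@dataclass
class IPModel:
    """Per-IP state carried across windows (the Detect_Pred / Detect_Thld entries)."""
    pred: float = 0.0      # predAsymVal[IP], single-exponential-smoothing forecast
    mean: float = 0.0      # mean_n of the residual sequence (Welford)
    vard: float = 0.0      # VarD_n: running sum of squared deviations (Welford)
    n: int = 0             # number of residuals folded into mean/vard
    alpha: float = ALPHA_MIN
    alarmed: bool = False

    def threshold(self):
        """Three-sigma rule over the residual history; infinite until history exists."""
        if self.n == 0:
            return math.inf
        return self.mean + 3.0 * math.sqrt(self.vard / self.n)  # population variance

    def detect(self, curr):
        """Attack if the residual (feature minus prediction) exceeds the threshold."""
        return curr - self.pred > self.threshold()

    def end_of_window(self, curr, attacked):
        """Model updating run once per window for this IP."""
        if attacked:
            self.alarmed = True        # freeze the model while the IP is under attack
            return
        if self.alarmed:
            self.alarmed = False       # back to normal: converge quickly on the new level
            self.alpha = ALPHA_MAX
        res = curr - self.pred
        # Welford's online update: mean_n and VarD_n from the previous values only.
        self.n += 1
        delta = res - self.mean
        self.mean += delta / self.n
        self.vard += delta * (res - self.mean)
        # Single exponential smoothing of the predicted value.
        self.pred = self.alpha * curr + (1.0 - self.alpha) * self.pred
        # Calm window: let alpha relax back toward its floor.
        self.alpha = max(ALPHA_MIN, self.alpha - ALPHA_DECAY)


def run_windows(series):
    """Feed one IP's per-window asymmetric flow counts; return (alarm flags, model)."""
    model = IPModel()
    flags = []
    for curr in series:
        attacked = model.detect(curr)
        flags.append(attacked)
        model.end_of_window(curr, attacked)
    return flags, model


# Constructed sample: four quiet windows, one flood, then a return to normal.
SAMPLE = [10, 12, 11, 13, 500, 11]
```

On SAMPLE the fifth window is flagged, the model is left untouched during it, and the sixth window is processed with the recovery α of 0.7.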

Dataset.
The experiment dataset is a mixture of background network traffic collected from a real-world backbone network and attack traffic generated by a stress testing tool: (1) In the mixed traffic, the background traffic data were collected from the CERNET backbone network for 60 minutes. In addition, we only intercepted the first 64 bytes of each packet. The intercepted data are about 83 GB, the total amount of original data is about 1373 GB, and the actual flow rate is about 3 Gbps. See Table 2.

Evaluation Criteria.
Our solution uses the sliding window method in the detection process, so we use the time window as the unit to evaluate our experiment results. In the whole attack detection process, there are four kinds of detection results relative to the actual data for the current window, as shown in Table 3.
In each subsequent experiment, we use three indicators to evaluate the effectiveness of the method, namely, accuracy rate (AR), false positive rate (FPR), and false negative rate (MR).

Resource Evaluation.
In this paper, the sampling technique and probabilistic data structures used in high-speed network measurement are employed to optimize the cost of storage and computing resources. In order to evaluate the resource cost of the proposed algorithm, we conducted two experiments: a sampling rate experiment and a sketch size experiment. The sketch experiment evaluates the detection performance of the algorithm when using different sizes of sketch data structures. The sampling rate experiment evaluates the detection performance of the algorithm on network traffic data with different sampling rates. The size of the sketch has an impact on the accuracy of the detection algorithm. Therefore, our sketch resource consumption experiment compares the detection performance of the algorithm at a fixed sampling rate with different sketch sizes. The sampling rate of the experiment data is 10 : 1, and the size of the sliding window is 1 second. Under this configuration, the number of flows per second is about 9000 without attack and 17,000 under attack. Therefore, the sketch size is set to the following five groups, ranging from 2^12 (4K) to 2^15 (32K). The experiment results are shown in Table 4.
Under this condition, when the sketch size is 2^13 or higher, the algorithm achieves better results. At the same time, better performance requires more storage resources. In practice, an appropriate sketch size must be selected according to the current network flow speed and the current hardware performance.
In the case of a high-speed network, the performance of the detection algorithm depends not only on the complexity of the algorithm itself but also, to a great extent, on the current flow speed. In order to match the network flow speed to the processing speed of the algorithm as closely as possible, we conducted four groups of experiments using the mixed network flow with different sampling rates: 10 : 1, 20 : 1, 100 : 1, and 200 : 1.
The size of the sketch is 2^15, and the size of the detection window is 1 second. Table 5 shows the performance results of the detection algorithm under different sampling rates.
It can be seen from the experiment results that when the algorithm configuration is appropriate, it has good detection performance for different sampling rates of network traffic.

Real-Time DDoS Detection.
In order to evaluate the real-time performance of the algorithm for DDoS attack detection, we designed a real-time evaluation experiment. We take the time from the occurrence of the attack to the alarm of the detection algorithm as the measurement criterion. We tested the detection time of the current algorithm at different sampling rates, and the experiment results are shown in Table 6.
From the experiment results, it can be seen that in the current experiment the algorithm has good real-time performance for the different sampling rates of network traffic. In addition, as the sampling ratio increases, the number of flows per unit time decreases, so the processing efficiency of the algorithm increases and the detection time decreases.

Results on Different DDoS Attack Detection.
In order to evaluate the applicability of our algorithm to different DDoS attacks, we designed an attack detection applicability experiment. In this experiment, we generate attack traffic for each attack type and mix it into the background traffic separately to measure the detection performance. The results for the different attacks are shown in Table 7, with a sketch size of 2^15 and a sampling rate of 10 : 1.

Conclusions
Given the current threat of DDoS attacks, we propose a real-time sketch-based DDoS attack detection method for intermediate networks. In this paper, the sketch is used to record and update the features needed for attack detection, and the adaptive threshold of the feature is dynamically updated from the historical network traffic. The experiment results show that the method performs well in accuracy, resource consumption, and real-time performance. At the same time, the method still leaves room for improvement, such as adaptive network traffic sampling and adaptive adjustment of the sketch size as the network situation changes. This is also the content of our future work.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.