Recently, D/DoS attacks have been launched by zombie IoT devices in smart home networks. They pose a great threat to network systems, with Application Layer DDoS attacks being especially hard to detect due to their stealth and seeming legitimacy. In this paper, we propose ForChaos, a lightweight detection algorithm for IoT devices, based on forecasting and chaos theory, to identify flooding and DDoS attacks. For every time-series behaviour collected, a forecast is generated with a forecasting technique based on a number of features, and the error between the forecast and the actual value is calculated. To assess this error, the Lyapunov exponent is used to detect potential malicious behaviour. In NS-3 we evaluate our detection algorithm through a series of experiments with flooding and slow-rate DDoS attacks. The results are presented and discussed in detail and compared with related studies, demonstrating its effectiveness and robustness.
Smart Homes consist of a great number of different devices, all deployed in a single network, monitoring the environment and collecting and sharing important data and information with the owners, with other smart IoT devices, and with external services through internal and external networks. The node responsible for this communication is the Energy Services Interface (ESI). It acts as a bidirectional interface through which information is exchanged between the Smart Home and external domains. Furthermore, it protects internal energy resources from security failures and ensures secure internal communication between the devices deployed in the Smart Home. The ESI’s importance to the Smart Home and to the outside domains makes it an excellent target for cyberattacks.
DDoS attacks can be conducted across all the layers of the TCP/IP model. Application layer DDoS attacks are much harder to detect efficiently and accurately than their counterparts in lower layers, as they do not violate any protocol rules or exhibit any visibly malicious behaviour. The TCP connections are established successfully and normal requests are sent to the target, in contrast to DDoS attacks in lower layers such as SYN flooding, which sends a burst of SYN packets without acknowledging the SYN,ACK packets sent by the server. Application Layer Flooding instead sends a burst of legitimate requests to the server, which the server cannot refuse to answer. As a result, it becomes unresponsive due to the great amount of incoming requests.
On the contrary, a Slow-Rate Application Layer DDoS attack exploits a server’s willingness to wait, for a period of time, for a connection to be completed, on the assumption that the incoming connection is legitimately slow. As long as the client manages to send a subsequent packet in an attempt to complete the request, the server is obliged to keep the connection open. Based on that, the slow-rate attack opens a great number of connections and initiates requests that it never completes. As time passes, more and more connections are open, and the target once again becomes unresponsive.
Such attacks can vary in how they are conducted, as there is no fixed behaviour. As a result, traditional signature-based detection techniques are bound to fail. Anomaly detection is the obvious solution for detecting Application Layer DDoS attacks, both flooding and slow-rate, in heterogeneous networks such as the Smart Home network. The security system must be able to identify large deviations of the traffic from the expected normal behaviour while also being robust against temporary, legitimate spikes.
One way of detecting such attacks is to consider the behaviour of the attack holistically over time. “Time” is what differentiates this malicious behaviour from normal behaviour and allows it to be classified as an attack. The anomaly-detection solution must therefore be able to detect changes in the behaviour of the network by monitoring it over a set of time-series intervals.
Due to the nature of the attacks described above, it is evident that the detection algorithm must closely monitor the present short-term traffic and not base its knowledge on the long-term past behaviour of the system. The reason is that, time being such a volatile quantity and the traffic being heterogeneous, the network traffic generated can differ from its past history and still be legitimate.
Therefore, we must predict what the future short-time-interval traffic is based on present or short-time-interval previous behaviour of the system and not just classify the present network traffic monitoring based on long-term previous fixed behaviour of the system. It is important to avoid incorrectly classifying a behaviour as malicious simply because it is not similar to the history of the network. Our detection algorithm makes use of forecasting techniques to make short-term predictions and identify the attacks through the construction of Lyapunov exponents for every time-series interval.
The remainder of this paper is organized as follows: Section
Various forecasting techniques have been proposed and used in the past for the effective detection of DDoS attacks. The most popular are Moving Average (MA), Weighted Moving Average (WMA), Simple Exponential Smoothing (SES), also called Exponentially Weighted Moving Average (EWMA), Double Exponential Smoothing (DES), and Triple Exponential Smoothing (TES), also called Holt-Winters smoothing. MA and WMA make a forecast based solely on previous observations, while the remaining techniques consider both past observations and past forecasts.
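As an added illustration (not code from the paper), the four non-seasonal techniques listed above applied to one constructed series of per-window request counts. MA and WMA look only at the last n observations, whereas SES and DES carry every previous forecast forward through their smoothed state, which is the distinction drawn above. The smoothing parameters, the window length n, and the request counts are assumed values; TES (Holt-Winters) is omitted because it needs a seasonal period that the text does not specify.

```python
# Added example: forecasting families compared on one constructed series.

def moving_average(series, n):
    """MA: the forecast is the plain mean of the last n observations (observations only)."""
    window = series[-n:]
    return sum(window) / len(window)


def weighted_moving_average(series, n):
    """WMA: the last n observations weighted 1..n, the most recent weighted heaviest."""
    window = series[-n:]
    weights = range(1, len(window) + 1)
    return sum(w * x for w, x in zip(weights, window)) / sum(weights)


def simple_exponential_smoothing(series, alpha):
    """SES / EWMA: each forecast blends the new observation with the previous forecast,
    so every past forecast is carried forward with geometrically decaying weight."""
    forecast = series[0]
    for x in series[1:]:
        forecast = alpha * x + (1 - alpha) * forecast
    return forecast


def double_exponential_smoothing(series, alpha, beta):
    """DES (Holt's linear method): smooths a level and a trend; the one-step forecast is
    level + trend. Trend is initialised from the first two observations (an assumption)."""
    level, trend = series[0], series[1] - series[0]
    for x in series[1:]:
        prev_level = level
        level = alpha * x + (1 - alpha) * (level + trend)
        trend = beta * (level - prev_level) + (1 - beta) * trend
    return level + trend


# Constructed request counts, one per time-series window (assumed values).
REQUESTS_PER_WINDOW = [10, 12, 11, 13, 12, 14]


def all_forecasts(series=REQUESTS_PER_WINDOW):
    """Next-window forecast from each technique, with assumed n = 3, alpha = beta = 0.5."""
    return {
        "MA(3)": moving_average(series, 3),
        "WMA(3)": weighted_moving_average(series, 3),
        "SES(0.5)": simple_exponential_smoothing(series, 0.5),
        "DES(0.5,0.5)": double_exponential_smoothing(series, 0.5, 0.5),
    }


if __name__ == "__main__":
    for name, value in all_forecasts().items():
        print(f"{name:>13}: {value:.4f}")
```

Note how MA and WMA ignore everything before the last three windows, while SES and DES still carry the influence of the first observation through the smoothed state; that memory of past forecasts is what the paper relies on when it excludes MA and WMA later.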
The authors in [
The authors in [
After a series of experiments and adjustments (a window size of 100 seconds with an overlap of either 50% or 80%), their algorithm generates no false positives and manages to detect 10 different types of attack scenario. However, they do not discuss whether their algorithm generates any FNs in these scenarios, which is quite important, especially since in previous experiments their algorithm was not able to detect the attack at its start time but only 200 seconds after it was initiated.
In [
In [
In [
Besides mean square error and entropy, another way to assess the error of forecasts is chaos theory and Lyapunov exponents. Chaos theory is an area of mathematics that studies nonlinear phenomena that are hard or nearly impossible to predict. More specifically, it studies complex dynamical systems that are sensitive to initial conditions: a small change in the initial conditions can cause crucial changes in the outcome of the system, which is also known as the butterfly effect. This means that even deterministic systems, which depend entirely on their initial conditions without any random element, cannot have their future predicted. Such behaviour is described as chaotic, or simply as chaos.
In [
The authors in [
As discussed in the studies mentioned above, there are multiple ways of assessing the error that forecasting algorithms produce on each forecast, the most popular being mean square error, entropy, and Lyapunov exponents. However, there is a major difference between Lyapunov exponents on the one hand and mean square error and entropy on the other. With square error or entropy measures a threshold must be assumed, whereas a positive Lyapunov exponent by itself indicates chaos. In forecasting, a positive Lyapunov exponent indicates that the distance between the actual value and the forecast one is high: the network traffic orbit is both chaotic and unstable, meaning that nearby points diverge to an arbitrary separation, so the change in traffic is attributed to an attack. A negative Lyapunov exponent shows that the error is not chaotic, because the difference between the forecast and the actual observation is small.
A nonchaotic error indicates normal behaviour. The network traffic orbits are attracted back to a stable fixed point from which they diverge when new legitimate traffic enters the system; hence, the change in traffic is not due to an attack. On the contrary, in the case of an attack, the network traffic orbits are not attracted to a stable fixed point.
Below we explain the basic mathematical concepts that have been used in the structure of ForChaos Algorithm.
Most of the studies using forecasting techniques against DDoS attacks mentioned in the previous section make use of a single feature for prediction and detect possible deviations in the number of packets, the number of packets per IP, the packet flags, and so on. However, these studies focus on detecting DDoS attacks in lower layers and not in the application layer. A single feature is unlikely to produce satisfactory results at the application layer, since Application Layer DDoS attacks do not violate any protocol rules and do not produce malformed packets. Therefore, we have designed a new set of features to detect Application Layer Flooding and slow-rate DDoS attacks. All of the features (Table
List of features.

| Feature | Description |
|---|---|
| Requests No | Total number of requests in a time-series interval |
| Packets No | Total number of packets in a time-series interval |
| Data Rate | Average data rate in Megabits in a time-series interval |
| Avg Packet Size | Average packet size in a time-series interval |
| Avg Time Betw Requests | Average time between two requests in a time-series interval |
| Avg Time Betw Response & Request | Average time between the response and the first request encountered in a time-series interval |
| Avg Time Betw Responses | Average time between two responses in a time-series interval |
| Parallel Requests | Total number of parallel requests in a time-series interval |
We choose to exclude MA and WMA because we believe that in order for a forecasting model to make effective and accurate forecasts it must have a balance between past forecasting and observations. Our argument is supported by [
In an observed time series consisting of observations
To measure a system’s sensitivity to initial conditions, Lyapunov exponents are used. A Lyapunov exponent of a dynamical system is a metric that describes how trajectories that start incredibly close together separate over time. The Lyapunov exponent is calculated using (
It is inevitable that every forecasting system will produce a series of errors between its predictions and the observed values. The error at every time interval
At every time interval we will have one forecast for each of the features and therefore an equivalent amount of errors. We define the total error from all the features as
It is important for these errors to be correctly analysed so that malicious behaviour can be accurately and quickly identified. When an error occurs between the actual observed value and the corresponding forecast, it means that either there is an attack or there is just a temporary unexpected value that is still legitimate. We choose the Lyapunov exponent as the means to analyse the errors encountered and classify them as chaotic or nonchaotic. The local Lyapunov exponent is calculated as shown
A positive Lyapunov exponent indicates a chaotic behaviour at time instant
Based on the mathematical concepts described above, we have constructed the ForChaos Algorithm
(ForChaos Algorithm: the 11-line pseudocode listing is not reproduced here.)
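Since the equations and the pseudocode did not survive on this page, the following is an added Python sketch of the ForChaos loop as the text describes it, not the authors' code. It assumes: SES with alpha = 0.5 as the forecaster; the total error as the sum over features of the relative absolute forecast errors; and the local Lyapunov exponent as the log ratio of consecutive total errors, so that a positive value (error diverging) raises an alert while a negative value (error converging back towards the forecast) does not. The feature windows are constructed, use the reduced four-feature set named later in the paper, and the first three windows stand in for the training period.

```python
# Added example: ForChaos-style detection loop (SES forecast -> error -> local Lyapunov sign).
import math

WINDOW_SECONDS = 30
EPS = 1e-9  # floor so the log ratio stays defined when an error is exactly zero

# Constructed per-window feature values (assumed, not measured). Windows 0-4 are steady
# normal traffic; windows 5-6 are a flooding attack: packets, data rate and parallel
# requests jump while the average packet size drops.
FEATURES = {
    "packets":   [1200, 1220, 1218, 1217, 1217, 9000, 9100],
    "data_rate": [0.166, 0.169, 0.168, 0.1685, 0.1685, 1.25, 1.26],  # Mbps
    "avg_pkt":   [520, 520, 520, 520, 520, 300, 300],                 # bytes
    "parallel":  [3, 3, 3, 3, 3, 40, 42],
}


def ses_update(forecast, observation, alpha):
    """Simple exponential smoothing: the next forecast blends observation and old forecast."""
    return alpha * observation + (1.0 - alpha) * forecast


def total_error(observed, forecast):
    """Assumed aggregation: sum over features of the relative absolute forecast error.
    Relative errors keep features of very different scale (bytes vs. Mbps) comparable."""
    return sum(abs(observed[f] - forecast[f]) / (abs(forecast[f]) + EPS) for f in observed)


def local_lyapunov(err_now, err_prev):
    """Assumed local Lyapunov estimate: log growth rate of the total error between two
    consecutive windows. Positive = error diverging (chaotic), negative = error shrinking."""
    return math.log((err_now + EPS) / (err_prev + EPS))


def forchaos(features, alpha=0.5, training_windows=3):
    """Run the detection loop; returns (alerted window indices, per-window trace).
    Forecasts and errors are updated during training, but no alert is raised there."""
    names = list(features)
    n = len(features[names[0]])
    forecast = {f: features[f][0] for f in names}  # seed each forecast with window 0
    prev_err = None
    alerts, trace = [], []
    for t in range(n):
        observed = {f: features[f][t] for f in names}
        err = total_error(observed, forecast) if t > 0 else None
        lam = None
        if err is not None and prev_err is not None:
            lam = local_lyapunov(err, prev_err)
        alert = lam is not None and lam > 0 and t >= training_windows
        if alert:
            alerts.append(t)
        trace.append({"window": t, "start_s": t * WINDOW_SECONDS,
                      "total_error": err, "lyapunov": lam, "alert": alert})
        # Advance every feature's forecast with the window just observed.
        forecast = {f: ses_update(forecast[f], observed[f], alpha) for f in names}
        if err is not None:
            prev_err = err
    return alerts, trace


if __name__ == "__main__":
    alerts, trace = forchaos(FEATURES)
    for row in trace:
        print(row)
    print("alerts at windows:", alerts)  # the flood onset, window 5 (t = 150 s)
```

Only the onset window trips the sign test: once the SES forecast starts absorbing the attack, the error in the next window shrinks relative to the previous one and the exponent turns negative again, so a deployment would keep the alert state rather than re-evaluate it each window. On real traffic a single-step log ratio also turns positive whenever the error merely grows a little between two benign windows, which is the kind of false alarm the flash-crowd experiments later in the paper report; alpha and the window size decide how quickly the forecast absorbs such changes, which is why the paper sweeps both.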
For the simulation of the Smart Home network, Network Simulator 3 (NS3), an open-source discrete-event simulator developed in C++, was used. A summary of the network’s parameters and protocols used is given in Table
NS-3 protocols used.

| Layer | Protocol |
|---|---|
| Link | SH: 802.11 |
| Network | SH: IPv4 |
| Transport | SH: TCP, UDP |
| Application | SH: HTTP, CoAP, MQTT, XMPP, AMQP |
Smart Home architecture in NS3.
Figure
Our simulation has been constructed to represent realistic Smart Home traffic as much as possible. This has been achieved by using the Smart Home traffic dataset generated by [
Our simulation was designed and implemented based on the specifications found in current smart homes. Smart Homes currently have a maximum of 100 Mbps bandwidth. To flood such a line, only 10000 compromised machines are needed, each capable of sending 1 Mbps upstream. These compromised machines are most likely part of a botnet. When attacked, the target will immediately start dropping packets and, at such an upstream rate, will be unavailable after a minute.
NS-3 simulations are not conducted in real time. From our experiments, we have estimated that one minute of simulation time corresponds to about eight to ten minutes of real time. Therefore, based on these findings, a flooding attack will need only 6-7.5 seconds of simulation time to saturate the 100 Mbps line. This is evident in the traffic generated in our simulation: packets start being dropped after about the 6th second. For a slow-rate attack, which is not volumetrically high, it takes about 10-12.5 seconds of simulation time for packets to start being dropped. Hence, ForChaos is able to detect the malicious behaviour fast. Furthermore, the attacks are considered inside attacks, so the attackers’ capabilities are more limited: the compromised devices are constrained in resources such as memory, processing power, and bandwidth. As a result, an inside attack on the Smart Home will not be able to produce a 1.5 Tbps load on the Smart Home network.
Our proposed algorithm’s accuracy is evaluated through experiments. Related DDoS detection studies make use of popular datasets such as the KDD-99, DARPA, or NSL-KDD datasets. However, we cannot use these datasets, as they contain neither IoT traffic nor application layer DDoS attacks. In IoT networks the traffic is highly heterogeneous, and it is therefore harder to detect any malicious behaviour. Hence, we had to create our own synthetic traffic using NS-3. A series of traffic files containing normal and attack traffic was generated. Both flooding and slow-rate attacks were simulated. In every scenario, seven nodes of the Smart Home were generating normal traffic and the remaining two were generating malicious traffic.
In order for both normal and attack traffic to be simulated, a degree of randomness was added to the packet generation of the nodes. Randomness was introduced through a Poisson distribution in the following metrics: the time at which a packet was created and sent from the client to the server, the size of the packets generated by both the client and the server, and the time the server needed to respond. Different speeds were also applied to the IoT nodes servicing application layer requests. Hence, we can simulate slow connections that are legitimate.
Most of the DDoS attacks, Flooding types in particular, can be classified as constant rate. In constant rate attacks the attackers generate a high steady rate of traffic towards the target [
To assess the ForChaos algorithm’s effectiveness, we have calculated the most popular metrics used when assessing a detection algorithm’s accuracy. These are Detection Rate (DR), Error Rate (ER), True Positives (TP), False Positives (FP), False Negatives (FN), and Precision. In intrusion detection, positive instances are attacks and negative instances are normal. DR measures the proportion of incoming instances that the algorithm classifies correctly and ER the proportion it classifies incorrectly; DR and ER sum to one. TP measures the proportion of positive instances that are correctly identified as such. FP measures the proportion of negative instances that have been misclassified as positive. FN measures the proportion of positive instances that have been misclassified as negative. Lastly, precision measures the proportion of relevant instances among the retrieved instances; in other words, precision is the number of true positives divided by all instances classified as positive, whether correctly or incorrectly.
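The six metrics above computed from per-window labels, as an added example (not the paper's own evaluation code). Two constructed labellings are included: one miss among 8 attack windows in a 72-window run, which yields the same 98.6 / 87.5 / 0 / 12.5 / 100 figures that appear in several rows of the result tables, and two false alarms with no misses in a 140-window run, which yields 98.57 / 100 / 1.53 / 0 / 81.82. The window counts are assumptions chosen to reproduce those figures, not the authors' actual counts.

```python
# Added example: detection metrics as defined in the text, from per-window labels.

def confusion(predicted, actual):
    """Count TP/FP/TN/FN over windows; True marks an attack (positive) window."""
    pairs = list(zip(predicted, actual))
    tp = sum(1 for p, a in pairs if p and a)
    fp = sum(1 for p, a in pairs if p and not a)
    fn = sum(1 for p, a in pairs if not p and a)
    tn = sum(1 for p, a in pairs if not p and not a)
    return tp, fp, tn, fn


def metrics(predicted, actual):
    """DR and ER over all instances; TP and FN as proportions of positive (attack)
    instances; FP as a proportion of negative (normal) instances; precision as
    TP / (TP + FP). All returned as percentages rounded to two decimals."""
    tp, fp, tn, fn = confusion(predicted, actual)
    total, positives, negatives = tp + fp + tn + fn, tp + fn, fp + tn

    def pct(num, den):
        return round(100.0 * num / den, 2) if den else 0.0

    dr = pct(tp + tn, total)
    return {
        "DR": dr,
        "ER": round(100.0 - dr, 2),
        "TP": pct(tp, positives),
        "FP": pct(fp, negatives),
        "FN": pct(fn, positives),
        "Precision": pct(tp, tp + fp),
    }


def constructed_run(total_windows, attack_windows, missed=(), false_alarms=()):
    """Build (predicted, actual) label lists for a run of fixed-size windows.
    `missed` are attack windows the detector failed to flag; `false_alarms` are
    normal windows it flagged. Everything here is constructed for the example."""
    attack = set(attack_windows)
    actual = [t in attack for t in range(total_windows)]
    predicted = [(a and t not in missed) or (t in false_alarms) for t, a in enumerate(actual)]
    return predicted, actual


if __name__ == "__main__":
    # Assumed: 72 windows of 30 s, attack in windows 34-41, the last attack window missed.
    print(metrics(*constructed_run(72, range(34, 42), missed=(41,))))
    # Assumed: 140 windows, attack in windows 131-139, two false alarms on normal windows.
    print(metrics(*constructed_run(140, range(131, 140), false_alarms=(10, 50))))
```

With a 200 s attack cut into 30 s windows there are only a handful of attack windows, so a single missed window already costs 12.5% of TP while barely moving DR; that is why the tables should be read on the TP/FN and FP columns rather than on DR alone.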
Experiments are divided according to the type of attack and the training time. For every scenario, we have examined different window sizes and alpha,
The window size parameter is the time interval at which the detection algorithm generates a new prediction. So, if the window size is 20 seconds, then the algorithm will calculate a new prediction after every 20 seconds. For alpha we tested values from 0.1 to 0.9 with an interval of 0.1 and multiple window sizes between 10 and 60 seconds at an interval of 10 seconds.
After a series of experiments it was observed that the optimal window size is 30 seconds and
The training time in all of the attack scenarios was set to 1000 seconds in order to accurately detect malicious activities. In total, eight types of attack have been constructed, and the scenarios were divided into flooding and slow-rate attacks.
In the flooding attacks, the parameters varied were the number of applications used and the time at which the applications were initiated. Firstly 5 and then 10 applications were used on each attacker. If the initiation time was set to “constant,” all of the attackers’ applications were initiated at the start. If it was set to “increasing,” the attackers’ applications were initiated gradually. Through this variation, we aimed to test whether our detection mechanism was able to identify the attack even when the peak of the attack was not visible.
In the slow-rate attacks, the number of applications was varied, and slow legitimate connections were integrated into the network traffic as part of its normal behaviour. The number of applications was varied between 20 and 40. Through slow legitimate connections, we could evaluate whether the algorithm is able to tell malicious from normal activity. In real traffic, not all connections are fast and completed at once, especially in a Smart Home IoT environment where there are various physical obstacles (e.g., walls). According to [
In all scenarios, the attack duration lasted for 200 seconds. For every scenario, the attack is initiated either at the 1000th second, 2000th second or 4000th second. Hence, in total twenty-four experiments were conducted. A summary of the flooding experiments with their parameters and the results are found in Table
DDoS flooding experiments results.

| Scenario | Attack start (sec) | DR (%) | TP (%) | FP (%) | FN (%) | Precision (%) |
|---|---|---|---|---|---|---|
| | 1000 | 100 | 100 | 0 | 0 | 100 |
| | 2000 | 100 | 100 | 0 | 0 | 100 |
| | 4000 | 100 | 100 | 0 | 0 | 100 |
| | 1000 | 100 | 100 | 0 | 0 | 100 |
| | 2000 | 98.6 | 87.50 | 0 | 12.5 | 100 |
| | 4000 | 100 | 100 | 0 | 0 | 100 |
| | 1000 | 100 | 100 | 0 | 0 | 100 |
| | 2000 | 100 | 100 | 0 | 0 | 100 |
| | 4000 | 100 | 100 | 0 | 0 | 100 |
| | 1000 | 100 | 100 | 0 | 0 | 100 |
| | 2000 | 98.6 | 87.50 | 0 | 12.5 | 100 |
| | 4000 | 100 | 100 | 0 | 0 | 100 |
Slow-rate attacks results.

| Scenario | Attack start (sec) | DR (%) | TP (%) | FP (%) | FN (%) | Precision (%) |
|---|---|---|---|---|---|---|
| | 1000 | 100 | 100 | 0 | 0 | 100 |
| | 2000 | 98.6 | 87.5 | 0 | 0 | 100 |
| | 4000 | 100 | 100 | 0 | 0 | 100 |
| | 1000 | 100 | 100 | 0 | 0 | 100 |
| | 2000 | 98.6 | 87.5 | 0 | 12.5 | 100 |
| | 4000 | 98.6 | 100 | 1.53 | 0 | 81.82 |
| | 1000 | 100 | 100 | 0 | 0 | 100 |
| | 2000 | 97.2 | 100 | 3.13 | 0 | 83.33 |
| | 4000 | 94.9 | 100 | 5.34 | 0 | 66.67 |
| | 1000 | 100 | 100 | 0 | 0 | 100 |
| | 2000 | 100 | 100 | 0 | 0 | 100 |
| | 4000 | 100 | 100 | 0 | 0 | 100 |
In our attack scenarios, the target of the attack was the ESI, as it is considered the most important node in a Smart Home.
Application Layer Flooding DDoS attacks are very similar to Flash Crowd traffic. A Flash Crowd denotes the sudden arrival of a burst of legitimate traffic in the network. It is hard to distinguish flash crowd events from Application Layer DDoS attacks because both generate a high number of requests in a relatively short amount of time. We therefore evaluated the ForChaos algorithm through a series of Flash Crowd scenarios. To simulate random Flash Crowd behaviour we used a Poisson distribution; the packet sending rate was increased above normal behaviour, but it did not equal or exceed the levels of the Flooding attack described in Section
Flash crowd false positive results.

| Scenario | FP (%) | Window start times of false alarms (sec) |
|---|---|---|
| | 14.29 | 1110 |
| | 12.5 | 1380, 1860, 1950, 1980, 2160 |
| | 41.12 | 990, 1020, 1110, 1170, 1260, 1380, 1440, 1470, 1500, 1560, 1590, 1620, 1770, 1800, 1830, 1860, 1950, 1980, 2040, 2070, 2100, 2160, 2190, 2250, 2460, 2490, 2550, 2640, 2730, 2760, 3090, 3210, 3240, 3330, 3390, 3420, 3480, 3690, 3750, 3810, 3930, 4020, 4110, 4140 |
| | 85.71 | 990, 1020, 1050, 1080, 1110, 1140 |
| | 82.5 | 990, 1020, 1050, 1080, 1110, 1140, 1170, 1200, 1230, 1290, 1320, 1380, 1410, 1440, 1470, 1500, 1560, 1590, 1620, 1650, 1680, 1710, 1740, 1770, 1800, 1830, 1860, 1890, 1920, 1980, 2040, 2070, 2100 |
| | 24.30 | 990, 1020, 1080, 1170, 1380, 1410, 1500, 1650, 1740, 1770, 1830, 1860, 1890, 2100, 2400, 2460, 2550, 2760, 3240, 3420, 3510, 3720, 3840, 3900, 4080, 4110 |
From the results of Table
As described in Section
Nature-inspired algorithms have an advantage over traditional machine learning algorithms: they focus on optimisation. In nature, a process makes something as fit as possible or selects the fittest samples from a population; this family of algorithms applies the same principle to optimisation, finding the best solution to the problem assigned. In anomaly detection, the main objective is to identify malicious behaviour, so these algorithms use their best-fit mechanisms to detect malicious abnormalities. Another beneficial use of nature/bio-inspired algorithms is to optimise the set of features used in attack detection. In that way, an optimal set of features is selected both for efficient malware detection and for reducing the complexity and computational burden. Additionally, nature/bio-inspired algorithms are highly flexible, as they can accept a mixture of variables in terms of type and continuity. This gives us the opportunity to give a variety of different features to the algorithms.
To find an optimal set of features, we have used the nature-inspired algorithms available in the Weka toolkit. Specifically, we used evolutionary search, ant and bee search, genetic search, and particle swarm optimisation search algorithms. All of the algorithms used identified Parallel Requests, Average Data Rate, Average Packet Size, and Packet Number as the optimal features. The results of the reduced ForChaos algorithm across all the scenarios are presented in Table
ForChaos reduced flooding and slow-rate attacks results.

| Scenario | Attack start (sec) | DR (%) | TP (%) | FP (%) | FN (%) | Precision (%) |
|---|---|---|---|---|---|---|
| | 1000 | 100 | 100 | 0 | 0 | 100 |
| | 2000 | 98.6 | 87.5 | 0 | 0 | 100 |
| | 4000 | 100 | 0 | 100 | 0 | 100 |
| | 1000 | 100 | 100 | 0 | 0 | 100 |
| | 2000 | 98.6 | 87.5 | 0 | 12.5 | 100 |
| | 4000 | 98.6 | 100 | 1.53 | 0 | 81.82 |
| | 1000 | 100 | 100 | 0 | 0 | 100 |
| | 2000 | 97.2 | 100 | 3.13 | 0 | 83.33 |
| | 4000 | 94.9 | 100 | 5.34 | 0 | 66.67 |
| | 1000 | 100 | 100 | 0 | 0 | 100 |
| | 2000 | 100 | 100 | 0 | 0 | 100 |
| | 4000 | 100 | 100 | 0 | 0 | 100 |
| | 1000 | 100 | 100 | 0 | 0 | 100 |
| | 2000 | 98.6 | 87.5 | 0 | 0 | 100 |
| | 4000 | 100 | 0 | 100 | 0 | 100 |
| | 1000 | 100 | 100 | 0 | 0 | 100 |
| | 2000 | 98.6 | 87.5 | 0 | 12.5 | 100 |
| | 4000 | 98.6 | 100 | 1.53 | 0 | 81.82 |
| | 1000 | 100 | 100 | 0 | 0 | 100 |
| | 2000 | 97.2 | 100 | 3.13 | 0 | 83.33 |
| | 4000 | 90 | 100 | 11.2 | 0 | 33.33 |
| | 1000 | 100 | 100 | 0 | 0 | 100 |
| | 2000 | 100 | 100 | 0 | 0 | 100 |
| | 4000 | 99.3 | 100 | 0.75 | 0 | 87.5 |
As it can be seen from Table
Throughout the experiments, we showed that our proposed ForChaos algorithm is able to detect malicious activity with a small training time using eight features. However, in some experiments our algorithm produced false negatives, and certain experiments also raised false alarms.
Related studies have been briefly discussed in Section
Related studies results.

| Study | Training time (sec) | Window size (sec) | DR (%) | Attack / dataset | Features |
|---|---|---|---|---|---|
| | 3200 | 600 | 100 | UDP Flood | Inc. bytes, |
| | 3194 | 60 | 99 | SYN Flood, | pckts No |
| | 86400 | 300 | 100 | KDD99 | Bytes |
| | 86400 | 900 | 100 | SYN Flood | packet |
| | - | - | 94 | KDD99 | pckts No |
| | 6000 | 60 | 99.5 | KDD99 | pckts No |
| | - | - | 93.75 | DARPA | packets |
| | - | - | 98.4 | KDD99 | pckts No |
| ForChaos (this paper) | 1000 | 30 | 98.61-100 | App. Flood | Table |
The ForChaos algorithm combines multiple mathematical concepts to perform detection. To the best of our knowledge, no other study has considered simple exponential smoothing together with Lyapunov exponents to detect DDoS attacks. Therefore, we compare our results with notable studies that make use of forecasting algorithms or Lyapunov exponents.
In the chaos-theory studies, Lyapunov exponents are used in combination with neural networks as a replacement for forecasting. The detection rates of the related studies were between 94.05% and 99.5% against DDoS attacks from the DARPA and/or KDD-99 datasets. Our various experiments showed that our algorithm has better detection rates across both application layer attack scenarios, with a 94.93-100% detection rate.
We strongly believe that the main reason for our algorithm’s high detection rate with less training time and a smaller window size is the higher number of features used. The studies presented use between one and four features, while we use a total of eight. This of course increases the complexity of our solution, but we have considered two types of DDoS attack that are by no means similar to each other: although both achieve the same result, making a server unavailable to legitimate requests, they do so through vastly different behaviour. All the proposals presented in Section
Therefore, we need to monitor more metrics in order to make accurate classifications about the state of the network, whether it is under attack or not. Application Layer DDoS attacks can have vastly different behaviour, always with respect to time. Therefore, even a large dataset used to train a neural network might not be effective when detecting a new type of attack in terms of time. It is essential for the IDS to be fast and lightweight so that it does not constrain the network. It is also important for the IDS to be trained quickly with a small dataset, so that it can construct a detection model based on the current behaviour of the system and not just its history, since application layer attacks exploit the variable of time and not any protocol rules. Additionally, our algorithm does not need any attack dataset to make correct predictions; it needs only a small amount of normal behaviour to be able to detect malicious behaviour, as illustrated in our results section.
Our algorithm is less complex, as it can be seen from the algorithm pseudocode in Section
To make accurate classifications, Artificial Neural Networks need to be trained on both normal and abnormal behaviour in order to distinguish between the two. In addition, our system, as illustrated throughout the diverse experiments, is able to detect Application Layer Flooding and Slow-Rate DDoS attacks of various intensities and sizes. Forecasting algorithms, on the other hand, do not need both normal and abnormal behaviour to detect malicious behaviour. However, the related studies need much more time than ForChaos. It can be observed from Table
In intrusion detection, machine learning algorithms form a popular set of techniques, since they can discover patterns in data without any predefined monitored behaviour. Hence, they can perform anomaly detection of unseen attacks without any type of signature. However, no studies have been conducted against Application Layer DDoS attacks in IoT using machine learning algorithms. Therefore, we have created a dataset of Application Layer DDoS attacks in IoT to evaluate a set of machine learning algorithms provided by Weka. The dataset consisted of the scenarios we used for the ForChaos algorithm’s evaluation. Each raw data scenario was split into 30-second instances, each labelled according to its behaviour (either malicious or benign). All instances were processed through a feature extraction algorithm to create the dataset. The final dataset file was fed into Weka and the following machine learning algorithms were used: Bayesian Networks (BN), Naive Bayes (NB), Support Vector Machine (SVM), Decision Tree (DT), Random Forest (RF), and Artificial Neural Networks with the Multilayer Perceptron architecture (MLP). Two series of experiments were conducted. In the first series the dataset was randomised, using the “randomisation” filter provided by Weka, before being split into training and test sets, with 138 attack instances and 365 normal instances. In the second series, duplicated instances were first removed with the “remove duplicates” filter and the dataset was then randomised with the “randomisation” filter; after duplicate removal it consisted of 125 attack instances and 182 normal instances. In both series, half of the data was used to train the algorithms and construct the models. The results are presented in Table
Machine learning algorithms results against application layer DDoS attacks IoT dataset.

| Alg (Dataset) | DR (%) | TP (%) | FP (%) | FN (%) | Precision (%) |
|---|---|---|---|---|---|
| BN (1st series) | 95.6 | 86.7 | 1.6 | 13.3 | 94.5 |
| NB (1st series) | 92.4 | 85 | 5.2 | 15 | 83.6 |
| SVM (1st series) | 95.2 | 76.7 | 0 | 13.3 | 100 |
| DT / RF / MLP (1st series) | 98.4 | 96.7 | 1 | 3.2 | 96.7 |
| DT / RF / MLP (1st series) | 98.8 | 96.7 | 0.5 | 3.2 | 98.3 |
| DT / RF / MLP (1st series) | 98.8 | 96.7 | 0.6 | 3.2 | 98.3 |
| BN (2nd series) | 92.8 | 80.7 | 0 | 19.3 | 100 |
| NB (2nd series) | 87.6 | 76.7 | 5.4 | 13.3 | 90.2 |
| SVM (2nd series) | 87.6 | 68.3 | 0 | 23.7 | 100 |
| MLP (2nd series) | 96.7 | 95 | 2.2 | 5 | 96.6 |
| DT (2nd series) | 90.2 | 86.7 | 7.5 | 13.3 | 88.1 |
| RF (2nd series) | 94.1 | 88.3 | 2.2 | 11.7 | 96.4 |
| ForChaos | 94.3 | 87.5 | 5.34 | 12.5 | 81.82 |
As expected, the machine learning algorithms’ accuracy decreased against Application Layer DDoS attacks compared with DDoS attacks in lower layers. This is due to the attacks’ great similarity to legitimate behaviour and their exploitation of the time factor.
In the second series of experiments, MLP performed best with 95%, followed by RF with 88.3% and DT with 86.7%. MLP proved to be robust, with its TP rate dropping by only 1.7%, while DT and RF showed a larger drop. RF performed better than DT, as expected, since RF is an “improved” version of DT. This difference in TP rate across the two datasets also highlights that the tree or forest constructed is not effective at capturing the various types of attack behaviour and their versatility; hence, they fail to classify them correctly.
In the second series of experiments, the BN and NB methods follow with 80.7% and 76.7%, respectively. From both series of experiments it is evident that probabilistic approaches fail to identify the attack instances. This occurs because probabilistic models need a large dataset to construct accurate and robust probabilities; the removal of duplicates greatly affects their performance as well.
The worst algorithm in terms of TP was SVM, with 68.3%. SVM performed worst in both series of experiments. This is because the small dataset is not enough for the SVM to construct an effective hyperplane.
In the first series of experiments, MLP, DT, and RF performed best with a 3.3% FN rate. They were followed by BN with 13.3%, NB with 15%, and SVM with 23.3%. In the second series, MLP performed best with 5% FN, followed by RF with 11.7%, DT with 13.3%, BN with 19.3%, NB with 13.3%, and SVM with 21.7%.
A high FN rate is a major disadvantage for any IDS, as it means the system is unable to identify when an actual attack occurs. The only algorithm with an “acceptable” FN rate in both series of experiments was MLP. RF and DT did well in the first series, but their FN rate increased greatly in the second. This indicates that their tree and forest are unable to capture the versatility of the attacks once duplicates are removed. Also, due to the versatility of the attacks and possibly the dataset not being large enough, the probabilistic approaches (BN and NB) fail to detect the attacks. Lastly, SVM performs worst, as it is unable to construct an optimal hyperplane between the attack and the normal class.
In this paper, we have presented a novel Application Layer DDoS attacks detection algorithm using simple exponential smoothing and chaos theory. Our approach is able to detect both Flooding and Slow-Rate Application Layer DDoS attacks in the Smart Home IoT network. Our proposal is fast and accurate in detecting the attack (10 to 40 seconds after the attack has started), generating a very low number of false positives and it does not require a large dataset to construct the model.
Although our algorithm proved to have good results, there is always room for improvement. Future directions include attempting to reduce the complexity of our detection method. As already stated, a Smart Home IoT network, or any IoT network for that matter, is low in memory and power, so the more lightweight the solution the better. Furthermore, most of the false positives generated by our detection engine occurred in the slow-rate attack scenarios. A possible future direction is therefore to add more features aimed specifically at detecting the slow-rate attack.
The Smart Home communicates with many networks and critical infrastructures, such as the Smart Grid and VANETs. Each network produces its own heterogeneous traffic, so malicious behaviour is going to differ depending on the type, size, and intensity of the attack and on what the target is. Hence, cross-network attacks are a likely scenario, since so many networks are interconnected and communicate with each other in a constant and continuous way. Therefore, the Smart Home can be a target of attacks from other networks, but it can also participate in large-scale attacks against a Smart City’s critical infrastructure, the Smart City itself, or even another country’s important assets.
In the future, we aim to protect the communication between the Smart Home and the Smart Grid. It is essential for the Smart Home to be protected from external threats but also from internal threats that aim to abuse its normal functioning and force it to participate in large-scale DDoS attacks that aim to threaten the target critical infrastructure and the Smart City in general.
The data for constructing the Application Layer DDoS attacks dataset have been generated through simulation tools techniques, specifically NS3. More details on the actual implementation of our simulated environment have been given in Section
There is no conflict of interest.