CYBERSECURITY: RESEARCH ON METHODS FOR DETECTING DDOS ATTACKS
DOI: https://doi.org/10.31891/csit-2023-4-1
Keywords: machine learning, DDoS, decision tree, classification
Abstract
This article describes the problem of DDoS attacks, analyzing their nature and consequences. The paper covers common DDoS attack types such as SYN flood, ICMP flood and UDP flood. Existing detection methods from the literature are reviewed, including machine learning approaches such as artificial neural networks, support vector machines and decision trees. The paper introduces a decision tree-based machine learning model for detecting DDoS attacks. The model is trained and tested on a publicly available dataset of 104,345 rows, where every row includes 23 features, such as source IP, destination IP, port number, number of bytes transferred from the switch port, etc. A similar set of characteristics can be obtained on real network hardware using simple calculations, which brings the model evaluation closer to real operating conditions. SYN flood, ICMP flood and UDP flood attacks are present in the data, as well as legitimate traffic. To avoid overfitting, only some of the columns were used, and columns such as IP addresses were discarded. The field “label” in each row of the dataset contains either 0 or 1, where 0 corresponds to legitimate traffic and 1 to malicious traffic. The problem of DDoS attack detection is therefore formally reduced to binary classification of each row of the dataset. The constructed model achieves an average classification accuracy of 0.94 with a standard deviation of 0.06 in detecting the above-mentioned attack types. To assess the effectiveness of the model objectively and avoid distorting the results, stratified 5-fold cross-validation was used. The developed model can be applied in real-world network hardware to filter malicious packets or as a tool for warning the administrator about an attack. This research advances cybersecurity by enhancing DDoS attack detection.
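As an added example (not the paper's code and not its dataset), the evaluation pipeline the abstract describes in plain Python: constructed per-flow records with the IP columns dropped before training, a small Gini-based decision tree, and stratified 5-fold cross-validation reporting the mean and standard deviation of accuracy. The feature names, the synthetic traffic ranges and the derived columns pkt_rate and bytes_per_pkt are assumptions made for illustration.

```python
import random
from collections import Counter

def make_flows(n, seed=1):  # constructed flows: a flood is many small packets in a short window
    rng, rows = random.Random(seed), []
    for _ in range(n):
        label = rng.randint(0, 1)  # 1 = flood, 0 = legitimate traffic
        lo_hi = ((2000, 20000), (1, 20), (40, 400)) if label else ((10, 5000), (5, 300), (100, 1500))
        pkts, dur, bpp = [rng.randint(a, b) for a, b in lo_hi]  # packets, seconds, bytes per packet
        rows.append({"src_ip": f"10.0.0.{rng.randint(2, 254)}", "dst_ip": "10.0.0.1", "pktcount": pkts,
                     "bytecount": pkts * bpp, "dur": dur, "pkt_rate": pkts / dur, "bytes_per_pkt": bpp,
                     "label": label})
    return rows
def gini(y):  # impurity of a label list: 0 when all labels agree
    return 1.0 - sum((c / len(y)) ** 2 for c in Counter(y).values())
def build_tree(X, y, depth=0, max_depth=4):  # CART: a node is a leaf label or (feature, threshold, left, right)
    leaf = Counter(y).most_common(1)[0][0]
    if depth == max_depth or len(set(y)) == 1:
        return leaf
    splits = []
    for j in range(len(X[0])):
        for t in set(r[j] for r in X):
            left = [i for i, r in enumerate(X) if r[j] <= t]
            right = [i for i, r in enumerate(X) if r[j] > t]
            if left and right:  # score = size-weighted Gini impurity of the two children
                splits.append((sum(len(s) * gini([y[i] for i in s]) for s in (left, right)), j, t, left, right))
    if not splits:  # identical rows with mixed labels: nothing left to split on
        return leaf
    _, j, t, left, right = min(splits)
    grow = lambda idx: build_tree([X[i] for i in idx], [y[i] for i in idx], depth + 1, max_depth)
    return (j, t, grow(left), grow(right))
def predict(tree, row):  # descend until a leaf label is reached
    while isinstance(tree, tuple):
        tree = tree[2] if row[tree[0]] <= tree[1] else tree[3]
    return tree
def stratified_folds(y, k, seed=0):  # sort by class, shuffle within class, deal round-robin
    rng = random.Random(seed)
    order = sorted(range(len(y)), key=lambda i: (y[i], rng.random()))
    return [order[f::k] for f in range(k)]  # each fold keeps the 0/1 ratio of y to within one row
def cross_validate(rows, k=5, drop=("src_ip", "dst_ip", "label")):  # IP columns dropped, as in the paper
    cols = [c for c in rows[0] if c not in drop]
    X, y = [[r[c] for c in cols] for r in rows], [r["label"] for r in rows]
    accs = []
    for fold in stratified_folds(y, k):
        train = [i for i in range(len(X)) if i not in fold]
        tree = build_tree([X[i] for i in train], [y[i] for i in train])
        accs.append(sum(predict(tree, X[i]) == y[i] for i in fold) / len(fold))
    mean = sum(accs) / k
    return mean, (sum((a - mean) ** 2 for a in accs) / k) ** 0.5  # mean and std of fold accuracy
```

Calling cross_validate(make_flows(200)) returns the (mean, std) pair in the same form the abstract reports; replacing make_flows with a loader for real switch counters is the only change needed to evaluate on captured traffic.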