Deep learning model for distributed denial of service (DDoS) detection

Distributed denial of service (DDoS) attacks are among the most serious threats in cybersecurity: they undermine the availability of online services by disrupting access for legitimate users. Because online services depend on high availability, the cost of such attacks can run to millions of dollars. The magnitude of DDoS attacks keeps growing as attackers adapt their strategies to expose weaknesses in intrusion detection models and mitigation mechanisms. Historically, attackers targeted the network and transport layers of the OSI model, but recent incidents show a shift toward the application layer, where attack traffic is hard to distinguish from benign traffic, which makes defending against application-layer DDoS a demanding task. High accuracy combined with high DDoS classification recall is key for any DDoS detection mechanism to remain reliable and trustworthy. This paper proposes a deep learning approach to application-layer DDoS detection that uses an autoencoder for feature extraction and a deep neural network for attack classification. The popular benchmark dataset CIC DoS 2017 is used, with the most informative features extracted from the packet flows. The proposed model achieves an accuracy of 99.83% and a detection rate of 99.84% while keeping the false-negative rate at 0.17%, the highest accuracy among the literature reviewed so far.


Introduction
In today's web-centric economy, industries such as e-commerce, banking, news, social networking and many more deliver their services over the Internet. Disrupting the normal accessibility of a system for its legitimate users is called a Denial of Service (DoS) attack.
Distributed Denial of Service (DDoS) attacks are DoS attacks launched from many compromised hosts whose IP addresses can span large geographical areas. A DDoS attack disrupts the regular traffic of a service such as a business server or website by overwhelming the target with a flood of Internet traffic (Chio and Freeman, 2018). Zombies and botnets are used to launch DDoS attacks, which can cause real harm to an organisation's operability and accessibility by slowing down or shutting down its operations. In a competitive global business world, such slowdowns and outages can seriously damage business growth and reputation. Political, economic, cybercriminal and terrorist motives all drive DDoS attacks.
Norton (2020) dates the first recorded DDoS attack to 2002, and many incidents have been recorded since. The DDoS attack on the domain name provider DYN in 2016 was a massive one that crippled leading web businesses including CNN, Airbnb, Netflix, The New York Times, Spotify, Amazon, GitHub, PayPal, Reddit and Visa (Norton, 2020; Asad et al., 2020). The Mirai botnet, which exploited weaknesses in IoT devices, carried out that attack. It showed that DDoS attackers use evolving strategies to reach massive bandwidth (Petters, 2019).
Based on the DDoS taxonomy depicted in Fig. 1, there are two main types of DDoS attack: reflection and exploitation (Sharafaldin et al., 2019).
Reflection attacks keep the attacker's identity hidden by using legitimate third parties to deliver the attack traffic (the attacker spoofs the victim's address, so the third party's replies flood the victim). They are carried out through application-layer protocols over transport-layer protocols such as Transmission Control Protocol (TCP), User Datagram Protocol (UDP) or both. Exploitation attacks are similar in that the attacker's identity also remains hidden; they use TCP and UDP directly to carry out the attack. SYN flood, UDP flood and UDP-Lag fall into the exploitation category.
DDoS attacks traditionally targeted the transport and network layers of the OSI model; they have now shifted to the application layer as well, which is perceived as more sophisticated and harder to defend (Asad et al., 2020). Attackers continually search for new vulnerabilities and change their tactics from one attack to the next. These evolving strategies have driven up both the frequency and the magnitude of DDoS attacks. The forecast of DDoS attacks from 2018 to 2023 in Fig. 2 shows the number of attacks increasing every year (Cisco, 2020).
Infrastructure measures such as firewalls and load balancers are used to mitigate DDoS attacks but have their own limitations. Both are stateful inline devices and are therefore themselves vulnerable to state-exhausting attacks, which makes them partial solutions for customers who need best-of-breed DDoS protection. Beyond infrastructure, anomaly-based and signature-based approaches (Gupta, 2018) have been employed for DDoS detection. Signature-based detection becomes obsolete quickly as attacks change, while anomaly-based detection suffers from a high false-positive rate, so both raise reliability concerns. To prevent or minimise the damage of a DDoS attack, the false-positive and false-negative rates need to be kept near zero.
The most recent trend in identifying DDoS attacks is the use of Machine Learning (ML), whose strength is the ability to adapt as the data evolves. Both unsupervised and supervised models have been used for DDoS detection. Because the traffic stream is dominated by the benign (negative) class, accuracy alone cannot serve as the evaluation criterion: a model that labels everything benign scores high accuracy while detecting nothing. The key metric, alongside high accuracy, is the recall of the DDoS class. Although ML approaches are widespread in DDoS detection models, the main obstacle remains driving the false-positive rate close to zero while keeping DDoS recall high.
The application-layer DDoS detection model proposed in this study is based on deep learning, combining an autoencoder and a deep neural network. Packet information for the traffic flowing through a network adapter is captured in a PCAP file, and significant attributes are identified with packet parsing techniques. The autoencoder performs feature extraction, and the resulting feature vector is fed into the deep neural network for the final prediction. The proposed model achieves an accuracy of 99.83% and a detection rate of 99.84%, with a false-positive rate of 0.18% and a false-negative rate of 0.17%, a low false alarm rate that is key for any detection model. To evaluate the model further, GANs were designed to simulate future DDoS attacks, and the model detected those unseen attacks. As far as the literature review shows, this is the highest accuracy reported against the CIC DoS 2017 dataset.
The rest of the paper is organised as follows. Section two briefly reviews the background theory. Section three discusses past approaches to DDoS detection with machine learning, section four describes the proposed solution and section five describes how the experiment was conducted. The results are discussed in section six. Finally, the conclusion and possible future enhancements are given in section seven.

Deep learning
Deep learning has had a notable impact on Natural Language Processing and Computer Vision. Key characteristics of deep learning models are their many layers, their ability to identify the significant features in the input data and their capacity to adapt to novel data (Bediako, 2017).

Autoencoder
Datasets with hundreds of features are common nowadays, and when the number of observations is small relative to the number of features a machine learning model can overfit (Ippolito, 2019). Regularisation and dimensionality reduction are the techniques employed to overcome overfitting. Creating a smaller set of new features from the original ones is called feature extraction.
An autoencoder is a feedforward unsupervised learning technique that seeks to learn a compressed representation of its input (Jordan, 2018; Rupak, 2020). It has three components: an encoder, a code and a decoder. The encoder compresses the input into a lower-dimensional code, and the decoder reconstructs the output from that code (Dertat, 2017).
Many types of autoencoder exist, suited to different scenarios, but the most common use is feature extraction or dimensionality reduction. Fig. 3 shows the basic structure of an autoencoder (Rupak, 2020).

Generative adversarial networks (GANs)
GANs are a neural network architecture for generative models, which are capable of producing new content that resembles the training data. Generating new data benefits data-limited situations and can also produce new patterns of data. A GAN has two components, a generator and a discriminator. The generator produces data while the discriminator judges whether the generated data looks real. The two networks compete with each other, which improves the realism of the generated data (Nash, 2019). Fig. 4 shows the basic flow of a generative adversarial network.

State of the art
Many researchers have used machine learning approaches to build models that detect DDoS attacks accurately, and deep learning techniques are especially popular among them. Among the latest findings, Asad et al. (2020) proposed a model to detect application-layer DDoS attacks based on a seven-layer deep neural network with feed-forward and backpropagation. They used batch normalization at the
Kim (2019) proposed a supervised learning approach to detect DDoS attacks using a basic neural network and an LSTM implemented in TensorFlow. Both pre-processing methods and hyperparameter optimisation were investigated against three datasets: CAIDA, DARPA and the dataset collected by Alkasassbeh et al. (2016). The Box-Cox and min-max transformations were used for pre-processing. Kim (2019) argued that the pre-processing methods, neural network architecture, hyperparameters and optimisers are all appropriate for DDoS detection. Revathi and Malathi (2014) proposed a DoS attack detection model using a Random Forest (RF) classifier and Principal Component Analysis (PCA). They used the NSL-KDD dataset and applied PCA to reduce the attributes and avoid dimensionality problems; the 14 attributes retained after PCA were used for classification in the RF classifier. Using the Weka tool for their experimental analysis, Revathi and Malathi (2014) achieved 99.9% accuracy. Filho et al. (2019) proposed a model with an RF tree algorithm that classified network traffic from samples taken with the sFlow protocol directly from the network devices. After performance calibration, the model was evaluated against three benchmark datasets, CIC-DoS, CIC IDS 2017 and CSE-CIC-IDS2018, and demonstrated an accuracy of 93%.
A model combining a stacked autoencoder and a one-class SVM (SAE-1SVM) was proposed by Mhamdi et al. (2020). Their main focus was handling imbalanced datasets, which is the common case for most datasets available for DDoS detection. The encoder and decoder of their autoencoder are symmetric in size. The one-class SVM is an unsupervised approach that learns the hyperplane best separating the data points from the origin. CIC IDS 2017 was used as the benchmark dataset. Although Mhamdi et al. (2020) report 99.35% accuracy, their false-positive rate was quite high.
A comparison study by Wankhede and Kshirsagar (2020), which evaluated a Multi-Layer Perceptron (MLP) neural network and RF on the CIC IDS 2017 benchmark dataset with the Weka tool, concluded that RF outperformed MLP with an accuracy of 99.95%.
In the past, most significant studies were based on the KDD CUP 1999 dataset (Table 2). Imamverdiyev and Abdullayeva (2018) studied the application of a deep learning method, the Gaussian-Bernoulli restricted Boltzmann machine (RBM), to DDoS detection, adjusting the hyperparameters during training to achieve higher detection accuracy. SVM (epsilon-SVR), decision tree, deep belief network, Bernoulli-Bernoulli RBM, Gaussian-Bernoulli RBM and radial-basis SVM models were compared on the NSL-KDD dataset, and Imamverdiyev and Abdullayeva (2018) concluded that the multilayer deep Gaussian-Bernoulli RBM outperformed the other models selected. Kale and Choudhari (2014), from a comprehensive set of evaluations on the KDD CUP 1999 dataset, argued that Resilient Back Propagation (RBP) is the best classifier. They further improved RBP performance by combining a Neyman-Pearson cost minimisation strategy with an ensemble of classifier outputs, using DARPA 1999, CONFICKER and DARPA 2000 for their simulation experiments. The Genetic Algorithm-based model proposed by Paliwal and Gupta (2012) to detect DDoS attacks on the KDD CUP 1999 dataset recorded an intrusion detection accuracy of 97%. Douligeris and Mitrokotsa (2004) built a DDoS detection model based on Kohonen's Self-Organising Maps (KSOMs), also on KDD Cup 1999; its limitation was the high computational power demanded once the dataset exceeded 10,000 records. In earlier literature, Noh et al. (2003) proposed a different approach, a traffic analysis mechanism based on ratio calculation, where the ratio is the number of TCP packets carrying a given flag to the total number of TCP packets.
That ratio was then used for DDoS detection through state-action rules learned by an ML algorithm; Noh et al. (2003) used their own simulated network environment for the experiment. Phan et al. (2019) proposed a reinforcement learning approach based on Q-learning and used the MaxiNet emulation framework for runtime evaluation of the model. By applying the optimal policy from the Q-learning agent, the model achieved higher DDoS detection performance.

Overview of the solution
The overview of the proposed solution is depicted in Fig. 5. The packets flowing in and out of a network adapter are captured in a PCAP file, which is the data source for the proposed solution. The packets in the PCAP file are analysed by the PCAP Extractor before being fed into the autoencoder for feature extraction. The feature vectors generated by the autoencoder are the input to the detection model, which classifies the traffic as benign or DDoS. The solution therefore has three main components: the PCAP Extractor, the Autoencoder and the Detection model.

Attribute extraction-PCAP extractor model
The packets flowing in and out of a network adapter can be captured in a PCAP file, and a given PCAP file contains many packets. The information carried by the stream of packets belonging to one connection between a source IP and a destination IP provides attributes that describe the nature of that connection. Many packet parsing techniques are available; this research used the concept employed by pyFlowMeter to build the PCAP extractor model, which parses packets and derives the significant attributes. The PCAP extractor identifies 56 such attributes, which are then fed into the Autoencoder model. Fig. 6 shows the proposed network architecture for the detection model.
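The flow aggregation described above, as an added example that is not the paper's or pyFlowMeter's code: packets are grouped into bidirectional flows keyed on the 5-tuple and a handful of per-flow attributes of the CICFlowMeter kind (direction counts, byte counts, inter-arrival times, flag counts) are computed. The packet records are constructed inline as tuples rather than read from a PCAP file; parsing a real capture with scapy or dpkt would yield the same fields. The feature names and the two sample connections (one normal HTTP exchange, one slow-header connection) are assumptions for illustration, not the paper's 56 attributes.

```python
"""Flow-level attribute extraction of the kind the paper's PCAP extractor performs.
Added example, not the paper's or pyFlowMeter's code. Packets are constructed
inline as tuples instead of being read from a PCAP file; a real capture parsed
with scapy or dpkt yields the same fields. Feature names follow CICFlowMeter
conventions but are assumptions, not the paper's 56 attributes."""
from collections import defaultdict

# (time_s, src_ip, dst_ip, src_port, dst_port, proto, payload_len, tcp_flags)
# Constructed sample: one normal HTTP request/response, then a slow-header
# connection that trickles a few bytes every ~10 s and never completes.
PACKETS = [
    (0.000, "10.0.0.5", "192.0.2.10", 50000, 80, "TCP", 0, "S"),
    (0.010, "192.0.2.10", "10.0.0.5", 80, 50000, "TCP", 0, "SA"),
    (0.011, "10.0.0.5", "192.0.2.10", 50000, 80, "TCP", 0, "A"),
    (0.012, "10.0.0.5", "192.0.2.10", 50000, 80, "TCP", 310, "PA"),
    (0.040, "192.0.2.10", "10.0.0.5", 80, 50000, "TCP", 1400, "PA"),
    (0.041, "192.0.2.10", "10.0.0.5", 80, 50000, "TCP", 1400, "PA"),
    (0.045, "10.0.0.5", "192.0.2.10", 50000, 80, "TCP", 0, "A"),
    (0.050, "10.0.0.5", "192.0.2.10", 50000, 80, "TCP", 0, "FA"),
    (0.051, "192.0.2.10", "10.0.0.5", 80, 50000, "TCP", 0, "FA"),
    (1.000, "198.51.100.7", "192.0.2.10", 40001, 80, "TCP", 0, "S"),
    (1.010, "192.0.2.10", "198.51.100.7", 80, 40001, "TCP", 0, "SA"),
    (1.011, "198.51.100.7", "192.0.2.10", 40001, 80, "TCP", 18, "PA"),
    (11.000, "198.51.100.7", "192.0.2.10", 40001, 80, "TCP", 12, "PA"),
    (21.000, "198.51.100.7", "192.0.2.10", 40001, 80, "TCP", 12, "PA"),
    (31.000, "198.51.100.7", "192.0.2.10", 40001, 80, "TCP", 12, "PA"),
]


def flow_key(pkt):
    """Direction-independent key so both halves of a conversation join one flow."""
    _, src, dst, sport, dport, proto, _, _ = pkt
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def _mean(values):
    return sum(values) / len(values) if values else 0.0


def extract_flows(packets):
    """Group packets into bidirectional flows and compute per-flow attributes.
    The forward direction is that of the flow's first packet (the initiator).
    Returns {(src, dst, sport, dport, proto): {feature: value}}."""
    groups = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p[0]):
        groups[flow_key(pkt)].append(pkt)

    flows = {}
    for key, pkts in groups.items():
        initiator = (pkts[0][1], pkts[0][3])
        fwd = [p for p in pkts if (p[1], p[3]) == initiator]
        bwd = [p for p in pkts if (p[1], p[3]) != initiator]
        duration = pkts[-1][0] - pkts[0][0]
        fwd_times = [p[0] for p in fwd]
        fwd_bytes = sum(p[6] for p in fwd)
        bwd_bytes = sum(p[6] for p in bwd)
        flows[(pkts[0][1], pkts[0][2], pkts[0][3], pkts[0][4], key[0])] = {
            "duration": duration,
            "fwd_pkts": len(fwd),
            "bwd_pkts": len(bwd),
            "fwd_bytes": fwd_bytes,
            "bwd_bytes": bwd_bytes,
            "fwd_pkt_len_mean": _mean([p[6] for p in fwd]),
            # mean inter-arrival time of forward packets: large for slow attacks
            "fwd_iat_mean": _mean([b - a for a, b in zip(fwd_times, fwd_times[1:])]),
            "flow_pkts_per_s": len(pkts) / duration if duration > 0 else 0.0,
            "flow_bytes_per_s": (fwd_bytes + bwd_bytes) / duration if duration > 0 else 0.0,
            "down_up_ratio": bwd_bytes / fwd_bytes if fwd_bytes else 0.0,
            "syn_count": sum("S" in p[7] for p in pkts),
            "fin_count": sum("F" in p[7] for p in pkts),
            "psh_count": sum("P" in p[7] for p in pkts),
        }
    return flows
```

On the constructed sample the slow-header connection stands out by its forward inter-arrival time (7.5 s against about 12 ms for the normal request), the absence of a FIN and a zero down/up ratio, which is exactly the kind of attribute the autoencoder is later asked to compress.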

Autoencoder model
The attributes extracted by the PCAP extractor are fed into the autoencoder for feature extraction. The encoder takes an input of shape 51, the number of features remaining after dropping insignificant attributes; its first hidden layer has 27 neurons and its last layer has 20 neurons, which is the code dimension. The decoder has a 20-neuron layer followed by a 51-neuron output layer. All layers of the autoencoder use ReLU as the activation function, which requires the input features to be scaled to a non-negative range so that the output layer can reconstruct them.

Detection model
The DDoS detection model is a deep neural network with four dense layers. The 20 features extracted by the autoencoder form the input of the first layer, which has 20 neurons; the remaining three layers have 10, 5 and 1 neuron respectively. Fig. 6 shows the network architecture. The hidden layers use ReLU as the activation function and the output layer uses sigmoid. Early stopping is used to determine the best number of epochs to train the model.
For hyperparameter tuning, a trial-and-error approach was chosen over grid search because it gives more insight into how each parameter adjustment affects the result. Batch size, weight initialisation, activation function, optimiser, learning rate and loss function were adjusted during the experiment and the results compared. The final deep neural architecture uses the hyperparameters given in Table 1.

Experiment environment
The experiment is performed on an Asus machine with a Core i7-8550U CPU at 1.8 GHz and 16 GB of memory. The open-source TensorFlow library with Keras, in the Python environment, is used for the whole implementation.

Benchmark dataset-CIC DoS 2017
Many intrusion detection datasets are publicly available, but it is important to understand their strengths and weaknesses as well as their validity in the current context. Table 2 summarises the key benchmark datasets identified in the literature review (Behal and Kumar, 2016; Jazi et al., 2017).
The study aims to build a machine learning model that detects application-layer DDoS attacks. When selecting the benchmark dataset, priority was therefore given to whether the traffic was generated purely by application-layer DDoS attacks, so that data preparation could be kept to a minimum. The age of the dataset was also weighted, because having the latest attack patterns matters. Most of the datasets listed in Table 2 contain mixed attack types rather than purely application-layer attacks, whereas CIC DoS 2017 contains only application-layer DDoS attacks (Jazi et al., 2017), which matches the purpose of the study.
Furthermore, many variants of application-layer DDoS attack were used in creating the CIC DoS 2017 dataset (Jazi et al., 2017), which helps the proposed model learn different application-layer attack patterns. Table 3 lists the application-layer attack labels contained in the dataset. Considering all these points, CIC DoS 2017 was selected as the benchmark dataset for the study.

Performance metrics
The model predicts whether network traffic is benign or a DDoS attack, so a confusion matrix is used to analyse the results obtained during the experiment; the confusion matrix applicable to the study is shown in Table 4. In addition, standard measures such as accuracy, precision and F1-score are used for model evaluation. The confusion-matrix counts are used to compute the performance indicators given in Eqs. 1 to 4.

Experiment analysis
During the experiment the model achieved 99.83% accuracy; Fig. 7 shows the confusion matrix obtained from model training. The recall of the DDoS class can be termed the detection rate or sensitivity of the model, and by Eq. 1 the model achieved a detection rate of 99.84%. The false-positive rate, specified by Eq. 2, was 0.18%. The false-negative rate, specified by Eq. 3, was 0.17%. The false alarm rate, specified by Eq. 4, gave an overall false alarm rate of 0.18%.
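The rates reported above, and the class-imbalance point raised in the introduction, as an added example that is not the paper's code. It computes the standard confusion-matrix indicators with DDoS as the positive class, shows why accuracy alone misleads on imbalanced traffic, and sweeps the sigmoid decision threshold to expose the trade-off between false positives and false negatives that a single operating point hides. The sample scores and labels are constructed, and the "overall false alarm rate" is taken as (FP + FN) divided by all flows, an assumption since the paper's Eq. 4 is not reproduced in the text.

```python
"""Confusion-matrix rates used to report the model (detection rate, false-positive
rate, false-negative rate, accuracy, precision, F1), why accuracy alone misleads on
imbalanced traffic, and how the decision threshold trades FPR against FNR.
Added example, not the paper's code. The sample scores are constructed, and the
"overall false alarm rate" below is (FP + FN) / all flows, an assumption since
the paper's Eq. 4 is not reproduced in the text."""


def confusion(y_true, y_pred):
    """Counts with DDoS (1) as the positive class: (TP, FP, TN, FN)."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    return tp, fp, tn, fn


def _div(a, b):
    return a / b if b else 0.0


def rates(y_true, y_pred):
    """All indicators from one pass over the labels."""
    tp, fp, tn, fn = confusion(y_true, y_pred)
    n = tp + fp + tn + fn
    precision = _div(tp, tp + fp)
    detection = _div(tp, tp + fn)  # recall / sensitivity / detection rate
    return {
        "accuracy": _div(tp + tn, n),
        "detection_rate": detection,
        "precision": precision,
        "f1": _div(2 * precision * detection, precision + detection),
        "fpr": _div(fp, fp + tn),
        "fnr": _div(fn, tp + fn),
        "overall_false_alarm": _div(fp + fn, n),  # assumption, see module docstring
    }


def accuracy_paradox(n_benign=9900, n_attack=100):
    """A detector that labels everything benign on a 99:1 mix: accuracy looks
    excellent while detection rate, precision and F1 are all zero."""
    y_true = [0] * n_benign + [1] * n_attack
    return rates(y_true, [0] * (n_benign + n_attack))


# Constructed sigmoid outputs for 5 benign flows and 4 attack flows; one benign
# flow scores 0.55 and one attack flow scores 0.40, so no cut-off is perfect.
SAMPLE_SCORES = [0.05, 0.10, 0.20, 0.35, 0.55, 0.40, 0.60, 0.80, 0.95]
SAMPLE_LABELS = [0, 0, 0, 0, 0, 1, 1, 1, 1]


def threshold_sweep(scores, y_true, thresholds=(0.3, 0.5, 0.7)):
    """Apply each cut-off to the scores; returns [(threshold, fpr, fnr), ...].
    Lowering the threshold buys detection at the cost of false positives."""
    out = []
    for t in thresholds:
        r = rates(y_true, [1 if s >= t else 0 for s in scores])
        out.append((t, r["fpr"], r["fnr"]))
    return out
```

On the constructed scores the sweep moves from (FPR 0.4, FNR 0.0) at 0.3 through (0.2, 0.25) at 0.5 to (0.0, 0.5) at 0.7: the 0.18% and 0.17% reported for the model are one point on such a curve, and the business weighting of blocked users against admitted attack flows decides where the threshold should sit.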

Evaluation with MazeBolt PCAP files
To assess the effectiveness of the proposed detection model, the MazeBolt PCAP files were tested against it. MazeBolt is a cybersecurity firm that publishes PCAP files of the latest application-layer DDoS attack types in its knowledge base (MazeBolt, 2020). It provides 24 application-layer DDoS attack PCAP files, each containing one specific category of application-layer DDoS attack.
The traffic in those PCAP files was extracted and tested with the proposed model. The model detected all of the attack types except the Apache Benchmark HTTP application-layer DDoS attack. Table 5 shows the results.
The model's ability to detect new or unseen application-layer DDoS patterns was tested with GANs, which were built to generate new application-layer DDoS attack patterns from the existing attack patterns in the dataset. The model detected the new patterns generated by the GANs.

Comparison evaluation
For the comparison evaluation, six experiments on application-layer DDoS detection were selected from the literature review. The selected experiments use different detection approaches; Table 6 gives the details of each.
A couple of studies achieved a similar detection rate. Yadav and Subramanian (2016) achieved a detection rate of 98.99%, but with a false-positive rate of 1.27%. Singh and De (2019) achieved a detection rate of 98.04%, but their false-positive rate is not reported. The proposed model achieves a detection rate of 99.84% while maintaining a false-positive rate of 0.18%. The comparison shows that the model achieves a high detection rate while keeping the false-positive rate low. Although the other studies listed in Table 6 do not reveal the overall false alarm rate, which is an important indicator for a detection model, the proposed model achieves an overall false alarm rate of 0.18%.

Conclusion and Future work
In this paper, an approach to detecting application-layer DDoS attacks is proposed that uses an autoencoder for feature extraction and a deep neural network as the attack classifier. The proposed model provides a detection rate of 99.84% while maintaining a false-positive rate of 0.18% and a false-negative rate of 0.17%.
Given the business impact of the problem, both the false-positive and the false-negative rate matter. A false negative lets the attacker reach the intended endpoint, which reduces availability and hurts the business's top and bottom lines. A false positive blocks legitimate users from the service they are looking for, which damages the brand while also reducing the top and bottom lines. Any type of false alarm therefore has a business impact, and the model keeps the overall false alarm rate as low as 0.18%.
The model detects most of the latest application-layer DDoS attack types available, and it also detects the new attack patterns that the GANs generated from the existing ones.
The model extracts packet information from a PCAP file. In future, techniques such as NetFlow, J-Flow or sFlow could be used instead, since they extract flow information faster for live traffic monitoring, although sampled flow records carry fewer packet-level details than a full capture, so the feature set would need to be revisited. Since the model has a high detection rate with a low false alarm rate, it can be applied in a real network for application-layer DDoS detection.

Conflict of interest
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.