Signature Detection Methods
Signature detection techniques rely on a repository of known DDoS attack signatures and compare the observed network traffic against that repository; when a match is found, a detection alert is raised. This form of detection effectively identifies known attacks whose signatures are stored in the system's repository, but it cannot detect zero-day or novel attacks and is considered ineffective against mutations of existing attacks (Kumar et al., 2021). Thamilarasu and Chawla (2019) suggested applying an artificial immune system (AIS) to overcome the limitations of signature-based strategies. Their method builds a predictor on the DDoS attack signature using an immune cell model, which assesses whether a received packet is malicious or legitimate based on its classification as a self or non-self component. Because the system is monitored continuously, it can also adopt novel patterns promptly. Nevertheless, within a resource-constrained Internet of Things setting, the feasibility of such a detection method is uncertain. Vaccari, Aiello and Cambiaso (2020) attempted to resolve the resource-constraint issue in a signature-based IDS by using a separate Linux machine running an adapted version of the Suricata-based signature IDS; however, the research did not establish a strategy for updating the attack signatures. Chawla and Thamilarasu (2018) attempted to build on Vaccari, Aiello and Cambiaso's research primarily by presenting certain modifications to the signature matching technique. Huda et al. (2018) attempted to address the limited processing power of IoT devices by combining an auxiliary shift value with a multiple-pattern matching approach to reduce the number of matching operations needed between network traffic packets and the DDoS attack signatures; the researchers used the signature repositories of the open-source antivirus ClamAV and the open-source IDS Snort. Ioulianou et al. (2018) applied their proposed signature-based IDS to the detection of DDoS attacks in IoT networks. They used a hybrid deployment containing two main units, IDS routers and IDS detectors. The IDS router is essentially a firewall and detection device hosted at the border gateway, while the IDS detectors are used to monitor the internal sensors. The results of the study showed that the scheme identifies version number change and hello flooding attacks.
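The shift-value idea behind reducing matching operations, as an added example (not code from Huda et al., ClamAV or Snort): a small Wu-Manber-style multi-pattern matcher builds a SHIFT table over the first m bytes of every signature, so most payload positions are skipped without any full comparison, and counts how many full signature comparisons it performs against a naive scanner. The signature list and packet payload are constructed, and the block size of 2 is an assumption.

```python
from collections import defaultdict

def build_tables(signatures, block=2):
    """SHIFT table and pattern buckets over the first m bytes of every signature,
    where m is the shortest signature length (Wu-Manber style construction)."""
    m = min(len(s) for s in signatures)
    default_shift = m - block + 1       # block seen nowhere in any prefix
    shift, buckets = {}, defaultdict(list)
    for sig in signatures:
        prefix = sig[:m]
        for end in range(block - 1, m):
            blk = prefix[end - block + 1:end + 1]
            shift[blk] = min(shift.get(blk, default_shift), m - 1 - end)
        buckets[prefix[m - block:]].append(sig)
    return m, default_shift, shift, buckets

def shift_scan(payload, signatures, block=2):
    """Return (matches, verifications): matches are (offset, signature) pairs;
    verifications counts the full signature comparisons actually performed."""
    m, default_shift, shift, buckets = build_tables(signatures, block)
    matches, verifications = [], 0
    pos = m - 1
    while pos < len(payload):
        blk = payload[pos - block + 1:pos + 1]
        s = shift.get(blk, default_shift)
        if s:
            pos += s                     # this block rules out every skipped alignment
            continue
        start = pos - m + 1
        for sig in buckets[blk]:         # only signatures whose prefix ends in blk
            verifications += 1
            if payload.startswith(sig, start):
                matches.append((start, sig))
        pos += 1
    return matches, verifications

def naive_scan(payload, signatures):
    """Baseline: try every signature at every offset of the payload."""
    matches, verifications = [], 0
    for start in range(len(payload)):
        for sig in signatures:
            verifications += 1
            if payload.startswith(sig, start):
                matches.append((start, sig))
    return matches, verifications

# Constructed signature repository and packet payload (not real rules or traffic).
SIGNATURES = [b"xyzzy", b"flood", b"EVIL"]
PAYLOAD = b"hello flood of EVIL packets"

if __name__ == "__main__":
    print("shift table:", shift_scan(PAYLOAD, SIGNATURES))
    print("naive      :", naive_scan(PAYLOAD, SIGNATURES))
```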
Anomaly Detection Methods
The anomaly detection technique mainly depends on a baseline profile of the monitored environment's typical behavior. Keshk et al. (2019) indicated that this baseline is then used for comparison against the network's activity at any given moment, and all deviations from the legitimate threshold are reported through an alarm; however, no classification of the type of DDoS attack detected is offered. Other studies have attempted to use behavioral detection techniques based on machine learning, trained to differentiate between legitimate and attack network traffic. The challenge in such studies is that creating normal profiles is usually preferable to learning both legitimate and attack activity, because the learned attack activity cannot encompass the novel DDoS attack activity found in real-world systems. Anomaly-based detection strategies are therefore found to be more effective at discovering new DDoS attacks than signature-based approaches. Machine learning algorithms are used in anomaly-based detection techniques to create the baseline normal profile used for system monitoring. Nevertheless, because of the substantial resources needed to train and test machine learning algorithms promptly, their adoption in energy- and resource-constrained IoT settings remains a challenge. Jan et al. (2019) therefore proposed a lightweight IDS scheme for the Internet of Things. The proposed scheme has two core stages, algorithm training and assessment. To keep the system lightweight, the method is trained in the training stage on attributes derived from the packet inter-arrival time rate of the generated and received data. In the assessment phase, the scheme applies a support vector machine (SVM) classifier to detect attack or abnormal traffic. In terms of detection accuracy and speed, the lightweight IDS technique was found to perform efficiently. Another study by Deshmukh-Bhosale and Sonavane (2019) proposed a real-time scheme to detect wormhole attacks within the RPL-based Internet of Things. The technique detects malicious nodes and users through routing data and the received signal strength indicator (RSSI). Overall, in both distributed and centralized deployments, the real-time IDS was evaluated and achieved a detection accuracy of about 90%.
Statistic-based DDoS Detection Methods
Statistical techniques are strategies that apply mathematical models to detection. They mainly search for relationships among one or more non-random or random variables, and these relationships are then used to predict the outcome. Statistical approaches to anomaly detection therefore offer an in-depth analysis of each packet in the network. According to Manavi (2018), they enable the data for a particular period to be observed and analyzed extremely quickly. Numerous researchers have applied such methods to DDoS detection, so the related literature that has successfully applied entropy-based detection, as well as combinations of entropy with other strategies, is assessed and illustrated here. The entropy technique is the most common method of generating the essential attributes used to classify network flows. These attributes are extracted by calculating the entropy of packet fields such as the destination IP, protocol name, source IP, destination port and source port, among others. Lately, the technique has been widely applied to DDoS detection. Entropy calculations are used to measure the randomness of traffic within the network: a high entropy value means the packets are random, and a low entropy value means the assessed packets are not random. As established by Mousavi and St-Hilaire (2015), randomness of the packets is mainly an indicator of benign behavior. The entropy-based detection strategy is therefore considered better than other strategies for identifying and classifying DDoS attacks for several reasons, including the fact that it involves simple calculations and offers a high detection rate, high precision and a low fall-out rate.
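The windowed entropy check described above, as an added example (not code from Mousavi and St-Hilaire or any other cited study): the Shannon entropy of the destination IP field is computed over windows of 50 packets, an alarm threshold is learned from benign windows, and a window whose entropy falls below it is flagged as too concentrated to be random traffic. The sample traffic, the field names and the mean-minus-three-standard-deviations threshold are constructed assumptions.

```python
import math
import random
from collections import Counter

def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of one packet field."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def window_entropies(packets, field, window):
    """Entropy of `field` over consecutive non-overlapping windows of `window` packets."""
    return [shannon_entropy([p[field] for p in packets[i:i + window]])
            for i in range(0, len(packets) - window + 1, window)]

def baseline_threshold(benign_packets, field, window, k=3.0):
    """Alarm threshold learned from benign traffic: mean window entropy minus k std devs."""
    ents = window_entropies(benign_packets, field, window)
    mean = sum(ents) / len(ents)
    std = math.sqrt(sum((e - mean) ** 2 for e in ents) / len(ents))
    return mean - k * std

def detect(packets, field, window, threshold):
    """Return (entropies, indices of flagged windows): a window whose entropy falls
    below the threshold is concentrated on few values, i.e. not random traffic."""
    ents = window_entropies(packets, field, window)
    return ents, [i for i, e in enumerate(ents) if e < threshold]

# Constructed sample traffic (not captured data): one dict per packet with the
# fields the entropy is taken over. Benign traffic spreads over ten destinations.
def make_benign(n=200, seed=1):
    rng = random.Random(seed)
    hosts = [f"192.168.1.{h}" for h in range(10)]
    return [{"src": f"10.0.0.{i % 20}", "dst": rng.choice(hosts), "dport": 80}
            for i in range(n)]

# A flood window aims 45 of its 50 packets at one victim; five background
# packets to other hosts remain, so the window is not entirely uniform.
def make_flood(victim="192.168.1.7"):
    pkts = [{"src": f"10.0.0.{i % 20}", "dst": victim, "dport": 80} for i in range(45)]
    pkts += [{"src": f"10.0.0.{i}", "dst": f"192.168.1.{i}", "dport": 443} for i in range(5)]
    return pkts

def run_demo(window=50):
    """Learn the threshold on benign windows, then scan benign traffic followed by a flood."""
    benign = make_benign()
    threshold = baseline_threshold(benign, "dst", window)
    ents, flagged = detect(benign + make_flood(), "dst", window, threshold)
    return ents, flagged, threshold

if __name__ == "__main__":
    ents, flagged, thr = run_demo()
    print(f"threshold H(dst) = {thr:.3f}")
    for i, e in enumerate(ents):
        print(f"window {i}: H(dst) = {e:.3f} {'ALERT' if i in flagged else ''}")
```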
Koay et al. (2018) proposed an approach that extracts several attributes from packets and promptly calculates the entropy of these attributes to increase both recall and precision. David and Thomas (2019) presented a strategy for detecting anomalies through entropy, chaos assessment and the Lyapunov exponent. The strategy has two phases: the first monitors the source and destination IP addresses of incoming packets and calculates the Tsallis entropy for the two fields. Generally, the entropy-based method depends entirely on the values calculated for the traffic fields and ignores any relationship between the fields. To address this and take the relationships between the fields into account, the authors proposed a second phase that applies the Lyapunov exponent, which measures the rate at which two trajectories separate. David and Thomas (2019) validated their technique using the MIT dataset and established that their strategy had an FPR of about 0.42 and a TPR of 98.56.
Hoque, Bhattacharyya and Kalita (2016) proposed a statistics-based technique referred to as the Feature Feature Score (FFS) strategy, which they established to have two primary advantages. The first is its capability to distinguish DDoS attacks from legitimate traffic; the second is its ability to differentiate between low-rate and normal traffic. The technique has three phases. In the first, attributes of normal traffic such as the packet rate, the diversity of the source IP and the entropy of the source IP are extracted and saved as the normal traffic profile. In the second phase, the same calculations are executed for all new incoming packets. In the last phase, the strategy establishes the similarities and differences between the normal profile generated in the first phase and the profile generated in the second phase, using the deviation vector and the mean of the extracted attributes. If the value obtained in the last step is higher than a particular threshold, the assessed traffic is considered normal; otherwise there is an attack. Additionally, low and normal rates can be differentiated using a standard deviation vector, which describes the variation of the extracted attributes within a particular sampled dataset: normal samples have a predictable amount of traffic, whereas the attack sample set has an unpredictable number of samples (Hoque, Bhattacharyya and Kalita, 2016). Dong et al. (2016) employed both SPRT and entropy to detect DDoS attacks in SDN environments. The strategy was tested on a dataset sample generated with the Scapy tool, and the study established that the strategy required certain adjustments to reduce its false positive rate.
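The three FFS phases described above (normal profile, profile of the incoming traffic, comparison through mean and deviation vectors), as an added illustration rather than Hoque, Bhattacharyya and Kalita's own measure. The similarity score, its 0.5 threshold, the 10% scale floor, the burst rule that separates low-rate from high-rate attacks and the sample windows are all constructed assumptions.

```python
import math
from collections import Counter

def shannon_entropy(values):
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def features(window):
    """Feature vector of one sampled window: (packet rate, source IP diversity,
    source IP entropy), the three attributes named in the FFS description."""
    seconds, srcs = window
    return (len(srcs) / seconds, len(set(srcs)) / len(srcs), shannon_entropy(srcs))

def profile(windows):
    """Phase 1/2: mean vector and standard deviation vector over a set of windows."""
    vecs = [features(w) for w in windows]
    means = [sum(col) / len(col) for col in zip(*vecs)]
    stds = [math.sqrt(sum((x - m) ** 2 for x in col) / len(col))
            for col, m in zip(zip(*vecs), means)]
    return means, stds

def similarity(normal, test):
    """Phase 3 (constructed score in (0, 1]): 1 when the test mean vector equals
    the normal one, falling towards 0 as the per-feature deviation grows.
    Deviations are scaled by the normal std, floored at 10% of the normal mean."""
    n_mean, n_std = normal
    t_mean, _ = test
    devs = [abs(t - m) / max(s, 0.1 * abs(m), 1e-9)
            for t, m, s in zip(t_mean, n_mean, n_std)]
    return 1.0 / (1.0 + sum(devs) / len(devs))

def classify(normal, test_windows, threshold=0.5, burst_factor=3.0):
    """Above the threshold the sample is normal; below it, the std vector decides."""
    test = profile(test_windows)
    if similarity(normal, test) >= threshold:
        return "normal"
    # Constructed rule: a flagged sample whose packet-rate variation is far above
    # the normal sample's is bursty (low-rate); a steady one is a high-rate flood.
    if test[1][0] > burst_factor * max(normal[1][0], 1e-9):
        return "low-rate attack"
    return "high-rate attack"

def make_windows(rates, hosts, seconds=1.0):
    """Constructed sample windows: one window per entry of `rates` (packets per
    second), sources drawn round-robin from `hosts` constructed source labels."""
    return [(seconds, [f"src-{w}-{k % hosts}" for k in range(int(r * seconds))])
            for w, r in enumerate(rates)]

# Normal profile: about 20 packets/s from 20 distinct sources per window.
NORMAL_PROFILE = profile(make_windows([20, 21, 19, 20], hosts=20))

if __name__ == "__main__":
    print(classify(NORMAL_PROFILE, make_windows([20, 22, 19], hosts=20)))
    print(classify(NORMAL_PROFILE, make_windows([5, 60, 5, 60], hosts=3)))
    print(classify(NORMAL_PROFILE, make_windows([400, 400, 400], hosts=400)))
```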
Machine Learning-Based DDoS Attack Detection Methods
Machine learning entails applying algorithms and methods that train machines on historical dataset samples to perform detection analysis or classification of new data, and this approach is applicable to DDoS detection. For instance, Polat, Polat and Cetin (2020) proposed a technique for detecting DDoS attacks in SDNs in which they extracted the essential features from SDN dataset samples with and without DDoS attacks and saved the results in a new dataset. Polat, Polat and Cetin (2020) then tested the new dataset with the attributes and the old dataset sample without the features on several distinct machine learning strategies to establish their detection capabilities. The authors applied the K-nearest neighbor (KNN) and naive Bayes (NB) classification strategies and the artificial neural network (ANN) and support vector machine (SVM) techniques. Based on the results, the authors established that the KNN classifier had the best detection results, at approximately 98.3%.
Abreu Maranhão et al. (2020) suggested a new two-stage technique for identifying DDoS attacks. The first phase filters out the mean values of common attributes from the dataset using higher-order singular value decomposition (HOSVD). The output of the first phase is then used as input to machine learning strategies that decide whether an anomaly is present. They used the CICIDS2017 and CICDDoS2019 dataset samples in their assessment and established that the precision of their proposed detection technique was roughly 98.94%, its detection rate approximately 97.7%, and its false positive rate about 4.35%.
However, machine learning algorithms can be vulnerable to adversarial examples (Taheri et al., 2020). Generally, adversarial examples are formed by adding subtle perturbations to the training dataset to mislead the machine learning model and prevent it from making the right decisions. This can also be achieved through several other strategies, such as altering the training set, creating a backdoor anomaly in the training stage, and inserting poisoning anomalies into the training dataset. Taheri, Javidan and Pooranian (2021) proposed a two-phase defense strategy for identifying anomalies arising from adversarial examples within the dataset. They assessed their technique on distinct dataset samples and established that the detection rate improved to 50% when they used the generative adversarial network (GAN) approach. Further, Taheri, Javidan and Pooranian (2021) suggested two strategies for protecting mobile applications in the IoT environment against adversarial anomalies aimed at a malware detection system. The first strategy is a combination of the ConvNet (CNN) and nearest neighbor (C4C) techniques; the other is Robust-NN. They established that the precision metrics increased to about 95% and 96% when they applied their detection strategies.
Deep Learning-Based DDoS Detection Method
Deep learning is a form of machine learning; however, it mainly uses intricate techniques inspired by how the human brain functions. The technique can handle very large amounts of unstructured data and generate precise output without being told which features to assess. Nonetheless, users are required to convert unstructured data into structured data, and the data take a long time to process in machine learning. Nazih et al. (2020) proposed a strategy for detecting DDoS anomalies based on token embedding to enhance the attributes extracted from Session Initiation Protocol (SIP) messages in VoIP. The study also discussed recurrent neural networks (RNNs), a deep learning approach that they designed to classify the DDoS anomalies; the features extracted in the previous phase provided the required input for their RNNs. The research established that the proposed strategy can be performed within a short time and had a higher detection precision. Wang and Liu (2020) suggested a technique based on a combination of data entropy and deep learning for detecting DDoS attacks in SDNs. The proposed technique is a two-level detection system in which the first level is performed by the SDN controller, which filters all suspicious packets by calculating the entropy of the significant fields of these packets in order to improve precision. The second phase uses the deep learning method, the convolutional neural network (CNN) approach, to separate legitimate traffic from malicious traffic. This strategy can also be applied to image classification; in this research, Wang and Liu (2020) converted the packets into images and then used the CNN to detect the DDoS anomalies. The study established that the precision of this method in detecting DDoS attacks is about 98.99% (Wang and Liu, 2020).
References
Kumar, R., Kumar, P., Tripathi, R., Gupta, G.P., Kumar, N. and Hassan, M.M., 2021. A privacy-preserving-based secure framework using blockchain-enabled deep-learning in cooperative intelligent transport system. IEEE Transactions on Intelligent Transportation Systems.
Thamilarasu, G. and Chawla, S., 2019. Towards deep-learning-driven intrusion detection for the internet of things. Sensors, 19(9), p.1977.
Vaccari, I., Aiello, M. and Cambiaso, E., 2020. Slowtt: A slow denial of service against iot networks. Information, 11(9), p.452.
Chawla, S. and Thamilarasu, G., 2018, April. Security as a service: real-time intrusion detection in internet of things. In Proceedings of the Fifth Cybersecurity Symposium (pp. 1-4).
Huda, S., Miah, S., Yearwood, J., Alyahya, S., Al-Dossari, H. and Doss, R., 2018. A malicious threat detection model for cloud assisted internet of things (CoT) based industrial control system (ICS) networks using deep belief network. Journal of Parallel and Distributed Computing, 120, pp.23-31.
Ioulianou, P., Vasilakis, V., Moscholios, I. and Logothetis, M., 2018. A signature-based intrusion detection system for the Internet of Things. Information and Communication Technology Forum.
Keshk, M., Turnbull, B., Moustafa, N., Vatsalan, D. and Choo, K.K.R., 2019. A privacy-preserving-framework-based blockchain and deep learning for protecting smart power networks. IEEE Transactions on Industrial Informatics, 16(8), pp.5110-5118.
Jan, S.U., Ahmed, S., Shakhov, V. and Koo, I., 2019. Toward a lightweight intrusion detection system for the internet of things. IEEE Access, 7, pp.42450-42471.
Deshmukh-Bhosale, S. and Sonavane, S.S., 2019. A real-time intrusion detection system for wormhole attack in the RPL based Internet of Things. Procedia Manufacturing, 32, pp.840-847.
Manavi, M.T., 2018. Defense mechanisms against distributed denial of service attacks: A survey. Computers & Electrical Engineering, 72, pp.26-38.
Mousavi, S.M. and St-Hilaire, M., 2015, February. Early detection of DDoS attacks against SDN controllers. In 2015 International Conference on Computing, Networking and Communications (ICNC) (pp. 77-81). IEEE.
Koay, A., Chen, A., Welch, I. and Seah, W.K., 2018, January. A new multi classifier system using entropy-based features in DDoS attack detection. In 2018 International Conference on Information Networking (ICOIN) (pp. 162-167). IEEE.
David, J. and Thomas, C., 2019. Efficient DDoS flood attack detection using dynamic thresholding on flow-based network traffic. Computers & Security, 82, pp.284-295.
Hoque, N., Bhattacharyya, D.K. and Kalita, J.K., 2016, January. A novel measure for low-rate and high-rate DDoS attack detection using multivariate data analysis. In 2016 8th International Conference on Communication Systems and Networks (COMSNETS) (pp. 1-2). IEEE.
Dong, P., Du, X., Zhang, H. and Xu, T., 2016, May. A detection method for a novel DDoS attack against SDN controllers by vast new low-traffic flows. In 2016 IEEE International Conference on Communications (ICC) (pp. 1-6). IEEE.
Polat, H., Polat, O. and Cetin, A., 2020. Detecting DDoS attacks in software-defined networks through feature selection methods and machine learning models. Sustainability, 12(3), p.1035.
Abreu Maranhão, J.P., Carvalho Lustosa da Costa, J.P., Pignaton de Freitas, E., Javidi, E. and Timóteo de Sousa Júnior, R., 2020. Error-Robust Distributed Denial of Service Attack Detection Based on an Average Common Feature Extraction Technique. Sensors, 20(20), p.5845.
Taheri, R., Javidan, R., Shojafar, M., Vinod, P. and Conti, M., 2020. Can machine learning model with static features be fooled: an adversarial machine learning approach. Cluster Computing, 23(4), pp.3233-3253.
Taheri, R., Javidan, R. and Pooranian, Z., 2021. Adversarial android malware detection for mobile multimedia applications in IoT environments. Multimedia Tools & Applications, 80(11).
Nazih, W., Hifny, Y., Elkilani, W.S., Dhahri, H. and Abdelkader, T., 2020. Countering DDoS Attacks in SIP Based VoIP Networks Using Recurrent Neural Networks. Sensors, 20(20), p.5875.
Wang, L. and Liu, Y., 2020, June. A DDoS Attack Detection Method Based on Information Entropy and Deep Learning in SDN. In 2020 IEEE 4th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC) (Vol. 1, pp. 1084-1088). IEEE.
…