SALVA DANESHGADEH ÇAKMAKÇI, A NOVEL ONLINE APPROACH TO DETECT DDOS ATTACKS USING MAHALANOBIS DISTANCE AND KERNEL-BASED LEARNING

PhD Candidate: SALVA DANESHGADEH ÇAKMAKÇI 
Program: Information Systems
Date: 22.11.2019 10:00
Place: Conference Hall 1

Abstract: Distributed denial-of-service (DDoS) attacks are constantly evolving as the computer and networking technologies and attackers’ motivations are changing. In recent years, several supervised DDoS detection algorithms have been proposed. However, these algorithms require a priori knowledge of the classes and cannot automatically adapt to the frequently changing network traffic trends. This emphasizes the need for the development of new DDoS detection mechanisms that target zero-day and sophisticated DDoS attacks. To fulfill this need, an online sequential DDoS detection scheme that is suitable for use with multivariate data was proposed. The proposed algorithm utilizes a kernel-based learning algorithm, the Mahalanobis distance, and a chi-square test. The algorithm is fully automated and does not require a pre-defined setting of any thresholds or baseline normal network traffic for training. Initially, four entropy-based and four statistical features were extracted from network flows as detection metrics per minute. Then, the kernel-based learning algorithm was employed to detect entropy-based input feature vectors that were suspected to be DDoS. This algorithm assumes no model for network traffic or DDoS; then, it constructs and adapts a Dictionary of features that approximately span the subspace of normal behavior. Every T minutes, the Mahalanobis distance between suspicious vectors and the distribution of Dictionary members is measured. Subsequently, the chi-square test is used to evaluate the Mahalanobis distance. The proposed DDoS detection scheme was applied to the CICIDS2017 dataset and the performance of the algorithm was measured using different performance metrics including accuracy, recall, precision and ROC-Curve. Finally, the results were compared with those by existing algorithms. It was demonstrated that the proposed online detection scheme outperforms almost all available DDoS classification algorithms with an offline learning process.