
Deployable Machine Learning for DDoS Defense
Explore the innovative approach of utilizing machine learning for detecting and classifying Distributed Denial-of-Service (DDoS) attacks, focusing on explainability and adaptability. The method proposed enhances DDoS prevention and mitigation by employing a modified k-nearest neighbors algorithm for threat detection and fine-grained traffic classification. This approach ensures efficiency through grid-based risk degree sorting and k-dimensional tree partitioning, offering a highly explicable and adaptive solution for DDoS security.
Presentation Transcript
MLHat: The First International Workshop on Deployable Machine Learning for Security Defense
Toward Explainable and Adaptable Detection and Classification of Distributed Denial-of-Service Attacks
Yebo Feng, Jun Li
University of Oregon
{yebof, lijun}@cs.uoregon.edu
Distributed Denial-of-Service (DDoS) attack
Distributed Denial-of-Service (DDoS) attacks, by attacking (e.g., flooding) the bandwidth or resources of a victim (e.g., a web server) on the Internet from multiple compromised systems (e.g., a botnet), disrupt the services of the victim and make it unavailable to its legitimate users. The key to effectively preventing and mitigating DDoS attacks is prompt and accurate DDoS detection and classification.
Detection & classification of DDoS
Decades of research and industry efforts have led to a myriad of DDoS detection and classification approaches. Nowadays, many researchers have begun to harness machine learning to classify DDoS attacks. However, such methods have two drawbacks:
1. The prediction results are inexplicable. An unexplainable result may lead to unexpected collateral damage when conducting access control.
2. Learning-based methods are not adaptive. A model trained in one environment cannot easily be applied to another environment.
Overview of our work
In this paper, we propose a learning-based DDoS traffic detection and classification method.
1. It utilizes a modified k-nearest neighbors algorithm to detect DDoS threats.
2. It then conducts fine-grained traffic classification using risk degree sorting with grids.
3. To improve efficiency, we use a k-dimensional tree to partition the searching space, shortening the time for queries significantly.
Compared with previous learning-based approaches, this method is highly explicable and adaptive.
Methodology
Our approach has two phases: DDoS detection and classification. It monitors the traffic in batches, where each batch t is a uniform time bin. During each batch t, our approach extracts features to form a traffic profile S (a vector of feature values describing the whole batch) and inputs it into the detection module. In the classification phase, our approach generates a per-source traffic profile p (a vector of feature values) for each source IP and determines whether that source is malicious according to its features.
Phase one: detection of DDoS traffic
We use the k-nearest neighbors (KNN) algorithm to detect DDoS traffic. Although it takes no time to train the model, a prediction requires O(n log n) time to complete. Hence, we leverage a KD tree to partition the searching space, reducing the number of data points to enumerate. Furthermore, our approach generates a decision-tree-like structure out of the KD tree, reducing the time complexity of traffic monitoring to nearly O(d).
[Figure: the detection pipeline over a two-feature space (feature 1, feature 2) with split thresholds f1 and f2: build the KNN searching space, KD tree partition, tree generation and pruning (branches feature 2 < f1 / > f1 and feature 1 > f2 / < f2), area scan, searching. Regions are labelled confirmed area (benign), confirmed area (malicious) and unconfirmed area; points are benign profiles and malicious profiles.]
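As an added illustration of this phase (example code written for this page, not the authors' implementation), the following Python indexes z-scored time-bin profiles in a KD tree and answers a KNN query with splitting-plane pruning. The training profiles, the four features and the k=3 vote are all constructed assumptions; the returned neighbour list doubles as the explanation of a verdict, and a brute-force reference is included to confirm that pruning loses nothing.

```python
import heapq
import itertools
import math
import statistics

# Constructed training profiles, one per time bin (not the paper's data).
# Feature order: [packets/s, SYN fraction, distinct source IPs, mean bytes per packet]
TRAIN = [
    ([1200, 0.05, 40, 800], "benign"),
    ([1500, 0.07, 55, 750], "benign"),
    ([900, 0.04, 30, 900], "benign"),
    ([1800, 0.06, 60, 700], "benign"),
    ([90000, 0.95, 5000, 60], "malicious"),
    ([120000, 0.97, 8000, 64], "malicious"),
    ([70000, 0.90, 3500, 70], "malicious"),
    ([150000, 0.98, 9500, 60], "malicious"),
]


class Scaler:
    """Per-feature z-score scaling so that packets/s does not dominate the distance."""

    def __init__(self, rows):
        cols = list(zip(*rows))
        self.mean = [statistics.fmean(c) for c in cols]
        self.std = [statistics.pstdev(c) or 1.0 for c in cols]

    def transform(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mean, self.std)]


class KDNode:
    __slots__ = ("point", "label", "axis", "left", "right")

    def __init__(self, point, label, axis, left, right):
        self.point, self.label, self.axis = point, label, axis
        self.left, self.right = left, right


def build_kdtree(items, depth=0):
    """Split at the median of the axis that cycles with depth."""
    if not items:
        return None
    axis = depth % len(items[0][0])
    items = sorted(items, key=lambda it: it[0][axis])
    mid = len(items) // 2
    point, label = items[mid]
    return KDNode(point, label, axis,
                  build_kdtree(items[:mid], depth + 1),
                  build_kdtree(items[mid + 1:], depth + 1))


def knn_query(root, q, k):
    """k nearest (distance, label) pairs to q. A subtree on the far side of a
    splitting plane is skipped when the plane is farther than the current k-th
    best distance; that pruning is what makes the search sublinear."""
    best = []                      # max-heap via negated distance
    tiebreak = itertools.count()   # keeps heap entries comparable on equal distance

    def visit(node):
        if node is None:
            return
        d = math.dist(q, node.point)
        if len(best) < k:
            heapq.heappush(best, (-d, next(tiebreak), node.label))
        elif d < -best[0][0]:
            heapq.heapreplace(best, (-d, next(tiebreak), node.label))
        diff = q[node.axis] - node.point[node.axis]
        near, far = (node.left, node.right) if diff < 0 else (node.right, node.left)
        visit(near)
        if len(best) < k or abs(diff) < -best[0][0]:
            visit(far)

    visit(root)
    return sorted((-nd, label) for nd, _, label in best)


def brute_force_knn(items, q, k):
    """Reference used to check that the KD-tree pruning loses nothing."""
    return sorted((math.dist(q, p), label) for p, label in items)[:k]


class DDoSDetector:
    """Phase one: scale the training profiles, index them in a KD tree and label
    a new time-bin profile by majority vote of its k nearest neighbours."""

    def __init__(self, train, k=3):
        self.k = k
        self.scaler = Scaler([x for x, _ in train])
        self.items = [(self.scaler.transform(x), y) for x, y in train]
        self.tree = build_kdtree(self.items)

    def predict(self, profile):
        neighbours = knn_query(self.tree, self.scaler.transform(profile), self.k)
        votes = {}
        for _, label in neighbours:
            votes[label] = votes.get(label, 0) + 1
        # The neighbour list is the explanation: which known profiles carried the vote.
        return max(votes, key=votes.get), neighbours
```

Calling `DDoSDetector(TRAIN).predict([100000, 0.96, 6000, 62])` returns the label `"malicious"` together with the three scaled distances and labels that produced it, which is the explainability the slides ask for: an operator can see exactly which known profiles the verdict rests on before acting on it.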
Phase two: DDoS classification
Design philosophy: the traffic profile is currently in a malicious position, and we need to conduct access control on some of the sources so that the traffic profile can return to a benign area.
First step: calculate the shortest distance p from the current position to a benign area.
[Figure: a traffic profile for inference plotted over feature 1 and feature 2, with the shortest path p from its current position to the benign area and grid boundaries f1, f2, f3.]
We conduct the classification of malicious sources by building traffic profiles for each IP address. Then, we mark IPs as malicious in a particular order (according to p) until the overall traffic profile returns to a benign area. We also need to minimize the impact on the other features of the overall traffic profile S when determining the malicious IPs. We consider this an optimization problem with two constraints.
Deriving the optimal solution of this optimization problem is expensive. We conduct grid partitioning on the searching space to accelerate the IP classification; it yields a near-optimal solution.
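To make the classification step concrete, here is an added Python example (not the paper's code) that runs the greedy, grid-accelerated procedure on a constructed one-second bin of per-source records. The benign area is assumed to be an axis-aligned box over the overall features, the shortest path p is the clamp of S onto that box, each source's risk degree is the projection of its per-source profile against p and is evaluated once per grid cell, and sources are marked malicious cell by cell until S re-enters the box. The box bounds, feature set, grid resolution and sample sources are all assumptions.

```python
import math
from collections import defaultdict

# Constructed per-source records for one 1-second bin: ip -> (packets, SYN packets, bytes).
# The 10.0.0.x hosts are ordinary clients; the 198.51.100.x hosts send a SYN flood.
SOURCES = {
    "10.0.0.1": (400, 20, 320000),
    "10.0.0.2": (300, 15, 270000),
    "10.0.0.3": (500, 25, 350000),
    "10.0.0.4": (250, 10, 200000),
    "10.0.0.5": (350, 20, 280000),
    "198.51.100.10": (20000, 19800, 1200000),
    "198.51.100.11": (18000, 17900, 1080000),
    "198.51.100.12": (22000, 21800, 1320000),
    "198.51.100.13": (15000, 14900, 900000),
}

# Assumed stand-in for the confirmed benign area of the detection phase: an axis-aligned
# box over the overall features [packets/s, SYN fraction, distinct sources, bytes/packet].
BENIGN_LO = [200, 0.0, 2, 500]
BENIGN_HI = [5000, 0.15, 200, 1500]
SHARED = (0, 1, 3)  # per-source profiles carry packets, SYN fraction and bytes/packet
GRID = 10           # grid cells per benign-box width on each axis


def overall_profile(sources):
    """Traffic profile S of the whole bin."""
    pkts = sum(p for p, _, _ in sources.values())
    syns = sum(s for _, s, _ in sources.values())
    byts = sum(b for _, _, b in sources.values())
    if pkts == 0:
        return [0.0, 0.0, 0.0, 0.0]
    return [float(pkts), syns / pkts, float(len(sources)), byts / pkts]


def source_profile(rec):
    """Traffic profile p of one source IP."""
    pkts, syns, byts = rec
    return [float(pkts), syns / pkts, byts / pkts] if pkts else [0.0, 0.0, 0.0]


def shortest_path(S):
    """Vector from S to the closest point of the benign box (per-axis clamp)."""
    return [min(max(s, lo), hi) - s for s, lo, hi in zip(S, BENIGN_LO, BENIGN_HI)]


def is_benign(S):
    return all(v == 0 for v in shortest_path(S))


def classify(sources):
    """Mark sources as malicious in descending risk degree until the overall
    profile re-enters the benign area. Returns (blocked IPs in order, final S)."""
    S = overall_profile(sources)
    if is_benign(S):
        return [], S
    scale = [hi - lo for lo, hi in zip(BENIGN_LO, BENIGN_HI)]
    # Unit direction of the shortest path, restricted to the per-source features.
    path = shortest_path(S)
    u = [path[i] / scale[i] for i in SHARED]
    norm = math.sqrt(sum(v * v for v in u)) or 1.0
    u = [v / norm for v in u]

    # Grid partition of the per-source space: every source falls into one cell and
    # the risk degree is evaluated once per cell rather than once per source.
    cells = defaultdict(list)
    for ip, rec in sources.items():
        q = source_profile(rec)
        key = tuple(int(q[j] / scale[i] * GRID) for j, i in enumerate(SHARED))
        cells[key].append(ip)

    def cell_risk(key):
        # Risk degree: how far the cell centre points against the path back to benign.
        centre = [(k + 0.5) / GRID for k in key]
        return -sum(ui * c for ui, c in zip(u, centre))

    blocked, remaining = [], dict(sources)
    for key in sorted(cells, key=cell_risk, reverse=True):
        for ip in cells[key]:
            del remaining[ip]
            blocked.append(ip)
            S = overall_profile(remaining)
            if is_benign(S):  # stop as early as possible to limit collateral damage
                return blocked, S
    return blocked, S
```

On the constructed bin, `classify(SOURCES)` blocks the four 198.51.100.x sources, highest packet rate first, and stops before touching any 10.0.0.x client, because the aggregate profile drops back inside the box as soon as the last flooding source is removed. Checking `is_benign` after every single source rather than after every cell is what keeps the collateral damage minimal; the per-cell risk degree only fixes the order.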
Adaptability
Users do not need to retrain the proposed model to fit it to a different network environment. They can easily use some prior knowledge to refit the model:
1. If we have the traffic measurement information about the new environment, we can normalize the KNN searching space from the trained environment to the new environment according to the two networks' traffic distributions.
2. If the traffic monitoring system can obtain labeled traffic while the system is running, we can efficiently conduct online learning on the proposed model.
3. In some circumstances, the user of this method may know some incomplete threshold values or rules in the new network environment. They can then build a decision tree based on this preliminary knowledge and merge it with the trained classifier, which is itself a tree-like data structure.
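The first refit option above, as an added Python example (not the authors' code): a KNN model trained on one network's profiles is applied to a larger network where every rate feature is an order of magnitude higher. Without adjustment, a normal bin of the new network lands among the trained attack profiles; mapping it through the two networks' baseline distributions (z-score against the new baseline, re-expressed against the trained baseline) puts it back in the benign region. The profiles, the baselines and the z-score mapping are assumptions made for the example.

```python
import math
import statistics

# Constructed profiles; feature order: [packets/s, distinct source IPs/s, new flows/s].
# All three scale with the size of the network, which is what breaks a model that
# is moved between environments without adjustment.
TRAINED_NET = [
    ([1000, 40, 60], "benign"), ([1500, 55, 80], "benign"),
    ([2000, 70, 100], "benign"), ([1200, 45, 65], "benign"),
    ([80000, 5000, 6000], "malicious"), ([100000, 8000, 9000], "malicious"),
    ([60000, 3500, 4000], "malicious"), ([120000, 9500, 11000], "malicious"),
]
# Assumed "traffic measurement information": ordinary traffic observed in each network.
TRAINED_NET_BASELINE = [x for x, y in TRAINED_NET if y == "benign"]
NEW_NET_BASELINE = [[80000, 3000, 4500], [95000, 3600, 5200],
                    [110000, 4200, 6000], [100000, 3800, 5500]]
NEW_NET_BENIGN = [90000, 3400, 5000]          # a normal bin in the larger network
NEW_NET_ATTACK = [3000000, 200000, 250000]    # a flood in the larger network


def fit_stats(rows):
    """Per-feature mean and population standard deviation."""
    cols = list(zip(*rows))
    return ([statistics.fmean(c) for c in cols],
            [statistics.pstdev(c) or 1.0 for c in cols])


def zscore(x, stats):
    mean, std = stats
    return [(v - m) / s for v, m, s in zip(x, mean, std)]


def knn_predict(train, x, k=3):
    """Brute-force KNN majority vote in the z-scored space of the trained network."""
    stats = fit_stats([row for row, _ in train])
    q = zscore(x, stats)
    ranked = sorted(train, key=lambda it: math.dist(q, zscore(it[0], stats)))
    votes = {}
    for _, label in ranked[:k]:
        votes[label] = votes.get(label, 0) + 1
    return max(votes, key=votes.get)


def transfer(x, new_baseline, trained_baseline):
    """Map a profile from the new network into the trained network's feature space:
    keep its z-score relative to the new baseline and re-express it against the
    trained baseline, so 'normal here' lands on 'normal there'."""
    new_mean, new_std = fit_stats(new_baseline)
    tr_mean, tr_std = fit_stats(trained_baseline)
    return [tm + ((v - nm) / ns) * ts
            for v, nm, ns, tm, ts in zip(x, new_mean, new_std, tr_mean, tr_std)]


def predict_unadapted(x):
    """The trained model applied to the new network as-is."""
    return knn_predict(TRAINED_NET, x)


def predict_adapted(x):
    """The trained model applied after normalizing the searching space."""
    return knn_predict(TRAINED_NET, transfer(x, NEW_NET_BASELINE, TRAINED_NET_BASELINE))
```

With these inputs `predict_unadapted(NEW_NET_BENIGN)` returns `"malicious"` (a false positive that would trigger access control on ordinary traffic), while `predict_adapted` returns `"benign"` for the same bin and still `"malicious"` for `NEW_NET_ATTACK`. The mapping needs only summary statistics of the new network's normal traffic, not labeled attack data, which is what makes it a cheap refit rather than a retrain.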
Evaluation
We trained our method with four DDoS datasets (DARPA 2009, CAIDA 2007, FRGP NTP Flow Data, and DDoS Chargen 2016). The detection and classification accuracies outperform FastNetMon. It can detect and classify DDoS traffic with a delay of around 5 seconds (tested on a 50 Gbps link).
Thanks!
This project is the result of funding provided by the Science and Technology Directorate of the United States Department of Homeland Security under contract number D15PC00204. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Department of Homeland Security or the US Government.