IEEE Access (Jan 2024)

UASDAC: An Unsupervised Adaptive Scalable DDoS Attack Classification in Large-Scale IoT Network Under Concept Drift

  • Saravanan Selvam,
  • Uma Maheswari Balasubramanian

DOI
https://doi.org/10.1109/ACCESS.2024.3397512
Journal volume & issue
Vol. 12
pp. 64701 – 64716

Abstract

Day by day, the number of devices in IoT networks is increasing, and concurrently, the size of botnets in IoT networks is also expanding. Currently, attackers prefer IoT-based botnets to launch DDoS attacks, as IoT devices offer a vast attack surface. Many researchers have proposed machine and deep learning-based classifiers to classify DDoS and benign network traffic in online streams from IoT devices. However, the performance of traditional machine and deep learning algorithms deteriorates when sudden concept or data drift occurs in the online streams and the volume and velocity of IoT network traffic increase. To address these challenges, we propose UASDAC, an adaptive and scalable data pipeline designed specifically to handle concept drift and detect DDoS traffic in real time in massive online streams originating from IoT devices. UASDAC incorporates three key components: an online network stream collector for data collection, an online network stream analyzer with an unsupervised drift detector for detecting drift and DDoS traffic, and an online network stream repository for storing streams for future analytics. UASDAC leverages big data technologies to implement all three components to achieve scalability. Additionally, UASDAC introduces an effective and efficient retraining technique to adapt to novel patterns in online streams in the presence of concept drift. We evaluated the performance of UASDAC in different concept drift scenarios using the benchmark dataset NSL-KDD and the latest IoT dataset IoT23. Our results demonstrate that UASDAC effectively identifies DDoS traffic in the presence of concept drift, achieving an accuracy range of 99.7% to 99.9%.

Keywords