IEEE Access (Jan 2022)

LSTM-Based Collaborative Source-Side DDoS Attack Detection

  • Sungwoong Yeom,
  • Chulwoong Choi,
  • Kyungbaek Kim

DOI
https://doi.org/10.1109/ACCESS.2022.3169616
Journal volume & issue
Vol. 10
pp. 44033 – 44045

Abstract

As denial-of-service attacks become more sophisticated, source-side detection techniques are being studied to overcome the limitations of target-side detection techniques, such as delayed detection and difficulty in tracking attackers. Recently, some source-side detection techniques under study use an adaptive attack detection threshold that considers the seasonal behavior of network traffic. However, because network traffic usage patterns have become irregular, with increased randomness and explosive traffic, the performance of the adaptive threshold technique has deteriorated. In addition, because of the limited local view of a single site, distributed attacks from multiple sites may not be detected. In this paper, we propose an LSTM (Long Short-Term Memory) based collaborative source-side DDoS (Distributed Denial of Service) attack detection framework that provides the attack detection result of a collaboration network in a global view. The proposed framework applies LSTM-based adaptive thresholds to each source-side network to mitigate the performance degradation caused by irregular network traffic behavior. Also, to overcome the performance limitation caused by the local view of a single source-side network, the proposed framework constructs a collaborative network of multiple detection sites and aggregates feedback from each site, such as detection rates, local traffic patterns, and timestamps. The collaborative attack detection technique uses the aggregated feedback to determine whether an attack is finally detected and shares the final detection results with the multiple sites. Depending on this final detection result, the adaptive thresholds of each site are reset. Through extensive evaluation on actual network traffic data, the proposed collaborative source-side attack detection technique shows an around 15% lower false positive rate than the single source-side attack detection technique while maintaining a high detection rate.

Keywords