
Detecting Distributed Denial Of Service Based On Machine Learning

Posted on: 2007-12-24
Degree: Master
Type: Thesis
Country: China
Candidate: Y Q Sun
GTID: 2178360215470273
Subject: Computer Science and Technology

Abstract/Summary:
Because of their distributed nature, Distributed Denial of Service (DDoS) attacks command more attack resources and have greater destructive power than single-point Denial of Service attacks. Detecting DDoS attacks is also very difficult, and it has recently become a hot topic in the field of network security. Because of the limitations of current intrusion detection techniques, DDoS attacks pose a great threat to Internet security, and new DDoS detection methods need to be developed.

Based on an analysis of DDoS attacks and defense technologies, this dissertation proposes a detection mechanism based on machine learning and source IP monitoring, with an emphasis on a detection model using Hidden Markov Models (HMMs) and a distributed detection mechanism based on adaptive learning. The main research work and contributions of this dissertation are as follows:

(1) The theory of HMMs is analyzed, and a DDoS detection mechanism based on HMMs and source IP address monitoring is proposed. The sequences of packets' source IP addresses, which have been analyzed as an intrinsic feature of DDoS attacks, are chosen as the characteristic description of network traffic. An IP address database is used to learn the frequent IP addresses in a normal environment, and an HMM of the normal traffic is then built on the basis of the sequences of source IP addresses. After learning in a normal environment, the HMM-based detection model can detect DDoS attacks by computing the anomaly likelihood of observation sequences of source IP addresses. Moreover, the IP address database is updated online to keep it effective.

(2) To solve the problems in a typical distributed detection mechanism for DDoS attacks, a distributed cooperative mechanism is proposed based on a distributed adaptive learning strategy. The mechanism can detect DDoS attacks based on data fusion. An adaptive learning algorithm based on evaluative rewards is used to decrease the communication costs while ensuring a high detection rate.

(3) A DDoS detection prototype system based on machine learning is designed and implemented. It consists of a detection module based on the HMM and a distributed cooperative detection mechanism based on adaptive learning. Experiments using simulated DDoS attacks demonstrated the feasibility and validity of the proposed methods.

The research work is supported by the National Natural Science Foundation of China. Compared with existing DDoS defense technologies, the proposed methods have the advantages of a high detection rate, easy deployment, and adaptive learning ability, and their applications are very promising.
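The detection step summarized in contribution (1), as an added sketch that is not code from the thesis: a database of frequent source IPs turns each packet into an observation symbol, and the forward algorithm scores windows of symbols against an HMM of normal traffic. The two-symbol encoding, the HMM parameters, the window size, the threshold and all function names are assumptions chosen for illustration.

```python
import math
from collections import Counter

# Hypothetical 2-state HMM of normal traffic; a real model would be trained.
# Observation symbols: 0 = source IP is in the database, 1 = IP not seen before.
START = [0.9, 0.1]
TRANS = [[0.95, 0.05], [0.30, 0.70]]
EMIT = [[0.98, 0.02], [0.60, 0.40]]

def build_ip_database(training_ips, min_count=2):
    """Learn the frequent source IPs observed during normal operation."""
    counts = Counter(training_ips)
    return {ip for ip, n in counts.items() if n >= min_count}

def log_likelihood(obs):
    """Scaled forward algorithm: log P(obs | normal-traffic HMM)."""
    states = range(len(START))
    alpha = [START[s] * EMIT[s][obs[0]] for s in states]
    total = 0.0
    for t in range(len(obs)):
        if t > 0:
            alpha = [sum(alpha[i] * TRANS[i][j] for i in states) * EMIT[j][obs[t]]
                     for j in states]
        scale = sum(alpha)                  # P(obs[t] | obs[:t])
        total += math.log(scale)
        alpha = [a / scale for a in alpha]  # rescale to avoid underflow
    return total

def detect(ips, database, window=10, threshold=-1.0):
    """Return start offsets of windows whose mean log-likelihood is anomalous."""
    obs = [0 if ip in database else 1 for ip in ips]
    alerts = []
    for start in range(0, len(obs) - window + 1, window):
        score = log_likelihood(obs[start:start + window]) / window
        if score < threshold:
            alerts.append(start)
    return alerts

# Constructed sample traffic (documentation address ranges, not real captures).
NORMAL = ["192.0.2.1", "192.0.2.2", "192.0.2.3"] * 20
DATABASE = build_ip_database(NORMAL)
TRAFFIC = NORMAL[:10] + [f"203.0.113.{i}" for i in range(1, 11)]

if __name__ == "__main__":
    print(detect(TRAFFIC, DATABASE))
```

Dividing by the window length makes the threshold independent of window size; the online database update mentioned in the abstract is not modeled here.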
Keywords/Search Tags: Distributed Denial of Service, Machine Learning, Hidden Markov Model, Intrusion Detection