DDoS attacks detection using machine learning and deep learning techniques: analysis and comparison

ABSTRACT


INTRODUCTION
Numerous significant websites have recently been subjected to outside attacks. Because they cannot afford any neglect, not even for a brief period, many large corporations and government agencies are exposed [1]-[4]. Present network services should therefore be made less susceptible to attacks, since any flaw could result in significant losses for both customers and businesses. Not all modern attacks have the same old goals of making money or obtaining sensitive information. Some are designed to halt services so that users can no longer use the intended service for as long as the attacker can sustain the attack [5]-[7].
A single botmaster can command a large number of bots (zombies) to transmit a large volume of messages that completely consume the bandwidth in a distributed denial of service (DDoS) attack [8]-[10]. The primary target of a DDoS attack is the central service point. This kind of attack happens extremely quickly. As a result, detecting DDoS attacks is a significantly better security tactic than detecting crackers. DDoS attacks, however, are also updated in tandem with the development of security measures [11]-[13]. In response to that, anomaly-based detection is thought to be more modern than signature-based detection, since the former relies solely on the detection of anomalies or anomalous behavior [14]-[16]. The main motivation of this paper is to investigate the most often used machine learning (ML) and deep learning (DL) techniques for intrusion detection systems (IDS), as well as to discuss when it is appropriate to employ each type of technique. The major contributions of this work are as follows: i) we present and analyze the related work based on ML and DL to detect DDoS attacks in detail; ii) we display the outcomes of both DL and ML methods based on IDS or DDoS attack detection; and iii) we draw attention to the clear distinctions between DL and ML methods. The remainder of this paper is structured as follows. Section 2 describes IDS and DDoS attacks in detail. We present the summaries of ML and DL approaches based on related works in sections 3 and 4, respectively. Section 5 discusses the related work based on ML and DL approaches. Finally, section 6 concludes this paper.

BACKGROUND

Intrusion detection system
A strategically designed IDS watches network traffic for signs of attacks. After gathering information from networks and watching the traffic, the IDS examines the packets to find any potential risks. The IDS can be categorized in a variety of ways, according to various studies, including Debar et al. [17] and Hindy et al. [18], who have previously developed questionnaires and taxonomies to categorize IDS. This study is based on the classification of [19], which combined a sober classification with earlier trustworthy classifications and added DL to it. Data collection is host-based, network-based, or a hybrid of the two; these three types of sources are grouped on the basis of location. IDS come in two different models. The first is signature-based IDS (SIDS), which relies on the appearance of previously known attacks; without possessing the attacks' specific signatures, this style cannot detect them. The second, anomaly-based IDS (AIDS), does not rely on known attack patterns, in contrast to the signature-based model. This paper will focus on anomaly-based IDS, which is the most effective strategy. One of AIDS's most frequently cited benefits is its capacity to identify previously unknown attacks by spotting an anomaly in network traffic. From a different angle, AIDS can be either self-learning or programmed. Self-learning AIDS is accomplished by building a model of normal operation from the network traffic accumulated over a constrained period of time [20]. More specifically, users are the ones who decide how out of the ordinary a behaviour in the system is [21].

Distributed denial of service attack
DDoS attacks currently intimidate networks since they target sensitive and significant centres. Furthermore, DDoS attacks are growing quickly, leaving little time for a proper response [22], [23]. New DDoS launch platforms, such as 0x-booter, appeared in late 2018, according to Kaspersky Lab. These services support attacks with bandwidth of up to 420 Gb/s and more than 16,000 infected bots. Due to its simplicity and low price, this platform is extremely risky: anyone can use its straightforward interface to execute one of numerous attacks against a target for only $20 to $50. Because of the low cost, attackers today do not need specialised tools or extra effort to damage their target. To put it another way, these illicit platforms that promote DDoS attacks were using internet of things (IoT) devices to conduct the attacks [24]. Additionally, a DDoS attack is simple to execute because of the IoT, which allows the Internet to pervade practically every aspect of human existence [25].

DDoS attack
DDoS attacks are currently regarded as the most dangerous assaults on the internet. DDoS attack perpetrators try to stop authorised users from using services. These attacks pose a risk due to the possibility of simultaneous attack from multiple sources; therefore, until it is blocked, it will be hard to reveal the actual IP address that causes this harm. DDoS assaults also use legitimate channels to send a large volume of messages. When this happens, the packets come from trustworthy websites, such as colleges or companies, that cannot be censored or shut down [26]. A DDoS assault is depicted simply in Figure 1. Consider the hypothetical situation where victim 'Y' has the IP address 2.2.2.2 and attacker 'X' has the IP address 1.1.1.1. Using Y's IP address, X can send request packets to example.com. X then requests information from example.com, such as "tell me all you know about Z", in addition to saying "hello". Following that, example.com will send Y's IP address a large amount of information that the attacker does not actually need. Additionally, X can request that example.com, example1.com and example2.com each send Y's IP address a massive data set that is larger than Y's actual storage space. One outcome is that Y might not be able to respond to inquiries or carry out its duties [27]. Figure 2 illustrates the types of DDoS attacks with their examples.
DDoS assaults typically fall into one of three categories: i) volume-based attacks, which flood a target with a large volume of traffic in an effort to exhaust its bandwidth; ii) protocol-based attacks, which exploit a layer 3 or layer 4 vulnerability by consuming the processing power of the target or of intermediate critical resources such as a firewall, which can result in service interruption; and iii) application layer attacks, which connect to the victim in a seemingly legitimate way to exploit a layer 7 vulnerability, using transactions and monopolising processes to overtax the server's resources.

MACHINE LEARNING BASED FOR IDS
Because a signature-based IDS takes a long time to develop, test, and deploy every time an unexpected assault happens, there is an urgent need to rely on less human-reliant solutions in IDS. By offering a system that can learn from data and deliver predictions about unseen data using what it has learnt, anomaly-based IDS built on ML technology provides a solution to this problem [28]. The most typical uses of ML techniques are covered in the subsections that follow. Additionally, a description of each approach used in IDS is given along with recent relevant publications [29]. The several types of ML-based IDS are shown in Figure 3. Table 1 lists the method and advantage of the ML approaches in detail.

Naive Bayes
The classification procedure is carried out using this technique, which is based on Bayesian networks. Naive Bayes (NB) is regarded as the simplest and most straightforward method for creating classifiers. The classifiers assign class labels to problem instances, which are represented as vectors of feature values, and the class labels are drawn from a finite set. Fadhil et al. [30] suggested a method for DDoS attack detection that statistically analyses network traffic using NB. The NB classifier was also used in [31] as a properly designed, practically implemented model for DDoS attack detection, anticipated to function in conjunction with an IDS to forecast the occurrence of DDoS attacks.

Table 1. Method and advantage of ML approaches
Author | Method | Advantage
Ye et al. [32] | Extraction of the switch flow table's 6-tuple characteristic values, followed by the creation of a DDoS attack detection model | Useful for identifying DDoS attacks in software defined networking (SDN)
Lucky et al. [33] | Deployed in low-cost settings for effective, speedy detection and mitigation of DDoS attacks | The design is examined, and the findings demonstrate that the new architecture adds no extra burden to the monitored network
Putri et al. [34] | On the ISCX testbed dataset, Snort finds up to 42 alerts of a DoS assault | Because of the disparity in accuracy between value and the clustering tool WEKA, mneg-cluster data packets are randomly chosen from a data value pack and used to calculate the centroid's value
Chaudhary and Shrimal [35] | The goal of this study is to create a genetic algorithm-based IDS for DDoS attacks in MANETs | According to the implementation results, the suggested IDS, which is based on evolutionary algorithms, can effectively identify DDoS attacks on MANETs
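The NB classifier described above, as an added example that is not code from any of the cited papers: a Gaussian Naive Bayes model trained on constructed per-source flow aggregates (packets per second, mean bytes per packet, SYN-only ratio; the feature set and all values are assumptions), showing that a busy but legitimate server is not flagged on packet rate alone.

```python
"""Gaussian Naive Bayes classifier for per-source DDoS flow detection.
Added example, not code from the surveyed papers; flow aggregates are constructed:
(packets per second, mean bytes per packet, fraction of SYN-only packets).
"""
import math
from collections import defaultdict

# Constructed training data: (packets/s, mean bytes/pkt, SYN-only ratio, label)
TRAINING_FLOWS = [
    (12.0, 620.0, 0.05, "benign"),
    (30.0, 540.0, 0.08, "benign"),
    (8.0, 900.0, 0.03, "benign"),
    (45.0, 480.0, 0.10, "benign"),
    (20.0, 700.0, 0.06, "benign"),
    (9000.0, 60.0, 0.97, "ddos"),
    (15000.0, 64.0, 0.99, "ddos"),
    (7000.0, 58.0, 0.95, "ddos"),
    (12000.0, 70.0, 0.98, "ddos"),
    (20000.0, 62.0, 0.99, "ddos"),
]


class GaussianNB:
    """Class priors from label counts; one Gaussian per (class, feature) pair."""

    def __init__(self, var_smoothing=1e-6):
        self.var_smoothing = var_smoothing  # keeps every variance strictly positive
        self.priors, self.means, self.vars = {}, {}, {}

    def fit(self, rows):
        by_class = defaultdict(list)
        for *features, label in rows:
            by_class[label].append(features)
        for label, vectors in by_class.items():
            n = len(vectors)
            cols = list(zip(*vectors))
            self.priors[label] = n / len(rows)
            self.means[label] = [sum(c) / n for c in cols]
            self.vars[label] = [
                sum((x - m) ** 2 for x in c) / n + self.var_smoothing
                for c, m in zip(cols, self.means[label])
            ]
        return self

    def log_posterior(self, features):
        """Unnormalised log P(class | features) under the feature-independence assumption."""
        scores = {}
        for label, prior in self.priors.items():
            s = math.log(prior)
            for x, m, v in zip(features, self.means[label], self.vars[label]):
                s += -0.5 * math.log(2 * math.pi * v) - (x - m) ** 2 / (2 * v)
            scores[label] = s
        return scores

    def predict(self, features):
        scores = self.log_posterior(features)
        return max(scores, key=scores.get)


def classify_flows(flows, model=None):
    """Label each (packets/s, bytes/pkt, SYN ratio) tuple as 'benign' or 'ddos'."""
    model = model or GaussianNB().fit(TRAINING_FLOWS)
    return [model.predict(list(f)) for f in flows]


if __name__ == "__main__":
    # A busy but legitimate server (high rate, large packets, few SYNs) stays benign.
    for flow in [(25.0, 650.0, 0.07), (200.0, 800.0, 0.05), (11000.0, 61.0, 0.98)]:
        print(flow, "->", classify_flows([flow])[0])
```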

Support vector machine
Vapnik was the first to suggest the support vector machine (SVM), and since then it has shown excellent outcomes, garnering more interest in ML research. SVM can perform regression and classification using supervised learning [36]. A dataset that includes the DDoS assault was produced by Subbulakshmi et al. [37], who subsequently worked to identify this attack using enhanced support vector machines (ESVM). By merging SVM classification techniques, Ye et al. [32] created a model for DDoS attack detection in 2018.

Decision tree
One of the most popular and basic methods used in data mining and ML is the decision tree. The target category of an observation is determined from its attributes using a decision tree as the decision mechanism; as a result, it categorises data in accordance with the previously learnt dataset [38]. A decision tree-based method was created by Zekri et al. [39] for automatically and successfully identifying signature-based DDoS flooding assaults. An ML model capable of learning from assault patterns according to both anomaly-based and signature-based DDoS attack detection was also created in [32], taking advantage of both of their advantages.

Artificial neural network
In order to execute computational tasks, a set of basic neurons was originally introduced to the artificial neural network (ANN) in 1943 by McCulloch and Pitts. These neurons functioned identically to biological neurons, and the networks resembled biological ones [40]. In order to identify and mitigate known and unknown DDoS attacks in a real-time setting, Saied et al. [41] developed a model. Within the framework of [42], the authors created a paradigm for threat assessment of the IoT utilising ANN to counter these attacks.

K-means clustering
One of the most popular methods for dividing a dataset into K groups is clustering. After first identifying the K initial cluster centres, this approach refines them as each case in the data set is assigned to the nearest cluster centre. To identify DDoS attacks in unknown sessions, Hao et al. [43] developed a detection algorithm. The authors of [33] suggested a method for identifying DDoS attacks using the K-means clustering algorithm, and they attained a 97.83% accuracy rate.
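The K-means approach described above, and the self-learning AIDS idea from section 2, as an added example that is not code from the cited papers: k=2 clustering of constructed, unlabelled per-source traffic aggregates with standardised features, treating the higher-rate cluster as the flood; the feature set and all values are assumptions.

```python
"""K-means (k=2) on per-source traffic aggregates, flagging the flood cluster.
Added example, not code from the surveyed papers. Flow records are constructed:
(packets per second, mean bytes per packet, SYN-only ratio); no labels are used.
"""
import math

# Constructed, unlabelled per-source aggregates captured over one window.
FLOWS = [
    (14.0, 610.0, 0.04),
    (9500.0, 60.0, 0.98),
    (27.0, 560.0, 0.09),
    (11.0, 880.0, 0.02),
    (16500.0, 66.0, 0.99),
    (40.0, 500.0, 0.11),
    (7200.0, 58.0, 0.96),
    (22.0, 720.0, 0.06),
    (13000.0, 62.0, 0.97),
    (180.0, 810.0, 0.05),  # busy but legitimate server
]


def zscore(rows):
    """Standardise each feature so packets/s does not dominate the distance."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return [[(x - m) / s for x, m, s in zip(r, means, stds)] for r in rows]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def farthest_first(points, k):
    """Deterministic seeding: start at the first point, then add the farthest point each time."""
    centroids = [list(points[0])]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(dist(p, c) for c in centroids))
        centroids.append(list(far))
    return centroids


def kmeans(points, k=2, max_iter=100):
    """Lloyd's algorithm: assign to nearest centroid, recompute centroids, repeat until stable."""
    centroids = farthest_first(points, k)
    labels = None
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for j in range(k):
            members = [p for p, l in zip(points, labels) if l == j]
            if members:  # keep the old centroid if a cluster empties out
                centroids[j] = [sum(c) / len(members) for c in zip(*members)]
    return labels, centroids


def detect_ddos_sources(flows):
    """Return one boolean per flow: True if it falls in the highest-rate cluster."""
    labels, centroids = kmeans(zscore(flows), k=2)
    attack = max(range(2), key=lambda j: centroids[j][0])  # feature 0 = packets/s
    return [label == attack for label in labels]


if __name__ == "__main__":
    for flow, flagged in zip(FLOWS, detect_ddos_sources(FLOWS)):
        print(flow, "-> flood" if flagged else "-> benign")
```

An operator would still review the flagged cluster before acting on it, since the method only separates traffic profiles and does not know which one is hostile.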

Fuzzy logic
This method was developed using fuzzy set theory, whose reasoning, based on conventional predicate logic, is approximate rather than precise. In order to distinguish malicious packets from legitimate traffic and take appropriate action to prevent DDoS attacks, Iyengar and Ganapathy [44] developed a fuzzy logic model based on a set of predetermined rules. A mechanism for anticipating and detecting DDoS assaults in IEEE 802.15.4 was developed by Balarengadurai and Saraswathi [45] utilising a fuzzy logic algorithm.

Genetic algorithms
One of the most common ML methods based on evolutionary concepts is the genetic algorithm. To put it more plainly, this method approaches problem-solving much like a biological process does [46]. A method based on evolutionary algorithms for DDoS attack detection in mobile ad hoc networks was proposed by Chaudhary and Shrimal [34] in 2019. A scalable, real-time traffic-mode analysis based on [47] was proposed for the detection and mitigation of DDoS assaults on the Hadoop distributed processing infrastructure.

DEEP LEARNING BASED FOR IDS
As an early technique to identify aberrant behaviour in a network, ML-based intrusion detection methods were criticised for their shortcomings, including low throughput and high false positive rates. Hodo et al.'s study of intrusion detection technologies [19] demonstrated that deep networks offer benefits over traditional ML-based detection. Taking inspiration from the human brain, the layers of a hierarchical network are trained greedily, one layer at a time, using unsupervised learning. Other methods that rely on the fundamentals of DL have been developed since the discovery of deep networks. Deep network architectures have typically been divided into two categories: generative architecture and discriminative architecture [19]. The two primary structures and the approaches they include are shown in Figure 4. Table 2 lists the method and advantage of the DL approaches in detail.

Table 2. Method and advantage of DL approaches
Author | Method | Advantage
Tang et al. [48] | An IDS for SDNs enabled by a gated recurrent unit RNN (GRU-RNN) | The test findings demonstrate that the proposed GRU-RNN does not impair network performance
Farahnakian and Heikkonen [49] | A strategy that uses DL for IDS, built on one of the most well-known DL models, the DAE | To prevent overfitting and local optima, the proposed DAE model is trained in a greedy layer-wise manner
Elsaeidy et al. [50] | A smart city intrusion detection system based on restricted Boltzmann machines (RBMs) | The suggested method detects attacks very accurately and performs better than the classification model used without the feature learning stage
Imamverdiyev and Abdullayeva [51] | Comparison of the suggested method's accuracy on DoS attack detection with Gaussian-Bernoulli RBM, Bernoulli-Bernoulli RBM and DBN type DL approaches | The suggested multilayer deep Gaussian-Bernoulli type RBM yields higher accuracy
Liu et al. [52] | A convolutional neural network (CNN) modelling approach for intrusion detection, in which the convolution kernel is chosen and convolved with the data to extract local correlation and increase the validity and effectiveness of feature extraction | The approach raises classification accuracy for intrusion detection and recognition tasks
Mohammadpour et al. [53] | Using DL to create an efficient and adaptable network intrusion detection system (NIDS) | CNNs can be used for the learning process of IDSs

Generative architecture
The goal of generative models is to depict the existing systems graphically. These graphical representations show distributional dependence. The graphs consist of nodes and arcs: the nodes stand in for random variables, and the arcs represent the relationships between the nodes, which can have millions of parameters [54], [55]. The joint statistical distribution thus represents the product of the nodes' associated variables [56]. In addition, the graphical models contain hidden (latent) factors. Data labels are not necessary for generative model training; these models are therefore connected to unsupervised learning. For classification purposes, these models go through an unsupervised pre-training stage: the lower layers are trained separately from the other layers during pre-training, enabling the layers to be trained one at a time, starting at the bottom and working up. After pre-training, all subsequent layers are trained [56]. Deep auto-encoders (DAE), recurrent neural networks (RNN), deep belief networks (DBN) and deep Boltzmann machines (DBM) are the four sub-classes of generative models.

Recurrent neural network
Both supervised and unsupervised deep generative networks fall under this category. In order to boost model dependability, the RNN model uses an architecture with a feedback loop that links successive layers, in addition to storing the data from the most recent input [57]. An IDS was trained on KDD Cup'99 in [58] utilising an RNN with long short-term memory (LSTM) architecture. In 2018, Tang et al. [48] used RNN for IDS in SDN-based networks.

Deep auto-encoder
DAE is one of the categories of generative models. There are various variations, including the stacked auto-encoder and the denoising auto-encoder [59]. To avoid learning the identity function, the auto-encoder trains in a bottleneck structure where the hidden layer is narrower than the input layer [60].
The proposed method in [61], which relies on a DAE to detect attacks, was tested using the NSL-KDD dataset. To aid in the detection of intrusions, this experiment applied bottleneck features to the dimensionality reduction of the large amount of data. Using a DAE, Farahnakian and Heikkonen [49] developed a solution for an IDS in 2018.

Deep boltzmann machine
When trained on a large volume of unlabelled data and fine-tuned with labelled data, the DBM is one of the generative architectures that is regarded as a decent classifier. In a DBM, links exist between the input units and the hidden units but not between units on the same layer; DBM is therefore a unidirectional graphical model [62]. Deep RBM was used by Elsaeidy et al. [50] in 2019 to extract high-level features, which were then applied to the identification of various DDoS attacks; the deep RBM model's learned features proved quite useful and noteworthy. An approach to identify DoS attacks based on a deep RBM model was proposed in 2018 by Imamverdiyev et al. [51].

Deep belief networks
A DBN is created by stacking DBM with one or more hidden layers. Using labelled data, RBMs can learn a joint probability distribution of the training data; the DBN is therefore regarded as a probabilistic generative model [63]. In [64], features were selected layer by layer using the DBN technique to minimise the dimensionality of the features. The capabilities of DBN were used by Alom et al. [65] for intrusion detection; the proposed approach, evaluated on the NSL-KDD dataset, is capable of both detecting and categorising assaults.

Discriminative architecture
The second class of deep network architecture is discriminative architecture. How well such a model can classify data is determined by its discriminative power, which is obtained by describing the posterior distributions of the classes conditioned on the input data. Discriminative architecture has two subclasses: RNNs and CNNs.

Recurrent neural network
In order to convert the output of an RNN employed as a discriminative model on training data into labelled data, pre-segmentation and post-processing are necessary. When the output data explicitly follows the input data sequence and is labelled, the RNN also uses its discriminative power for classification [66].

Convolutional neural network
CNN is the second kind of discriminative deep network, consisting of several convolutional and pooling layers stacked to produce a multi-layer neural network [65], [67]. A max pooling layer should follow each convolutional layer. Finally, the fully-connected layer is formed nonlinearly by stacking the various convolutional and max pooling layers in the network [68]. KDD Cup'99 was utilised by Liu et al. [52] to test the suggested CNN-based model. A powerful and adaptable NIDS that uses CNN was proposed by Mohammadpour et al. [53] for use with the NSL-KDD dataset.

RESULTS AND DISCUSSION
In this section, we present the summaries of ML and DL approaches based on the related works mentioned in sections 3 and 4, respectively. The papers that use ML approaches to detect DDoS assaults are compiled in Table 3, while the related works based on DL techniques are summarized in Table 4. Additionally, DL and ML methodologies diverge significantly, and these differences help determine the situations in which ML or DL approaches are most appropriate. After summarising the related works based on both ML and DL methods, significant points have been identified. For instance, when the amount of data was larger, DL approaches outperformed ML techniques in terms of accuracy. The key distinctions between DL and ML are outlined in Table 5.

Table 5. Key distinctions between ML and DL
ML | DL
 | With a large amount of data, DL exhibited good accuracy and detection rates
Faster to train a model | Highly computational
More human engagement and effort are needed | Human effort and involvement are reduced
Various features and classifiers must be tried in order to get the best results | Automatically picks up classifiers and features
The output is typically a numerical value, such as a score | Anything from a score, an element, or free text can be the output

CONCLUSION
More than 25% of internet users in 2018 used IPv6 networks, according to the Internet Society. As a result, the internet will become completely dependent on IPv6 networks, particularly in light of the IoT and its enormous demand for IP addresses. This indicates that future networks' data will be larger than that of IPv4 networks. IPv6 networks are additionally quicker than IPv4 networks. As a result of the comparison in this research, DL approaches are anticipated to yield higher accuracy and detection rates in the new networks. Nevertheless, ML techniques have been fully applied to the detection of DDoS attacks, and they have produced the above-mentioned excellent results. DL methods are still thought to be the superior methods for handling larger amounts of data. Additionally, assaults have their own ever-evolving defences against IDS. DL techniques have been employed for DDoS attack detection, although not on IPv6 networks. This paper has shown the outcomes of both ML and DL strategies based on DDoS attack detection or IDS, and has emphasised the clear distinctions between DL and ML methods. In future work, we will extend this work by proposing a new model to detect DDoS attacks for IDS.