Man-in-the-middle and denial of service attacks detection using machine learning algorithms



INTRODUCTION
The internet of things (IoT) is a concept of connecting millions of devices over the internet to exchange and share data between those devices, like sensors, mobile phones, laptops, or actuators [1], [2]. These devices can interact with each other using many different wireless communication technologies like Bluetooth, Wi-Fi, and ZigBee [1], [2]. The IoT has evolved because many technologies are converging, including commodity sensors, machine learning, embedded systems, and ubiquitous computing [3], [4]. It is affected by several types of attacks that aim to obtain and steal data, like man-in-the-middle (MTM), spyware, SQL injection, denial of service, social engineering, and ransomware [3]. The man-in-the-middle (MTM) attack is a well-known cyber-attack in which the attacker discreetly relays, and may alter, the communications between two victims who believe they are interacting directly with each other, because the attacker has placed himself between the victims [5]-[8]. Only when the attacker mimics each victim well enough to satisfy their expectations can MTM defeat mutual authentication in any network [5]-[8]. So, this attack is very dangerous if it targets a network that holds critical data on its connected devices [5]-[8]. Another well-known attack on the network is called denial of service (DoS). DoS is a cyber-attack in which the attacker attempts to render a machine or network resource inaccessible to end-users by disrupting the services of a host connected to the internet, whether permanently or temporarily [9], [10]. Denial of service is commonly carried out by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. As a result, if this attack targets a network with sensitive data on its connected devices, it is extremely dangerous [9], [10].
The contribution of this paper is to build four machine learning algorithms, which are: i) eXtreme gradient boosting; ii) random forest (RF); iii) decision tree (DT); and iv) gradient boosting, to detect two attacks using datasets obtained from the Kaggle website. These algorithms can be used to mitigate attacks and protect the connected devices in any network. After obtaining the dataset, we apply preprocessing steps like filling in the missing values and converting some columns to numerical data types, because these algorithms can only deal with numeric data. Then, we use four classification metrics to evaluate the algorithms' performance: precision, accuracy, recall, and F1-score. The remainder of this paper is as follows: section 2 presents some related work on the detection of attacks. Section 3 describes the proposed method used in this paper. Section 4 presents the experimental results and discusses them. Section 5 finally presents the conclusion of the paper and some future work.

RELATED WORK
Many researchers have studied the detection of several IoT attacks, like DoS and MTM attacks, from various sources using machine learning algorithms. This section describes the previous related work on detecting DoS and MTM attacks using different machine learning algorithms.
Rathee and Mann [11] used several machine learning algorithms as a malicious activity detector for DoS attacks. They collected a dataset over two weeks, which is called the Canadian Institute for Cybersecurity (CIC) DoS dataset (ISCX). This CIC dataset was gathered by the University of New Brunswick in Canada and contains a variety of attributes like: i) the number of sent push acknowledgment (ACK) packets in a time-window and the ratio of reset packets in a time-window; ii) the number of sent push ACK packets in a time-window; iii) the number of sent reset packets in a time-window; iv) the number of packets in a time-window; and v) the connection duration. The algorithms are random forest, DT, Gaussian Naïve Bayes, logistic regression, k-nearest neighbour, support vector machine, and linear discriminant analysis. To evaluate these algorithms, they used three evaluation metrics: accuracy (ACC), area under the receiver operating characteristic (ROC) curve (AUC), and root mean squared error (RMSE). They have shown that the random forest gave the best performance in detecting the DoS attack, as follows: ACC=0.985, AUC=0.972, and RMSE=0.030.
The study [12] used a set of classification algorithms to detect DoS attacks on the SNMP-MIB dataset. This dataset contains several kinds of records, as follows: i) hypertext transfer protocol (HTTP) flood attack; ii) normal; iii) brute force attack; iv) internet control message protocol (ICMP)-echo attack; v) user datagram protocol (UDP) flood attack; vi) slowpost attack; vii) transmission control protocol synchronize (TCP-SYN) attack; and viii) slowloris attack. Then, they used twelve machine learning algorithms: Naïve Bayes, J48, logistic model tree (LMT), random tree, logistic, Bayes net, sequential minimal optimization (SMO), multilayer perceptron, RF, instance based learning (IBK), simple logistic, Naïve Bayes updatable, and multiclass classifier. They have shown that all the algorithms except Naïve Bayes and Naïve Bayes updatable gave a high accuracy of 99.7.
The study [13] suggested a detection system to reduce and mitigate distributed denial of service (DDoS) attacks in the cloud computing environment. This system is based on a machine learning algorithm called the C4.5 algorithm, and it uses other algorithms, including Naive Bayesian and k-means, to validate the system. They collected a dataset related to DoS attacks that includes the following attributes: land, service, protocol, flag, initial time to live (TTL), and class (normal or DoS attack). They have shown that C4.5 gave a better accuracy of 98.8% in the detection of DoS attacks.
The study [15] used neural networks and machine learning methods to detect the DoS attack. They relied on many application layer protocols, including HTTP, file transfer protocol (FTP), hypertext transfer protocol secure (HTTPS), and secure shell (SSH), in addition to the CIC intrusion detection system (IDS) 2017 dataset. MLP and random forest are the algorithms employed. In comparison to MLP, which had a 99.9563% accuracy, the RF had a better accuracy.
Wu et al. [16] proposed a new technique to locate and detect the MTM attack occurring in a wireless network between two nodes. They used an RSS dataset that was acquired from a building described as densely populated metropolitan. Then they used several machine learning algorithms for the detection: support vector machine, Gaussian Naïve Bayes, and k-nearest neighbor. The results showed that Gaussian Naïve Bayes and k-nearest neighbour gave the better prediction accuracy. Jones and Kumar [17] used a deep learning algorithm called artificial neural networks (ANN) with the network simulator 2 (NS2) simulation platform to detect the MTM attack. They used a dataset with mobility patterns and various network traffic conditions for multiple attacks. They employed four evaluation metrics to evaluate the ANN model: precision, accuracy, F1-score, and recall. They found that the ANN had an accuracy rate of 88.235%. The study [18] proposed a detection model based on machine learning techniques to detect MTM in industrial control systems. They collected real-time data related to MTM that consists of many features like temp max, cntt avg, cntt stdev, temp stdev, temp min, and temp avg. The model that the system is based on is k-nearest neighbor. They have shown that the model based on k-nearest neighbor gave the best performance for detecting the MTM attack. The internet protocol (IP) spoofing man-in-the-middle classification and identification detection system was developed by the study [19] to detect the MTM. They used the MTM dataset from Kaggle, which contains the following features: protocol type, duration, service, Dst bytes, land, wrong fragment, urgent, Src bytes, flag, and hot. Then they applied a deep learning technique called the multilayer perceptron neural network, and they evaluated it using a variety of measures, including accuracy, precision, and F1-score. They showed that this algorithm could detect the MTM with an accuracy of 83%. Banerjee and Chakraborty [20] proposed a model based on a supervised machine learning technique to detect the MTM in an encrypted network. They collected data regarding the MTM from three sources: Skype (63,782 packets), YouTube (113,146 packets), and WhatsApp (19,935 packets). Then, in the identification phase, they applied three machine learning algorithms: fine tree, 3-k-nearest neighbor, and linear discriminant. The fine tree has the highest accuracy in the three sources, with 96.7%, 99.3%, and 97.2%, respectively, as shown in Table 1.
Table 1 (partial rows as recovered): [19]: accuracy is 83%; [20] (2020): fine tree, 3-K-nearest neighbour, and linear discriminant; fine tree gave the higher accuracy in three sources.

METHOD
Figure 1 shows the flow-chart of the proposed methodology to detect two well-known IoT attacks, DoS and MTM, which consists of several steps. In the first step, we collected two datasets, one for DoS and one for MTM. In the second, we applied several preprocessing steps to the collected datasets to make them more understandable for both humans and machines. In the third, we classified the MTM dataset into samples containing MTM attacks or normal samples, and the DoS dataset into samples containing DoS attacks or normal samples. In the fourth, we used several machine learning algorithms to detect MTM and DoS attacks. In the final step, we used several classification metrics to assess the performance of the algorithms. We explain the steps in more detail in the following subsections.

Dataset collection
In this paper, we used the datasets from the Kaggle website related to two well-known IoT attacks: the MTM attack and the DoS attack [1]. These datasets contain many features, and each attack has different features based on the nature of the attack, as shown in Table 2. The DoS dataset contains 643,722 samples and 23 features with labels that classify them as normal samples or DoS samples, as shown in Figure 3.

Pre-processing dataset
To make the dataset more readable and understandable, and to remove any null values, we applied two steps. In the first one, we fill the missing values in certain columns with the mean value of that column. In the second, we use the label encoder method to convert the data types of specific columns to numeric data types, because the machine learning algorithms can only deal with numeric data types. Now the dataset is ready to be used as input to the algorithms.

Machine learning models
After pre-processing, the dataset is ready to be fitted into machine learning algorithms for prediction and detection purposes. We used the hold-out method to divide each dataset into a training set (for training the model), which is 0.70 of the whole dataset, and a testing set (for assessing the algorithms' performance), which is 0.30 of the whole dataset. The number of samples in each dataset, and in its training and testing parts, is shown in Table 3. We used four well-known algorithms for IoT attack detection: eXtreme gradient boosting (XGBoost), RF, DT, and GB. In the following subsections, we present an overview of these algorithms and the parameters they use.
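As an added example, not code from the paper, the two pre-processing steps (mean imputation and label encoding) and the 70/30 hold-out split described above are written here in plain Python over a constructed handful of rows. The rows borrow the feature names listed for the Kaggle MTM dataset (protocol type, duration, Src bytes, flag) but their values, the missing entries and the function names are my own; the encoder assigns integer codes in sorted order, the way scikit-learn's LabelEncoder does, and the split shuffles once with a fixed seed so that the same partition is reproducible.

```python
import random
from statistics import mean

# Constructed sample rows (not from the paper's dataset). None marks a missing value.
SAMPLE_ROWS = [
    {"protocol_type": "tcp",  "duration": 0.0,  "src_bytes": 181.0,  "flag": "SF",   "label": "normal"},
    {"protocol_type": "udp",  "duration": 2.0,  "src_bytes": None,   "flag": "SF",   "label": "normal"},
    {"protocol_type": "tcp",  "duration": None, "src_bytes": 239.0,  "flag": "S0",   "label": "MTM"},
    {"protocol_type": "icmp", "duration": 1.0,  "src_bytes": 1032.0, "flag": "SF",   "label": "MTM"},
    {"protocol_type": "tcp",  "duration": 0.0,  "src_bytes": 235.0,  "flag": "REJ",  "label": "normal"},
    {"protocol_type": "tcp",  "duration": 5.0,  "src_bytes": None,   "flag": "S0",   "label": "MTM"},
    {"protocol_type": "udp",  "duration": 0.0,  "src_bytes": 146.0,  "flag": "SF",   "label": "normal"},
    {"protocol_type": "tcp",  "duration": 3.0,  "src_bytes": 300.0,  "flag": "RSTO", "label": "MTM"},
    {"protocol_type": "icmp", "duration": None, "src_bytes": 520.0,  "flag": "SF",   "label": "normal"},
    {"protocol_type": "tcp",  "duration": 1.0,  "src_bytes": 199.0,  "flag": "SF",   "label": "MTM"},
]

NUMERIC_COLUMNS = ("duration", "src_bytes")
CATEGORICAL_COLUMNS = ("protocol_type", "flag", "label")


def mean_impute(rows, column):
    """Step 1: replace missing (None) values in a numeric column by the column mean.
    Returns the fill value so it can be logged and reused on unseen data."""
    present = [r[column] for r in rows if r[column] is not None]
    fill = mean(present)
    for r in rows:
        if r[column] is None:
            r[column] = fill
    return fill


def label_encode(rows, column):
    """Step 2: map each distinct string value of a column to an integer code,
    assigned in sorted order. Returns the mapping so codes can be decoded later."""
    mapping = {v: i for i, v in enumerate(sorted({r[column] for r in rows}))}
    for r in rows:
        r[column] = mapping[r[column]]
    return mapping


def preprocess(rows):
    """Run both steps on a copy of the rows; returns (rows, fill_values, encoders)."""
    rows = [dict(r) for r in rows]
    fills = {c: mean_impute(rows, c) for c in NUMERIC_COLUMNS}
    encoders = {c: label_encode(rows, c) for c in CATEGORICAL_COLUMNS}
    return rows, fills, encoders


def holdout_split(rows, train_frac=0.70, seed=42):
    """Hold-out split: shuffle the row indices once with a fixed seed, then cut at train_frac."""
    order = list(range(len(rows)))
    random.Random(seed).shuffle(order)
    cut = int(round(len(rows) * train_frac))
    train = [rows[i] for i in order[:cut]]
    test = [rows[i] for i in order[cut:]]
    return train, test


if __name__ == "__main__":
    clean, fills, encoders = preprocess(SAMPLE_ROWS)
    train, test = holdout_split(clean)
    print("fill values:", fills)
    print("encoders:", encoders)
    print(f"train={len(train)} test={len(test)}")
```

The fill values and encoder mappings are returned rather than discarded because they must be computed on the training portion and then applied unchanged to the test portion (and to live traffic) to avoid leaking test statistics into the model; on ten rows the 0.70 cut gives seven training and three testing samples.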

Gradient boosting
The GB is an ensemble algorithm that was developed to solve classification and regression tasks [21], [22]. It merges several weak learners into a single strong learner. These are GB-DTs, in which each tree is run separately, producing independent forecasts, which are then combined to make the final model's prediction. The number of weak learners is determined by the number of estimators parameter [21], [22]. In classification problems like detecting the MTM attack or DoS, the model's prediction is formed by selecting the class label (MTM or normal in the MTM dataset, DoS or normal in the DoS dataset) with the most votes from all trees [21], [22]. In our experiment for both datasets, we used the following parameters of GB: i) n_estimators=100; ii) learning_rate=0.1; iii) max_depth=3; and iv) random_state=42.

eXtreme gradient boosting
The XGBoost is an ensemble model built to solve classification and regression problems [23], [24]. It combines a number of weak learners into a single strong learner. These are GB-DTs, in which each tree is run separately, producing independent forecasts, which are then combined to make the final model's prediction. Unlike GB, it uses the gradient descent technique to reduce the difference between actual and predicted results, improving speed and performance [23], [24]. In classification tasks such as predicting or detecting an MTM attack or a DoS, the model's predictions are merged by choosing the class label (MTM or normal in the MTM dataset, DoS or normal in the DoS dataset) with the most votes from all trees [23], [24]. We utilized the
ISSN: 2302-9285  Man-in-the-middle and denial of service attacks detection … (Sura Abdulmunem Mohammed Al-Juboori1)

Random forest
The RF is a supervised ensemble model comprised of many DTs created for regression and classification tasks, each of which is run individually and yields a prediction [25], [26]. In classification problems, such as predicting or detecting the MTM attack or DoS, the class with the most votes (MTM or normal in the MTM dataset, DoS or normal in the DoS dataset) becomes the model's prediction, while in regression tasks the model's prediction is computed as the average of all trees' predictions, because the label in classification is discrete while in regression it is continuous. The number of estimators supplied as a parameter to the RF model determines the number of trees [25], [26]. In our experiment for both datasets, we used the following parameters of RF: i) n_estimators=500; ii) max_features=log2; and iii) random_state=42.

Decision tree
The DT is a member of the supervised learning algorithm family, in which the model is built from a training dataset that has a class label [23], [27]. By generating a tree in order to forecast the value, DT is used to solve numerous classification and regression problems. This tree contains several parts: a root node, splitting criteria (i.e., entropy, information gain, gini index, gain ratio, reduction in variance, and chi-square), internal nodes, and leaf nodes (acting as target values) [23], [27]. The tree splits the input or training dataset (the MTM dataset and the DoS dataset), forming a root node and child nodes. This process continues in each child node until the tree has handled all the samples in the training dataset [23], [27]. In our experiment for both datasets, we used the following DT parameters: i) criterion=gini; ii) min_samples_split=2; and iii) random_state=42.
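To make the tree construction described in this subsection and the majority vote of the random forest subsection concrete, here is an added example in plain Python that is not the paper's code: a CART-style tree grown with the gini criterion and min_samples_split=2, and a bagged forest of such trees with log2 feature subsampling (the paper's n_estimators=500, max_features=log2 settings) that decides by majority vote. The sixteen toy rows, their three features (packets per window, reset ratio, connection duration) and their labels are constructed for illustration, and all function names are my own.

```python
import math
import random
from collections import Counter

# Constructed toy samples (not the paper's data): (packets_in_window, reset_ratio,
# connection_duration_s), labelled "DoS" or "normal".
X = [
    (12, 0.05, 30.0), (15, 0.02, 45.0), (9, 0.10, 12.0), (20, 0.04, 60.0),
    (18, 0.08, 25.0), (11, 0.01, 80.0), (14, 0.06, 50.0), (8, 0.03, 20.0),
    (950, 0.60, 0.2), (1200, 0.75, 0.1), (880, 0.55, 0.3), (1500, 0.80, 0.1),
    (700, 0.50, 0.4), (1100, 0.70, 0.2), (990, 0.65, 0.2), (1300, 0.90, 0.1),
]
Y = ["normal"] * 8 + ["DoS"] * 8


def gini(labels):
    """Gini impurity 1 - sum(p_k^2) over the class frequencies of a node."""
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def best_split(rows, labels, feature_indices):
    """Return (feature, threshold, score) with the lowest weighted child impurity."""
    best = (None, None, float("inf"))
    for f in feature_indices:
        values = sorted({r[f] for r in rows})
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2.0  # candidate threshold halfway between neighbouring values
            left = [l for r, l in zip(rows, labels) if r[f] <= t]
            right = [l for r, l in zip(rows, labels) if r[f] > t]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if score < best[2]:
                best = (f, t, score)
    return best


def build_tree(rows, labels, min_samples_split=2, max_features=None, rng=None):
    """Grow the tree recursively. A node becomes a leaf holding the majority class when it
    is pure, has fewer than min_samples_split samples, or no split lowers the impurity."""
    majority = Counter(labels).most_common(1)[0][0]
    if gini(labels) == 0.0 or len(rows) < min_samples_split:
        return {"leaf": majority}
    feats = list(range(len(rows[0])))
    if max_features is not None and rng is not None:
        feats = rng.sample(feats, max_features)  # random-forest style feature subsampling
    f, t, score = best_split(rows, labels, feats)
    if f is None or score >= gini(labels):
        return {"leaf": majority}
    li = [i for i, r in enumerate(rows) if r[f] <= t]
    ri = [i for i, r in enumerate(rows) if r[f] > t]
    return {
        "feature": f, "threshold": t,
        "left": build_tree([rows[i] for i in li], [labels[i] for i in li],
                           min_samples_split, max_features, rng),
        "right": build_tree([rows[i] for i in ri], [labels[i] for i in ri],
                            min_samples_split, max_features, rng),
    }


def predict_tree(tree, row):
    """Walk from the root to a leaf by comparing the row against each node's threshold."""
    while "leaf" not in tree:
        tree = tree["left"] if row[tree["feature"]] <= tree["threshold"] else tree["right"]
    return tree["leaf"]


def build_forest(rows, labels, n_estimators=500, max_features="log2", random_state=42):
    """Bagging plus feature subsampling: every tree sees a bootstrap sample of the rows."""
    rng = random.Random(random_state)
    n_feat = len(rows[0])
    k = max(1, int(math.log2(n_feat))) if max_features == "log2" else n_feat
    forest = []
    for _ in range(n_estimators):
        idx = [rng.randrange(len(rows)) for _ in rows]  # bootstrap sample with replacement
        forest.append(build_tree([rows[i] for i in idx], [labels[i] for i in idx], 2, k, rng))
    return forest


def predict_forest(forest, row):
    """Each tree votes; the class with the most votes is the forest's prediction."""
    votes = Counter(predict_tree(t, row) for t in forest)
    return votes.most_common(1)[0][0]


if __name__ == "__main__":
    tree = build_tree(X, Y)
    print("root split: feature", tree["feature"], "threshold", tree["threshold"])
    forest = build_forest(X, Y)
    print("forest says:", predict_forest(forest, (1000, 0.7, 0.2)))
```

On this toy data the single tree stops after one split because both children are pure, which is exactly the situation in which the gini criterion reaches zero; on a real dataset like the 643,722-sample DoS set the recursion continues until every leaf is pure or too small to split, which is why the forest's bootstrap sampling and feature subsampling matter for keeping individual trees diverse.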

RESULTS AND DISCUSSION
In this section, we present the evaluation metrics used and the outcomes of the machine learning algorithms on both datasets. The Anaconda tool and the Python programming language were used for all experiments. Four well-known classification metrics (accuracy, precision, recall, and F1-score) were used in our study to assess the effectiveness of the machine learning algorithms [28], [29]. Accuracy is determined by dividing the number of correct predictions by the total number of predictions, as indicated in (1). Precision measures the probability that an example predicted as positive is truly positive, as indicated in (2). In our experiments, we applied the four machine learning algorithms to the MTM dataset and the DoS dataset with the specific parameters mentioned in the previous section. Table 4 shows the results of the aforementioned algorithms on the MTM dataset in terms of the four classification metrics. All the algorithms have almost the same results in all metrics, which means that these algorithms can detect the MTM attack.
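The four metrics are defined in this section only by reference to equations (1) to (4), which are not reproduced on the page, so here is an added example, not from the paper, that computes them from the confusion counts using their standard definitions: accuracy = (TP+TN)/(TP+TN+FP+FN), precision = TP/(TP+FP), recall = TP/(TP+FN), F1 = 2PR/(P+R). The true and predicted labels are constructed, treating the attack class as the positive class is my assumption (the paper does not say which class it scored), and the helpers return 0.0 rather than dividing by zero when a classifier predicts no positives at all, a case worth checking on imbalanced datasets.

```python
# Constructed labels (not from the paper's datasets): 20 test samples, 10 of each class.
Y_TRUE = ["MTM"] * 10 + ["normal"] * 10
# A hypothetical classifier output: 9 attacks caught, 1 missed, 2 normal samples flagged.
Y_PRED = ["MTM"] * 9 + ["normal"] + ["MTM"] * 2 + ["normal"] * 8


def confusion_counts(y_true, y_pred, positive):
    """Return (TP, FP, FN, TN) with `positive` as the class of interest."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == positive and p == positive)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t != positive and p == positive)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == positive and p != positive)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t != positive and p != positive)
    return tp, fp, fn, tn


def accuracy(tp, fp, fn, tn):
    """Equation (1): correct predictions over all predictions."""
    total = tp + fp + fn + tn
    return (tp + tn) / total if total else 0.0


def precision(tp, fp):
    """Equation (2): share of predicted positives that are truly positive."""
    return tp / (tp + fp) if (tp + fp) else 0.0


def recall(tp, fn):
    """Equation (3): share of actual positives that were classified as positive."""
    return tp / (tp + fn) if (tp + fn) else 0.0


def f1_score(p, r):
    """Equation (4): harmonic mean of precision and recall."""
    return 2 * p * r / (p + r) if (p + r) else 0.0


def evaluate(y_true, y_pred, positive):
    """All four metrics for one classifier run, as fractions in [0, 1]."""
    tp, fp, fn, tn = confusion_counts(y_true, y_pred, positive)
    p, r = precision(tp, fp), recall(tp, fn)
    return {"accuracy": accuracy(tp, fp, fn, tn), "precision": p, "recall": r, "f1": f1_score(p, r)}


def table_row(name, metrics):
    """Format one row in the style of Table 4 (percentages with one decimal)."""
    return f"{name:<4}" + "".join(f"{100 * metrics[k]:>10.1f}" for k in ("accuracy", "precision", "recall", "f1"))


if __name__ == "__main__":
    print(f"{'Alg':<4}{'Accuracy':>10}{'Precision':>10}{'Recall':>10}{'F1-score':>10}")
    print(table_row("Toy", evaluate(Y_TRUE, Y_PRED, "MTM")))
```

For the constructed run the confusion counts are TP=9, FP=2, FN=1, TN=8, giving accuracy 85.0, precision 81.8, recall 90.0 and F1 85.7 in the percentage form used by Tables 4 and 5; on an imbalanced dataset the choice of positive class changes precision and recall, which is why the attack class is the one to score.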

Table 4. MTM dataset results
Algorithm  Accuracy  Precision  Recall  F1-score
XGB        99.9      99.9       99.9    99.9
RF         99.8      99.6       99.9    99.7
DT         99.9      99.9       99.9    99.9
GB         99.9      99.6       99.9    99.8

Table 5 shows the performance results of the four algorithms on the DoS dataset in terms of the four classification metrics. The XGB has slightly better results compared with the other algorithms, which means that the XGB algorithm has a better ability to detect DoS attacks compared with the others. Finally, the aforementioned machine learning techniques are quite good at detecting MTM and DoS attacks, motivating us to deploy them to protect devices from these types of attacks.

CONCLUSION
In this paper, we developed four machine learning algorithms to detect two well-known attacks on the connected devices in any network, using related datasets obtained from the Kaggle website. The algorithms used are: XGBoost, RF, decision tree, and GB. We then used four classification metrics to assess these algorithms: precision, accuracy, F1-score, and recall. We achieved the following results: i) all algorithms detect the MTM attack with a performance greater than 99% in all metrics, and ii) all algorithms detect the DoS attack with a performance greater than 97% in all metrics. So, these four algorithms can be relied on to detect MTM and DoS attacks very well on both datasets, prompting us to use their effectiveness in protecting devices from these attacks. In future work, we plan to collect datasets related to other attacks and use other machine learning algorithms. In addition, we will also apply deep learning algorithms, pre-trained models, and other state-of-the-art models to future datasets.

Figure 2. MTM dataset
Figure 3. DoS dataset
As indicated in (3), recall estimates the probability that actual positives are correctly classified as positive. As indicated in (4), the F1-score is the weighted mean of precision and recall, which accounts for both false positives and false negatives.

Table 1. Previous research papers on the detection of DoS and MTM attacks

Table 2. Dataset features, description, and the types
So, we have saved each attack in a separate Excel file to use it in the next step. The MTM dataset contains 336,623 samples and 11 features with labels that classify them as normal samples or MTM samples, as shown in Figure 2.

Table 3. Number of samples in both datasets

Table 5. DoS dataset results