Data mining techniques for effective detection of distributed denial-of-service attacks

A study on using data mining techniques for the classification of Distributed Denial-of-Service (DDoS) attacks is carried out by first performing a preliminary classification of DDoS attacks using five (5) selected classifiers available in the Waikato Environment for Knowledge Analysis (WEKA), namely Naive Bayes, J48, Random Forest, JRip and K-Nearest Neighbour (KNN/IBk). Among these, the J48 classifier was selected for further testing of different values of its confidence factor (C) and minimum number of objects per leaf (M) parameters, to observe the classification results obtained on a sampled data set created from the Consolidated DDoS Data Set (itself created from both the CICIDS2017 and the CIC-DDoS2019 data sets). Two types of classification (with optimisation via testing different values of C and M in both the Experimenter and the Explorer modules of WEKA) were performed: preliminary ungrouped classification, and simplification of classification via hierarchical grouped classification (with the hierarchy being the one defined by Sharafaldin et al., originally made for the CIC-DDoS2019 data set, and grouping taken from the top three (3) levels of that hierarchy). The first grouping (Level 0 Grouped Classification) reduces the task from multi-class classification to bi-class classification between Normal/BENIGN and DDoS attack instances. In Level 1 Grouped Classification, DDoS attacks are grouped according to whether they are Exploitation, Reflection or HTTP/WebDDoS attacks, while in Level 2 Grouped Classification, DDoS attack labels are grouped into TCP (Reflection), TCP (Exploitation), UDP (Reflection), UDP (Exploitation), TCP/UDP (Reflection) and WebDDoS (with BENIGN instances relabelled Normal in all cases).

Evidently, Level 1 Grouped Classification emerged as the winner in terms of overall TPR and GMEAN, and was second only to Level 2 Grouped Classification in terms of overall F-Measure, but it performed worse in terms of PREC and had the highest overall False Positive Rate (FPR) among all classifications performed. The preliminary ungrouped classification highlights the problems of unbalanced data sets, with only marginal changes in True Positive Rate (TPR) for individual DDoS attack labels across the different values of C and M tested (the largest increase being the TPR for SSDP attacks rising from 2.0% at C = 0.25 to 4.2% at C = 0.5). Hierarchical grouped classification, while showing a marginal increase in overall TPR for DDoS attacks, still misclassifies certain DDoS attacks such as Portmap, SSDP, UDPLag, DNS and LDAP as other DDoS attack types (especially in Level 1 and 2 Grouped Classification, where the errors are predominantly between separate DDoS attack groups), and potentially oversimplifies DDoS attack classification (especially in Level 0 and 1 Grouped Classification), since grouping DDoS attacks this way raises the overall TPR by counting DDoS attacks classified as other DDoS attacks as true positives.

Bibliographic Details
Main Author: Lee, Yuen Hui
Format: Final Year Project / Dissertation / Thesis
Published: 2024
Subjects: QA75 Electronic computers. Computer science; T Technology (General)
Online Access: http://eprints.utar.edu.my/6333/1/MIS%2D2023%2D2100893%2D2_(2).pdf
http://eprints.utar.edu.my/6333/
id my-utar-eprints.6333
record_format eprints
institution Universiti Tunku Abdul Rahman
building UTAR Library
collection Institutional Repository
continent Asia
country Malaysia
content_provider Universiti Tunku Abdul Rahman
content_source UTAR Institutional Repository
url_provider http://eprints.utar.edu.my
topic QA75 Electronic computers. Computer science
T Technology (General)