A DDoS Attack Detection Using Deep Learning - A Review

Abstract: In this review article, distributed denial of service (DDoS) attacks are the main topic, since they pose a substantial danger to internet-connected systems and can cause large losses in terms of money, bandwidth and downtime. The review discusses the detection approaches used in traditional methods for identifying and mitigating these attacks, which have only a limited capacity to identify fresh and changing attack patterns. We then describe a deep learning-based DDoS attack detection method and survey the methods presented by different researchers over the last decade for detecting DoS attacks in networks.


I. INTRODUCTION
Attackers that utilize DDoS (Distributed Denial of Service) techniques try to overwhelm a server, website, or network with traffic or requests so that authorized users cannot access information. DDoS attacks may have a significant negative impact on enterprises, leading to downtime, lost income, and reputational harm [10]. It can be difficult to tell attacker-generated traffic from legitimate traffic, which makes DDoS attacks harder to detect. However, there are a number of methods that may be used to identify and stop DDoS attacks, including [11][12][13][14]:
• Network traffic analysis: This entails monitoring network traffic for any unusual patterns that could point to a DDoS attack. This may be accomplished via network monitoring tools and intrusion detection systems (IDS).
• Anomaly detection: Machine learning-based algorithms are used to find behavioral patterns that deviate from those found in regular traffic. This may be accomplished by checking traffic logs for unusual traffic patterns.
• Rate limiting: This limits the quantity of traffic that can be sent to a server or network in a given period, so that a single source or burst cannot exhaust its capacity.
• Blacklisting: This involves blocking traffic from known sources of DDoS attacks. This can be done by maintaining a blacklist of known malicious IP addresses or by using a service that provides real-time threat intelligence.
• Cloud-based DDoS protection: This involves using a cloud-based service that provides DDoS protection. These services can analyze traffic in real time and automatically block traffic from sources that are identified as malicious.
Overall, detecting and mitigating DDoS attacks requires a combination of techniques and technologies. To reduce the impact of these attacks, a thorough DDoS security plan must be implemented.
DDoS (Distributed Denial of Service) attack detection is the process of recognizing an attack on a server, website, or network so that it can be mitigated. By detecting and blocking malicious traffic before it reaches the target, DDoS attack detection aims to stop or reduce the impact of the attack [15]. DDoS attacks are conducted by a team of attackers or by a botnet, which is a network of infected machines. These attacks can be challenging to identify and stop since the attacker's traffic is sometimes impossible to differentiate from legitimate traffic [18]. DDoS attacks may be detected and mitigated using a variety of methods and tools, including network traffic analysis, anomaly detection, rate limiting, blacklisting and cloud-based DDoS protection. These methods involve watching for unusual patterns in network traffic, spotting behavior patterns that are not typical of regular traffic, limiting the quantity of traffic that can be sent to a server or network, blocking traffic from known DDoS attack sources, and using a cloud-based service that offers protection against DDoS attacks [16][17]. In order to identify DDoS attacks effectively, a complete approach combining various methods and tools is needed. Organizations may lessen the effects of DDoS attacks and guarantee the safety and accessibility of their online services and websites by spotting and countering these attacks.

I.1 DDoS Attack and SDN
Distributed denial-of-service (DDoS) attacks have been a real threat to network, digital, and cyber infrastructure. These attacks are capable of causing massive disruption in any information and communication technology (ICT) infrastructure. There can be numerous reasons for launching DDoS attacks [18], including financial gain, political gain, and disruption. DDoS attacks can paralyse networks and services by overwhelming servers, network links, and network devices (routers, switches, etc.) with illegitimate traffic. They can cause either degradation of service or a complete denial of service, resulting in huge losses. Increasing reliance on the Internet and data centres has aggravated this problem. Effective security solutions against DDoS attacks are now required because a nation's vital infrastructure increasingly relies on ICT. For instance, data centres hosting important services, such as the smart grid, need to be safeguarded in order to keep providing highly dependable services [19].
For the identification and prevention of DDoS attacks, a variety of proprietary and open-source solutions are available. On the other hand, these attacks are becoming more frequent, sophisticated, and severe. Attackers continue to employ cutting-edge methods to conduct DDoS attacks, making rapid identification and mitigation of these attacks extremely difficult. DDoS attack detection, mitigation, and prevention are now of the utmost importance because of the rising frequency of DDoS attacks and the expanding diversity of their varieties, which are having terrible effects. For instance, Arbor Networks Inc., one of the top providers of DDoS threat prevention systems, reportedly recorded a 334 Gbps attack against a network operator in Asia. Additionally, in 2015 [20], it recorded many attacks with a bandwidth of more than 100 Gbps. Numerous cases of this nature clearly demonstrate the necessity for fresh strategies to deal with the DDoS problem. These new strategies must meet the performance and scalability needs of contemporary data centres and be built to offer the highest levels of security against sophisticated, elusive, and evolving attacks [21][22][23][24].

Software Defined Networking (SDN)
Many academics have been actively interested in creating SDN-based network security solutions in light of recent developments in software-defined networking (SDN) and its quick and widespread acceptance in the networking world. SDN-based approaches have gained increasing attention since being implemented in large-scale wide area networks. Through the SDN controller, the technology enables programmers to centrally manage, programme, and control network assets directly. Routing, policy-based network settings and other persistent networking issues may be solved in new ways thanks to SDN. While substantial literature is available on the security of SDN infrastructure itself, the security of SDN-based networks has been a topic of controversy. However, [25] offers an overview of SDN-based DDoS attack detection and mitigation technologies and adopts a favourable stance towards SDN-based security. Throughout our analysis of the available SDN-based solutions, we found that there are several methods for SDN-based detection of DDoS attacks. Based on this research, we classified the current methodologies according to how they identify anomalies. We also pointed out the necessity for an effective DDoS prevention system that can be adjusted to meet the needs of different applications [27].

DDoS
The goal of a DDoS (Distributed Denial of Service) attack is to stop a server, website, or network from operating normally by flooding it with a large volume of traffic or requests. The attack is carried out by a group of attackers or a botnet, which is a network of compromised devices that are controlled remotely by the attacker. DDoS attacks are often used as a means of extortion, blackmail, or sabotage, and they can have serious consequences for businesses, organizations, and individuals. A DDoS attack may result in downtime, lost sales, reputational harm, and in certain circumstances, legal liability [26]. DDoS attacks can be difficult to identify and mitigate since the attacker's traffic might be hard to tell apart from genuine traffic. Network traffic analysis, anomaly detection, rate limiting, blacklisting, and cloud-based DDoS protection are a few of the methods and technologies that may be used to identify and mitigate DDoS attacks. Overall, DDoS attacks pose a significant danger to the safety and accessibility of websites and internet services. To reduce the effect of DDoS attacks, it is critical for businesses and individuals to have a thorough plan in place for detecting and mitigating them. DDoS attacks, also known as distributed denial of service attacks, aim to render a website or network resource inoperable by saturating it with malicious data [27][28][29][30].

II. Literature Survey
C Murugesh et al. (2023) -
In this research work, wireless sensor networks (WSNs), a novel technology with enormous potential, are used in critical situations such as battlefields as well as in business applications such as habitat monitoring, smart homes and buildings, and traffic surveillance, among others. Security is one of the key issues WSNs currently face. The use of sensor nodes (SNs) on an unsupervised platform makes the networks susceptible to a variety of potential attacks, and the inherent power and memory constraints of SNs make it hard to apply standard security measures. The Spotted Hyena Optimizer with Quantum Neural Network for DDoS Attack Characterization (SHOQNN-AC) approach is developed in this paper for the WSN. The main objective of the SHOQNN-AC approach is to accurately identify DDoS attacks across the WSN. To achieve this, the SHOQNN-AC method uses a min-max scaler for data scaling. For DDoS attack detection, the SHOQNN-AC approach uses a QNN classification model to effectively identify DDoS attacks in the network. The SHO algorithm is used for the parameter selection process in the SHOQNN-AC approach to increase the attack detection effectiveness. The operational validity of the SHOQNN-AC approach is evaluated using the standard WSN-DS dataset. The results of the experiment show that the SHOQNN-AC algorithm is superior to other models [01].

Tariq Emad Ali et al. (2023) -
In this research work, it is noted that it can be challenging to differentiate DDoS attacks with different rates and structures from regular traffic. Over the years, several effective ML/DL methods for spotting DDoS attacks have been put forth by different researchers. Unfortunately, the attackers' continual shifts in attack strategy greatly limit the utility of these solutions. With each study's strengths and weaknesses indicated, the literature has been compiled in line with the recommended taxonomy for DDoS attack detection using ML/DL approaches. Accuracy rates above 99% have been reported in a large portion of the literature. Because the bulk of this research evaluated and compared models using offline data analysis, specific performance indicators may differ in real-world or production contexts. In particular, the authors point out that comparisons across the results of existing articles are challenging since they often do not use the same datasets or assessment procedures [02].

Akshat Gaurav et al. (2022) -
This research work notes that, due to the DDoS attack's ease of use and capacity to completely exhaust the resources of the target system, cyber criminals frequently employ it. The DDoS attack is intended to bring the victim's system to a complete stop or to exhaust its processing power. The DDoS attack is harder to identify when a flash crowd is present, which happens when real users generate a lot of traffic. Because of this, swiftly and reliably recognizing DDoS attacks has long been a significant research topic. DDoS attacks and flash crowds are so similar that it is very difficult to tell them apart. In this context, the paper describes a method that, for small and medium-sized business owners, successfully recognizes DDoS attacks and separates them from flash crowds using entropy and machine learning. Six machine learning methods were trained using a dataset created with the OMNET++ discrete event simulator. The effectiveness of the machine learning algorithms is assessed using accuracy, F1, precision, and recall scores. Of DT, SVM, LR, MNB, RF, and GB, models such as LR fared better than the others in terms of accuracy on the datasets [03].

Francesco Musumeci et al. (2022) -
This research work presents ML-assisted DDoS attack detection (DAD) frameworks for application in SDN environments, considering Standalone and Correlated DAD architectures. Leveraging the data-plane programmability enabled by the P4 language, the authors evaluated how detection latency is reduced when performing feature extraction at P4 switches. To do so, they compared different ML classifiers in terms of accuracy and computational time, and deployed the algorithms in a real-time scenario in which the P4 switch provides different types of data to the ML classifiers, namely packet mirroring, header mirroring, and P4-metadata extraction. Numerical results show that attack detection can be performed with classification accuracy, precision, recall and F1-score higher than 98% in most cases, and with a drastic time reduction, down to less than 200 sis, when P4 is used for feature extraction. As future work, they plan to investigate attack-type identification by developing multi-class ML classifiers, and to implement attack detection with ML algorithms that leverage historical data, such as Recurrent Neural Networks.
Another reviewed work presents a unique IDS based on AI models that focuses on DDoS and DoS attacks. With three distinct feature sets, the suggested IDS gives results without favouring any one class, maintaining an accuracy of >99% using the Decision Tree, which proves to be the outstanding anomaly detection model while remaining practical to implement in real-time production settings, with a remarkable throughput on busy days (evaluating more than 1681 flows/s). Additionally, the Decision Tree and Random Forest methods obtained 100% accuracy, precision, recall, and F1 score for different combinations of normal flows vs. the DDoS/DoS attacks [06].

Firooz B. Saghezchi et al. (2022) -
This research work shows that Industry 4.0 CPPSs can use ML to identify DDoS attacks. For the purpose of detecting anomalies in network data flows, the authors exported network traffic traces (PCAP files) from a real-world, large-scale semiconductor fabrication plant and applied 11 different semi-supervised, unsupervised, and supervised ML methods. According to the test results, supervised learning methods outperformed the semi-supervised and unsupervised ones. DDoS attacks were pinpointed by DT, RF, and K-NN with recall, precision, and false-positive rate of 0.999, 0.999, and 0.001, respectively. Although their performance fell dramatically when the PCA method was applied (even with 95% variance retention), the two applied unsupervised techniques (K-Means and EM) still showed extremely high performance (Accuracy = 0.95, Recall > 0.9, Precision > 0.9, and FPR 0.09). This is a notable result since, in contrast to supervised learning, unsupervised learning does not require data labelling, a laborious operation that in practice necessitates a great deal of human work and involvement [07].

III. TYPES OF DDOS ATTACK
DDoS attacks come in a wide variety, and attackers sometimes combine more than one form to wreak havoc on their targets. Volumetric, protocol, and application-layer attacks are the three main categories [08]. All of them aim to significantly impede or prevent legitimate traffic from reaching its destination [31][32]. This can mean preventing a user from visiting a website, making a purchase, viewing a video, or connecting on social media, for instance. DDoS may also interrupt company operations by degrading performance or blocking access to resources. Employee access to email or online apps may be restricted as a result, which may hinder them from carrying out their regular duties [34]. To better comprehend how DDoS attacks function, consider the many routes that attackers might follow. Seven separate layers make up the Open Systems Interconnection (OSI) model, which serves as a layered framework for multiple networking protocols. Like the floors of an office block, where distinct business operations are carried out on each level, each layer of the OSI model serves a specific role. Depending on the sort of online or internet-facing asset they want to disrupt, attackers focus on different layers [35][36][37].

Fig.2 Distributed Denial of Service
A DDoS or DoS attack is comparable, from a high perspective, to an unanticipated traffic bottleneck brought on by a large number of phony ride-share requests. The requests to ride-sharing services seem legitimate, and they send out drivers for pickup, which invariably congests the downtown roadways. This delays the arrival of regular, lawful traffic at its destination [27].

IV. Problems in DDoS Attack
While DDoS (Distributed Denial of Service) attack detection can provide significant benefits to organizations, there are also some potential disadvantages to consider:
• Complexity: DDoS attack detection systems can be complex to implement and maintain, requiring specialized knowledge and expertise. This can add to the cost and time required to deploy and maintain such systems.
• Resource consumption: DDoS attack detection systems can consume significant network resources, such as processing power and bandwidth, which can impact overall network performance [35].
• Limited effectiveness: Although DDoS attack detection can aid in attack identification and mitigation, it might not be completely successful against all forms of attack. Attackers may also employ complex strategies to get around detection systems.
• Cost: It can be expensive to implement DDoS attack detection, especially for smaller organizations with constrained resources. Some organizations may find the expense of implementing and maintaining these systems exorbitant.
The attacks themselves cause further problems:
• Bandwidth saturation: DDoS attacks flood the targeted system with a massive amount of traffic, causing the system's bandwidth to become saturated. As a result, genuine users may experience delayed or unavailable services.
• Server overload: The computing power and memory of the targeted server may be overloaded by DDoS attacks, resulting in a crash or unresponsiveness [37].
• Application layer attacks: Some DDoS attacks target specific applications or services running on the server, causing them to become unavailable or perform poorly.
• Reputation damage: DDoS attacks can damage the reputation of the targeted system or organization, causing users to lose trust in its services.
• Financial losses: DDoS attacks can result in financial losses due to lost revenue, increased operational costs, or the need to invest in additional security measures to help stop attacks in the future.
Overall, while DDoS attack detection provides significant benefits for organizations, it is important to consider the potential disadvantages as well, such as false positives, complexity, resource consumption, limited effectiveness, and cost. Organizations should carefully evaluate their specific needs and resources before implementing a DDoS attack detection solution.

V. Conclusion and Future Work
This review paper primarily describes the DDoS attack and the many DDoS attack types that can occur. DDoS is a rapidly expanding issue. The paper also discusses the many available techniques for detecting DDoS attacks, including packet marking techniques such as PPM and DPM, traceback methods, IP traceback divided into proactive and reactive approaches, and entropy variation. Another method that aids in detection is the intrusion detection and prevention system. Cyber security experts face a perpetual struggle in identifying and preventing DDoS attacks because attackers are always changing their strategies and methods to get around current defenses. Some potential future directions for DDoS attack detection are:
• Machine learning and AI-based solutions: Given the rising quantity of data created by networks and systems, machine learning and artificial intelligence (AI) technologies can assist in the real-time detection of DDoS attacks by finding patterns and abnormalities in network traffic.
• Blockchain-based solutions: Blockchain technology can provide a distributed and decentralized platform for detecting and mitigating DDoS attacks. By creating a network of nodes that work together to detect and filter out malicious traffic, blockchain-based defenses against DDoS attacks can be more reliable and safe.
• Collaboration and information sharing: The early identification and prevention of DDoS attacks can be facilitated through cooperation between various organizations and information exchange. Organizations may more effectively prepare for and prevent upcoming attacks by exchanging information about previous attacks and identified harmful sources.
• Cloud-based solutions: Cloud-based DDoS detection and mitigation solutions can provide a scalable and flexible defense against DDoS attacks. By leveraging the resources of cloud providers, organizations can quickly scale up their defenses to handle large-scale attacks.
• IoT-specific solutions: With the increasing adoption of IoT devices, attackers are targeting these devices to launch DDoS attacks. IoT-specific solutions that can detect and mitigate DDoS attacks on these devices can help prevent these attacks from spreading to the larger network.
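An added worked example (written for this review, not code from Gaurav et al. or any of the papers surveyed in Section II) of the entropy-variation detection idea mentioned in the Gaurav et al. summary and in the conclusion's list of techniques: per-window Shannon entropy of source addresses and destination ports is compared against an attack-free baseline with a 3-sigma rule. The flow records, the singleton-source-ratio feature and the thresholds are constructed assumptions for illustration.

```python
import math
import random
from collections import Counter

def entropy_bits(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts, n = Counter(values), len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def window_features(flows):
    """Per-window features: source-IP entropy, destination-port entropy, flow
    count, and the share of sources seen exactly once (illustrative spoofing cue)."""
    srcs = Counter(f["src"] for f in flows)
    return {
        "src_entropy": entropy_bits([f["src"] for f in flows]),
        "dport_entropy": entropy_bits([f["dport"] for f in flows]),
        "flows": float(len(flows)),
        "singleton_src_ratio": sum(c == 1 for c in srcs.values()) / len(srcs),
    }

class EntropyBaseline:
    """Mean/std of each feature over attack-free windows; a window whose
    features drift more than `z_threshold` sigma from them is flagged."""

    def __init__(self, normal_windows, z_threshold=3.0, min_std=0.05):
        feats = [window_features(w) for w in normal_windows]
        self.stats, self.z_threshold = {}, z_threshold
        for key in feats[0]:
            xs = [f[key] for f in feats]
            mean = sum(xs) / len(xs)
            std = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
            self.stats[key] = (mean, max(std, min_std))  # floor std to avoid huge z

    def z_scores(self, flows):
        f = window_features(flows)
        return {k: (f[k] - m) / s for k, (m, s) in self.stats.items()}

    def is_anomalous(self, flows):
        return any(abs(z) > self.z_threshold for z in self.z_scores(flows).values())

def make_window(rng, n_flows, n_sources, ports, spoofed=False):
    """Constructed flow records (not real traffic): `n_sources` repeat clients,
    or a fresh random source per flow when `spoofed` is set, as in a SYN flood."""
    def src():
        if spoofed:
            return "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(1, 255))
        return "192.0.2.%d" % rng.randrange(n_sources)
    return [{"src": src(), "dport": rng.choice(ports)} for _ in range(n_flows)]

def demo(seed=7):
    """Train on 20 attack-free windows, then score a held-out normal window,
    a spoofed single-port flood, and a flash crowd of 200 real clients."""
    rng = random.Random(seed)
    normal = [make_window(rng, rng.randrange(150, 250), rng.randrange(40, 80), [80, 443, 22])
              for _ in range(20)]
    baseline = EntropyBaseline(normal)
    held_out = make_window(rng, 200, 60, [80, 443, 22])
    flood = make_window(rng, 2000, 0, [80], spoofed=True)
    flash = make_window(rng, 2000, 200, [80, 443])
    return baseline, held_out, flood, flash
```

The flash-crowd window is flagged by the entropy and volume features just like the flood, which is the difficulty the surveyed work addresses by adding ML on top of entropy; here only the singleton-source ratio separates the spoofed flood from the flash crowd.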