DDoS Attack Detection and Mitigation Using Anomaly Detection and Machine Learning Models


2021 IEEE International Conference on Computation System and Information Technology for Sustainable Solutions (CSITSS) | 978-1-6654-0610-9/21/$31.00 ©2021 IEEE | DOI: 10.1109/CSITSS54238.2021.9683214

Sakshi Vattikuti, Manjunath R Hegde, Manish M, Vineeth Bodduvaram, Sarasvathi V
Department of Computer Science Engineering, PES University
Bangalore, India
Email: sakshiv700@gmail.com, manjunathhegde500@gmail.com, manishmanikandan2000@gmail.com,
bvineeth2000@gmail.com, sarsvathiv@pes.edu

Abstract—With the increase in cyber-crimes each day, it is important to build a layer of security to defend against attacks which can compromise Confidentiality, Integrity and Availability (CIA). One of the most dangerous attacks in the domain of cyber-attacks is the Distributed Denial of Service (DDoS) attack. A DDoS attack can cause a huge disruption of services, leading to monetary loss as well as loss of reputation in case of data theft, if immediate action is not taken. There is a need for efficient detection of and response to such attacks, with high accuracy, low false positives and low latency. This paper puts forth a methodology which can detect attacks and efficiently mitigate them, all in a seamless fashion. The proposed methodology relies on machine learning ensemble learning algorithms and on anomaly detection using fast entropy and attribute thresholding algorithms. The combined results of these algorithms are used to give a final verdict.

Index Terms—Threat, Security, DDoS, Machine Learning, Anomaly Detection

I. INTRODUCTION

In the past decade, Distributed Denial of Service (DDoS) attacks have caused financial losses to companies and government organizations worldwide. This is expected to grow with the increasing number of devices being added to the network through the popularization of Cloud Computing and the Internet of Things. These devices interact with the application and server and also run remotely on the network; this invites malicious users to cripple or take control of these devices by launching a DDoS attack, which leaves the server with a resource deficiency to process all the pseudo requests made, leaving the server vulnerable or unusable.

A Denial-of-Service attack is the action of flooding the target system with more requests than it can handle, thereby depleting the system's resources and causing it to disregard requests from legitimate users.

While DoS attacks originate from a single attacker system, a Distributed Denial of Service attack uses multiple sources to perform the same attack. This increases the rate of requests sent to the target system by a large factor and causes higher damage. In addition, since the requests have different sources of origin, it is difficult to trace back to the attacker's origin.

Thus, a system is proposed to identify a DDoS attack and mitigate it.

A. Types of DDoS attacks

Distributed Denial of Service attacks are commonly categorized into Volumetric, Application and Protocol based attacks.

Volumetric attacks utilize copious traffic to saturate the network bandwidth and jam the traffic, preventing any other requests from getting through. Some common volumetric attacks are UDP flooding, ICMP flooding and DNS amplification.

UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol) are communication protocols used by services such as DNS, SNMP, RIP and DHCP (UDP) and by ping and traceroute (ICMP) respectively, to communicate between two systems over a network.

In a UDP/ICMP flood, a continuous stream of UDP packets or ICMP echo request packets is sent to the server up to the point where the server can no longer respond to any request. These attacks are generally accompanied by a reflection attack, where the attacker aims at saturating the bandwidth in both directions by spoofing the victim's address as the source of the packets, so that the replies are sent back to the victim.

Application attacks are aimed at layer 7 of the OSI model. They exploit vulnerabilities in this layer and initiate requests that consume resources like disk, memory etc.

One such attack is the HTTP flood attack, wherein multiple interactions between the attacker and the website are made to look like normal interactions; however, in the background they are coordinated to consume the maximum number of resources from the server.

Protocol attacks consume network resources like firewalls and load-balancers by attacking the different protocol communications. Two of the most common protocol attacks are the SYN flood attack and Ping of Death. In a SYN flood attack, the server is weighed down with a large number of SYN requests from an attacker, causing the server-side Transmission Control Block (TCB) table to fill up with half-open connections, because the attacker never sends the final ACK that would complete the handshake. Once this table is full, the server will no longer be able to respond to any legitimate connection requests.

A Distributed Denial of Service attack is more dangerous than it may seem. At first glance it simply implies "denial of service" to a system or application; however, there is more to this attack than just a breach of availability. In many cases these attacks can be used to implant malware on the system and create a botnet using all the available resources.

These botnets are extremely dangerous and can further be used to launch DDoS attacks of higher magnitude, evade spam filters, mine bitcoins and even speed up brute-force password guessing attacks.

The longer these attacks stay stealthy, the more damage is caused. It can result in loss of money, time and clients as
well as reputation. The severity of an attack corresponds to the threat it poses to the organization. During the attack, neither the clients nor the employees can access any resources over that network.

B. DDoS defense mechanism

It is important to safeguard important assets from these attacks to avoid losses and identity theft. The DDoS defence mechanism comprises four major stages: Monitor, Detect, Mitigate and Prevent.

Monitoring everyday traffic and system activity to detect malicious activities plays an important role in the "pro-active" stage of defence. Once an attack is detected, immediate actions towards mitigation, and towards prevention of the next set of attacks, are to be taken. Every second lost in this process could have a huge impact on the server.

DDoS detection can be done in multiple ways: signature-based detection, anomaly-based detection, and application/protocol based analysis.

In signature-based detection, signatures are added to a database based on the previous set of intrusions on the system. Every packet signature is compared with the existing records, and upon a match the user is alerted.

In anomaly-based detection, a performance baseline is established to compare the observed activity with the expected activity in terms of network traffic. Machine Learning techniques are implemented for a clear classification of a packet as malicious or benign.

After the detection of an attack, further mitigation has to be performed.

Mitigation can be done using multiple techniques such as MTD (Moving Target Defense), Rate Limiting and Black Hole routing. Following mitigation, the next step is to prevent such attacks by updating the existing firewall rules to filter out the packets before they enter the internal network.

II. LITERATURE SURVEY

The literature survey was carried out in two different categories: the network security and the machine learning domains.

The authors Idhammad, Afdel and Belouch in [7] proposed an HTTP DDoS attack detection system using information-theoretic entropy and Machine Learning on the CIDDS-001 dataset. The results obtained gave higher accuracy percentages with Random Forest, Naive Bayes, KNN and decision tree as compared to the Multi-layer Perceptron, which gave an accuracy of 28%. The authors Deepa, Muthamil Sudar and Deepalakshmi in [5] compare the accuracy of different machine learning models using the CAIDA dataset, both individually and after combining them (ensemble methods). Ensemble methods turned out to give high accuracy and high sensitivity when compared to traditional DDoS detection and mitigation methods like D-Ward. The rate of incorrect alarms was comparatively higher for the KNN model. The authors De Assis, Hamamoto, Abrão and Proença et al. in [6] proposed two systems: GT-HWDS, which uses the Holt-Winters method and game theory to mitigate DDoS attacks, and Fuzzy-GADS, which uses a genetic algorithm and fuzzy logic. The GT-HWDS system gave an accuracy of 97%, while the Fuzzy-GADS system gave an accuracy of 95%. The authors Başkaya and Samet in [2] put forth different machine learning algorithms to detect different types of DDoS attacks, such as Multilayer Perceptron, KNN, Support Vector Machines and Random Forest. All the algorithms gave a high accuracy in the range of 86% to 99%, except SVC, which gave an accuracy of 36%.

The authors Srinivasan, Mubarakali, Alqahtani and Dinesh Kumar in [13] portray the various types of DDoS attack along with the consequences of such attacks on the cloud. Prevention, detection and mitigation approaches, along with the strengths, challenges and limitations of each approach, are thoroughly discussed. The authors Shahil, Deekshitha, Nuzha Anam and Basthikodi in [12] talk about the detection and prevention of various DDoS attacks using NEIF and honeypots. NEIF helps in the prevention of such attacks, whereas honeypots also help capture the attacker's activities. Risks certainly exist in each of the methods; however, they could be refined in order to implement the systems securely and effectively. The authors Bakr, Abd El-Aziz and Hefny in [1] put forth the different DDoS mitigation methodologies along with a few commonly used traceback technologies such as Moving Target Defense, EDoS, Resource Quota, sPoW, IP Traceback, Packet Marking and Logging, and SBTA. The authors Nsaif, Abbood and Mahdi in [8] talk about the detection and mitigation of DDoS attacks. Their work employs two algorithms, one for the detection and the other for the mitigation of DDoS attacks. The detection algorithm uses various kinds of lists to track the incoming IP and MAC addresses and detect an attack. In summary, the following can be derived from the conducted literature survey:

1. DDoS attacks on the cloud are dangerous and need to be prevented. Higher priority must be given to decreasing false negatives, as they can cause serious damage to applications.
2. Attacks must be detected with low latency and high accuracy, and the defence mechanism must be lightweight, transparent and precise.
3. Honeypots and NEIF techniques can be used as a preventive approach towards DDoS defence mechanisms.
4. Random Forest and Multi-Layer Perceptron are found to be the best suited machine learning models for the detection of DDoS attacks, with a high accuracy rate.

Authorized licensed use limited to: Sri Sivasubramanya Nadar College of Engineering. Downloaded on March 11,2023 at 09:22:00 UTC from IEEE Xplore. Restrictions apply.
III. PROPOSED METHODOLOGY

The proposed methodology follows a client-server architecture. It is composed of multiple components which work in parallel and communicate with each other over a network. For simplicity, it is assumed that the entire set-up is in a NAT network, for easier data transfer between the components of the system. The idea behind this approach is not to rely on a single classification/prediction result, but instead to combine the results from different classifiers based on anomaly detection and machine learning algorithms. Based on the accuracy of the classifiers, weights can be assigned while aggregating these results, for a final verdict on the packet.

The different components of this system, as seen in Fig. 1, are:

A. Client

A client, from this system's perspective, refers to the attack initiator, or the attacker. This client starts a DDoS attack on a target server which is to be brought down. The attack is assumed to come from one system sending packets with various spoofed source IP addresses, and not from a botnet attacking the target server.

B. Server

The server is a hosted web application or any hosted service which the attacker seeks to bring down. This server has a designated IP address, MAC address and a port assigned to the running application.

C. Attacker Proxy node

The attacker proxy node is a black-hole node, to which all the malicious packets are routed and then discarded after further analysis. This is a node on the network that routes nowhere; it is essentially the system's dead end.

D. Head Proxy node

The Head proxy node is an intermediate node between the external internet and the internal servers which are to be safeguarded. This component can also be called the scrubbing station.

Within the scrubbing station, multiple filters and detection algorithms are run in order to classify a packet as malicious or benign.

The scrubbing station has a series of events that occur in the following order:

1. Data collection and Filtering: The network traffic is captured using sniffer code written with raw sockets in Python. The collected data is sent to a filter where the data is normalized, features are extracted, and redundant or unnecessary data is removed. This real-time data is plotted on a

dashboard in terms of graphs and other visualizations. The filtered data is sent to the next phase of scrubbing, called the Proxy-Tail. Within the Proxy-Tail are four different components which perform different activities.

2. Classifier: The classifier is a trained machine learning model which uses ensemble learning to classify a given packet as malicious or benign.

3. Traffic Monitor: The traffic monitor tracks network traffic and establishes an expected pattern in the network traffic on a daily basis. For any new incoming packet, it compares the observed traffic activity with the expected activity and gives an appropriate result.

4. MAC-IP: The MAC-IP layer is used to establish a relationship between a MAC address and the IP addresses associated with that MAC address over a short period of time. The assumption made here is that when the number of IP addresses corresponding to one MAC address exceeds a threshold value, those IP addresses are considered spoofed and malicious.
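The data-collection step and the MAC-IP step above, as an added example that is not code from the paper: the frames a raw-socket sniffer would hand over are constructed inline (no capture, so no root needed), the parser extracts the fields the scrubbing station scores, and a sliding-window tracker applies the "too many IPs for one MAC" rule. The window length (10 s, the paper's assumed window) and the threshold of 5 addresses per MAC are illustrative assumptions. One caveat a practitioner should keep in mind: this heuristic only works when the attacker shares the layer-2 segment with the scrubbing station, as in the paper's NAT-network set-up; one hop behind a router every external address arrives with the router's MAC and the rule would flag the gateway itself.

```python
"""Added example: raw-frame feature extraction and the MAC-IP spoof heuristic.
Frames are constructed inline (no live capture), so this runs without root."""
import socket
import struct
from collections import defaultdict, deque
from typing import Optional

ETH_HDR_LEN = 14
ETH_P_IP = 0x0800
TCP_SYN = 0x02


def parse_frame(frame: bytes) -> Optional[dict]:
    """Pull the fields the scrubbing station scores from one raw Ethernet frame.

    Returns None for anything that is not IPv4 over Ethernet: an AF_PACKET
    sniffer also sees ARP, IPv6 etc., and the filter stage must drop those."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    _dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETH_P_IP:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes, options included
    proto = ip[9]
    rec = {
        "src_mac": src_mac.hex(":"),
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "dst_ip": socket.inet_ntoa(ip[16:20]),
        "proto": {1: "icmp", 6: "tcp", 17: "udp"}.get(proto, str(proto)),
        "dst_port": None,
        "syn_only": False,
    }
    if proto == 6 and len(ip) >= ihl + 14:
        rec["dst_port"] = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        rec["syn_only"] = ip[ihl + 13] == TCP_SYN   # SYN without ACK: a new handshake
    return rec


class MacIpTracker:
    """Distinct source IPs per source MAC inside a sliding time window.
    window_s and max_ips are illustrative values, not taken from the paper."""

    def __init__(self, window_s: float, max_ips: int):
        self.window_s, self.max_ips = window_s, max_ips
        self._seen = defaultdict(deque)     # mac -> deque[(ts, ip)], oldest first

    def observe(self, ts: float, mac: str, ip: str) -> bool:
        """Record one packet; True when this MAC now exceeds the IP threshold."""
        q = self._seen[mac]
        q.append((ts, ip))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()                     # expire packets that fell out of the window
        return len({addr for _, addr in q}) > self.max_ips


# --- constructed test traffic (not captured data) -------------------------------
def build_frame(src_mac: bytes, src_ip: str, dst_ip: str, proto: int, l4: bytes) -> bytes:
    """Ethernet + minimal IPv4 header (checksum left zero; parse_frame ignores it)."""
    eth = struct.pack("!6s6sH", b"\xaa" * 6, src_mac, ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def tcp_syn(dport: int) -> bytes:
    """20-byte TCP header with only the SYN flag set."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, TCP_SYN, 65535, 0, 0)


def scan(frames, window_s: float = 10.0, max_ips: int = 5) -> set:
    """Run timestamped frames through the tracker; return MACs that tripped the rule."""
    tracker, flagged = MacIpTracker(window_s, max_ips), set()
    for ts, frame in frames:
        rec = parse_frame(frame)
        if rec is None:
            continue
        if tracker.observe(ts, rec["src_mac"], rec["src_ip"]):
            flagged.add(rec["src_mac"])
    return flagged


def demo() -> set:
    attacker, legit = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
    frames = []
    for i in range(40):
        # one host, 40 spoofed sources over 4 seconds (one SYN every 100 ms)
        frames.append((0.1 * i, build_frame(attacker, f"10.0.0.{i + 1}", "192.168.1.10", 6, tcp_syn(80))))
        # a normal client keeps a single source address
        frames.append((0.1 * i, build_frame(legit, "192.168.1.5", "192.168.1.10", 6, tcp_syn(80))))
    frames.append((1.0, b"\xff" * 14 + b"garbage"))   # non-IPv4 frame: parser skips it
    return scan(sorted(frames, key=lambda f: f[0]))


if __name__ == "__main__":
    print("flagged MACs:", demo())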

E. Anomaly Detection

Two approaches to anomaly detection are implemented, one being static threshold based detection and the other a dynamic threshold which is updated based on the previous results.

1) Attribute Threshold [4]: This algorithm relies on four different attributes of a traffic window, identified as:

a1 = Total number of packets in a window
a2 = Total number of unique source IP addresses in a window
a3 = a2/a1
a4 = Total number of protocols (2 in this case)

The weights for each attribute are set in the ratio a1:a2:a3:a4 = 1:1:3:1.

Algorithm 1: Attribute Threshold (pseudocode figure in the original; not reproduced here)

2) Fast Entropy [3]: This algorithm works on two attributes:
the average entropy for a time interval t, and
the standard deviation of the entropy for a time interval.

(Assumed window size = 10 seconds)

H”(i, t): average entropy
x(i, t): flow count per connection
(i, t): factor that depends on the previous flow count and the current flow count at a given interval

Algorithm 2: Fast Entropy (pseudocode figure in the original; not reproduced here)

F. Machine Learning

Two machine learning models are employed, to independently detect TCP and ICMP flood attacks.

TABLE I
RNN SPECIFICATIONS

Layer                 Activation function   No. of neurons
Bidirectional LSTM    tanh                  64
Dense CNN (i/p)       relu                  128
Dense CNN (o/p)       sigmoid               1

TCP SYN Flood: Bidirectional LSTM Neural Network [11]: An LSTM cell contains weights and gates, the gates being the distinguishing feature of LSTM models. There are three gates inside every cell, namely the input gate, forget gate and output gate. The main advantage of using an LSTM neural network is that it largely mitigates the vanishing gradient problem of plain recurrent networks.

G. Analyser

The next stage in scrubbing is the analyser. The analyser employs an algorithm to read the results from the previous three activities and give out a verdict on whether the packet is to be classified as malicious or benign. If the packet is not malicious, it is routed directly to the destined target server. If the packet is analysed to be malicious, the attacker proxy node is activated, and all subsequent requests are black-hole routed to this node. At this node further traceback can be done (which is not in the scope of this project), and the packets are finally discarded from the system.

H. Dashboard

The dashboard is the interface between the administrator and the system. It is used to keep track of the system's status and of previous attack histories. Different network monitoring graphs are plotted in real time to make the state visually easy to understand.
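An added, runnable sketch of the two detectors of Section E and of the analyser's weighted verdict in Section G (example code, not the paper's implementation; Algorithms 1 and 2 are figures that are not reproduced on this page, so only the attribute definitions, the 1:1:3:1 weights and the mean/standard-deviation attributes are the paper's). The scoring rules are this example's assumptions and are marked as such in the code: attributes are scaled by a baseline window and the weighted score is compared to a multiple of the baseline's score; a window's source-IP entropy is anomalous when it is more than k standard deviations from the mean of previous benign windows; the analyser weights each component's vote by its measured accuracy. The traffic is constructed, not captured.

```python
"""Added example: the two anomaly detectors of Section E and the weighted
verdict of the analyser (Section G). Algorithms 1 and 2 are not reproduced on
the page, so the scoring rules below are this example's own assumptions."""
import math
import statistics
from collections import Counter
from typing import Dict, List, Tuple

Packet = Tuple[str, str]                        # (source IP, protocol name)
WEIGHTS = {"a1": 1, "a2": 1, "a3": 3, "a4": 1}   # the paper's a1:a2:a3:a4 ratio


def window_attributes(pkts: List[Packet]) -> Dict[str, float]:
    """a1..a4 as defined in the paper, for one time window of packets."""
    a1 = len(pkts)
    a2 = len({ip for ip, _ in pkts})
    return {"a1": a1, "a2": a2, "a3": a2 / a1 if a1 else 0.0,
            "a4": len({proto for _, proto in pkts})}


def attribute_threshold(attrs: Dict[str, float], baseline: Dict[str, float],
                        threshold: float = 2.0) -> bool:
    """Static-threshold detector. Assumption: each attribute is divided by its
    baseline value, the ratios are combined with the 1:1:3:1 weights, and the
    window is anomalous when the score exceeds `threshold` x the baseline's score."""
    def score(a: Dict[str, float]) -> float:
        return sum(WEIGHTS[k] * (a[k] / baseline[k] if baseline[k] else 0.0) for k in WEIGHTS)
    return score(attrs) > threshold * score(baseline)


def source_entropy(pkts: List[Packet]) -> float:
    """Shannon entropy (bits) of per-source-IP flow counts in one window: spoofed
    floods push it towards log2(#packets), single-source floods push it to 0."""
    counts = Counter(ip for ip, _ in pkts)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


class FastEntropyDetector:
    """Dynamic-threshold detector built on the paper's two attributes, the mean
    and standard deviation of entropy over previous intervals. Assumptions: a
    window is anomalous when its entropy is more than k std from the mean, and
    the history is only updated with windows judged benign, so an ongoing flood
    cannot drag the baseline along with it (the usual poisoning failure mode)."""

    def __init__(self, k: float = 3.0, min_history: int = 5, min_std: float = 0.05):
        self.k, self.min_history, self.min_std = k, min_history, min_std
        self.history: List[float] = []

    def update(self, pkts: List[Packet]) -> Tuple[float, bool]:
        """Score one window; returns (entropy, anomalous)."""
        h = source_entropy(pkts)
        if len(self.history) < self.min_history:
            self.history.append(h)              # still learning the baseline
            return h, False
        mean = statistics.mean(self.history)
        std = max(statistics.pstdev(self.history), self.min_std)   # floor for a flat baseline
        anomalous = abs(h - mean) > self.k * std
        if not anomalous:
            self.history.append(h)
        return h, anomalous


def analyser_verdict(votes: Dict[str, bool], weights: Dict[str, float],
                     cutoff: float = 0.5) -> str:
    """Weighted vote of the Proxy-Tail components. Assumption: a weight is the
    component's measured accuracy; Malicious when the accuracy-weighted share of
    'malicious' votes reaches `cutoff`."""
    share = sum(weights[c] for c, malicious in votes.items() if malicious) / sum(weights.values())
    return "Malicious" if share >= cutoff else "Normal"


# --- constructed traffic (not captured data) -----------------------------------
def benign_window(i: int) -> List[Packet]:
    """20 fixed clients; per-client volume varies slightly from window to window."""
    pkts: List[Packet] = []
    for j in range(1, 21):
        proto = "udp" if j % 4 == 0 else "tcp"
        pkts += [(f"192.168.1.{j}", proto)] * (5 + (i + j) % 3)
    return pkts


def spoofed_flood(i: int) -> List[Packet]:
    """The same clients plus 900 one-packet spoofed sources from one attacker."""
    return benign_window(i) + [(f"10.{n // 256}.{n % 256}.1", "tcp") for n in range(900)]


def demo() -> Dict[str, object]:
    det = FastEntropyDetector()
    benign_flags = [det.update(benign_window(i))[1] for i in range(6)]   # 5 learn + 1 judge
    attack_entropy, attack_flag = det.update(spoofed_flood(6))
    base = window_attributes(benign_window(0))
    # illustrative weights: the paper's 97.29% LSTM and 91% Fast Entropy accuracies,
    # plus an assumed 0.5 for the MAC-IP heuristic
    weights = {"classifier": 0.9729, "anomaly": 0.91, "mac_ip": 0.5}
    return {
        "benign_entropy_flags": benign_flags,
        "attack_entropy": attack_entropy,
        "attack_entropy_flag": attack_flag,
        "attr_benign": attribute_threshold(window_attributes(benign_window(1)), base),
        "attr_attack": attribute_threshold(window_attributes(spoofed_flood(6)), base),
        "verdict": analyser_verdict({"classifier": True, "anomaly": attack_flag, "mac_ip": False}, weights),
    }


if __name__ == "__main__":
    print(demo())
```

The entropy history being frozen during an alarm is the design choice worth copying: a dynamic threshold that keeps learning while a flood is in progress will, within a few windows, accept the flood as the new normal.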

Each component in the system runs producer and consumer threads. These threads are used to perform computation in parallel and also act as the medium of communication between the components of the system. A real-time channel is important for security detection systems. These channels are set up using Apache Kafka queues, which allow a seamless flow of data from one process to another. All the components are deployed individually in Docker containers, each of which has an isolated environment, separating one component from the other and also allowing easy packaging of the product.

IV. IMPLEMENTATION AND RESULTS

A. Data

Various data sets have been examined for the purpose of TCP SYN and UDP flood classification.

1. CIC-DDoS2019 [10]: This is a data set generated by the Canadian Institute for Cybersecurity, University of New Brunswick. It contains the features necessary to train the LSTM model for TCP SYN flood detection.

2. WISENT-CIDDS: The CIDDS-001 (Coburg Intrusion Detection Data Set) was formed using an anomaly-based network intrusion detection system together with Nmap and Python scripts.

3. CSE-CIC-IDS2018 on AWS: Uses profiles to generate a dataset in a systematic manner, which can be used by operators to generate events on the network.

B. Anomaly Detection

1) Attribute Threshold: Achieved an accuracy of 84%.
2) Fast Entropy: Achieved an accuracy of 91%.

Based on the results obtained, the Fast Entropy algorithm is chosen for anomaly detection.

C. Machine Learning Classifiers

TABLE II
ACCURACY OF ML ALGORITHMS FOR TCP PACKETS

Model                     Accuracy
Bidirectional LSTM        97.29%
Support vector machines   87.45%
Random Forest             89.23%
Decision tree             72.48%
K-Nearest Neighbours      Failed*

*Failed due to too many dimensions.

2) TCP Packets: According to the results in Table II, the model which provided the highest accuracy was the Bidirectional LSTM, with an accuracy of 97.29% after 100 epochs, with the following results when run on the UNB ISCX 2012 [9] Intrusion Detection Evaluation data set.

Fig. 2. BRNN accuracy (figure not reproduced)
Fig. 3. BRNN loss (figure not reproduced)

The model gave an accuracy of 87.3% on real-time data.

TABLE III
ACCURACY OF ML ALGORITHMS FOR ICMP PACKETS

Model                     Accuracy
K-Nearest Neighbours      99.16%
Decision tree             99.89%
XGBoost Classifier        99.92%
Random Forest             99.95%
MLP Classifier            99.14%

3) ICMP Packets: The results in Table III show that the models are over-fitting to the data. This is due to the nature of ICMP packets: they carry very little information, since they are mainly used to communicate problems with data transmission. Therefore a machine learning model cannot distinguish individual packets as "Benign" or "Attacker" based on the packet itself. The best way to counter an ICMP DDoS is anomaly detection: measure the volume of incoming packets and reject them when it crosses a certain threshold.

Fig. 4. BRNN confusion matrix (figure not reproduced)

D. Conclusion

A system is proposed to be deployed as a proxy server, to sniff packets and analyse them. The packets are sent through the machine learning classifier, anomaly detection, and MAC/IP relationship detector systems to categorize the packet. The aggregated results of the three systems are used to categorize the packet as "Normal" or "Malicious". The malicious packets are then discarded via black-hole routing, while the benign packets are routed to the host server.

This proposed methodology does not rely on one single detection mechanism. Instead, it combines the results from a machine learning based classifier and entropy-based algorithms, which reduces the probability of false positives and also increases the accuracy.

In the near future, the aim is to implement the above model in an efficient way to test the model's capabilities and its effectiveness in detecting and mitigating DDoS attacks.

REFERENCES

[1] Ahmed Bakr, A. A. Abd El-Aziz, and Hesham A. Hefny. A survey on mitigation techniques against DDoS attacks on cloud computing architecture. International Journal of Advanced Science and Technology, 28(12):187–200, 2019.
[2] Dilek Başkaya and Refi Samet. DDoS attacks detection by using machine learning models. UBMK Journal, pages 52–57, 2020.
[3] Jisa David and Ciza Thomas. DDoS attack detection using fast entropy approach on flow-based network traffic. Procedia Computer Science, 50:30–36, 2015.
[4] Jisa David and Ciza Thomas. Efficient DDoS flood attack detection using dynamic thresholding on flow-based network traffic. Computers & Security, 82:284–295, 2019.
[5] V. Deepa, K. Muthamil Sudar, and P. Deepalakshmi. Design of ensemble learning methods for DDoS detection in SDN environment. Pages 1–6, March 2019.
[6] Anderson Hamamoto, Luiz Carvalho, Lucas D. H. Sampaio, Taufik Abrão, and Mario Proença. Network anomaly detection system using genetic algorithm and fuzzy logic. Expert Systems with Applications, 92, September 2017.
[7] Mohamed Idhammad, Karim Afdel, and Mustapha Belouch. Distributed intrusion detection system for cloud environments based on data mining techniques. Volume 127, March 2018.
[8] Mohammed Ridha Nsaif, Mohammed Falah Abbood, and Abbas Fadhil Mahdi. Detection and prevention algorithm of DDoS attack over the IoT networks. TEM Journal, 9:899, 2020.
[9] visualization images and deep learning. Computers & Security, 77:871–885, 2018.
[10] Markus Ring, Sarah Wunderlich, Dominik Grüdl, Dieter Landes, and Andreas Hotho. Flow-based benchmark data sets for intrusion detection. In Proceedings of the 16th European Conference on Cyber Warfare and Security, pages 361–369. ACPI, 2017.
[11] M. Schuster and K. K. Paliwal. Bidirectional recurrent neural networks. IEEE Transactions on Signal Processing, 45(11):2673–2681, 1997.
[12] U. M. Shahil, Deekshitha, Nuzha Anam M, and Mustafa Basthikodi. DDoS attacks in cloud computing and its preventions. JETIR: International Journal of Emerging Technologies and Innovative Research (www.jetir.org), ISSN 2349-5162, 2019.
[13] Karthik Srinivasan, Azath Mubarakali, Abdulrahman Saad Alqahtani, and A. Dinesh Kumar. A survey on the impact of DDoS attacks in cloud computing: Prevention, detection and mitigation techniques. In Intelligent Communication Technologies and Virtual Mobile Networks, pages 252–270. Springer, 2019.
