Detection of DDoS Attacks and Flash Events Occurring Simultaneously in Network Traffic Using Deep Learning Techniques


DETECTION OF DDOS ATTACKS AND FLASH EVENTS OCCURRING SIMULTANEOUSLY IN NETWORK TRAFFIC USING DEEP LEARNING TECHNIQUES

CARL EGINALD MIHANJO

MASTER OF SCIENCE IN TELECOMMUNICATION ENGINEERING
THE UNIVERSITY OF DODOMA
2020
DETECTION OF DDOS ATTACKS AND FLASH EVENTS OCCURRING SIMULTANEOUSLY IN NETWORK TRAFFIC USING DEEP LEARNING TECHNIQUES

By
CARL EGINALD MIHANJO

A DISSERTATION SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE IN TELECOMMUNICATION ENGINEERING,
THE UNIVERSITY OF DODOMA

2020

DECLARATION AND COPYRIGHT

I, Carl E. Mihanjo, declare that this dissertation is my original work and that it has
not been presented and will not be presented to any other University for a similar or
any other degree award.

Signature: ……………………

No part of this dissertation may be reproduced, stored in any retrieval system, or
transmitted in any form or by any means without the prior written permission of the
author or the University of Dodoma. If transformed for publication in any other
format, it shall be acknowledged that this work has been submitted for a degree award
at the University of Dodoma.

CERTIFICATION

“The undersigned certifies that he has read and hereby recommends for acceptance by
the University of Dodoma a dissertation entitled Detection of DDoS attacks and Flash
Events occurring simultaneously in Network Traffic using Deep Learning in partial
fulfilment of the requirements for the degree of Master of Science in
Telecommunication Engineering of the University of Dodoma”.

DR. MONGI, A

Signature: ……………… Date: …………

ABSTRACT

Recently, the advancement of technology and the internet has contributed to the
increase of network traffic over the globe. It improves the delivery of digital services
over the global network, such as online shopping, television, and streaming. However,
as digital services have become de facto applications over the internet, the number of
attacks on them has been increasing, which raises security concerns. Some of the
major attacks are Distributed Denial of Service (DDoS) and Flash Events (FE). On one
hand, DDoS attacks mainly focus on disrupting legitimate users' access to the
internet. On the other hand, an FE occurs when there is a rapid growth of legitimate
users accessing a service over the internet and overloading the system. DDoS attacks
and FE have similar behaviour; however, they need different countermeasures. The
major challenge lies in detecting the attacks, especially when DDoS and FE happen
simultaneously. This study proposed a model to detect FE and DDoS attacks occurring
simultaneously in network traffic using deep learning techniques, with three different
hidden-layer configurations and two optimizers. The models were validated with data
from real network traffic, and the model with the highest performance was selected,
which was the model with three hidden layers and the Adam optimizer. The result
shows that the proposed model achieved a good accuracy of 99% and less than 1%
false alarm.

ACKNOWLEDGEMENT

The success of this dissertation is a result of the valuable contributions of many
people who merit to be mentioned. First of all, I would like to thank the Almighty
God, who gave me guidance and strength to accomplish this dissertation. Second,
special thanks go to my supervisor, Dr. Alex Mongi, who willingly accepted to be my
supervisor and helped me a lot by giving positive comments and intellectual
guidance. I would like to express my gratitude and thanks to Dr. Goodeli Moshi, who
dedicated his time to assisting me for a better accomplishment of the work.
Additionally, thanks go to my beloved father, Prof. Eginald Mihanjo, and my beloved
mother, Editha Nchimbi, for the prayers and encouragement they gave me throughout
the whole time of study. My deepest gratitude goes to my lovely wife, Lilian Njau,
and my son, Ian Mihanjo, for enduring the loneliness during my study period. Also,
thanks go to my siblings, Happy, Pius, Lily, Eliza and Randy Mihanjo, for their
prayers during the whole time of my study.

The space is not enough to mention all who assisted me in accomplishing this
dissertation. My heart is full of gratitude to all staff of the College of Informatics
and Virtual Education for their positive comments that made this piece of work
look as it is today. I pray that the Almighty God bless you all abundantly for your
good services.

TABLE OF CONTENTS

DECLARATION AND COPYRIGHT ........................................................................ ii

CERTIFICATION ...................................................................................................... iii

ABSTRACT ................................................................................................................ iv

ACKNOWLEDGEMENT ........................................................................................... v

LIST OF TABLES ...................................................................................................... ix

LIST OF FIGURES ..................................................................................................... x

LIST OF ABBREVIATIONS AND ACRONYMS................................................... xii

CHAPTER ONE INTRODUCTION .......................................................................... 1

1.1 General Introduction ...................................................................................... 1

1.2 Research Problem Statement ......................................................................... 2

1.3 Research Objectives ...................................................................................... 3

1.3.1 Main Objective ....................................................................................... 3

1.3.2 Specific objectives ................................................................................. 3

1.4 Research Questions ....................................................................................... 4

1.5 Significance of the Study .............................................................................. 4

CHAPTER TWO LITERATURE REVIEW .............................................................. 5

2.1 Definition of Key Concepts ........................................................................... 5

2.1.1 DDoS Attack .......................................................................................... 5

2.1.2 FE ........................................................................................................... 5

2.1.3 Deep Learning ........................................................................................ 5

2.1.4 Deep Learning Classification ................................................................. 6

2.1.5 Logistic Regression ................................................................................ 6

2.1.6 Hidden Layers and Nodes ...................................................................... 6

2.1.7 Activation Function ................................................................................ 7

2.1.8 Loss Function ......................................................................................... 8

2.1.9 Optimizer................................................................................................ 8

2.2 Related Work ................................................................................................. 8

2.2.1 Research Gap ....................................................................................... 11

CHAPTER THREE METHODOLOGY .................................................................. 13

3.1 Introduction ................................................................................................. 13

3.2 Research Setting .......................................................................................... 13

3.3 Research Design .......................................................................................... 13

3.4 Research Strategy ........................................................................................ 13

3.4.1 Simulation Setup .................................................................................. 14

3.4.2 Manipulation of DDoS and FE in Computer Networks ....................... 14

3.4.3 Experiment Tool ............................................................................................ 14

3.5 Data Collection ............................................................................................ 14

3.5.1 Description of the DDoS attacks and FE in network traffic with reference to a normal traffic: ........ 14

3.5.2 Modelling of described pattern using deep learning technique for detection of DDoS attacks and FE: ........ 18

3.5.3 Validate performance of the developed model for detection of DDoS attacks and FE: ........ 18

3.6 Data Analysis .............................................................................................. 18

3.7 Model Development .................................................................................... 19

3.7.1 Introduction .......................................................................................... 19

3.7.2 Data Preparation: .................................................................................. 19

3.7.3 Input Design ......................................................................................... 19

3.7.4 Hidden Layer and Nodes ...................................................................... 19

3.7.5 Activation and Loss Function .............................................................. 20

3.7.6 Optimizer.............................................................................................. 20

3.7.7 Output................................................................................................... 20

3.7.8 Design Summary in Table and Deep Neuron Network diagrams ........ 20

3.7.9 Training of the Model .......................................................................... 22

3.7.10 Model Validation ................................................................................. 23

3.7.11 Introduction: ......................................................................................... 23

3.7.12 Data preparation: with Python Language ............................................. 23

3.8 Ethical Consideration .................................................................................. 24

CHAPTER FOUR RESULTS AND DISCUSSIONS .............................................. 26

4.1 Description of the DDoS attacks and FE in network traffic with reference to
a normal traffic Results and Finding for FE: .......................................................... 26

4.1.1 FE pattern ............................................................................................. 26

4.1.2 DDoS attacks pattern............................................................................ 27

4.1.3 FE and DDoS attacks occur at same time ............................................ 27

4.2 Modelling of described pattern using deep learning technique for detection
of DDoS attacks and FE ......................................................................................... 29

4.3 Validate performance of the developed model for detection of DDoS attacks
and FE..................................................................................................................... 35

CHAPTER FIVE CONCLUSION, RECOMMENDATION AND FUTURE RESEARCH ........ 40

5.1 Conclusion ................................................................................................... 40

5.2 Recommendations ....................................................................................... 40

5.3 Future Research ........................................................................................... 40

REFERENCES.......................................................................................................... 42

LIST OF TABLES

Table 3.1: Computer Specifications ........ 13

Table 3.2: Detail of FIFA World Cup 98 FE Dataset Requests ........ 15

Table 3.3: Summary of New Dataset from FIFA World Cup 98 FE ........ 15

Table 3.4: Server and Network device specifications ........ 16

Table 3.5: DDoS Setup Scenarios with Specification ........ 17

Table 3.6: Summary of Model Design Parameter ........ 21

Table 3.7: Network data summary from The University of Dodoma ........ 23

Table 4.1: Summary of Performance for both Models ........ 38

LIST OF FIGURES

Figure 2.1: Sigmoid activation function ........ 7

Figure 3.1: Deep Neuron Network Diagram with 3 Hidden Layers ........ 21

Figure 3.2: Deep Neuron Network Diagram with 2 Hidden Layers ........ 22

Figure 3.3: Deep Neuron Network Diagram with 1 Hidden Layer ........ 22

Figure 3.4: Training, Testing and Validation phase flow chart ........ 24

Figure 4.1: Network Traffic of FIFA Dataset and FE Generator in 16 Minutes ........ 26

Figure 4.2: Network Traffic of DDoS Generator for 8 Minutes ........ 27

Figure 4.3: Network Traffic of FE with DDoS Attack in 16 Minutes ........ 28

Figure 4.4: Network Traffic of FE and DDoS Attack Separated in 16 Minutes ........ 28

Figure 4.5: Accuracy, Loss of the Model with Learning Rate 0.01 ........ 29

Figure 4.6: Accuracy, Loss of the Model with Learning Rate 0.1 ........ 30

Figure 4.7: Accuracy, Loss of the Model with Learning Rate 0.01 ........ 31

Figure 4.8: Accuracy, Loss of the Model with Learning Rate 0.1 ........ 31

Figure 4.9: Accuracy, Loss of the Model with Learning Rate 0.01 ........ 32

Figure 4.10: Accuracy, Loss of the Model with Learning Rate 0.1 ........ 33

Figure 4.11: Accuracy, Loss of the Model with a Learning Rate of 0.1 ........ 33

Figure 4.12: Accuracy, Loss of the Model with a Learning Rate of 0.01 ........ 34

Figure 4.13: Three Hidden Layers, 0.01 Learning Rate on a Real Dataset Detection ........ 35

Figure 4.14: Three Hidden Layers, Learning Rate 0.1 on a Real Dataset Detection ........ 36

Figure 4.15: Two Hidden Layers, 0.01 Learning Rate on a Real Dataset Detection ........ 36

Figure 4.16: Two Hidden Layers, Learning Rate 0.1 on a Real Dataset Detection ........ 37

Figure 4.17: One Hidden Layer, 0.01 Learning Rate on a Real Dataset Detection ........ 37

Figure 4.18: One Hidden Layer, Learning Rate 0.1 on a Real Dataset Detection ........ 38

LIST OF ABBREVIATIONS AND ACRONYMS

ADAM      Adaptive Momentum

DDoS      Distributed Denial of Services

DL        Deep Learning

DoS       Denial of Services

FE        Flash Events

HR-DDoS   High Rate Distributed Denial of Services

KNN       K-Nearest Neighbours

KOAD      Kernel Online Anomaly Detection

LR-DDoS   Low Rate Distributed Denial of Services

QoS       Quality of Services

SDN       Software Defined Network

SGD       Stochastic Gradient Descent

SVM       Support Vector Machine

PC        Personal Computer

CHAPTER ONE
INTRODUCTION

1.1 General Introduction

A Cisco report shows that the number of devices connected to IP networks will be 28.5
billion by 2022, compared to 18 billion in 2017. Moreover, busy-hour internet traffic
will grow by a factor of 4.8 between 2017 and 2022. The report also shows that
smartphone traffic will dominate PC traffic, accounting for 44 percent of total
internet traffic, up from 18 percent in 2017 (Cisco, 2019). This increase of network
traffic over the internet poses a threat to the security of end users and devices
(Daneshgadeh, Kemmerich, & Ahmed, 2019b). Attacks like DDoS tend to overload the
systems and servers that provide internet services to end users. DDoS is an attack
that deliberately stops and prevents legitimate network users from accessing
services, while FE are events where several legitimate users try to access shared
services at the same time. The two phenomena may lead to high network traffic that
in turn introduces response delay (Sahoo, Tiwary, & Sahoo, 2018). DDoS and FE are
not desirable in communication network traffic as they degrade quality of service.
Moreover, the countermeasure techniques are not the same; hence, there is a need to
distinguish DDoS from FE in network traffic.

In an attempt to distinguish the effects of DDoS and FE in network traffic over the
internet, Daneshgadeh et al. (2019b) proposed a model that uses Shannon entropy,
the Kernel Online Anomaly Detection (KOAD) algorithm and the Mahalanobis distance
metric working with a machine learning technique. The authors reduced false alarms
and improved the detection rate on High Rate and Low Rate DDoS (HR-DDoS and
LR-DDoS) and FE independently. Sun (2019) proposed a method that used K-nearest
neighbours (KNN), a machine learning approach, to detect DDoS and FE based on flow
characteristics of the network traffic. The author considered some features of the
flow characteristics, such as protocol type and the entropy of source/destination IP.
As a result, the proposed model reduced false alarms and improved the detection
rate. In another study, Sahoo (2018) evaluated Shannon entropy and Kullback-Leibler
divergence metrics, based on information metrics, to distinguish HR-DDoS from FE in
SDN network traffic. The study used two information-theory metrics, general entropy
and general information distance, and showed that both can be used to detect and
distinguish FE from DDoS attacks to a great extent.

It is evident that several studies have been able to detect DDoS and FE
independently. But DDoS and FE may happen at the same time, and hence confuse
the detection mechanisms proposed so far. Furthermore, the studies
(Daneshgadeh et al., 2019b; Sun et al., 2019) that detect DDoS and FE were done
with a focus on machine learning. Nevertheless, there are ongoing arguments in the
research community about the efficiency of this strategy in detecting DDoS and FE.
For instance, Imamverdiyev and Abdullayeva (2018) say that in machine learning
feature extraction is done by humans, which means that for big data it will be
impossible for a human to extract the hidden features and patterns. For that reason,
there is a need to find a different technique.

Therefore, this study focused on solving issues that were not covered by previous
scholars, in an attempt to find a way to detect and isolate DDoS attacks and FE in
networks, especially when they occur simultaneously.

1.2 Research Problem Statement

Developments in cloud computing, web services, smart devices and the Internet of
Things (IoT) lead to growth in the number of network users. This growth introduces a
large traffic volume over the internet. As per the Cisco Visual Networking Index (VNI)
report, global IP traffic will increase threefold over the 5 years from 2017 to 2022.
In 2017, the annual rate of global IP traffic was about 1.5 ZB per year, or 122
exabytes per month (Cisco, 2019).

The large traffic volume has been observed to attract attacks on dedicated
application systems from different corners of the globe (Zhang, Zhang, & Yu, 2018).
DDoS consumes system bandwidth and other computing resources like CPU and memory,
which leads to the degradation of network services (Daneshgadeh, Kemmerich, &
Ahmed, 2019a). FE also has effects on the services similar to DDoS (Sahoo et al.,
2018). Thus, several detection techniques have been proposed to distinguish DDoS
attacks from FE, as the two need different countermeasures.

Daneshgadeh et al. (2019b) proposed a model that uses Shannon entropy and the KOAD
algorithm, based on machine learning, to detect anomalies in network traffic. The
study reduced false alarms and improved the detection rate on HR-DDoS and
LR-DDoS. Sun (2019) proposed a method that used KNN, a machine learning approach,
to detect DDoS and FE based on flow characteristics of the network traffic. Some of
the flow-characteristic features were protocol type and the entropy of
source/destination IP. The proposed model reduced false alarms and improved the
detection rate. However, these studies considered only a few of the features found
in flow characteristics. Moreover, the proposed models work with separate data that
did not come from the same network. The proposed techniques used features like flow
characteristics, information metrics and others, but they all used machine learning
as their key method. The major disadvantage of machine learning in this scenario is
that feature extraction is done by human beings, which may be a source of error
(Imamverdiyev & Abdullayeva, 2018).

Therefore, this study aimed to develop a model to detect DDoS attacks and FE
occurring simultaneously in network traffic using deep learning techniques. Deep
learning was selected with the motivation of overcoming the weakness of traditional
machine learning, where feature extraction is done by human beings, whereas in deep
learning it is done by the machine (Imamverdiyev & Abdullayeva, 2018).

1.3 Research Objectives

1.3.1 Main Objective

The main objective of the study was to develop a model that detects DDoS attacks
and FE occurring simultaneously in network traffic using deep learning techniques.

1.3.2 Specific Objectives

This study was guided by the following specific objectives:

i. To study the DDoS attack and FE patterns in network traffic with reference to
normal traffic

ii. To construct a model using a deep learning technique for the detection of DDoS
attacks and FE

iii. To validate the performance of the developed model for the detection of DDoS
attacks and FE

1.4 Research Questions

i. How do DDoS attack and FE patterns behave in network traffic with reference to
normal traffic?
ii. What model suits the described pattern using DL techniques for DDoS attacks
and FE in network traffic?
iii. What is the performance of the developed model for the detection of DDoS
attacks and FE?

1.5 Significance of the Study

The findings of this study will contribute to the body of knowledge in the research
field of information and communication technology, as it gives a new way of
generating FE traffic using the generator proposed in the study; this helps
researchers who are interested in improving or designing new techniques for the
detection of FE and DDoS attacks. This would help to improve the detection
techniques for FE and DDoS attacks. The proposed detection technique can be put in a
live network for live detection, which will improve the network in general.
Moreover, it would reduce the tightness of policies among entities and
organisations, as it stops DDoS attacks and detects legitimate users much earlier,
before they harm the network. This study also provides more knowledge about the
behaviour of DL, as it has shown which number of layers most improves detection.
Given the use of DL to improve the efficiency of detection techniques, it would be
recommended for many network problems over the old machine learning techniques.

CHAPTER TWO
LITERATURE REVIEW

This chapter focuses on obtaining information about the study by surveying
previously written works from different sources. The sources include the internet,
reports, journals and books. It also covers several concepts that have been used in
the study, namely DDoS attacks, FE, deep learning, feature extraction,
classification algorithms and CAPTCHA, followed by related works. The research gap
concludes the chapter by pointing out issues that need to be addressed by future
researchers.

2.1 Definition of Key Concepts

2.1.1 DDoS Attack

Denial of Service (DoS) is a network- and application-layer attack that deliberately
stops and prevents legitimate network users from accessing (Alsirhani, Sampalli, &
Bodorik, 2018) shared services or applications (Daneshgadeh et al., 2019). When an
attacker uses several resources to initiate a DoS, it is called DDoS. This damages
the service as it imposes cost. Many cloud applications with payment services suffer
from DDoS; Kaspersky and Symantec concluded that the major attack in internet
security is DDoS (Elsayed & Azer, 2018).

2.1.2 FE

An FE occurs when many legitimate users access shared resources, leading to the
degradation of services (Bhatia, 2017). According to Sahoo (2018), FE are events
whereby several thousand legitimate users try to access shared services due to
important announcements or breaking news, which leads to high network traffic that
causes response delay.

2.1.3 Deep Learning

Deep learning (DL) is an Artificial Intelligence (AI) function that mimics the
workings of the human brain in processing data for use in detecting objects,
recognizing speech, translating languages, and making decisions. DL is able to learn
without human supervision, drawing from data that is both unstructured and
unlabelled. DL improves resource efficiency and quality of service (QoS) and allows
scalability in networks (Chen, Li, Proietti, Zhu, & Yoo, 2019).

2.1.4 Deep Learning Classification

Classification is one of the most common and frequently tackled problems in the
machine learning and deep learning domain. It uses the concept of classifying
entities into categories. When there are multiple outcomes, the problem can be
classified into several categories. Binary classification is the simplest form, in
which the user tries to classify an entity into one of two possible
categories/outcomes, for example between a cat and a dog, or pass and fail. This
classification problem has been addressed in several studies, as reported by
Alkhaleefah & Wu (2019), Rahman, Wang, Sun, & Zhou (2006) and Shu (2019). Deep
learning has been applied by different prominent scholars, namely Harms (2019), Li
(2017) and Rymarczyk, Kozłowski & Niderla (2019). This study is a classification
problem in nature: detection of, and distinction between, FE and DDoS attacks.
Classification is therefore the most suitable approach for the kind of problem the
study aimed to solve.

2.1.5 Logistic Regression

Logistic regression is a machine learning algorithm for classification with a very
important connection to neural networks (Poirot, 2019). It is used to classify
entities into one of two outcomes. This algorithm is used for classification
problems like cats or dogs, flash events or DDoS attacks, and others. Several
studies have applied this algorithm for binary classification.

2.1.6 Hidden Layers and Nodes

In an Artificial Neural Network (ANN), hidden layers are the computational engine of
the network; the concept of an ANN mimics the human neural network, with layers
placed between the input layer and the output layer. These intermediate layers are
called hidden layers. In designing a deep neural network, there are no specific
methods, steps or theories that guide the determination of the number of hidden
layers (Gupta & Raza, 2020). Therefore, it is a trial-and-test procedure whereby
several attempts have to be conducted until a suitable neural network with a certain
number of hidden layers is found. The same goes for hidden nodes: there are a number
of neurons in the hidden-layer region, and this number can differ from one problem
to another (Leskovec, Rajaraman, & Ullman, 2020; Zou, Li, & Tang, 2009).

2.1.7 Activation Function

In the scenario of trying to give the output layer of a neural network a value of 1
or 0, activation functions are applied. They are mathematical functions that work
with gradient descent so that the gradient does not diminish or saturate towards
zero (Leskovec et al., 2020). They are used to solve nonlinear problems (Wang, Li,
Song, & Rong, 2020). In general, an activation function performs a mathematical
operation on a signal output. Moreover, its choice depends on the type of problem.
Popular activation functions are divided into the linear activation function, the
Rectified Linear Unit (ReLU), the hyperbolic tangent function and the sigmoid
function. The linear activation function produces a positive number for all real
numbers, and the sigmoid function produces a value of 0 for all values less than 0.5
and 1 for values greater than 0.5 (Mhaskar & Micchelli, 1994; Panchal & Panchal,
2014). The most used non-saturating activation function in neural networks is ReLU
(Feng & Lu, 2019). Moreover, it is popular in ANNs, mostly in Convolutional Neural
Networks (CNN) and deep learning.

The ReLU is defined as:

$$f(x) = \max(0, x) = \begin{cases} x, & \text{for } x \geq 0 \\ 0, & \text{for } x < 0 \end{cases} \qquad (1)$$

Figure 2.1: Sigmoid activation function (plot of output, from 0 through 0.5 to 1, against activation; image not reproduced)

2.1.8 Loss Function

The mechanism for checking how far or close a model output is to the label, or true
value, is the loss function or cost function. The output of the model is compared to
the label to get the difference, which helps the model adjust its weights towards
the true values (Poirot, 2019). Consider the equation below, which shows the cost
function with $y_1$ the model output and $y$ the label:

$$\mathrm{Loss}(y_1, y) = \text{how much } y_1 \text{ differs from the true } y \qquad (2)$$

In logistic regression and other classification problems, the cross-entropy loss
function is used to calculate the loss. Cross entropy ($L_{CE}$) uses the negative
log-likelihood loss (Keren, Sabato, & Schuller, 2020). The mathematical form of the
cross-entropy loss is given in the following equations:

$$p(y \mid x) = y_1^{\,y} \, (1 - y_1)^{1-y} \qquad (3)$$

$$\log p(y \mid x) = \log\left[ y_1^{\,y} \, (1 - y_1)^{1-y} \right] \qquad (4)$$

$$= y \log y_1 + (1 - y) \log(1 - y_1) \qquad (5)$$

$$L_{CE}(y_1, y) = -\log p(y \mid x) = -\left[ y \log y_1 + (1 - y) \log(1 - y_1) \right] \qquad (6)$$

Substituting the model output $y_1 = s(w \cdot x + b)$, where $s$ is the sigmoid activation:

$$L_{CE}(w, b) = -\left[ y \log s(w \cdot x + b) + (1 - y) \log\left(1 - s(w \cdot x + b)\right) \right] \qquad (7)$$

2.1.9 Optimizer

After knowing the loss of the model, the next step is to update the weights of the
model, following the gradient, to new values that bring the output closer to the true
label. This is where gradient descent is done. Moreover, the learning-rate parameter
is decided by looking at the size of the data; if the learning rate is small, training
will take a long time, but it can produce results that are more reliable. The
determination of which parameter is suitable for the model, especially a neural
network, depends on the problem at hand.
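The activation, loss and gradient-descent steps of sections 2.1.7 to 2.1.9 carried through in code, as an added example that is not part of the dissertation: a single-output logistic-regression classifier (sigmoid output, the cross-entropy loss of equation (7), plain full-batch gradient descent) trained on a constructed toy set of traffic windows, with a finite-difference check of the analytic gradient. The feature names (request rate, share of requests from new source IPs, source-IP entropy), all their values and the learning rate are assumptions made for the example.

```python
import math

# Constructed toy dataset (not from the dissertation): one row per traffic window.
# The three hypothetical features are scaled to [0, 1]:
#   [request rate, share of requests from previously unseen source IPs, source-IP entropy]
# Label 1 = DDoS window, 0 = FE (flash event) window.
WINDOWS = [
    ([0.90, 0.95, 0.20], 1),  # high rate, mostly new IPs, few distinct sources: bot-like
    ([0.85, 0.90, 0.25], 1),
    ([0.95, 0.97, 0.15], 1),
    ([0.80, 0.88, 0.30], 1),
    ([0.70, 0.30, 0.85], 0),  # high rate too, but many diverse legitimate sources
    ([0.75, 0.35, 0.80], 0),
    ([0.65, 0.25, 0.90], 0),
    ([0.80, 0.40, 0.78], 0),
]

EPS = 1e-12  # keeps log() finite when the sigmoid saturates at exactly 0 or 1


def relu(x):
    """Equation (1): f(x) = max(0, x)."""
    return x if x > 0 else 0.0


def sigmoid(z):
    """Logistic activation s(z) = 1 / (1 + e^-z); the split form avoids overflow in exp()."""
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def predict(w, b, x):
    """Model output y1 = s(w . x + b) for one feature vector x."""
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def cross_entropy(y1, y):
    """Equation (6): L_CE(y1, y) = -[y log y1 + (1 - y) log(1 - y1)]."""
    y1 = min(max(y1, EPS), 1.0 - EPS)
    return -(y * math.log(y1) + (1 - y) * math.log(1 - y1))


def gradients(w, b, x, y):
    """Analytic gradient of equation (7): dL/dw = (y1 - y) x and dL/db = (y1 - y)."""
    err = predict(w, b, x) - y
    return [err * xi for xi in x], err


def numeric_gradient_b(w, b, x, y, h=1e-6):
    """Central finite difference of L_CE in b, used as a check on the analytic gradient."""
    loss_plus = cross_entropy(predict(w, b + h, x), y)
    loss_minus = cross_entropy(predict(w, b - h, x), y)
    return (loss_plus - loss_minus) / (2 * h)


def train(windows, learning_rate=0.5, epochs=2000):
    """Full-batch gradient descent on the mean cross-entropy (no momentum, no Adam)."""
    n_features = len(windows[0][0])
    w, b = [0.0] * n_features, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * n_features, 0.0
        for x, y in windows:
            dw, db = gradients(w, b, x, y)
            grad_w = [g + d for g, d in zip(grad_w, dw)]
            grad_b += db
        n = len(windows)
        w = [wi - learning_rate * g / n for wi, g in zip(w, grad_w)]
        b -= learning_rate * grad_b / n
    return w, b


def mean_loss(w, b, windows):
    """Average L_CE over a dataset."""
    return sum(cross_entropy(predict(w, b, x), y) for x, y in windows) / len(windows)


def accuracy(w, b, windows):
    """Share of windows labelled correctly when the sigmoid output is thresholded at 0.5."""
    hits = sum((predict(w, b, x) >= 0.5) == (y == 1) for x, y in windows)
    return hits / len(windows)


if __name__ == "__main__":
    print("loss before training:", round(mean_loss([0.0] * 3, 0.0, WINDOWS), 4))
    w, b = train(WINDOWS)
    print("loss after training: ", round(mean_loss(w, b, WINDOWS), 4))
    print("training accuracy:   ", accuracy(w, b, WINDOWS))
```

With all weights at zero every output is 0.5, so the starting loss is exactly ln 2; the finite-difference check shows why the gradient of equation (7) reduces to the simple error term (y1 - y).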

2.2 Related Work

Considering the main objective of this study, several studies have tried to tackle
the problem of detecting DDoS attacks and FE. Daneshgadeh et al. (2019b) proposed a
model that uses Shannon entropy and the Kernel Online Anomaly Detection (KOAD)
algorithm, based on machine learning, to detect anomalies in network traffic. Then,
it proposed the Mahalanobis distance metric working with a machine learning
technique to distinguish DDoS from FE. The study reduces false alarms and improves
the detection rate on high-rate and low-rate DDoS (HR-DDoS and LR-DDoS). However,
the proposed model works with separate data that did not come from the same network.

Also, Daneshgadeh et al. (2019a) proposed another model in a different study that
used Shannon entropy and KOAD to detect anomalies in network traffic, similar to
other studies, but used a Support Vector Machine (SVM), a machine learning method,
to distinguish FE from DDoS attacks. In the study, the authors detected DDoS attacks
and FE when they occur separately. Nevertheless, this study did not consider the
case when a DDoS attack and an FE occur simultaneously.

Dhingra (2018) revealed several parameters that distinguish DDoS from FE. He asserts that
FE needs different countermeasures: its legitimate users should be allowed through and not
blocked or treated as attackers. This can only succeed if FE is separated from DDoS.
Moreover, the author distinguishes FE from DDoS by pointing out that DDoS traffic comes
from bots that are pre-programmed. Bots are pre-programmed with the rate of requests, the
payload and the time interval between requests; also, the systems under the control of the
botmaster are pre-defined. It follows that the traffic generated by bots shares the same
kind of similarity. In an FE the scenario is totally different, as genuine requests are
difficult to determine: a normal user sends requests depending on the information he/she
seeks. Furthermore, the study gives the parameters on which the two can be differentiated:
the rate of incoming requests, the number of requests from new IPs, the geographical
distribution of request sources, the requested files, and the patterns among source IPs.
Through these parameters the two kinds of traffic can be distinguished.

Sun (2019) proposed a method that used KNN, a machine learning approach, to detect DDoS
and FE based on the flow characteristics of the network traffic. Among the flow
characteristics used as features were the protocol type and the entropy of source/destination
IP. The proposed model reduced false alarms and improved the detection rate. However, the
study considers only a few of the features found in flow characteristics.

In the study of Sahoo (2018), the authors evaluated Shannon entropy and Kullback-Leibler
divergence, two information-theoretic metrics, to distinguish HR-DDoS and FE in SDN network
traffic. The proposed metrics reduce false alarms. However, the study focuses only on
information metrics to detect HR-DDoS and FE.

With regard to the technique proposed in this study, DL, the majority of researchers used
it to detect DDoS attacks only in network traffic and did not consider FE, as it was not
their focus. Imamverdiyev (2018) proposes a deep learning application based on a
Gaussian-Bernoulli type restricted Boltzmann Machine (RBM), using the NSL-KDD dataset, to
detect DDoS attacks. The application outperforms traditional machine learning methods,
namely SVM, Decision Tree and others. However, that study focused on DDoS only, and shows
the strength of the deep learning technique.

According to Li (2018), using a deep learning technique not only improved the accuracy of
detecting DDoS attacks but also reduced the dependence on physical hardware and software,
while the updating mechanism of real-time detection became easy to carry out. The cited
author achieved a high accuracy of 98-99% in the training phase using the ISCX dataset on
a Software Defined Network (SDN). McDermott, Majdani, and Petrovski (2018) used a deep
learning technique based on Bidirectional Long Short Term Memory Recurrent Neural Networks
(BLSTM-RNN) to detect Mirai botnet DDoS attacks and obtained a validation accuracy of
98-99% while reducing the loss.

On the other hand, Priyadarshini and Barik (2019) proposed a defence mechanism design using
deep learning based on LSTM to detect DDoS attacks in a fog environment and obtained 98.88%
accuracy on test data. According to them, the model uses 128 input nodes, 3 hidden layers
and one dense layer to achieve a steadily growing accuracy and reduced error.

Currently, the most widely used DDoS attack mitigation technique is CAPTCHA (Al-Ali,
Al-Duwairi, & Al-Hammouri, 2016). CAPTCHA stands for Completely Automated Public Turing
test to tell Computers and Humans Apart. It uses a challenge test to tell humans and
computers apart (Saikirthiga & Vaithyasubramanian, 2016). The CAPTCHA is given out
whenever there is an anomaly in network traffic, so in the case of both DDoS attacks and
FE a CAPTCHA will be given out. However, FE traffic comes from legitimate users who should
not be tested by a CAPTCHA; instead they should be allowed to continue to the service they
requested.

Several studies focused on detecting anomalies in the network, as this is an important
step when trying to detect DDoS and FE. Chen et al. (2019) used hybrid techniques,
combining unsupervised and supervised machine learning, to detect anomalies in network
traffic. The study obtained high detection accuracy with 1% false positive and false
negative rates.

Garg et al. (2019) proposed a model using deep learning techniques to detect anomalous
social media traffic in an SDN. The proposed model achieves over 99% accuracy using the
TIET, KDD99 and CMU datasets. This shows the strength of deep learning techniques in
feature extraction.

Previous studies obtained high accuracy using computational intelligence and processing
that involve machine learning methods; meanwhile, deep learning is gaining success in
major industrial applications due to its ability to learn features from big data (Yu &
Zhou, 2020). The most promising and currently well known programming language for
implementing such methods is Python, as it has built-in libraries for real scientific
research (Kumar & Panda, 2019). The concept of combining activation functions improves the
performance of the model (Manessi & Rozza, 2018). In the data manipulation and preparation
part, data were divided into three groups, namely train, test and validation data. Test
data help to control the model so that it does not start to remember the data because it
was trained for so long on a single source of data (training) (Allmer, 2014).

2.2.1 Research Gap


The challenge of DDoS attacks and FE over computer networks has become very serious. A
DDoS is deliberately caused by users with the bad intention of disrupting services by
keeping the servers busy. On the other hand, an FE happens when many authentic users try
to access a server that has insufficient resources to handle their requests. For proper
network management, a system administrator must be able to distinguish between the two
events in order to make appropriate service restoration decisions whenever they happen
simultaneously.

Unfortunately, most of the proposed solutions for detecting FE and DDoS were designed to
deal with each effect in isolation. However, in a real network environment DDoS and FE may
happen at the same time and should be identified and dealt with appropriately.

This study therefore, created a model which can detect and differentiate between the
DDoS attacks and FE happening simultaneously in computer networks.

CHAPTER THREE
METHODOLOGY

3.1 Introduction
This chapter presents the research setting, design, strategy, simulation setup,
manipulation of DDoS and FE, experimental tools, data collection, data analysis and model
development. The next chapter focuses on the results of the analysis described in this
chapter.

3.2 Research Setting


The research was conducted in the CIVE computer laboratory located at the University of
Dodoma, College of Informatics and Virtual Education (CIVE). The deep learning and machine
learning fields require a computer with high GPU and CPU specifications, as the training
phase needs high computing power. On the memory side it also needs a high specification so
that it can handle a large data size at once. As a minimum recommended specification, the
following are the specifications of the computers that were used to conduct the
simulation-based experiment:

Table 3. 1: Computer Specifications

ITEM                             CPU   GPU   CPU-memory   GPU-memory
Cloud computing/Super Computer   4     4     32Gb         32Gb
Normal computer                  1     1     8Gb          8Gb

3.3 Research Design


This study used a quantitative approach, because the data were collected and analysed
quantitatively to achieve the objectives and the aim of the study.

3.4 Research Strategy


To achieve the main objective of the study, a simulation strategy was adopted in the
formulation of the study. A virtual computer network and communication processes were
established, and DDoS attacks and FE were manipulated as they happen in real computer
network environments.

3.4.1 Simulation Setup
The simulation setup had computers for the DDoS attacker, the normal user, the FE,
Wireshark, and the target server. The network was simulated as a normal network using
GNS3, with switches, routers and an ISP. This was done to reflect a real network situation.

3.4.2 Manipulation of DDoS and FE in Computer Networks


DDoS was generated with the Scapy library in the Python language. The attacker computer
generated DDoS attacks, FE traffic was generated from another computer in the network, and
both network traffics were recorded and captured using a computer with Wireshark. Each step
generated the pattern for all scenarios, which was recorded as a dataset. The generated
dataset was used as the dataset for the developed model. For the case of FE, the simulated
data in the simulated network above were generated to resemble the FIFA World Cup 98
dataset, which contains an FE; the software recommended by the literature for this is the
Scapy tool. FIFA World Cup 98 is used in many studies as a common dataset that contains an
FE (Daneshgadeh et al., 2019b).

3.4.3 Experiment Tool


The Python language was used to develop the model. In the simulation of the network,
Wireshark was used not only for capturing network traffic but also for observing and
analysing it. The Scapy tool was used to generate DDoS attacks and FE. The setup contained
the attacker computer, the FE computer, the Wireshark computer and the target server in
the network.

3.5 Data Collection


In data collection, quantitative approach was used.

3.5.1 Studying of the DDoS attacks and FE in network traffic with reference to
a normal traffic
In the simulation, the Scapy and Wireshark tools were used; the pattern was observed and
collected for the DDoS attack and the FE. The procedures were as follows:

3.5.1.1 FE Generation
FE was generated based on the FIFA World Cup 98 dataset using the Python Scapy tool; FIFA
World Cup 98 is the only available dataset representing a predictable FE. The researcher's
focus was to generate a pattern similar to what happens in the FIFA World Cup 98 dataset.
According to Daneshgadeh et al. (2019b), the highest FE occurs on the 66th day, between
23:30 and 23:46, covering 16 minutes leading up to the match between Argentina and
England. The focus was to replicate these 16 minutes in the simulator. In that dataset, IP
addresses were replaced by code IDs for the purpose of retaining privacy. The following
table shows important details about the dataset: the number of requests, the range of code
IDs, the maximum code ID, and the destination ID.

Table 3. 2: Detail of FIFA World Cup 98 FE Dataset Requests

No   Total Number of requests
1.   2,712,425

3.5.1.2 Data Preparation for FE Generation: with Python Language


The first step before simulation was to assign an IP address to each code ID in the
dataset. Class C networks in the range from 192.168.1.0 to 192.168.73.0 were used to
represent the code IDs, while the destination ID was assigned the server IP. The whole data
preparation process was done using the Python Pandas library. The following table gives
the details of the new dataset: number of requests, network range, maximum IP address and
destination IP:

Table 3. 3: Summary of New Dataset from FIFA World Cup 98 FE

Total Number of requests   Network range                  Maximum IP Address   Destination IPs
2,712,425                  192.168.1.0 to 192.168.73.0    192.168.73.161       192.168.73.200 and 10.0.92.21

3.5.1.3 Programming of Script FE Traffic Generator with Python Language


The Pandas library was used again to read the prepared data, while traffic generation was
done by the Scapy library. The traffic generator script was able to send traffic at a rate
of 0 to 3100 packets per second. Part of the code of the generator script is shown in the
following image:

3.5.1.4 Experiment Environment Setup


To achieve the required rate of the traffic generator script, a server and network devices
with the following specifications were used:

Table 3. 4: Server and Network device specifications

Device   Name/Brand used          CPU (cores)                  RAM                                      Operating system (OS)
Server   HP-Proliant DL380 G9     40 cores @2.4GHz             64GB                                     Ubuntu 16.04
Dhcp     Cisco Catalyst 4506-E    -                            512 MB (installed) / 1 GB (max) SDRAM    Cisco IOS-XE 03.04.02.SG (UNIVERSAL)
Router   Cisco 2951               -                            512 MB (installed) / 2 GB (max) SDRAM    Cisco IOS 15.1(3)T (UNIVERSALK9)
Switch   Cisco 2960               APM86392 600 MHz dual core   (installed): 128.000 MB, 512.000 MB      Cisco IOS 12.2(50)SE4 (LANLITEK9)

3.5.1.5 DDoS Generation


For the case of DDoS, according to Daneshgadeh et al. (2019a), HR-DDoS is more similar to
FE than LR-DDoS is. Broadly speaking, DoS and DDoS attacks can be divided into three types:
volume based attacks, protocol attacks and application attacks. Several studies also
classify them by the layer attacked, the network layer or the application layer. The most
common DDoS attacks happen in the network layer (volume based attacks).

Moreover, among network layer (volume based) attacks the most effective attack is the
flood (Sahi, Lai, Li, & Diykh, 2017). Flood DDoS attacks include UDP, ICMP, TCP-SYN and
HTTP floods. In this study the focus was the TCP SYN flood (SYN flood), so the DDoS
generator produced a volume based attack focused on the TCP SYN flood. In a TCP SYN flood
the attacker exploits the normal TCP three-way handshake by sending connection requests;
when the server replies to a request with an acknowledgement, the attacker does not send
the final acknowledgement, which leaves the server waiting for it for some period of time.
The server will then deny other clients, as many connections are left open waiting for
acknowledgement. This scenario exhausts network bandwidth, CPU and other server resources.

3.5.1.6 Data Preparation for DDoS attacks with Python Language


The researcher used one scenario from among those implemented in Daneshgadeh et al.
(2019a). That scenario is described in the following table:

Table 3. 5: DDoS Setup Scenarios with Specification

Domain   Number of IP per domain   Total IPs   Number of Bots   Packets per second
1        4                         4           100              2110

3.5.1.7 Programming of Script DDoS Generator with Python Language


The script was designed so that traffic was generated by Scapy at a rate of 2110 packets
per second. The IP network of the one ISP domain was 61.10.10.0. Part of the code of the
generator script is shown in the following image:

3.5.1.8 Experiment Environment Setup


To achieve the required rate of the traffic generator, the same environment as for the
previous FE experiment was used. For more details refer to Table 1 in chapter 3.

3.5.1.9 FE and DDoS Attacks Generation at the Same Time


The purpose of the previous steps was to make it possible to simulate both scenarios
happening simultaneously. In this stage the pattern and behaviour were established. The
results and findings were analysed, and the discussion and challenges are provided. In
addition, the results and findings helped the next stage of designing the model that could
detect the occurrence of FE and DDoS attacks when they happen at the same time.

3.5.1.10 Data Preparation for FE and DDoS Attacks Generation at the Same
Time with Python Language
In this stage, the data were obtained by running both generators at the same time and
capturing the traffic using Wireshark. The simulated data were then graphed as the number
of requests over time (minutes).

3.5.1.11 Programming of Script for both Generator with Python Language


In this stage, the researcher combined both the FE and DDoS attack scripts. The combined
scripts were executed as follows: the FE generator script started first, and in the 6th
minute the DDoS generator followed. The FE and DDoS scripts were executed for 16 and 8
minutes respectively.

3.5.1.12 Experiment Environment Setup


To achieve the required rate of the traffic generators, the same environment as for the
previous FE and DDoS experiments was used. For more details refer to table 1.

3.5.2 Modelling of described pattern using deep learning technique for detection of DDoS attacks and FE
The literature was reviewed; the choice of DL technique depends on the nature of the
dataset, which can be labelled or not. The nature of the dataset for this study, as
observed in specific objective one, is a labelled dataset; therefore a supervised learning
approach was found to be appropriate for detecting DDoS attacks and FE. Once it was decided
that the problem is supervised, the next question was whether it is classification or
regression. The data for the second objective came from the generated dataset, and two
data groups, namely train data and test data, were used.

3.5.3 Validate performance of the developed model for detection of DDoS attacks and FE
For the third objective, the validation data were obtained from the University of Dodoma
network traffic. This validated the model and gave the accuracy score, the error and the
false alarm rate.

3.6 Data Analysis


In this study, data were analysed using a quantitative approach. For the first objective,
different DDoS attacks were simulated and observed, and the generated dataset was later
compared with FE using Wireshark. In identifying DL techniques through the literature
review, a DL technique was selected based on the following performance metrics: accuracy,
validation accuracy, error and false alarm. For the second objective, the number of inputs,
hidden layers, activation function and outputs were selected through the literature review
and used in a model. Since the input depends on the generated dataset and the output is
categorical, different hidden layers and activation functions were tested and analysed. As
before, the performance metrics were used to analyse the model created with several hidden
layers and activation functions. For the third and last specific objective, the validation
of the developed model was accomplished and analysed using the test and validation data.
The DL performance metrics were used for the analysis.

3.7 Model Development

3.7.1 Introduction
In the previous stage, the data obtained were of FE and DDoS happening at the same time.
The aim here was to design a model that could detect and distinguish the two. The nature of
this problem is classification, as the researcher indicated; therefore, the researcher
selected deep learning techniques as the method for detecting and distinguishing. In a
classification problem, the design depends on how many categories are to be classified;
the researcher has two categories, FE or DDoS attack. Therefore it is a logistic (binary)
classification whose output can be 0 or 1. To implement the model, the researcher used the
Python language, relying on the PyTorch library.

3.7.2 Data Preparation


The researcher prepared the simulated dataset from the previous stage; the data were
categorised into two groups, namely the train dataset and the test dataset. The model was
trained on the train dataset and later tested on the test dataset.

3.7.3 Input Design


The researcher selected the number of requests per IP and the time interval, as many
researchers have used them in their models. These parameters showed high accuracy in
performance and detection. Therefore, the input features for the model in this study were
the number of requests per IP and the time interval between requests of the same IP.
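An added example (not the study's own code) of how the two input features above, together with the per-minute request counts graphed in section 3.5.1.10, can be extracted from a capture. The capture rows are constructed; the two address ranges echo the study's FE and DDoS setup.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample capture: (timestamp in seconds since capture start, source IP).
# 192.168.x.x stands in for the replayed FE users and 61.10.10.x for the attack
# domain, following the study's setup; the values themselves are made up.
SAMPLE_CAPTURE = [
    (0.10, "192.168.1.10"), (0.95, "192.168.1.10"), (3.40, "192.168.2.77"),
    (5.00, "192.168.1.10"), (61.20, "192.168.2.77"), (62.00, "192.168.5.9"),
    (100.0, "192.168.9.9"),
    (360.000, "61.10.10.1"), (360.001, "61.10.10.1"), (360.002, "61.10.10.1"),
    (360.003, "61.10.10.1"), (360.004, "61.10.10.1"), (361.5, "192.168.5.9"),
]

def requests_per_minute(capture):
    """Number of requests in each minute of the capture: the data behind the
    requests-over-time graphs of section 3.5.1.10. Minutes with no traffic are absent."""
    counts = defaultdict(int)
    for ts, _ in capture:
        counts[int(ts // 60)] += 1
    return dict(sorted(counts.items()))

def per_ip_features(capture):
    """For every source IP: total number of requests and the mean time interval between
    consecutive requests of that IP (the two input features of section 3.7.3).
    An IP seen only once has no interval and is reported with None."""
    times = defaultdict(list)
    for ts, ip in capture:
        times[ip].append(ts)
    features = {}
    for ip, ts_list in times.items():
        ts_list.sort()
        gaps = [later - earlier for earlier, later in zip(ts_list, ts_list[1:])]
        features[ip] = (len(ts_list), mean(gaps) if gaps else None)
    return features

def feature_rows(capture):
    """Flatten to (ip, requests, interval) rows ready for the model; single-request IPs
    are skipped because the model needs both features."""
    return [(ip, n, gap) for ip, (n, gap) in per_ip_features(capture).items() if gap is not None]

if __name__ == "__main__":
    print(requests_per_minute(SAMPLE_CAPTURE))
    for row in feature_rows(SAMPLE_CAPTURE):
        print(row)
```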

3.7.4 Hidden Layer and Nodes


The next stage, after the input, is how many hidden layers the researcher should use in
the model. This depends on the size of the data and how many epochs are used. In this case
the data are about 42.1Mb, which is small, so a few hidden layers can give a desirable
output. The more hidden layers, the more features can be extracted and the higher the
accuracy, but this applies to large datasets with more features. Moreover, the number of
epochs used to train the model also depends on the size of the data. The researcher
concluded as follows for this stage: 1 to 3 hidden layers, trained for 1 epoch, then
increasing the number of epochs until the desired accuracy and validation accuracy were
achieved. Moreover, there is no clear and systematic way to select the number of
nodes/neurons. The researcher tested different numbers and came out with the one that had
the most desirable performance.

3.7.5 Activation and Loss Function


In this stage, considering that this is binary logistic classification, the appropriate
activation functions are ReLU and, for the last layer, sigmoid, which outputs a value
between 0 and 1. The two activation functions have their strengths and weaknesses, and the
researcher intended to find out which gave the better performance. Moreover, to determine
the loss of the model, the loss function used was Binary Cross Entropy (BCE loss), for the
case of the sigmoid activation function.

3.7.6 Optimizer
The researcher picked two optimizers, namely Adam and SGD, which control the learning rate
of the model and speed up the training and test phases. The researcher decided to test
both optimizers with learning rates of 0.1 and 0.01 for better performance in the training
phase.

3.7.7 Output
In the output part, only one output was given: either FE or DDoS attack. The researcher
used binary values to represent the output as follows: 0 for FE and 1 for DDoS attack.

3.7.8 Design Summary in Table and Deep Neuron Network diagrams


In summary, the researcher implemented and tested the model in the following stages,
starting with the Adam optimizer and then SGD. In both stages the number of hidden layers
was from 1 to 3 and the learning rate was 0.1 or 0.01. The following table summarises all
the designed step parameters, with diagrams of the deep neural networks.

Table 3. 6: Summary of Model Design Parameter

SN.   Parameter             Number/type                                     Reason
1.    Input                 2 - number of requests, time interval           Number of features
2.    Hidden Layer          1-3                                             Processing time, reduce over and under fitting
3.    Activation function   Sigmoid, relu                                   Concept of combining activation functions
4.    Loss Function         Binary Cross Entropy (BCE loss)                 Concept of combining loss functions for better performance
5.    Optimizer             Adam, SGD (learning rate between 0.1 - 0.01)    Learning rate can speed up training phase
6.    Output                2 - FE or DDoS                                  Its logic output is either 0 or 1

Figure 3. 1: Deep Neuron Network Diagram with 3 Hidden Layers

Figure 3. 2: Deep Neuron Network Diagram with 2 Hidden Layers

Figure 3. 3: Deep Neuron Network Diagram with 1 Hidden Layer

3.7.9 Training of the Model


After designing the model in deep learning, the next step was to train and optimise the
model over several epochs; it is a repetitive process of design, training and
optimisation. In this process, the model was trained until a good accuracy was achieved,
while avoiding the situation where the model started to remember the data. This could be
detected by watching the test error and the training error for the point where they start
to diverge from one another during the training phase. These are explained and shown in
the results and discussion chapter of the study.
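An added example, not the dissertation's PyTorch model, of the design in sections 3.7.4 to 3.7.9 as a pure Python network: two inputs, one ReLU hidden layer, a sigmoid output with BCE loss, plain SGD at learning rates 0.1 and 0.01, and a per-epoch train/test loss curve so the divergence described above can be watched. The training rows are constructed, and only one hidden layer and the SGD optimizer are implemented here.

```python
import math
import random

# Constructed rows of (requests per IP, mean interval in seconds, label), with
# 0 = FE and 1 = DDoS as in section 3.7.7. The values are illustrative only.
RAW_ROWS = [
    (12, 8.5, 0), (40, 1.2, 0), (25, 3.9, 0), (8, 15.0, 0), (60, 0.8, 0), (33, 2.1, 0),
    (2110, 0.0005, 1), (1900, 0.0006, 1), (2400, 0.0004, 1), (2050, 0.0005, 1),
    (1750, 0.0007, 1), (2300, 0.0004, 1),
]

def normalise(rows):
    """Min-max scale each feature to [0, 1]: raw request counts differ from the
    intervals by orders of magnitude and would otherwise dominate the gradient."""
    cols = list(zip(*[r[:2] for r in rows]))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return [([(v - l) / (h - l) for v, l, h in zip(r[:2], lo, hi)], r[2]) for r in rows]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def relu(z):
    return z if z > 0.0 else 0.0

def bce(y_hat, y):
    """Binary cross entropy; the clamp keeps log() finite when y_hat saturates."""
    y_hat = min(max(y_hat, 1e-12), 1.0 - 1e-12)
    return -(y * math.log(y_hat) + (1 - y) * math.log(1.0 - y_hat))

class OneHiddenLayerNet:
    """2 inputs -> `hidden` ReLU units -> 1 sigmoid output, trained with plain SGD."""

    def __init__(self, hidden=8, seed=0):
        rng = random.Random(seed)
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(2)] for _ in range(hidden)]
        self.b1 = [0.0] * hidden
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(hidden)]
        self.b2 = 0.0

    def forward(self, x):
        z1 = [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(self.w1, self.b1)]
        h = [relu(z) for z in z1]
        return z1, h, sigmoid(sum(w * hi for w, hi in zip(self.w2, h)) + self.b2)

    def sgd_step(self, x, y, lr):
        """Backpropagate the BCE gradient (dL/dz2 = y_hat - y) and take one step."""
        z1, h, y_hat = self.forward(x)
        dz2 = y_hat - y
        dh = [dz2 * w for w in self.w2]            # uses w2 before it is updated
        self.w2 = [w - lr * dz2 * hi for w, hi in zip(self.w2, h)]
        self.b2 -= lr * dz2
        for j, row in enumerate(self.w1):
            dz1 = dh[j] if z1[j] > 0.0 else 0.0    # ReLU passes gradient only when active
            self.w1[j] = [w - lr * dz1 * xi for w, xi in zip(row, x)]
            self.b1[j] -= lr * dz1

def mean_loss(net, data):
    return sum(bce(net.forward(x)[2], y) for x, y in data) / len(data)

def accuracy(net, data):
    return sum((net.forward(x)[2] >= 0.5) == (y == 1) for x, y in data) / len(data)

def train(lr, epochs=200, seed=0):
    """Train on a 2/3 train, 1/3 test split. Returns the per-epoch (train loss,
    test loss) curve, which is what chapter 4 plots, and the final test accuracy."""
    data = normalise(RAW_ROWS)
    rng = random.Random(seed)
    rng.shuffle(data)
    split = len(data) * 2 // 3
    train_set, test_set = data[:split], data[split:]
    net = OneHiddenLayerNet(seed=seed)
    curve = []
    for _ in range(epochs):
        rng.shuffle(train_set)
        for x, y in train_set:
            net.sgd_step(x, y, lr)
        curve.append((mean_loss(net, train_set), mean_loss(net, test_set)))
    return curve, accuracy(net, test_set)

if __name__ == "__main__":
    for lr in (0.1, 0.01):
        curve, acc = train(lr)
        print(f"lr={lr}: final train/test loss {curve[-1][0]:.3f}/{curve[-1][1]:.3f}, "
              f"test accuracy {acc:.2f}")
```

A widening gap between the train and test columns of `curve` over the epochs is the divergence the text describes; on this small separable sample the two stay close.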

3.7.10 Model Validation

3.7.11 Introduction
In the previous stage, several model designs were obtained that can detect and distinguish
between FE and DDoS attacks when they happen at the same time. The focus here was to test
the performance of the model on real data from the network of the University of Dodoma.

3.7.12 Data preparation with Python Language


In this stage, the data were obtained from the log files of the server that keeps the log
files of the University website. The log files were selected by considering their size,
as the larger the file the larger the number of requests and the traffic. The logs of 22
and 29 July 2020 were picked as they were larger than the others. Table 3.7 shows the
summary.

Table 3. 7: Network data summary from The University of Dodoma

Date        Number of IPs   Start Time   End Time   Number of requests
22/7/2020   2,174           06:25:07     23:59:59   427,062
29/7/2020   1,953           06:25:24     23:59:59   325,982

Figure 3. 4: Training, Testing and Validation phase flow chart

3.8 Ethical Consideration


The study used a simulation environment at the CIVE computer laboratory and therefore the
researcher sought ethical clearance and a research permit from the office of Research,
Publications and Consultancy and the office of the Vice Chancellor respectively. In this
study, data collection was done in two phases. The first was the collection of data to
train and validate a model, which was obtained through a special test-bed of four
interconnected computers. Because no human being was involved in this phase, issues of
privacy and confidentiality were not applicable. However, the researcher observed the
integrity of the data generated for model training and validation, even where the results
did not turn out as expected.

The second phase is the collection of data for testing the model on a live network. In
this study, the UDOM Local Area Network (LAN) was used. Here there were some ethical
concerns, such as the privacy, confidentiality and integrity of the data generated by
network users and applications.

Therefore, the researcher preserved the said attributes by securing the IP addresses,
service port numbers and server credentials that were made available for the purpose of
this study.

CHAPTER FOUR
RESULTS AND DISCUSSIONS

4.1 Description of the DDoS attacks and FE in network traffic with reference
to a normal traffic Results and Finding for FE

4.1.1 FE pattern
Execution of the script took 16 minutes. The results were plotted on a graph. The purpose
of this stage was to replicate the FIFA dataset as it happened. The following graph shows
the number of requests in each of the 16 minutes for both the traffic generator and FIFA
World Cup 98.

Figure 4. 1: Network Traffic of FIFA Dataset and FE Generator in 16 Minutes

The researcher was able to simulate and generate traffic almost similar to the FIFA
dataset, as shown in fig. 3, with a tolerance of about +/- 5%. The challenge faced was a
hardware issue: when using specifications below those indicated by the researcher, the
outcome may diverge from the target. Moreover, the researcher faced the Scapy tool's
limitation on the packet rate when sending packets, so the packet rate was limited to a
certain value. This could be improved by a deeper understanding of the Scapy library, but
time was not in the researcher's favour. For future work, the researcher plans to go
deeper into the Scapy library to improve the FE traffic generator.

4.1.2 DDoS attacks pattern
Execution of the script took 8 minutes for both scenarios. The results were plotted on a
graph. The following graph shows the number of requests in each of the 8 minutes for both
scenarios, with a 4 domain and a 1 domain network.

Figure 4. 2: Network Traffic of DDoS Generator for 8 Minutes

The results were similar to those of other researchers who reported on how a flood DDoS
attack behaves. The DDoS attack produces a square shape, as it maintains a constant number
of packets for a certain period of time.

4.1.3 FE and DDoS attacks occur at same time


Like the previous stage, the execution of the combined process took 16 minutes. The results
were prepared and plotted using two graphs. The first graph shows the number of requests in
each of the 16 minutes for both scenarios, with FE and DDoS attack separated. The other
shows the combined request traffic without separating the FE and DDoS attack.

Figure 4. 3: Network Traffic of FE with DDoS Attack in 16 Minutes

Figure 4. 4: Network Traffic of FE and DDoS Attack Separated in 16 Minutes

The researcher was able to simulate and generate network traffic that contained both FE
and DDoS attacks happening simultaneously. This provides a new direction, as it gives an
alternative to researchers who wish to try their model in scenarios like this, where FE
and DDoS attacks happen at the same time. The challenge faced was a hardware issue: when
using specifications below those indicated by the researcher, the outcome could diverge
from the target. Moreover, the researcher faced the Scapy limitation on the packet rate
when sending packets, so the packet rate was limited to a certain value. This could be
improved by a deeper understanding of the Scapy library, but time was not in the
researcher's favour. For future work, the researcher plans to go deeper into the Scapy
library so as to improve the FE traffic generator.

4.2 Modelling of described pattern using deep learning technique for detection of DDoS attacks and FE
In the training and test phase, the following parameters were obtained: accuracy,
validation accuracy, loss and validation loss. Note that validation accuracy and validation
loss were obtained in the test phase. Moreover, the time taken was measured as the
reference point (x axis in the graphs). In summary, the graphs were plotted as follows:

In the first trial, where the learning rate was 0.01, the model took less than 50 seconds
to reach the highest accuracy of about 99% while the loss dropped dramatically to almost
0.01. The model took short, small steps in gradient descent, which produced a more
desirable gradient and led to the high accuracy. This is shown in Figure 4.5:

Figure 4. 5: Accuracy, Loss of the Model with Learning Rate 0.01

In the second trial, where the learning rate was 0.1, the model took more than 50 seconds
to reach the highest accuracy of about 99% while the loss dropped dramatically to 0.01, as
shown in Figure 4.6. Here the model took much larger steps, which can make a model learn
quickly but meanwhile overshoot the step and miss the true and desirable gradient(s). That
is why it took longer compared to the learning rate of 0.01.

Figure 4. 6: Accuracy, Loss of the Model with Learning Rate 0.1

In the first trial for two hidden layers with a learning rate of 0.01, the model again took
less than 50 seconds to reach the highest accuracy of about 99% while the loss dropped
dramatically to almost 0.01. The reason is the same as for the previous model with the
same learning rate of 0.01: the model took small steps toward the desirable gradient(s).
This is shown in Figure 4.7:

Figure 4. 7: Accuracy, Loss of the model with learning rate 0.01

In the second trial, where the learning rate was 0.1, the model took between 10 and 15
seconds to reach the highest accuracy of about 99% while the loss dropped dramatically to
almost 0.01. In this scenario, with the large learning rate, the model learned more
quickly, which did not happen with the previous model at the same learning rate. This is
because the number of hidden layers and nodes was reduced, meaning the model did not go
deep enough to capture all the features and instead generalised the result. In the
previous Figure 4.7 this did not have much effect because the learning step of 0.01 was
small enough compared to 0.1. This is shown in Figure 4.8:

Figure 4. 8: Accuracy, Loss of the Model with Learning Rate 0.1

In the first trial for one hidden layer with a learning rate of 0.01, the model took more
than 50 seconds to reach the highest accuracy of about 99% while the loss dropped
dramatically to almost 0.01. The reason is the same as for the previous model with the
same learning rate of 0.01: the model took small steps toward the desirable gradient(s).
The model needed little time per step, as it did not go deep enough to capture all the
features, having only one hidden layer. This is shown in Figure 4.9:

Figure 4. 9: Accuracy, Loss of the Model with Learning Rate 0.01

In the second trial for one hidden layer with a learning rate of 0.1, the model again took
between 10 and 15 seconds to reach the highest accuracy of about 99% while the loss
dropped dramatically to almost 0.01. In this scenario, the same as in Fig 4.11, with the
large learning rate the model learned more quickly, which did not happen with the previous
model at the same learning rate. This is because the number of hidden layers and nodes was
reduced, meaning the model did not go deep enough to capture all the features and instead
generalised the result. This is shown in Figure 4.10:

Figure 4. 10: Accuracy, Loss of the Model with Learning Rate 0.1

In the first trial for three hidden layers with a learning rate of 0.1 and the SGD
optimizer, the model took almost 130 seconds to reach the highest accuracy of about 99%
while the loss dropped dramatically to almost 0.01. This shows that the optimizer is not
suitable, as it took a long time to capture the desirable gradient(s); this is validated in
Figure 4.11.

Figure 4. 11: Accuracy, Loss of the Model with a Learning Rate of 0.1

In the second trial for three hidden layers with a learning rate of 0.01 and the SGD
optimizer, the model trained for 400 seconds and obtained a highest accuracy of
about 70-72% for the test data and 75-82% for the training data, while the loss
dropped to almost 0.55 for the test data and 0.5 for the training data. The reason is
that the model took small steps but the optimizer failed to learn the features from the
data, so it trained for a long time without capturing the true gradient(s). This is
evidenced in Figure 4.12.

Figure 4.12: Accuracy and Loss of the Model with a Learning Rate of 0.01

As shown in Figures 1 and 2, when using SGD as the optimizer the model took too long
to learn the pattern. For the same learning rate, the Adam optimizer showed that it was
more capable of quickly learning a pattern in the dataset than SGD. This leads to the
conclusion that Adam is the best optimizer for training the model, and there is no
need to find out the performance for a smaller number of hidden layers.

Moreover, with the Adam optimizer at a learning rate of 0.1, the model took only a
few seconds compared to the 0.01 configuration. Also, when considering the number of
hidden layers, two hidden layers showed the highest and quickest learning compared
to the others.

However, the number of hidden layers depends on the size of the dataset and the
number of inputs, so the model could change. With respect to this study, the selection
of the appropriate model is discussed in the next step.
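The optimizer comparison above (Adam versus SGD at the same learning rate, with the same starting weights) can be reproduced on a small scale. The following is an added illustration written for this page, not the dissertation's code or the appendix sample code. It trains a one-hidden-layer network with manual backpropagation in pure Python, once with the plain SGD update and once with the Adam update, and reports the loss and training accuracy of each. The two inputs follow the study's feature description (request count per interval and interval length), but the sample value ranges, the hidden width of 4 tanh units, the initialisation, and the step count are assumptions chosen so the example runs offline.

```python
"""Toy comparison of the SGD and Adam update rules on a one-hidden-layer network.

Added illustration, not the dissertation's code. The sample ranges, network
width, tanh hidden units, initialisation and step count are assumptions.
"""
import math
import random

N_IN, N_HID = 2, 4          # input features, hidden nodes (assumed width)

def make_dataset(n_per_class=60, seed=42):
    """Constructed samples: x = (requests/1000, interval_s/10), y = 1 for DDoS.

    FE windows carry a moderate request count and DDoS windows a high one;
    the interval length is a noise feature shared by both classes.
    """
    rng = random.Random(seed)
    data = []
    for _ in range(n_per_class):
        data.append(([rng.uniform(0.1, 0.5), rng.uniform(0.1, 1.0)], 0))  # FE
        data.append(([rng.uniform(0.7, 1.0), rng.uniform(0.1, 1.0)], 1))  # DDoS
    rng.shuffle(data)
    return data

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def init_params(seed=0):
    """Flat parameter vector: W1 (N_HID*N_IN), b1 (N_HID), w2 (N_HID), b2 (1)."""
    rng = random.Random(seed)
    theta = [rng.uniform(-0.5, 0.5) for _ in range(N_HID * N_IN)]
    theta += [0.0] * N_HID
    theta += [rng.uniform(-0.5, 0.5) for _ in range(N_HID)]
    theta += [0.0]
    return theta

def forward(theta, x):
    """Return hidden activations and the DDoS probability for one sample."""
    h = []
    for j in range(N_HID):
        z = sum(theta[j * N_IN + i] * x[i] for i in range(N_IN)) + theta[N_HID * N_IN + j]
        h.append(math.tanh(z))
    logit = sum(theta[N_HID * N_IN + N_HID + j] * h[j] for j in range(N_HID)) + theta[-1]
    return h, sigmoid(logit)

def loss_and_grad(theta, data):
    """Mean binary cross-entropy over the batch and its gradient (manual backprop)."""
    n = len(data)
    grad = [0.0] * len(theta)
    loss = 0.0
    for x, y in data:
        h, p = forward(theta, x)
        loss -= y * math.log(p + 1e-12) + (1 - y) * math.log(1 - p + 1e-12)
        dz = (p - y) / n                                  # dL/dlogit, batch-averaged
        grad[-1] += dz                                    # b2
        for j in range(N_HID):
            w2j = theta[N_HID * N_IN + N_HID + j]
            grad[N_HID * N_IN + N_HID + j] += dz * h[j]   # w2
            dh = dz * w2j * (1.0 - h[j] ** 2)             # back through tanh
            grad[N_HID * N_IN + j] += dh                  # b1
            for i in range(N_IN):
                grad[j * N_IN + i] += dh * x[i]           # W1
    return loss / n, grad

def sgd_step(theta, grad, lr, state):
    """Plain gradient descent: move every weight by lr times its gradient."""
    for k in range(len(theta)):
        theta[k] -= lr * grad[k]

def adam_step(theta, grad, lr, state, b1=0.9, b2=0.999, eps=1e-8):
    """Adam: bias-corrected first and second moment estimates scale each step."""
    if not state:
        state.update(m=[0.0] * len(theta), v=[0.0] * len(theta), t=0)
    state["t"] += 1
    t = state["t"]
    for k in range(len(theta)):
        state["m"][k] = b1 * state["m"][k] + (1 - b1) * grad[k]
        state["v"][k] = b2 * state["v"][k] + (1 - b2) * grad[k] ** 2
        m_hat = state["m"][k] / (1 - b1 ** t)
        v_hat = state["v"][k] / (1 - b2 ** t)
        theta[k] -= lr * m_hat / (math.sqrt(v_hat) + eps)

def train(data, step_fn, lr, steps):
    """Full-batch training from the same initial weights; returns a summary dict."""
    theta = init_params()
    state = {}
    initial_loss, _ = loss_and_grad(theta, data)
    for _ in range(steps):
        _, grad = loss_and_grad(theta, data)
        step_fn(theta, grad, lr, state)
    final_loss, _ = loss_and_grad(theta, data)
    correct = sum((forward(theta, x)[1] >= 0.5) == (y == 1) for x, y in data)
    return {"initial_loss": initial_loss, "final_loss": final_loss,
            "accuracy": correct / len(data)}

def compare_optimizers(lr=0.01, steps=500):
    """Train the same network with SGD and with Adam at one learning rate."""
    data = make_dataset()
    return {"sgd": train(data, sgd_step, lr, steps),
            "adam": train(data, adam_step, lr, steps)}

if __name__ == "__main__":
    for name, r in compare_optimizers().items():
        print(f"{name}: loss {r['initial_loss']:.3f} -> {r['final_loss']:.3f}, "
              f"training accuracy {r['accuracy']:.1%}")
```

With the learning rate fixed at 0.01 for both, SGD moves each weight by at most the learning rate times a gradient that is small at the start, whereas Adam's normalisation makes every step close to the learning rate in size, so Adam reaches a far lower loss in the same number of steps. Passing lr=0.1 to compare_optimizers shows the other effect the chapter describes: the larger step speeds both optimizers up, at the cost of a less smooth loss curve.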

4.3 Validate performance of the developed model for detection of DDoS attacks and FE

The performance of the model was tested in the following steps. First, the model with
three hidden layers was tested on the 22 and 29 July datasets, followed by the model
with two hidden layers and lastly the model with one hidden layer. The results
were graphed as follows:

Figure 4.13: Three Hidden Layers, 0.01 Learning Rate on a Real Dataset Detection

Figure 4.14: Three Hidden Layers, Learning Rate 0.1 on a Real Dataset Detection

Figure 4.15: Two Hidden Layers, 0.01 Learning Rate on a Real Dataset Detection

Figure 4.16: Two Hidden Layers, Learning Rate 0.1 on a Real Dataset Detection

Figure 4.17: One Hidden Layer, 0.01 Learning Rate on a Real Dataset Detection

Figure 4.18: One Hidden Layer, Learning Rate 0.1 on a Real Dataset Detection

Table 4.1: Summary of Performance for both Models

(The difference columns give the count at learning rate 0.01 minus the count at
learning rate 0.1 for the same date.)

Hidden   Date         Learning   FE        DDoS      FE           DDoS
layers                rate                           difference   difference
3        22/07/2020   0.01       342295    84767
                      0.1        342294    84768     1            -1
3        29/07/2020   0.01       238125    87857
                      0.1        238125    87857     0            0
2        22/07/2020   0.01       336317    90745
                      0.1        309259    117803    27058        -27058
2        29/07/2020   0.01       225859    100123
                      0.1        225859    100123    0            0
1        22/07/2020   0.01       348623    78439
                      0.1        336317    90745     12306        -12306
1        29/07/2020   0.01       238125    87857
                      0.1        225859    100123    12266        -12266
As summarised in Table 4.1, both models detect FE and DDoS attacks. However, the
numbers of FE and DDoS attacks detected were different. This implies that the
different model designs affected the outcome, which was due to the effect of
different numbers of hidden layers and learning rates. However, as the hidden layers
increased, the difference became small. This implies that more layers in the model
(a deeper model) improve accuracy. This is significant because FE and DDoS attacks
both have the property of occurring with a large volume of traffic or requests in a
short period of time.

Therefore, the model with three hidden layers at either learning rate can classify
and detect FE or DDoS attacks. However, the learning rate of 0.01 gives a smooth
learning curve without jumping too far or too little. This implies that it is better
to take small steps in training the model, because with a high learning rate it can
overshoot or miss the desirable weight (gradient). The model can detect with an
accuracy of 99% and a false alarm rate of less than 1%. This is consistent with
several studies using DL for detection that report high performance and accuracy:
Garg et al. (2019), C. Li et al. (2018) and Priyadarshini & Barik (2019), whose
proposed models obtained accuracies of between 98-99%.

CHAPTER FIVE
CONCLUSION, RECOMMENDATION AND FUTURE RESEARCH

5.1 Conclusion
In this dissertation, the detection of DDoS attacks and FE occurring simultaneously
in network traffic using deep learning techniques was developed and tested with data
from real network traffic, as shown in Chapter Four. Performance parameters such as
accuracy, loss and false alarm were used to compare the model designs, as shown in
several figures, with respect to how long the training phase took and the ability to
detect and distinguish attacks and FE. The effect of the hidden layers on performance
was also shown in several figures and in Table 4.1 in Chapter Four. The model scored
an accuracy of 99%, the same as other studies, but this study solved a different
scenario in which DDoS attacks and FE occur simultaneously, which other studies did
not.

5.2 Recommendations
The developed model can detect and distinguish the two with an accuracy of 99%, which
shows it can be applied to live network traffic to detect the two scenarios. A defence
mechanism can be applied after the proposed technique, as an FE needs more server
processing power and network resources while DDoS attacks should be blocked. The
use of different numbers of hidden layers and nodes helped to improve the developed
model, with two optimizers tested. The Adam optimizer showed higher performance
compared to plain SGD, as shown in Chapter Four. The study recommends this (Adam)
optimizer for deep learning problems similar to this study. Moreover, in this study
the researcher observed the use of one public IP for all internet users in the
organisation. However, this is not a good network configuration, because when all
users access a server like Google at once, DDoS detection techniques group them all
as a DDoS attack. The organisation has more than 1400 staff and more than 25000
students, with access points and internet places for both. Given these scenarios, it
is certain that the IP will be grouped as suspicious or blacklisted. The quick fix for
these scenarios is to use IP version 6.

5.3 Future Research

Following the challenges and shortcomings faced by this study, some of the goals
were not achieved. Because of that, the study was conducted on only some of the
parameters.

The study used the FIFA World Cup 98 dataset, from an event that took place more
than 21 years ago. This can give invalid results. However, the study was able to
simulate the FIFA events. This FE generator needs more improvement, as it needs to
mimic the current situation of FEs happening now.

Moreover, the input parameters used in this study to distinguish DDoS attacks from FE
were the time interval and the number of requests/packets, but to improve the
detection more parameters are needed, for example the source and destination IP
distribution (entropy). Future researchers will be required to include those
parameters in the input vector of the model. Also, organisational network
configuration, especially in Tanzania, needs to be investigated, as this study pointed
out the bad configuration of public IPs, which may be the source of blacklisting of
organisational IPs at several sites around the world. In the DDoS generation, only one
type was used in this study. Therefore, future studies will have to focus on testing
other DDoS attacks and improving the techniques.
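The two inputs the study used (interval length and request count per interval) and the source-IP entropy it proposes as an extra input can all be derived from the same pass over request records. The following is an added example written for this page, not the dissertation's code: it buckets (timestamp, source IP) records into fixed windows and emits one feature row per window. The record layout, the 10-second window, and the sample records (built from RFC 5737 documentation addresses) are assumptions.

```python
"""Per-interval feature extraction for FE/DDoS detection from request records.

Added example, not the dissertation's code. The record layout, window length
and sample records are assumptions.
"""
import math
from collections import Counter

def constructed_records():
    """Constructed (unix_timestamp_s, source_ip) records; not captured traffic."""
    recs = []
    for i in range(5):                   # 0-9 s: baseline, 5 distinct clients
        recs.append((i * 2, f"198.51.100.{i + 1}"))
    for i in range(20):                  # 10-19 s: FE-like surge, 20 distinct clients
        recs.append((10 + i // 2, f"203.0.113.{i + 1}"))
    for i in range(20):                  # 20-29 s: same volume, one source only
        recs.append((20 + i // 2, "192.0.2.7"))
    return recs

def shannon_entropy(items):
    """Entropy in bits of the empirical distribution of items (0.0 for one value)."""
    n = len(items)
    counts = Counter(items)
    if len(counts) <= 1:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def window_features(records, interval_s):
    """Bucket records into fixed intervals and return one feature row per bucket.

    Row layout: (window_start, interval_s, request_count, source_ip_entropy).
    Empty intervals produce no row, as with a count-per-interval feed.
    """
    if interval_s <= 0:
        raise ValueError("interval_s must be positive")
    buckets = {}
    for ts, src in records:
        start = ts - (ts % interval_s)   # floor to the window boundary
        buckets.setdefault(start, []).append(src)
    rows = []
    for start in sorted(buckets):
        srcs = buckets[start]
        rows.append((start, interval_s, len(srcs), shannon_entropy(srcs)))
    return rows

def model_inputs(rows):
    """Drop the window start: the vector a detector would consume per interval."""
    return [[interval, count, entropy] for _, interval, count, entropy in rows]

if __name__ == "__main__":
    for start, interval, count, ent in window_features(constructed_records(), 10):
        print(f"t={start:>3}s  interval={interval}s  requests={count:>3}  "
              f"src-ip entropy={ent:.2f} bits")
```

On the constructed records, the second and third windows have the same request count, so the two inputs used in the study cannot tell them apart; the entropy column separates a crowd of distinct clients (about 4.3 bits) from a single-source burst (0 bits). The caveat follows from the recommendation above: an organisation that sends all its users through one public IP looks, to an external detector, exactly like the third window even when the traffic is a legitimate flash event, so this feature only helps where the address distribution is actually visible.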

REFERENCES

Al-Ali, Z., Al-Duwairi, B., & Al-Hammouri, A. T. (2016). Handling System
Overload Resulting from DDoS Attacks and Flash Crowd Events. Proceedings -
2nd IEEE International Conference on Cyber Security and Cloud Computing,
CSCloud 2015 - IEEE International Symposium of Smart Cloud, IEEE SSC
2015, 66(9), 512. https://doi.org/10.1109/CSCloud.2015.66

Alkhaleefah, M., & Wu, C. C. (2019). A Hybrid CNN and RBF-Based SVM
Approach for Breast Cancer Classification in Mammograms. Proceedings -
2018 IEEE International Conference on Systems, Man, and Cybernetics, SMC
2018, 894–899. https://doi.org/10.1109/SMC.2018.00159

Allmer, J. (2014). miRNomics: MicroRNA Biology and Computational Analysis.
1107, 333. https://doi.org/10.1007/978-1-62703-748-8

Alsirhani, A., Sampalli, S., & Bodorik, P. (2018). DDoS Detection System: Utilizing
Gradient Boosting Algorithm and Apache Spark. Canadian Conference on
Electrical and Computer Engineering, 2018-May, 1–6.
https://doi.org/10.1109/CCECE.2018.8447671

Bhatia, S. (2017). Ensemble-based model for DDoS attack detection and flash event
separation. FTC 2016 - Proceedings of Future Technologies Conference,
(December), 958–967. https://doi.org/10.1109/FTC.2016.7821720

Chen, X., Li, B., Proietti, R., Zhu, Z., & Yoo, S. J. B. (2019). Self-taught anomaly
detection with hybrid unsupervised/supervised machine learning in optical
networks. Journal of Lightwave Technology, 37(7), 1742–1749.
https://doi.org/10.1109/JLT.2019.2902487

Daneshgadeh, S., Kemmerich, T., & Ahmed, T. (2019a). An Empirical Investigation
of DDoS and Flash Event Detection Using Shannon Entropy, KOAD and SVM
Combined. 2019 International Conference on Computing, Networking and
Communications (ICNC), 658–662.

Daneshgadeh, S., Kemmerich, T., & Ahmed, T. (2019b). Detection of DDoS Attacks
and Flash Events Using Shannon Entropy, KOAD and Mahalanobis Distance.
2019 22nd Conference on Innovation in Clouds, Internet and Networks and
Workshops (ICIN), 222–229.

Document ID:1551296909190103 (2019, February 27). Cisco Visual Networking
Index: Forecast and Trends, 2017–2022 White Paper. Retrieved from:
https://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-
networking-index-vni/white-paper-c11-741490.html

Dhingra, A., & Sachdeva, M. (2018). DDoS detection and discrimination from flash
events: A compendious review. ICSCCC 2018 - 1st International Conference on
Secure Cyber Computing and Communications, 518–524.
https://doi.org/10.1109/ICSCCC.2018.8703335

Elsayed, M. S., & Azer, M. A. (2018). Detection and Countermeasures of DDoS
Attacks in Cloud Computing. International Conference on Ubiquitous and
Future Networks, ICUFN, 2018-July, 708–713.
https://doi.org/10.1109/ICUFN.2018.8436989

Feng, J., & Lu, S. (2019). Performance Analysis of Various Activation Functions in
Artificial Neural Networks. Journal of Physics: Conference Series, 1237(2).
https://doi.org/10.1088/1742-6596/1237/2/022030

Garg, S., Kumar, N., Rodrigues, J. J. P. C., & Rodrigues, J. J. P. C. (2019). Hybrid
deep-learning-based anomaly detection scheme for suspicious flow detection in
SDN: A social multimedia perspective. IEEE Transactions on Multimedia,
21(3), 566–578. https://doi.org/10.1109/TMM.2019.2893549

Gupta, T. K., & Raza, K. (2020). Optimizing Deep Feedforward Neural Network
Architecture: A Tabu Search Based Approach. Neural Processing Letters,
51(3), 2855–2870. https://doi.org/10.1007/s11063-020-10234-7

Harms, A. (2019). A comprehensive view of machine learning techniques for CPI
production. (November).

Imamverdiyev, Y., & Abdullayeva, F. (2018). Deep Learning Method for Denial of
Service Attack Detection Based on Restricted Boltzmann Machine. Big Data,
6(2), 159–169. https://doi.org/10.1089/big.2018.0023

Keren, G., Sabato, S., & Schuller, B. (2020). Analysis of loss functions for fast
single-class classification. Knowledge and Information Systems, 62(1), 337–358.
https://doi.org/10.1007/s10115-019-01395-6

Kumar, A., & Panda, S. P. (2019). A Survey: How Python Pitches in IT-World.
Proceedings of the International Conference on Machine Learning, Big Data,
Cloud and Parallel Computing: Trends, Prespectives and Prospects,
COMITCon 2019, 248–251. https://doi.org/10.1109/COMITCon.2019.8862251

Leskovec, J., Rajaraman, A., & Ullman, J. D. (2020). Neural Nets and Deep
Learning. Mining of Massive Datasets, 498–543.
https://doi.org/10.1017/9781108684163.014

Li, C., Wu, Y., Yuan, X., Sun, Z., Wang, W., Li, X., & Gong, L. (2018). Detection
and defense of DDoS attack–based on deep learning in OpenFlow-based SDN.
International Journal of Communication Systems, 31(5), 1–15.
https://doi.org/10.1002/dac.3497

Li, P. (2017). Optimization Algorithms for Deep Learning. 1–10.

Manessi, F., & Rozza, A. (2018). Learning Combinations of Activation Functions.
Proceedings - International Conference on Pattern Recognition, 2018-Augus,
61–66. https://doi.org/10.1109/ICPR.2018.8545362

McDermott, C. D., Majdani, F., & Petrovski, A. V. (2018). Botnet Detection in the
Internet of Things using Deep Learning Approaches. Proceedings of the
International Joint Conference on Neural Networks, 2018-July, 1–8.
https://doi.org/10.1109/IJCNN.2018.8489489

Mhaskar, H. N., & Micchelli, C. A. (1994). How to Choose an Activation Function.
Advances in Neural Information Processing Systems 6, 319–326. Retrieved
from http://papers.nips.cc/paper/874-how-to-choose-an-activation-function.pdf

Panchal, F. S., & Panchal, M. (2014). Review on Methods of Selecting Number of
Hidden Nodes in Artificial Neural Network. International Journal of Computer
Science and Mobile Computing, 3(11), 455–464. Retrieved from
www.ijcsmc.com

Poirot, H. (2019). Logistic Regression.

Priyadarshini, R., & Barik, R. K. (2019). A deep learning based intelligent
framework to mitigate DDoS attack in fog environment. Journal of King Saud
University - Computer and Information Sciences, (xxxx).
https://doi.org/10.1016/j.jksuci.2019.04.010

Rahman, S., Wang, L., Sun, C., & Zhou, L. (2006). Review.

Retrieved from (24/7/2020): https://www.imperva.com/learn/application-
security/ddos-attacks/

Retrieved from (24/7/2020): https://www.esecurityplanet.com/network-
security/types-of-ddos-attacks.html

Rymarczyk, T., Kozłowski, E., Kłosowski, G., & Niderla, K. (2019). Logistic
regression for machine learning in process tomography. Sensors (Switzerland),
19(15), 1–19. https://doi.org/10.3390/s19153400

Sahi, A., Lai, D., Li, Y., & Diykh, M. (2017). An Efficient DDoS TCP Flood Attack
Detection and Prevention System in a Cloud Environment. IEEE Access, 5(c),
6036–6048. https://doi.org/10.1109/ACCESS.2017.2688460

Sahoo, K. S., Tiwary, M., & Sahoo, B. (2018). Detection of High Rate DDoS Attack
From Flash Events Using Information Metrics in Software Defined Networks.
421–424.

Saikirthiga, & Vaithyasubramanian, S. (2016). Review on development of some
strong visual CAPTCHAs and breaking of weak audio CAPTCHAs. 2016
International Conference on Information Communication and Embedded
Systems, ICICES 2016, (Icices), 7–10.
https://doi.org/10.1109/ICICES.2016.7518939

Shu, M. (2019). Deep learning for image classification on very small datasets using
transfer learning.

Sun, G., Jiang, W., Gu, Y., Ren, D., & Li, H. (2019). DDoS Attacks and Flash Event
Detection Based on Flow Characteristics in SDN. Proceedings of AVSS 2018 -
2018 15th IEEE International Conference on Advanced Video and Signal-Based
Surveillance. https://doi.org/10.1109/AVSS.2018.8639103

Wang, Y., Li, Y., Song, Y., & Rong, X. (2020). The influence of the activation
function in a convolution neural network model of facial expression recognition.
Applied Sciences (Switzerland), 10(5). https://doi.org/10.3390/app10051897

Yu, J., & Zhou, X. (2020). One - Dimension Residual Convolutional Auto - Encoder
- Based Feature Learning for Gearbox Fault Diagnosis. IEEE Transactions on
Industrial Informatics, PP(c), 1. https://doi.org/10.1109/TII.2020.2966326

Zhang, B., Zhang, T., & Yu, Z. (2018). DDoS detection and prevention based on
artificial intelligence techniques. 2017 3rd IEEE International Conference on
Computer and Communications, ICCC 2017, 2018-Janua, 1276–1280.
https://doi.org/10.1109/CompComm.2017.8322748

Zou, W., Li, Y., & Tang, A. (2009). Effects of the number of hidden nodes used in a
structured-based neural network on the reliability of image classification.
Neural Computing and Applications, 18(3), 249–260.
https://doi.org/10.1007/s00521-008-0177-3

Appendix

FE generator code

DDoS Generator Code

Deep Neuron Network diagram with 3 Hidden Layer

Deep Neuron Network diagram with 2 Hidden Layer

Deep Neuron Network diagram with 1 Hidden Layer

Optimizer Adam and SGD sample Code
