One of the most dangerous aspects looming over the computer world is security threats. It is estimated that around three trillion dollars are lost to cyber crime every year, a figure expected to double by 2021. With all of these threats lurking around, it is difficult to track and eliminate every one of them, especially as the number of users is rising exponentially.
The most common of the existing cyber threats today is the distributed denial of service (DDoS) attack. A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of internet traffic. DDoS attacks have adversely affected businesses on a large scale.
Now, with machine learning prevailing in the tech ecosystem, there is a new way to counter DDoS attacks. In this article, we lay out a research paper that uses ML techniques to detect DDoS attacks against systems.
Z. Tsiatsikas and a team from the University of the Aegean, Greece, have published a new research study on countering DDoS in SIP-based VoIP systems through ML. VoIP systems were chosen because of their popularity and spread across the hardware ecosystem. With the growing number of digital devices and the abundant availability of the internet, VoIP is the preferred method for voice and multimedia communications.
In order to establish a VoIP session, the Session Initiation Protocol (SIP) is the popular means of initiating these sessions. A simple version of the SIP/VoIP architecture is given below:
All SIP communication is logged by the VoIP provider. This is important because it gives service providers billing and accounting information based on users’ activity. Interestingly, the same logs can also reveal intrusions or suspicious activity present in the network, and they can become a breeding ground for DDoS attacks if left neglected.
The researchers consider the same SIP VoIP architecture and use five standard ML classifier algorithms in their experiments, which are as follows:
These algorithms are set up to deal directly with the communications in the experiment. Classification features are then generated once the VoIP communications have been anonymised using a keyed-hash message authentication code (HMAC). The algorithms are tested under 15 DDoS attack scenarios. To do this, the researchers designed a ‘test bed’ of DDoS simulations, which is shown below:
“Three or four different Virtual Machines (VMs) have been used for the SIP proxy, the legitimate users, and the generation of the attack traffic depending on the scenario. All VMs run on an i7 processor 2.2 GHz machine having 6GB of RAM. For the SIP proxy, we employed the widely known VoIP server Kamailio (kam, 2014). We simulated distinct patterns for both legitimate and DoS attack traffic using sipp v.3.2 and sipsak tools respectively. Furthermore, for the simulation of DDoS attack, the SIPp-DD tool has been used. The well-known Weka tool has been employed for ML analysis.”
The training and testing process for the algorithms includes both normal traffic and attack traffic. To simulate attack traffic, the researchers use a range of random high call rates to mimic a real VoIP flood, whereas the normal traffic uses ordinary, observed call rates.
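The pipeline described above, as an added illustration that is not the paper's code: SIP requests are read from a log, caller identities are replaced by HMAC pseudonyms (so distinct callers can still be counted without exposing users), per-window features are derived, and a single-split decision tree is trained on windows labelled normal versus flood. The log format, the key, the window width and the features are all assumptions made for the example.

```python
import hmac
import hashlib
from collections import defaultdict

KEY = b"constructed-demo-key"  # assumed per-provider secret; never the real one

def anonymise(uri, key=KEY):
    """HMAC pseudonym: same URI -> same token, but the token reveals nothing about the user."""
    return hmac.new(key, uri.encode(), hashlib.sha256).hexdigest()[:16]

def parse(log):
    """Constructed line format '<sec> <METHOD> <sip-uri>'; identities are anonymised on read."""
    return [(int(s), m, anonymise(u)) for s, m, u in (l.split() for l in log.strip().splitlines())]

def window_features(records, width=5):
    """Per window of `width` seconds: (request count, distinct callers, share of INVITEs)."""
    buckets = defaultdict(list)
    for sec, method, token in records:
        buckets[sec // width].append((method, token))
    return {w: (len(v), len({t for _, t in v}), sum(m == "INVITE" for m, _ in v) / len(v))
            for w, v in sorted(buckets.items())}

def train_stump(samples):
    """Single-split decision tree (stand-in for the paper's tree/forest classifiers):
    pick the (feature, threshold) rule 'x[i] >= thr means attack' with fewest errors."""
    best = None
    for i in range(len(samples[0][0])):
        for fv0, _ in samples:
            thr = fv0[i]
            errors = sum((fv[i] >= thr) != lab for fv, lab in samples)
            if best is None or errors < best[0]:
                best = (errors, i, thr)
    return best[1], best[2]

def predict(stump, fv):
    return fv[stump[0]] >= stump[1]

def build_demo_log():
    """Constructed traffic: 20 s of light, mixed traffic, then a 10 s INVITE flood from one source."""
    users = ["sip:alice@example.org", "sip:bob@example.org", "sip:carol@example.org"]
    lines = [f"{s} {'INVITE' if s % 2 == 0 else 'BYE'} {users[s % 3]}" for s in range(20)]
    lines += [f"{s} INVITE sip:flood@attacker.example" for s in range(20, 30) for _ in range(30)]
    return "\n".join(lines)

def demo():
    """Train on labelled windows and classify each window; windows 4 and 5 hold the flood."""
    feats = window_features(parse(build_demo_log()))
    labels = {w: w >= 4 for w in feats}
    stump = train_stump([(feats[w], labels[w]) for w in feats])
    return stump, {w: predict(stump, feats[w]) for w in feats}
```

Training and testing on the same windows, as here, only checks that the features separate the classes; the paper's point is that the learned rule must also hold on the unseen scenarios.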
The training scenario in the experiment is denoted SN1, and the testing scenarios are denoted SN1.1, SN1.2, SN1.3, and so on. A detailed description is given here.
The algorithms fare well compared to non-ML detection. Among the five, Random Forest and decision trees come out on top when measured from an intrusion detection viewpoint; the other three fall below them. In addition, the intrusion detection rate drops as the attack traffic rises, which shows that a DDoS attack is under way. Ultimately, the ML techniques outclass conventional attack detection methods.
Even though ML models take considerable time to build, they are worth implementing in critical scenarios such as the cybersecurity case above. The approach can also be extended to detect harmful activity such as SQL injection, phishing, malware and zero-day exploits, to name a few.