dc.contributor: Pérez Díaz, Jesús Arturo
dc.contributor: School of Engineering and Sciences
dc.contributor: Trejo Rodríguez, Luis Ángel
dc.contributor: Botero Vega, Juan Felipe
dc.contributor: Cantoral Ceballos, José Antonio
dc.contributor: Campus Monterrey
dc.contributor: puelquio/mscuervo
dc.creator: PEREZ DIAZ, JESUS ARTURO; 31169
dc.creator: Almaraz Rivera, Josué Genaro
dc.date.accessioned: 2023-05-19T18:17:24Z
dc.date.accessioned: 2023-07-19T19:16:42Z
dc.date.available: 2023-05-19T18:17:24Z
dc.date.available: 2023-07-19T19:16:42Z
dc.date.created: 2023-05-19T18:17:24Z
dc.date.issued: 2022-05
dc.identifier: Almaraz Rivera, J.G. (2022). The identification of DoS and DDoS attacks to IoT devices in software defined networks by using machine learning and deep learning models [Unpublished master's thesis]. Instituto Tecnológico y de Estudios Superiores de Monterrey.
dc.identifier: https://hdl.handle.net/11285/650696
dc.identifier: https://orcid.org/0000-0001-8343-4530
dc.identifier: 942937
dc.identifier.uri: https://repositorioslatinoamericanos.uchile.cl/handle/2250/7715843
dc.description.abstract: This thesis project explores and improves the current state of the art in detection techniques for Distributed Denial of Service (DDoS) attacks on Internet of Things (IoT) devices in Software Defined Networks (SDN), which, as far as is known, is a big problem that network providers and data centers are still facing. Our planned solution for this problem started with the selection of strong Machine Learning (ML) and Deep Learning (DL) models from the current literature (such as Decision Trees and Recurrent Neural Networks), and their further evaluation under three feature sets from our balanced version of the Bot-IoT dataset, in order to evaluate the effects of different variables and avoid the dependencies produced by the Argus flow data generator. With this evaluation we achieved an average accuracy greater than 99% for binary and multiclass classifications, leveraging the categories and subcategories present in the Bot-IoT dataset, for the detection and identification of DDoS attacks based on Transport (UDP, TCP) and Application layer (HTTP) protocols. To extend the capacity of this Intrusion Detection System (IDS) we did a research stay in Colombia, with Universidad de Antioquia and in collaboration with Aligo (a cybersecurity company from Medellín). There, we created a new dataset based on real normal and attack traffic to physical IoT devices: the LATAM-DDoS-IoT dataset. We conducted binary and multiclass classifications with the DoS and the DDoS versions of this new dataset, getting an average accuracy of 99.967% and 98.872%, respectively. Then, we did two additional experiments combining our balanced version of the Bot-IoT dataset, applying transfer learning and dataset concatenation, showing the differences between both domains and the generalization level we accomplished.
Finally, we deployed our extended IDS (as a functional app built in Java and connected to our own cloud-hosted Python REST API) into a real-time simulated SDN environment, based on the Open Network Operating System (ONOS) controller and Mininet. We obtained a best accuracy of 94.608%, where 100% of the flows identified as attackers were correctly classified, and 91.406% of the attack flows were detected. This app can be further enhanced with the creation of an Intrusion Prevention System (IPS) as a mitigation management strategy to stop the identified attackers.
dc.language: eng
dc.publisher: Instituto Tecnológico y de Estudios Superiores de Monterrey
dc.relation: publishedVersion
dc.relation: REPOSITORIO NACIONAL CONACYT
dc.rights: http://creativecommons.org/licenses/by-nc-nd/4.0
dc.rights: openAccess
dc.title: The identification of DoS and DDoS attacks to IoT devices in software defined networks by using machine learning and deep learning models
dc.type: Tesis de Maestría / master Thesis

