Distributed Network Monitoring for Distributed Denial of Service Attacks Detection and Prevention



Lucky, Godswill Azibanagein
(2021) Distributed Network Monitoring for Distributed Denial of Service Attacks Detection and Prevention. PhD thesis, University of Liverpool.

200986520_Nov2021.pdf - Unspecified


Abstract

There are two main categories of Distributed Denial of Service (DDoS) attacks capable of disrupting the daily operations of internet users: low-rate and high-rate DDoS attacks. The detection and prevention of DDoS attacks is a very important aspect of network security, ensuring that businesses, communication services, and educational facilities operate efficiently without disruption. Over the years, many DDoS attack detection systems have been proposed. These detection systems have focused mainly on obtaining high accuracy, reducing false alarm rates, and simplifying the detection system itself. Less attention has been given to the computational cost of detection systems (processing power requirements and memory consumption), to early detection, and to flexibility of deployment to support the differing needs of networks and distributed monitoring approaches. The focus of this thesis is to investigate the use of a robust feature selection approach and machine learning classifiers to develop DDoS detection architectures for fast, effective, and efficient DDoS attack detection that achieves high performance at low computational cost. To achieve this, a lightweight software architecture of simple design is proposed, using a minimal number of network flow features to distinguish normal network flows from DDoS attack flows. The architecture is based on the Decision-Tree (DT) classifier and distinguishes DDoS attack traffic from normal traffic flows with a detection accuracy of over 99.9% when evaluated with up-to-date DDoS attack datasets. In addition, it can be deployed flexibly in a real-time network environment and at different network nodes to meet the needs of the network being monitored, creating an avenue for distributed monitoring.
Also, the use of a minimal set of network flow features selected through a robust feature selection approach results in a massive reduction in memory requirements compared to traditional systems. Results from the software implementation of the architecture indicated that it uses just 7% of the processing power of one core of the detection system's CPU in offline mode and adds no additional overhead to the monitored network. However, software applications for distinguishing normal from DDoS attack traffic are struggling to cope with the ever-increasing complexity and intensity of DDoS attack traffic. This increased workload ranges from capturing and processing millions of packets per second to classifying thousands of network flows per second, as is evident in some of the most recent DDoS attacks faced by a variety of companies. To cope with this workload, a hardware-accelerated hybrid network monitoring application is proposed. The proposed application is capable of fast network flow classification by leveraging the parallel processing characteristics of a Field Programmable Gate Array (FPGA), whilst a software application on the CPU performs the network flow pre-processing required for classification. The hybrid system is capable of distinguishing DDoS attacks from normal network traffic flows with a detection accuracy of over 98% when deployed in a real-time environment under different network traffic conditions, with a detection time of 1µs, which is over thirty times faster than the software implementation of the architecture. The hardware-accelerated application was implemented on the Zynq-7000 All Programmable SoC ZedBoard, which can monitor up to 1Gbps line rate.
The evaluation results and the findings from analysis of the experimental results of the hardware-accelerated application provide important insights into improving the programmability, overall performance, scalability, and flexibility of deployment of the detection system across a network for accurate and early DDoS attack detection. In the final part of this thesis, the use of distributed network monitoring is explored by implementing the lightweight DDoS attack detection architecture in Network Simulator 3 (NS-3). The detection systems are distributed at different parts of a network, and results from this approach indicated that effective implementation of distributed network monitoring dramatically reduces the effect of a DDoS attack on the target network or network node to a minimum.

Item Type: Thesis (PhD)
Divisions: Faculty of Science and Engineering > School of Electrical Engineering, Electronics and Computer Science
Depositing User: Symplectic Admin
Date Deposited: 13 Jan 2022 14:35
Last Modified: 18 Jan 2023 21:24
DOI: 10.17638/03143256
URI: https://livrepository.liverpool.ac.uk/id/eprint/3143256