1 of 21

Two-phase Deep learning-based EDoS Detection

Authors: Chien Nguyen Nhu, Park Minho

2 of 21

DDoS attack in Cloud Computing


3 of 21

DDoS attack in Cloud Computing


4 of 21

DDoS attack in Cloud Computing


5 of 21

EDoS attack detection


6 of 21

EDoS attack


Although EDoS is a variant of the low-rate DDoS attack, it differs from a classic DDoS attack in several ways.

  • A high-rate DDoS attack wants to shut down a service offered by a cloud server. Thus, the attackers launch an all-out attack over a short period of time with their maximum resources to disrupt the server as soon as possible.
  • An EDoS attack exploits the auto-scaling and pay-as-you-go features of cloud computing. It launches an attack that forces the server to request more new virtual machines or resources from the cloud provider. The cloud consumer has to pay more for the new resources, which can lead to bankruptcy if the attack is maintained for a long time. Thus, the EDoS attacker gradually pushes illegitimate traffic over a longer period of time and at a slower attack rate.

=> The EDoS attack's behavior is quite similar to that of normal requests.
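As an added illustration (not from the slides or the authors), the Python simulation below replays a short high-rate burst and a slow sustained ramp through a minimal threshold-based auto-scaler with pay-as-you-go billing. The traffic profiles, per-VM capacity, scaling thresholds and price are all constructed assumptions. The point it makes concrete is the one above: the slow ramp never drops a request, so nothing looks like an outage, yet it accumulates more billed VM-intervals than the burst because it keeps the scaler running extra instances for the whole window.

```python
"""Added example: EDoS vs high-rate DDoS under a toy auto-scaler.
Every number here (capacity, thresholds, prices, traffic) is a constructed
assumption used only to show the cost mechanism."""

from dataclasses import dataclass


@dataclass
class AutoScaler:
    """Minimal threshold-based auto-scaler (assumed policy, not a real cloud API)."""
    capacity_per_vm: int = 100      # requests per interval one VM can serve
    scale_up_util: float = 0.80     # add a VM when utilisation exceeds this
    scale_down_util: float = 0.30   # remove a VM when utilisation drops below this
    min_vms: int = 1
    vms: int = 1

    def step(self, requests: int) -> tuple:
        """Serve one interval; returns (VMs billed this interval, dropped requests)."""
        served_cap = self.vms * self.capacity_per_vm
        dropped = max(0, requests - served_cap)   # overflow is simply lost
        util = requests / served_cap
        billed = self.vms                          # pay-as-you-go: billed for what runs now
        if util > self.scale_up_util:
            self.vms += 1                          # scaling takes effect next interval
        elif util < self.scale_down_util and self.vms > self.min_vms:
            self.vms -= 1
        return billed, dropped


def run_profile(traffic, price_per_vm_interval: float = 1.0) -> tuple:
    """Replay a per-interval request series through a fresh scaler.

    Returns (total_cost, total_dropped_requests, peak_vms)."""
    scaler = AutoScaler()
    cost = 0.0
    dropped_total = 0
    peak = scaler.vms
    for r in traffic:
        billed, dropped = scaler.step(r)
        cost += billed * price_per_vm_interval
        dropped_total += dropped
        peak = max(peak, scaler.vms)
    return cost, dropped_total, peak


# Constructed profiles over 60 intervals; legitimate load is 50 req/interval.
BASELINE = [50] * 60
# High-rate DDoS: five intervals of 2000 req, then back to normal.
HIGH_RATE_DDOS = [50] * 10 + [2000] * 5 + [50] * 45
# EDoS: +4 req/interval each step, a gentle ramp held for the whole window.
EDOS_RAMP = [50 + 4 * t for t in range(60)]

if __name__ == "__main__":
    for name, profile in [("baseline", BASELINE),
                          ("high-rate DDoS", HIGH_RATE_DDOS),
                          ("EDoS ramp", EDOS_RAMP)]:
        cost, dropped, peak = run_profile(profile)
        print(f"{name:15s} cost={cost:6.1f} dropped={dropped:5d} peak_vms={peak}")
```

With these assumptions the burst drops thousands of requests (a visible availability event) but is billed for only 85 VM-intervals, while the ramp drops nothing and is billed for 153, versus 60 for the baseline. That quiet, sustained cost growth is what a per-interval rate threshold fails to distinguish from organic growth.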

7 of 21

EDoS attack


8 of 21

Related works


- Most existing research focused on mitigation relies on graphical Turing tests, crypto-puzzles, or predefined thresholds to distinguish normal from abnormal traffic. However, these solutions lead to high false-negative and false-positive rates and increase the end-to-end latency of the system.

- Abbasi et al., "Machine Learning-Based EDoS Attack Detection Technique Using Execution Trace Analysis", propose a machine learning-based method (SVM) to detect EDoS attacks. They also propose a new set of metrics to classify three kinds of EDoS attack and normal traffic.

Their limitation: the system only detects that an attack is happening in the traffic and warns the server not to supply more resources; it does not detect which exact flows are abnormal.

9 of 21

Related works


The EDoS attack rate looks similar to legitimate network traffic from the victim's end in each time period. To detect this kind of slow-rate attack efficiently, it is necessary to trace or collect historical information about the attack source. Thus, LSTM and GRU, two variants of RNN, are proposed in two EDoS detection papers ([1] "Dynamic Economic-Denial-of-Sustainability (EDoS) Detection in SDN-based Cloud", [2] "R-EDoS: Robust Economic Denial of Sustainability Detection in an SDN-Based Cloud Through Stochastic Recurrent Neural Network"). These algorithms handle sequential data very effectively. The mechanisms in both papers achieve high accuracy and are evaluated on many metrics, such as accuracy, detection time, cost, and complexity.

However, using LSTM and GRU leads to high resource consumption. The input sequence length required by the two algorithms is long (250 and 100). This makes the detection time longer and the resource usage of the defense system high.

10 of 21

Problem statement


As shown in the review above, no existing proposal takes an approach that can, at the same time, achieve high accuracy, use fewer resources, and detect attacks on each flow of network traffic when tackling EDoS attacks.

11 of 21

The idea


Recognizing that using LSTM or other variants of RNN for EDoS attack detection on each flow of network traffic achieves higher accuracy and a lower false-alarm rate than other approaches, we want to keep this advantage while eliminating the disadvantage of the algorithm, namely that it requires long sequential input data (which makes the entire system consume more resources and increases the calculation time).

=> We propose a two-phase deep learning-based EDoS detection scheme using the LSTM algorithm to detect and mitigate each abnormal flow; however, the sequence length of the LSTM model is reduced significantly.

12 of 21

System Description


Figure 1: Conceptual architecture of the proposed model

13 of 21

System Description


Figure 2: Detail architecture of the proposed model

14 of 21

System Description


  • In the first phase, an artificial neural network (ANN) algorithm observes the network traffic in a time interval to check whether there is an attack in that time period. This first detector is called the period detector.
  • If an attack is detected in the first phase, the second-phase detection using the LSTM algorithm is triggered to detect the attack flows. The second detector decides exactly which flows are abnormal, and is called the flow detector.
  • Using the period detector before the flow detector, we know when an attack happened and which data is the most critical part of the input to the LSTM model. By doing so, we can reduce the sequence length of the LSTM input data.
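The following Python example is added here and is not the authors' code: it is a runnable skeleton of the two-phase control flow described above. The slides use an ANN as the period detector and an LSTM as the flow detector; both are replaced here by transparent statistical stand-ins (a z-score on per-interval volume, and a "strictly rising over a short window" rule) so the pipeline can be run offline. The trace, the flow addresses (TEST-NET range), SEQ_LEN, the calm-baseline length and the z threshold are all constructed assumptions. What the example shows is the gating: the per-flow detector runs only in intervals the period detector flags, and only over the last SEQ_LEN intervals, and a single-phase reference run is included to count how many detector invocations and how long a sequence that would otherwise cost.

```python
"""Added example: two-phase EDoS detection skeleton with stand-in detectors.
Phase 1 (period detector) gates phase 2 (flow detector); phase 2 only sees a
short window of recent intervals.  All data and thresholds are constructed."""

from statistics import mean, pstdev

SEQ_LEN = 5           # short per-flow sequence given to the flow detector (assumed)
CALM_INTERVALS = 10   # leading intervals used to learn the period baseline (assumed)
Z_THRESHOLD = 3.0     # period detector fires above this z-score (assumed)


def build_trace():
    """Constructed trace: requests per flow per interval, 30 intervals.
    Three legitimate flows hover around 20 req/interval; one extra flow starts at
    interval 15 and ramps slowly, the way a low-rate EDoS source would."""
    trace = []
    for t in range(30):
        interval = {
            "192.0.2.10": 20 + (t % 3),
            "192.0.2.11": 19 + (t % 2),
            "192.0.2.12": 21,
        }
        if t >= 15:
            interval["192.0.2.99"] = 10 + 4 * (t - 15)   # 10, 14, 18, ... 66
        trace.append(interval)
    return trace


def period_features(interval):
    """Aggregate the period detector sees for one interval: total request volume."""
    return sum(interval.values())


class PeriodDetector:
    """Stand-in for the phase-1 ANN: z-score of total volume against a calm baseline."""

    def __init__(self, calm_totals):
        self.mu = mean(calm_totals)
        self.sigma = pstdev(calm_totals) or 1.0   # guard against a flat baseline

    def is_attack_period(self, total):
        return (total - self.mu) / self.sigma > Z_THRESHOLD


def flow_detector(sequence):
    """Stand-in for the phase-2 LSTM: flags a flow whose short recent sequence is
    present for the whole window, strictly increasing, and ends at >= 2x its start."""
    if len(sequence) < 2 or sequence[0] <= 0:
        return False
    increasing = all(b > a for a, b in zip(sequence, sequence[1:]))
    return increasing and sequence[-1] >= 2 * sequence[0]


def two_phase_detect(trace):
    """Run the gated pipeline.  Returns (flagged flows -> first interval caught,
    number of flow-detector runs, longest sequence fed to the flow detector)."""
    calm = [period_features(iv) for iv in trace[:CALM_INTERVALS]]
    detector = PeriodDetector(calm)
    flagged = {}
    runs = 0
    max_seq = 0
    for t, interval in enumerate(trace):
        if not detector.is_attack_period(period_features(interval)):
            continue                     # phase 2 never runs in quiet periods
        # Phase 2: only the last SEQ_LEN intervals, only for flows active right now.
        window = trace[max(0, t - SEQ_LEN + 1): t + 1]
        for flow in interval:
            seq = [iv.get(flow, 0) for iv in window]
            runs += 1
            max_seq = max(max_seq, len(seq))
            if flow_detector(seq):
                flagged.setdefault(flow, t)
    return flagged, runs, max_seq


def single_phase_runs(trace):
    """Reference point: a flow detector run on every flow in every interval over the
    full history, i.e. no period detector and no window truncation."""
    runs, max_seq = 0, 0
    for t, interval in enumerate(trace):
        for _flow in interval:
            runs += 1
            max_seq = max(max_seq, t + 1)
    return runs, max_seq


if __name__ == "__main__":
    trace = build_trace()
    print("two-phase :", two_phase_detect(trace))
    print("one-phase :", single_phase_runs(trace))
```

On this trace the ramping flow is the only one flagged (first caught at interval 19, once it has a full window of rising samples), the flow detector is invoked 60 times with sequences of length 5, whereas running it on every flow in every interval over the full history would cost 105 invocations with sequences up to length 30. Replacing the two stand-ins with a trained ANN and LSTM keeps the same control flow.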

15 of 21

System Description


Figure 3: The architecture of LSTM model

16 of 21

Evaluation


  • Based on other related works, we implement a testbed to evaluate our proposed model and compare it with other methods. We will use the same simulation tool to simulate an EDoS attack model.
  • We will compare our proposed method with two other references: a machine learning-based model using SVM and the same metrics as ours to detect EDoS attacks [1], and an LSTM-based model [2].
  • We want to show that our proposed model can achieve much higher accuracy and a lower false-alarm rate than the other solutions, or at least the same as the other LSTM-based method, while consuming fewer resources than the other LSTM-based method. Thus, our system will respond more quickly than the other methods.

[1] Machine Learning-Based EDoS Attack Detection Technique Using Execution Trace Analysis.

[2] R-EDoS: Robust Economic Denial of Sustainability Detection in an SDN-Based Cloud Through Stochastic Recurrent Neural Network.

17 of 21

Evaluation


18 of 21

Evaluation


Figure 4: The Experimental Topology

19 of 21

Results


Figure 6: Detection performance comparison of the flow detector

Figure 7: Detection time among 3 solutions

20 of 21

Results


21 of 21

Thank You