A lightweight machine learning approach for DDoS detection and classification
Abstract
With the development of network technology, more and more protocols and devices are used in DDoS reflection and exploitation attacks. Different DDoS attacks often require different responses, so protecting against DDoS attacks requires not only detecting DDoS traffic but also classifying the detected traffic by attack type. Traditional machine learning approaches are typically ineffective and unable to cope with real traffic properties when used to identify DDoS attacks. This paper introduces a novel and lightweight machine learning approach for DDoS detection and classification. The proposed approach aims to detect all types of DDoS attacks along with their specific subcategory. Our approach implements several machine learning models, including Complement Naïve Bayes (CNB), k-Nearest Neighbour (kNN), Random Forest (RF), and Logistic Regression (LR). We aim to find a universal approach whose performance is not limited to a specific dataset, so the proposed approach uses a universal feature set and some minimal universal feature subsets when training and testing our models. Moreover, we apply an under-sampling method (NearMiss) to produce balanced, small-sized samples. Extensive experiments are performed on the CIC-DDoS2019 dataset to validate the effectiveness of the proposed approach. In our experiments, we considered multiclass classification configurations. The results demonstrate that the proposed approach is effective and significantly reduces time and memory usage, with the random forest algorithm achieving the best performance compared to the other models. The kNN algorithm came in second place, with performance values close to those achieved by RF. More precisely, we found that kNN with NearMiss achieved a better time than RF with NearMiss, but RF still outperformed kNN in terms of memory usage. Therefore, we recommend using kNN with NearMiss when time is the limiting factor for the network, and RF with NearMiss when memory usage is limited in the network environment in which this approach will be applied.
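The NearMiss under-sampling step the abstract relies on, shown as an added example that is not the paper's code: a pure-Python NearMiss-1 over a small constructed set of flow-feature rows (the values are made up, not taken from CIC-DDoS2019), with per-feature min-max scaling assumed so that packet-rate magnitudes do not dominate the distances.

```python
"""NearMiss-1 under-sampling for a multiclass DDoS flow dataset.

Added example in pure Python, not the paper's code. Feature values are
constructed and are not taken from CIC-DDoS2019."""
from collections import Counter
import math

# Constructed flow records: (packets/s, mean packet length, duration s), label.
# The class counts (5 BENIGN, 4 DNS, 2 NTP) mimic the imbalance of real captures.
FLOWS = [
    ((10.0, 540.0, 30.0), "BENIGN"), ((8.0, 420.0, 45.0), "BENIGN"),
    ((15.0, 600.0, 20.0), "BENIGN"), ((400.0, 500.0, 10.0), "BENIGN"),
    ((450.0, 480.0, 12.0), "BENIGN"),
    ((600.0, 120.0, 5.0), "DNS"), ((650.0, 130.0, 6.0), "DNS"),
    ((700.0, 125.0, 4.0), "DNS"), ((800.0, 128.0, 5.0), "DNS"),
    ((900.0, 468.0, 2.0), "NTP"), ((950.0, 468.0, 3.0), "NTP"),
]

def min_max_scale(rows):
    """Scale every feature to [0, 1] so one large-valued feature (e.g. packets/s)
    does not dominate the Euclidean distances used by NearMiss and kNN."""
    cols = list(zip(*rows))
    lo = [min(c) for c in cols]
    span = [(max(c) - mn) or 1.0 for c, mn in zip(cols, lo)]
    return [tuple((v - mn) / s for v, mn, s in zip(r, lo, span)) for r in rows]

def near_miss_1(flows, k=2):
    """Keep, for every over-represented class, the n_min samples whose mean
    distance to their k nearest minority-class samples is smallest (NearMiss-1).
    Returns the balanced list of (features, label) pairs in the original scale."""
    X = min_max_scale([f for f, _ in flows])
    counts = Counter(lbl for _, lbl in flows)
    minority, n_min = min(counts.items(), key=lambda kv: kv[1])
    minority_pts = [x for x, (_, lbl) in zip(X, flows) if lbl == minority]
    kept = []
    for cls in counts:
        idx = [i for i, (_, lbl) in enumerate(flows) if lbl == cls]
        if cls != minority:
            def score(i):
                d = sorted(math.dist(X[i], m) for m in minority_pts)[:k]
                return sum(d) / len(d)
            idx = sorted(idx, key=score)[:n_min]
        kept.extend(flows[i] for i in sorted(idx))
    return kept

if __name__ == "__main__":
    balanced = near_miss_1(FLOWS)
    print(Counter(lbl for _, lbl in balanced))  # Counter({'BENIGN': 2, 'DNS': 2, 'NTP': 2})
    for feats, lbl in balanced:
        print(lbl, feats)
```

The rows retained for BENIGN and DNS are the ones lying closest to the NTP flows in scaled feature space, which is exactly what makes NearMiss-1 keep the hard, boundary-region samples rather than a random subset.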