Research Article

Adaptive DDoS Attack Detection Method Based on Multiple-Kernel Learning

Jieren Cheng,1,2,3 Chen Zhang,1 Xiangyan Tang,1 Victor S. Sheng,4 Zhe Dong,1 and Junqi Li1

1 College of Information Science & Technology, Hainan University, Haikou 570228, China
2 State Key Laboratory of Marine Resource Utilization in South China Sea, Haikou 570228, China
3 Key Laboratory of Internet Information Retrieval of Hainan Province, Hainan University, Haikou 570228, China
4 Department of Computer Science, University of Central Arkansas, Conway, AR 72035, USA

Correspondence should be addressed to Chen Zhang; 314848554@qq.com

Received 11 July 2018; Accepted 19 September 2018; Published 16 October 2018

Guest Editor: Lianyong Qi

Copyright © 2018 Jieren Cheng et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Distributed denial of service (DDoS) attacks have caused huge economic losses to society. They have become one of the main threats to Internet security. Most of the current detection methods, based on a single feature and fixed model parameters, cannot effectively detect early DDoS attacks in cloud and big data environments. In this paper, an adaptive DDoS attack detection method (ADADM) based on multiple-kernel learning (MKL) is proposed. Based on the burstiness of DDoS attack flow, the distribution of addresses, and the interactivity of communication, we define five features to describe the network flow characteristic. Based on the ensemble learning framework, the weight of each dimension is adaptively adjusted by increasing the interclass mean with a gradient ascent and reducing the intraclass variance with a gradient descent, and the classifier is established to identify an early DDoS attack by training simple multiple-kernel learning (SMKL) models with two characteristics, including interclass mean squared difference growth (M-SMKL) and intraclass variance descent (S-SMKL). The sliding window mechanism is used to coordinate the S-SMKL and M-SMKL to detect the early DDoS attack. The experimental results indicate that this method can detect DDoS attacks early and accurately.
Hindawi, Security and Communication Networks, Volume 2018, Article ID 5198685, 19 pages, https://doi.org/10.1155/2018/5198685

1. Introduction

In recent years, the security of computer networks, chips, virtual networks, and mobile devices has been of wide concern [1–3]. As an important platform for information exchange, computer network security has attracted much attention. In computer network security, the distributed denial of service (DDoS) attack has yet to be settled for a long time. DDoS is a traditional network attack method. It controls a large number of zombie machines that send a large number of invalid network request packets to a target host. It consumes and meaninglessly occupies the resources of the server, causing normal users to be unable to use the normal services provided by the target host [4]. Although the DDoS attack mode is simpler, its destructive power to the network is far greater than that of other network attacks. Moreover, this traditional attack method can still cause great damage to the Internet in recent years, and the frequency of launch, loss caused, complexity of DDoS, diversity of DDoS, and difficulty of defense have increased more than before [5]. In June 2016, an ordinary US jewelry online sales website was flooded with 35,000 HTTP requests (spam requests) per second, making the site unable to provide normal services. In October, DynDNS, which provides dynamic DNS services in the United States, was subject to large-scale DDoS attacks, resulting in access problems for multiple websites using DynDNS services, including GitHub, Twitter, Airbnb, Reddit, Freshbooks, Heroku, SoundCloud, Spotify, and Shopify. Twitter even experienced a zero-visit situation for nearly 24 hours. The reason why DDoS attacks have such great destructive power is that DDoS uses a large number of zombie machines to launch attacks on a certain target. Each zombie machine has powerful computing capability. Through the massive distributed processing capabilities of zombie machines, it is easy for a server to no longer have the ability to provide services to normal users [6]. On the other hand, DDoS attacks are easy to implement. Unlike other network attacks, DDoS attacks require only a large number of zombie machines and a small amount of network security knowledge to launch an effective attack. This easy-to-grasp network attack method makes the DDoS attack more powerful.
At present, under the traditional network environment, methods for defense against DDoS attacks mainly include attack detection and attack response [7]. DDoS attack detection uses attack signatures, congestion patterns, protocols, and source addresses as an important basis for detecting attacks, thereby establishing an effective detection mechanism. The detection model can be roughly divided into two categories: misuse-based detection and anomaly-based detection. Misuse-based detection is a technique based on feature-matching algorithms. It matches the collected and extracted user behavior features with the known feature database of DDoS attacks to identify whether an attack has occurred. Anomaly-based detection is adopted by monitoring systems. By establishing the target system and the user's normal behavior model, the monitoring systems can determine whether the states of the system and the user's activities deviate from the normal profile and can judge whether there is an attack. The attack response is to properly filter or limit the network traffic after the DDoS attack is initiated. The attack traffic to the attack target host is reduced as much as possible to mitigate the influence of the denial of service attack.
With the rise of cloud computing technologies and software-defined networking (SDN) concepts, DDoS attack detection based on cloud computing environments and software-defined networks has received widespread attention [8, 9]. As a new computing model, cloud computing has powerful distributed computing capabilities, massive storage capabilities, and diverse service capabilities [10, 11]. It has become an important means of solving big data problems [12]. Therefore, establishing a cloud platform system is a necessary measure to effectively ensure cloud computing's reliability, stability, and security [13–15].
In recent years, machine learning has been applied to the field of security [17]. The method of constructing an attack detection model using machine learning has been widely used [18, 19]. The machine-learning method plays an important role in the traditional network environment, the cloud environment, and software-defined network architecture. The reason is that the machine-learning method can deeply mine the important information hidden behind the data and combine prior knowledge to discriminate and predict new data [20]. Therefore, compared with traditional detection methods, machine-learning methods can exhibit better detection accuracy [21–25]. From the above analysis of defense measures, it is known that the traditional network environment, cloud environment, and software-defined network architecture all involve attack detection for the defense mechanism of DDoS. Therefore, studying the use of machine-learning methods to identify DDoS attacks is of great significance. However, the data generated by the DDoS attack is often bursty and diverse, and the background traffic size also has a greater impact on the detection model, thereby reducing the model's detection accuracy.
To solve the above problems, we propose a multiple-kernel learning DDoS attack detection method. The method uses the algorithm to extract five features and combines two multiple-kernel learning models with the adaptive feature weights to recognize attack flows and normal flows. To further improve the accuracy of DDoS attack detection, a sliding window mechanism is employed to coordinate the two multiple-kernel learning models in treating the detection results. Experiments show that our method can better distinguish DDoS attack flow from normal flow and can detect DDoS attacks earlier.
2. Related Work

DDoS attacks can cause tremendous damage to a network and often subject the attacked party to great economic losses. This is one of the main ways that hackers initiate cyberattacks.

To reduce the damage of DDoS attacks, researchers have proposed a large number of attack detection methods in recent years. According to the application scenario, these methods can be divided into three categories: the detection method in the conventional network environment, the detection method in the cloud environment, and the detection method in the software-defined network (SDN) environment.

(1) The conventional network environment refers to the Internet environment generally established on the Internet based on an open system interconnect reference model (OSI). In this regard, Saied et al. proposed a method for detecting known and unknown DDoS attacks using artificial neural networks [26]. Bhuyan et al. proposed an empirical evaluation method for the measurement of low-rate and high-rate DDoS attack detection information [27]. Tan et al. proposed a DDoS attack detection method based on multivariate correlation analysis [28]. Yu et al. proposed a DDoS attack detection method based on the traffic correlation coefficient [29]. Wang et al. conducted an in-depth analysis of the characteristics of DDoS botnets [30]. Kumar and others used the Jpcap API to monitor and analyze DDoS attacks [31]. Khundrakpam et al. proposed an application-layer DDoS attack detection method combining entropy and an artificial neural network [32].

(2) The cloud environment refers to the network service platform with cloud computing as the core technology. In this regard, Karnwal et al. proposed a defense method for XML DDoS and HTTP DDoS attacks under cloud computing platforms [33]. Sahi et al. proposed the check and defense method for TCP-flood DDoS attacks in the cloud environment [34]. Rukavitsyn et al. proposed a self-learning DDoS attack detection method in the cloud environment [35].

(3) Software-defined network refers to a new network architecture that adopts OpenFlow as the communication protocol and specifies the router as well as switch data exchange rules through the controller [36]. In this regard, Ashraf used machine-learning detection software to define DDoS attacks under the network [37]. Mihai-Gabriel proposed an intelligent elastic risk assessment method based on the neural network and risk theory in the SDN environment [38]. Yan et al. proposed an effective controller scheduling method to reduce DDoS attacks in software-defined networks [39]. Chin et al. proposed a DDoS flood attack method for selective detection of packets under SDN [40]. Dayal et al. analyzed the behavioral characteristics of DDoS attacks under SDN [41]. Ye et al. proposed a method of using SVM to detect DDoS attacks under the SDN environment [42]. Apart from the above detection methods used to ensure the security of the system, some efficient cryptography techniques can be applied to achieve privacy of the system [43–46].

In summary, the core issue of DDoS attack detection research is the construction of feature extraction and classification models. The attack detection methods in the above three environments can effectively detect DDoS attacks corresponding to the environment. However, in the detection of early DDoS attacks, these defense methods do not have a good detection effect. In addition, most of these methods use a single feature and do not consider the impact of multidimensional features on the classifier. Therefore, an adaptive DDoS attack detection method is proposed in this paper. Firstly, we design the algorithms to extract five features. Secondly, through an ensemble learning framework, the five features are used to train two multikernel learning models and obtain the adaptive feature weights with the gradient method. Finally, the sliding window mechanism is used to coordinate the two models to improve the detection accuracy.
3. DDoS Attack Feature Extraction

3.1. Analysis of DDoS Attack Behavior

In the cloud environment, the botnets of DDoS attacks have distributed characteristics. Each zombie machine has the ability to independently calculate, send, and process data packets, and the source IP address of the packets can also be forged. These advantages of DDoS attacks make defense more difficult. However, under the background of time series, the characteristics of data packets generated by DDoS attacks are still quite different from those of normal users. The difference is reflected in the following three aspects.

(1) Asymmetry. A DDoS attack is often caused by multiple zombie hosts sending a large number of packets to a host without the host's response. These useless packets quickly consume the host's service resources so that the host can no longer provide services to other users. With this feature, the DDoS attack behavior is such that there is a large number of packets sent to the host from the zombie hosts, and there are no packets or only a small number of packets sent to the zombie hosts from the host. The IP data packet often presents a situation in which multiple source IP addresses point to the same or several destination IP addresses, which is expressed as the asymmetry of the source IP as well as the destination IP in sending and receiving.

(2) Interactivity. It is assumed that there are A (zombie host) and B (attacked host). When an attack occurs, there are two main communication ways as follows: (1) A sends packets to B (denoted as A→B) and (2) A and B send packets to each other (denoted as A↔B). The number of packets sent in the way (A→B) is much larger than the number sent in the way (A↔B). Therefore, the interactivity of DDoS attack flow has different states in communication direction and amount compared with normal flow.

(3) Distribution. According to the characteristics of DDoS attack, when an attack occurs, the number of the hosts that launch the attack is much larger than that of the attacked hosts. The number of source IP addresses is also much larger than that of destination IP addresses, so that the source address and the destination address have different distribution characteristics. In addition, because DDoS attacks generate useless requests, the host ports accessed by the attack requests are more dispersed compared to normal flows. Therefore, the distribution of the ports is different in normal flows and attack flows.

Due to the limited ability of a single feature to express data, it cannot fully reflect the characteristics of the DDoS attack. Therefore, to effectively express the characteristics of the DDoS attack, this paper selects five feature extraction methods based on the above characteristics as follows. The address correlation degree (ACD) combines the traffic burstiness, flow asymmetry, and source IP address distribution of DDoS attack; the IP flow features value (FFV) exploits the asymmetry of attack flows and the distribution of source IP addresses; the IP flow's interaction behavior feature (IBF) uses the different interactivity between normal flows and attack flows on the network; the IP flow multifeature fusion (MFF) exploits the different behavioral characteristics of normal flows as well as DDoS attack flows and integrates the multiple characteristics of DDoS attack flows; the IP flow address half interaction anomaly degree (HIAD) focuses on the characteristics of the aggregated attack flows that are mixed with a large number of normal background flows. In order to make the feature richer in representation, we refer to several articles and combine the five feature extraction algorithms, besides removing the less impactful parameters, to form a multidimensional feature for DDoS attack detection [45–51].
3.2. DDoS Attack Feature Extraction

In the cloud environment, assume that network flow $F$ is as follows: $\langle (t_1, s_1, d_1, p_1), (t_2, s_2, d_2, p_2), \ldots, (t_n, s_n, d_n, p_n) \rangle$ in a certain unit of time, where $t_i$, $s_i$, $d_i$, and $p_i$ denote the time, source IP address, destination IP address, and the port of the $i$-th ($i = 1, 2, \ldots, n$) data packet, respectively. All data packets which contain source IP address $A_i$ and destination IP address $A_j$ are denoted as class $\mathit{SD}(A_i, A_j)$. All data packets with source IP address $A_i$ are denoted as class $\mathit{IPS}(A_i)$. All data packets with destination IP address $A_j$ are denoted as class $\mathit{IPD}(A_j)$. The packets with source IP address $A_i$ which exist in the class $\mathit{IPS}(A_i)$ and class $\mathit{IPD}(A_i)$ are denoted as $\mathit{IF}(A_i)$. The packets with source IP address $A_i$ which exist in class $\mathit{IPS}(A_i)$ and do not exist in class $\mathit{IPD}(A_i)$ are denoted as $\mathit{SH}(A_i)$. The number of the different ports in $\mathit{SH}(A_i)$ is denoted as $\mathit{Port}(\mathit{SH}(A_i))$. The packets with the destination IP address $A_i$ which do not exist in class $\mathit{IPS}(A_i)$ and exist in class $\mathit{IPD}(A_i)$ are denoted as $\mathit{DH}(A_i)$. The number of the different ports in $\mathit{DH}(A_i)$ is denoted as $\mathit{Port}(\mathit{DH}(A_i))$.

Definition 1. If there are different destination IP addresses $A_j$ and $A_k$ making classes $\mathit{SD}(A_i, A_j)$ and $\mathit{SD}(A_i, A_k)$ both non-null, then delete the class where all source IP address $A_i$ packets reside.

Assume that the last remaining classes are denoted as $\mathit{ACS}_1, \mathit{ACS}_2, \ldots, \mathit{ACS}_m$ and are statistically calculated to gain the ACD. The detailed formulation is as follows:

$$\mathit{ACD}_F = \sum_{i=1}^{m} W(\mathit{ACS}_i) \tag{1}$$

In this part, $W(\mathit{ACS}_i) = \theta_1 \mathit{Port}(\mathit{ACS}_i) + (1 - \theta_1)\mathit{Packet}(\mathit{ACS}_i)$ $(0 < \theta_1 < 1)$, where $\mathit{Port}(\mathit{ACS}_i)$ is the number of different ports in class $\mathit{ACS}_i$, $\mathit{Packet}(\mathit{ACS}_i)$ is the number of data packets in class $\mathit{ACS}_i$, and $\theta_1$ is the weighted value.
Definition 2. If all the packets whose destination IP address is $A_j$ form the unique class $\mathit{SD}(A_i, A_j)$, delete the class where the packet with the destination IP address is $A_j$.

Assume that the last remaining classes are denoted as $\mathit{SDS}_1, \mathit{SDS}_2, \ldots, \mathit{SDS}_l$, all packets in these remaining classes with the destination IP address $A_j$ are denoted as $\mathit{SDD}(A_j)$, and all the classes are denoted as $\mathit{SDD}_1, \mathit{SDD}_2, \ldots, \mathit{SDD}_m$. The FFV is defined as follows:

$$\mathit{FFV}_F = \left( \sum_{i=1}^{m} \mathit{CIP}(\mathit{SDD}_i) - m \right) \tag{2}$$

$\mathit{CIP}(\mathit{SDD}_i)$ in formula (2) is presented as follows:

$$\mathit{CIP}(\mathit{SDD}_i) = \mathit{Num}(\mathit{SDD}_i) + \theta_2 \sum_{j=1}^{\mathit{Num}(\mathit{SDD}_i)} \mathit{OA}(\mathit{Pack}(A_j)) + (1 - \theta_2)\left(\mathit{OB}(\mathit{Port}(\mathit{SDD}_i)) - 1\right) \tag{3}$$

In this equation, $0 \le \theta_2 \le 1$, and $\mathit{Num}(\mathit{SDD}_i)$ is the number of different source IP addresses in $\mathit{SDD}_i$.

$$\mathit{OA}(\mathit{Pack}(A_j)) = \begin{cases} \mathit{Pack}(A_j), & \mathit{Pack}(A_j)/\Delta t > \theta_3 \\ 0, & \mathit{Pack}(A_j)/\Delta t \le \theta_3 \end{cases} \tag{4}$$

$\mathit{Pack}(A_j)$ is the number of source IP addresses $A_j$ in $\mathit{SDD}_i$, and $\theta_3$ is the threshold of the number of packets.

$$\mathit{OB}(\mathit{Port}(\mathit{SDD}_i)) = \begin{cases} \mathit{Port}(\mathit{SDD}_i), & \mathit{Port}(\mathit{SDD}_i)/\Delta t > \theta_4 \\ 0, & \mathit{Port}(\mathit{SDD}_i)/\Delta t \le \theta_4 \end{cases} \tag{5}$$

$\mathit{Port}(\mathit{SDD}_i)$ is the number of different destination ports in $\mathit{SDD}_i$, $\theta_4$ is the threshold of the number of ports, and $\Delta t$ is the sampling time.
Definition 3. Assume that the IF flow is $\mathit{IF}_1, \mathit{IF}_2, \ldots, \mathit{IF}_M$, the SH class is denoted as $\mathit{SH}_1, \mathit{SH}_2, \ldots, \mathit{SH}_S$, and the DH class is denoted as $\mathit{DH}_1, \mathit{DH}_2, \ldots, \mathit{DH}_M$. Then define IBF as follows:

$$\mathit{IBF} = \frac{1}{M + 1} \left( |S - D| + \sum_{i=1}^{S} \mathit{over}(\mathit{Port}(\mathit{SH}_i)) + \sum_{i=1}^{D} \mathit{over}(\mathit{Port}(\mathit{DH}_i)) \right) \tag{6}$$

$$\mathit{over}(x) = \begin{cases} x, & x/\Delta t > \theta_5 \\ 0, & x/\Delta t \le \theta_5 \end{cases}$$

where $\theta_5$ is the threshold of the amount of port, $M$ in formula (6) is the number of IF flows within $\Delta t$, and $|S - D|$ is the absolute value of the difference between the number of source IP addresses and the number of destination IP addresses for all SH and DH flows in $\Delta t$.

Definition 4. Assume that the resulting SD classes are $\mathit{SD}_1, \mathit{SD}_2, \cdots, \mathit{SD}_l$ and IF classes are $\mathit{IF}_1, \mathit{IF}_2, \cdots, \mathit{IF}_M$. The number of packets of source IP address $A_i$ in class $\mathit{IF}_i$ is denoted as $\mathit{Sn}_i$, where $i = 1, 2, \ldots, M$; the number of packets of all interworking flow classes is denoted as SN; and the source semi-interactive flow class is denoted as $\mathit{SH}_1, \mathit{SH}_2, \cdots, \mathit{SH}_S$. The number of different ports in class $\mathit{SH}_i$ is denoted as $\mathit{Port}(\mathit{SH}_i)$, where $i = 1, 2, \ldots, S$; the destination semi-interactive class is denoted as $\mathit{DH}_1, \mathit{DH}_2, \cdots, \mathit{DH}_D$; and the number of different ports in class $\mathit{DH}_i$ is denoted as $\mathit{Port}(\mathit{DH}_i)$, where $i = 1, 2, \ldots, D$.

The weighted value of all packets in SH class is defined as follows:

$$\mathit{Weight}_{SH} = \sum_{i=1}^{s} \mathit{over}_{sh}(\mathit{Packet}(\mathit{SH}_i)) \tag{7}$$

The weighted value of all packets in SD classes is defined as follows:

$$\mathit{Weight}_{SD} = \sum_{i=1}^{L} \mathit{over}_{sd}(\mathit{Packet}(\mathit{SD}_i)) \tag{8}$$

The weighted value of the number of packets of network flow $F$ in unit time $T$ is as follows:

$$\mathit{Weight}_{packet} = \mathit{flag}(\mathit{Weight}_{SD})\,\mathit{Weight}_{SD} + \mathit{Weight}_{SD} \tag{9}$$

In these equations,

$$\mathit{over}_{sh}(x) = \begin{cases} x, & x/\Delta t > \theta_6 \\ 0, & x/\Delta t \le \theta_6 \end{cases} \qquad \mathit{over}_{sd}(x) = \begin{cases} x, & x/\Delta t > \theta_7 \\ 0, & x/\Delta t \le \theta_7 \end{cases} \qquad \mathit{flag}(x) = \begin{cases} 0, & x > 0 \\ 1, & x = 0 \end{cases} \tag{10}$$

$\Delta t$ is sampling time, and $\theta_6$ and $\theta_7$ are SH-type packet number abnormality thresholds. $\mathit{Packet}(\mathit{SD}_i)$ is the number of packets in $\mathit{SD}_i$, $i = 1, 2, \ldots, n$. The weighted value of the number of different ports in the SH and DH classes is as follows:

$$\mathit{Weight}_{port} = \sum_{i=1}^{S} \mathit{over}_{p}(\mathit{Port}(\mathit{SH}_i)) + \sum_{j=1}^{D} \mathit{over}_{p}(\mathit{Port}(\mathit{DH}_j)) \tag{11}$$

where

$$\mathit{over}_{p}(x) = \begin{cases} x, & x/\Delta t > \theta_8 \\ 0, & x/\Delta t \le \theta_8 \end{cases}$$

$\Delta t$ is sampling time, and $\theta_8$ is the SH-type port number abnormality threshold.

In this part, we define the MFF as follows:

$$\mathit{MFF}_F = \frac{S + \mathit{Weight}_{port} + \mathit{Weight}_{packet}}{M + 1} \tag{12}$$

where

$$f(x) = \begin{cases} x, & x \ge 1 \\ 1, & x \le 1 \end{cases}$$

Definition 5. The number of SH flows with different source IP addresses and the same destination IP address $A_i$ is denoted as $hn_i$. The SH class with the same destination IP address $A_i$ flow is denoted as $\mathit{HSD}(hn_i, A_i)$, where $i = 1, 2, \ldots, n$.

Assume that all HSD classes are $\mathit{HSD}_1, \mathit{HSD}_2, \cdots, \mathit{HSD}_k$, and the number of different destination ports in the class $\mathit{HSD}_i$ is expressed as $\mathit{Port}(\mathit{HSD}_i)$, where $i = 1, 2, \ldots, k$. The HIAD is defined as follows:

$$\mathit{HIAD}_F = \left( \sum_{i=1}^{k} \left( hn_i + \mathit{weight}(\mathit{Port}(\mathit{HSD}_i)) \right) \right) \tag{13}$$

In (13),

$$\mathit{weight}(x) = \begin{cases} x, & x/\Delta t > \theta_9 \\ 0, & x/\Delta t \le \theta_9 \end{cases}$$

$\Delta t$ is sampling time, and $\theta_9$ is the threshold for different destination ports.
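The following added example (not code from the article) computes two of the five features, IBF from formula (6) and HIAD from formula (13), over one sampling window, so the effect of a one-way flood on the SH classes is visible in numbers. The packet tuples, addresses, and the values of DT, THETA5, and THETA9 are constructed assumptions, and "number of IF flows" is read here as the number of hosts that both send and receive.

```python
from collections import defaultdict

DT = 1.0       # sampling time (assumed value)
THETA5 = 2     # port threshold in formula (6) (assumed value)
THETA9 = 10    # port threshold in formula (13) (assumed value)
SERVER = "10.0.0.100"   # constructed address


def half_interaction_classes(packets):
    """Split one window of (t, src, dst, port) packets into IF / SH / DH."""
    sources = {s for _, s, _, _ in packets}
    dests = {d for _, _, d, _ in packets}
    if_hosts = sources & dests      # IF(A_i): A_i both sends and receives
    sh = defaultdict(list)          # SH(A_i): A_i sends but never receives
    dh = defaultdict(list)          # DH(A_i): A_i receives but never sends
    for pkt in packets:
        _, s, d, _ = pkt
        if s not in dests:
            sh[s].append(pkt)
        if d not in sources:
            dh[d].append(pkt)
    return if_hosts, sh, dh


def over(x, dt, theta):
    """Threshold function of (6) and (13): keep x only if x/dt > theta."""
    return x if x / dt > theta else 0


def distinct_ports(pkts):
    return len({p for _, _, _, p in pkts})


def ibf(packets, dt, theta5):
    """Interaction behavior feature, formula (6)."""
    if_hosts, sh, dh = half_interaction_classes(packets)
    M, S, D = len(if_hosts), len(sh), len(dh)
    sh_term = sum(over(distinct_ports(p), dt, theta5) for p in sh.values())
    dh_term = sum(over(distinct_ports(p), dt, theta5) for p in dh.values())
    return (abs(S - D) + sh_term + dh_term) / (M + 1)


def hiad(packets, dt, theta9):
    """Half interaction anomaly degree, formula (13)."""
    _, sh, _ = half_interaction_classes(packets)
    srcs_by_dst = defaultdict(set)    # hn_i: distinct SH sources per destination
    ports_by_dst = defaultdict(set)   # Port(HSD_i): distinct ports per destination
    for pkts in sh.values():
        for _, s, d, p in pkts:
            srcs_by_dst[d].add(s)
            ports_by_dst[d].add(p)
    return sum(len(srcs_by_dst[d]) + over(len(ports_by_dst[d]), dt, theta9)
               for d in srcs_by_dst)


def normal_window():
    """Constructed sample: three clients in two-way exchange with the server."""
    pkts = []
    for i in range(1, 4):
        client = f"10.0.0.{i}"
        pkts.append((0.1 * i, client, SERVER, 443))
        pkts.append((0.1 * i + 0.01, SERVER, client, 443))
    return pkts


def attack_window():
    """Constructed sample: the normal traffic plus 50 sources that send to
    the server on three distinct ports each and never receive a reply."""
    pkts = normal_window()
    for k in range(50):
        src = f"198.51.100.{k + 1}"
        for j in range(3):
            pkts.append((0.5, src, SERVER, 1000 + 3 * k + j))
    return pkts


if __name__ == "__main__":
    for name, window in (("normal", normal_window()), ("attack", attack_window())):
        print(name, "IBF =", ibf(window, DT, THETA5),
              "HIAD =", hiad(window, DT, THETA9))
```

In the normal window every host both sends and receives, so there are no SH or DH classes and both features are zero; the one-way sources alone drive IBF and HIAD up in the attack window.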
4. The DDoS Attack Detection Model

The establishment of an attack detection model is an important part of the whole detection process. Based on the behavior of DDoS attack, we extract ACD, IBF, MFF, HIAD, and FFV features to express the inherent rules of attack flows. The disadvantages of the current DDoS attack detection models are summarized as follows: (1) some models highly depend on the selection of kernel function; (2) some models require data with highly stable value; (3) some models can only fit linear rules, but DDoS attack can generate linearly inseparable data due to abrupt, unstable, and stochastic characteristics. Considering that the multiple-kernel learning model has a low requirement for data stability, can be used for nonlinear fitting, and can flexibly treat linear and nonlinear data, this paper proposes an adaptive DDoS attack detection method based on the ensemble learning framework.

4.1. The Multiple-Kernel Learning Model

The multiple-kernel learning (MKL) model is developed from the original single-kernel SVM. In single-kernel SVM, an SVM only uses one kernel function to map the sample to high-dimensional spaces. By comparison, the multiple-kernel learning model uses multiple kernel functions with weights to map the sample to high-dimensional space. Therefore, it has higher flexibility and adaptability on heterogeneous data.
The multiple-kernel learning is defined as follows: given training set $T = \{(x_1, y_1), (x_2, y_2), \cdots, (x_n, y_n)\}$ and testing set $C = \{x'_1, x'_2, \cdots, x'_s\}$, $x_i \in R^d$, $x'_k \in R^d$, $y_i \in (-1, +1)$, $R$ is the real-number set, $d$ is the data dimension, $i = 1, 2, \cdots, n$, $k = 1, 2, \cdots, s$. $K_1(x, x'), K_2(x, x'), \cdots, K_M(x, x')$ are kernel functions in $R^d \times R^d$, and $\phi_1, \phi_2, \cdots, \phi_M$ is a kernel mapping for each function. In the classic multiple-kernel learning SimpleMKL [52], the objective function of the hyperplane is as follows:

$$f(x) = \sum_{m=1}^{M} \left( \omega_m, \phi_m(x) \right) + b \tag{14}$$

where $\omega_m$ is the weight for each kernel function and $b$ is bias. The relaxation factor is $\xi$. According to the principle of minimum structure, the objective function can be optimized as follows:

$$\min \psi(\omega_m, b, \xi, d) = \frac{1}{2} \sum_{m=1}^{M} \frac{1}{d_m} \left\| \omega_m \right\|_{H_m}^{2} + C \sum_{i=1}^{n} \xi_i \tag{15}$$

$$\text{s.t.} \quad y_i \sum_{m=1}^{M} \omega_m \cdot \varphi(x_i) + y_i b \ge 1 - \xi_i, \qquad \sum_{m=1}^{M} d_m = 1, \quad d_m \ge 0, \qquad \xi_i \ge 0 \tag{16}$$
By the two-order alternation optimization, the formula (15) can be converted to the optimization problem with $d_m$ as the variable:

$$\min_{d \ge 0} J(d), \qquad \sum_{m=1}^{M} d_m = 1 \tag{17}$$

$$\text{s.t.} \quad \min_{\omega_m, b, \xi} = \frac{1}{2} \sum_{m=1}^{M} \frac{1}{d_m} \left\| \omega_m \right\|_{H_m}^{2} + C \sum_{i=1}^{n} \xi_i, \qquad y_i \sum_{m=1}^{M} \omega_m \cdot \varphi(x_i) + y_i b \ge 1 - \xi_i, \qquad \xi_i \ge 0 \tag{18}$$
The Lagrange function of $J(d)$ is as follows:

$$L = \frac{1}{2} \sum_{m=1}^{M} \frac{1}{d_m} \left\| \omega_m \right\|_{H_m}^{2} + C \sum_{i=1}^{n} \xi_i + \sum_{i=1}^{m} \alpha_i \left( 1 - \xi_i - y_i \sum_{m=1}^{M} \omega_m \cdot \varphi_m(x_i) + y_i b \right) + \sum_{i=1}^{n} \nu_i \xi_i \tag{19}$$

where $\alpha_i$, $\nu_i$ are Lagrange multipliers. First, the partial derivatives with respect to $\omega_m$, $b$, $\xi_i$ are calculated. Then the extremums are gained when the partial derivatives are "0". Finally, the extremums are brought into the Lagrange function, which can be further changed to

$$\max Q(\alpha) = -\frac{1}{2} \sum_{i,j=1}^{m} \alpha_i \alpha_j y_i y_j K_d(x_i, x_j) + \sum_{i=1}^{n} \alpha_i \tag{20}$$

$$\text{s.t.} \quad \sum_{i}^{n} \alpha_i y_i = 0, \qquad C \ge \alpha_i \ge 0, \qquad K_d(x_i, x_j) = \sum_{m=1}^{M} d_m k_m(x_i, x_j) \tag{21}$$

The gradient descent method is used to adjust $J(d)$ on $d$, update $d$, and optimize $d$ as well as $a$ alternately. Then an optimal solution is obtained, $\alpha^{*} = (\alpha_1, \alpha_2, \cdots, \alpha_n)$; that is, the original objective function eventually turns into (22). The detailed formulation is as follows:

$$f(x) = \sum_{i=1}^{n} \alpha_i^{*} y_i \sum_{m=1}^{M} d_m K_d(x_i, x_j) + b \tag{22}$$

$x_j \in C$. When the test set data $x_j$ is input to $f(x)$, the objective function can determine the category of the test set data.
4.2. The Attack Detection Model Based on Multiple-Kernel Learning

The SimpleMKL model can be suitable for all the dimension weight values with "1". But it cannot fully exert the different features. This paper uses the feature weights to control the effect of different features on the model. To gain the appropriate feature weights in the SimpleMKL model, we combine the gradient method to optimize the weight parameters so that the detection accuracy is further improved.

We marked ACD as $x_1$, IBF as $x_2$, MFF as $x_3$, HIAD as $x_4$, and FFV as $x_5$; then the feature value vector is $F = (x_1, x_2, x_3, x_4, x_5)$, and the marked weight vector is $W = (w_1, w_2, w_3, w_4, w_5)$. Combinatorial features are $CF = F * W^T$, and the mean value of each dimension of normal flow is $u_{11}$, $u_{12}$, $u_{13}$, $u_{14}$, or $u_{15}$. Note the mean value of each dimension of the attack flow is $u_{21}$, $u_{22}$, $u_{23}$, $u_{24}$, or $u_{25}$.

The interclass mean squared difference is expressed as follows:

$$M = [w_1 * (u_{11} - u_{21})]^2 + [w_2 * (u_{12} - u_{22})]^2 + [w_3 * (u_{13} - u_{23})]^2 + [w_4 * (u_{14} - u_{24})]^2 + [w_5 * (u_{15} - u_{25})]^2 \tag{23}$$

The normal intraclass variance is denoted

$$S_1 = \sum_{i=1}^{n} [w_1 * (x_{i1} - u_{11})]^2 + [w_2 * (x_{i2} - u_{12})]^2 + [w_3 * (x_{i3} - u_{13})]^2 + [w_4 * (x_{i4} - u_{14})]^2 + [w_5 * (x_{i5} - u_{15})]^2 \tag{24}$$

The attack intraclass variance is denoted

$$S_2 = \sum_{i=1}^{n} [w_1 * (x_{i1} - u_{21})]^2 + [w_2 * (x_{i2} - u_{22})]^2 + [w_3 * (x_{i3} - u_{23})]^2 + [w_4 * (x_{i4} - u_{24})]^2 + [w_5 * (x_{i5} - u_{25})]^2 \tag{25}$$
The intraclass variance is $S = S_1 + S_2$. To improve classification accuracy and ensure rapid convergence, on the one hand we should increase the mean difference between positive and negative samples so that the two kinds of samples are far away from each other; that is, we should increase the $M$ value. On the other hand, we should minimize the differences between samples within a class: the variance corresponding to each dimension should be as small as possible, thus reducing the $S$ value. Therefore, the classification model needs to train two different classifiers to classify the samples. One classifier is interclass mean squared difference growth (M-SMKL), and the other is intraclass variance descent (S-SMKL). In combination with the SimpleMKL framework formula (15), the above problems can be transformed into (26). The detailed formulation is as follows:

$$\begin{aligned} & \max_{x_{ij} \in F} \alpha M + \min_{x_{ij} \in F} \beta S, \\ & \min \psi(\omega_m, b, \xi, d, w) = \frac{1}{2} \sum_{m=1}^{M} \frac{1}{d_m} \lVert \omega_m \rVert_{H_m}^{2} + C \sum_{i=1}^{n} \xi_i \end{aligned} \tag{26}$$

$$\begin{aligned} \text{s.t.}\quad & y_i \sum_{m=1}^{M} \omega_m \cdot \varphi(w x_i) + y_i b \ge 1 - \xi_i, \\ & \sum_{m=1}^{M} d_m = 1, \quad d_m \ge 0, \quad \xi_i \ge 0, \\ & M < \sigma_1, \quad S > \sigma_1. \end{aligned} \tag{27}$$
If $\alpha \gg \beta$, the objective function is M-SMKL. If $\beta \gg \alpha$, the objective function is S-SMKL. $\alpha$ and $\beta$ are converted to the learning rates of formula (35).

To solve the above problems, we obtain the objective function by iteratively updating the weights. The details are as follows. Firstly, the weights of each feature are assigned initial values. Secondly, they are combined with (26) and (27) to obtain the optimal function for the current iteration. The mathematical form is expressed as follows:

$$\max Q(\alpha) = -\frac{1}{2} \sum_{i,j=1}^{n} \alpha_i \alpha_j y_i y_j K_d(w x_i, w x_j) + \sum_{i=1}^{n} \alpha_i \tag{28}$$

$$\begin{aligned} \text{s.t.}\quad & \sum_{i=1}^{n} \alpha_i y_i = 0, \\ & C \ge \alpha_i \ge 0, \\ & K_d(w x_i, w x_j) = \sum_{m=1}^{M} d_m k_m(w x_i, w x_j). \end{aligned} \tag{29}$$
The optimal equation obtained using (28) and (29) is as follows:

$$f(x) = \sum_{i=1}^{n} \alpha_i^{*} y_i \sum_{m=1}^{M} d_m K_d(w x_i, w x_j) + b. \tag{30}$$
To further determine whether the optimal equation has achieved good results, this paper sets two groups of constraint conditions, for M-SMKL and S-SMKL respectively, that do not conflict with the constraint conditions of formula (27). These constraint conditions are expressed as follows.

The constraint conditions of M-SMKL are as follows:

$$\begin{aligned} & t_1 < \lvert M_{i+1} - M_i \rvert < t_2 < \lvert M_i - M_{i-1} \rvert < t_3, \\ & f(M_i) f(S_i) - f(M_{i-1}) f(S_{i-1}) > p_1, \\ & f(M_i) f(S_i) - f(M_{i+1}) f(S_{i+1}) > p_2. \end{aligned} \tag{31}$$

The constraint conditions of S-SMKL are as follows:

$$\begin{aligned} & t_4 < \lvert S_i - S_{i-1} \rvert < t_5 < \lvert S_{i+1} - S_i \rvert < t_6, \\ & f(M_i) f(S_i) - f(M_{i-1}) f(S_{i-1}) > p_3, \\ & f(M_i) f(S_i) - f(M_{i+1}) f(S_{i+1}) > p_4, \end{aligned} \tag{32}$$

where the values of $p_1$, $p_2$, $p_3$, and $p_4$ are close to “0”, the values of $t_1$, $t_2$, and $t_3$ are close to “1”, and the values of $t_4$, $t_5$, and $t_6$ are close to “75”. If the constraint condition is satisfied, the algorithm stops and formula (30) becomes the optimal function; otherwise, each dimension weight is updated iteratively. The gradients of $M$ and $S$ with respect to each dimension weight are as follows:
$$\begin{aligned} \frac{\partial M}{\partial w_1} &= 2 w_1 (u_{11} - u_{21})^2, \\ \frac{\partial M}{\partial w_2} &= 2 w_2 (u_{12} - u_{22})^2, \\ \frac{\partial M}{\partial w_3} &= 2 w_3 (u_{13} - u_{23})^2, \\ \frac{\partial M}{\partial w_4} &= 2 w_4 (u_{14} - u_{24})^2, \\ \frac{\partial M}{\partial w_5} &= 2 w_5 (u_{15} - u_{25})^2, \end{aligned} \tag{33}$$

$$\begin{aligned} \frac{\partial S}{\partial w_1} &= 2 \left[ w_1 \left( \sum_{i=1}^{n_1} x_{11}^{2} - n_1 u_{11}^{2} \right) + w_1 \left( \sum_{i=1}^{n_2} x_{21}^{2} - n_2 u_{21}^{2} \right) \right], \\ \frac{\partial S}{\partial w_2} &= 2 \left[ w_2 \left( \sum_{i=1}^{n_1} x_{12}^{2} - n_1 u_{12}^{2} \right) + w_2 \left( \sum_{i=1}^{n_2} x_{22}^{2} - n_2 u_{22}^{2} \right) \right], \\ \frac{\partial S}{\partial w_3} &= 2 \left[ w_3 \left( \sum_{i=1}^{n_1} x_{13}^{2} - n_1 u_{13}^{2} \right) + w_3 \left( \sum_{i=1}^{n_2} x_{23}^{2} - n_2 u_{23}^{2} \right) \right], \\ \frac{\partial S}{\partial w_4} &= 2 \left[ w_4 \left( \sum_{i=1}^{n_1} x_{14}^{2} - n_1 u_{14}^{2} \right) + w_4 \left( \sum_{i=1}^{n_2} x_{24}^{2} - n_2 u_{24}^{2} \right) \right], \\ \frac{\partial S}{\partial w_5} &= 2 \left[ w_5 \left( \sum_{i=1}^{n_1} x_{15}^{2} - n_1 u_{15}^{2} \right) + w_5 \left( \sum_{i=1}^{n_2} x_{25}^{2} - n_2 u_{25}^{2} \right) \right], \end{aligned} \tag{34}$$
where $n_1$ is the number of normal flow features in the training sample and $n_2$ is the number of attack flow features in the training sample. According to the gradients in (33) and (34), the weight of each dimension is updated as in (35):

$$\begin{aligned} w_1 &= w_1 + 2\, \mathit{lr}_1 \frac{\partial M}{\partial w_1} - 2\, \mathit{lr}_2 \frac{\partial S}{\partial w_1}, \\ w_2 &= w_2 + 2\, \mathit{lr}_1 \frac{\partial M}{\partial w_2} - 2\, \mathit{lr}_2 \frac{\partial S}{\partial w_2}, \\ w_3 &= w_3 + 2\, \mathit{lr}_1 \frac{\partial M}{\partial w_3} - 2\, \mathit{lr}_2 \frac{\partial S}{\partial w_3}, \\ w_4 &= w_4 + 2\, \mathit{lr}_1 \frac{\partial M}{\partial w_4} - 2\, \mathit{lr}_2 \frac{\partial S}{\partial w_4}, \\ w_5 &= w_5 + 2\, \mathit{lr}_1 \frac{\partial M}{\partial w_5} - 2\, \mathit{lr}_2 \frac{\partial S}{\partial w_5}, \end{aligned} \tag{35}$$

where $\mathit{lr}_1$ is the learning rate of gradient ascent and $\mathit{lr}_2$ is the learning rate of gradient descent; $\mathit{lr}_1$ has the same function as $\alpha$, and $\mathit{lr}_2$ has the same function as $\beta$. Each updated weight is multiplied by the corresponding original feature, and the next round of iteration is carried out.

[Figure 1: Flow chart of multiple-kernel learning training process based on ensemble learning. Two parallel branches start from the multidimension data with initial weights: one increases M and updates the weights of the different dimensions with gradient ascent, then multiplies the updated weights with the training data set and updates the core parameters of M-SMKL; the other decreases S with gradient descent and does the same for S-SMKL. Each branch repeats (No) until the constraint conditions of its model are met (Yes), which ends M-SMKL training and S-SMKL training, respectively.]
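The update rule of (33)–(35), written out as an added Python example (not the authors' code): it computes M and S as in (23)–(25), takes the gradients of (33) and (34), and applies one step of (35). The sample rows and the learning rates are constructed for illustration, and the finite-difference check is an addition used only to confirm the gradients.

```python
"""Added example: one adaptive feature-weight update, eqs. (23)-(25), (33)-(35).

Feature order follows the page: x1=ACD, x2=IBF, x3=MFF, x4=HIAD, x5=FFV.
NORMAL_ROWS, ATTACK_ROWS and the learning rates are constructed values.
"""

FEATURES = ("ACD", "IBF", "MFF", "HIAD", "FFV")

# Constructed, already-normalized feature vectors (one row per sampling interval).
NORMAL_ROWS = [
    [0.10, 0.20, 0.15, 0.05, 0.10],
    [0.12, 0.18, 0.15, 0.07, 0.30],
    [0.08, 0.22, 0.15, 0.06, 0.20],
]
ATTACK_ROWS = [
    [0.60, 0.50, 0.20, 0.90, 0.25],
    [0.70, 0.55, 0.10, 0.95, 0.05],
    [0.65, 0.45, 0.15, 0.85, 0.45],
]


def class_means(rows):
    """Per-dimension mean of one class (u_1k for normal, u_2k for attack)."""
    return [sum(col) / len(rows) for col in zip(*rows)]


def interclass_m(w, u1, u2):
    """Eq. (23): weighted squared distance between the two class means."""
    return sum((wk * (a - b)) ** 2 for wk, a, b in zip(w, u1, u2))


def intraclass_s(w, normal, attack, u1, u2):
    """Eqs. (24)+(25): S = S1 + S2, weighted scatter around each class mean."""
    def scatter(rows, u):
        return sum((wk * (x - uk)) ** 2
                   for row in rows for wk, x, uk in zip(w, row, u))
    return scatter(normal, u1) + scatter(attack, u2)


def grad_m(w, u1, u2):
    """Eq. (33): dM/dw_k = 2 w_k (u_1k - u_2k)^2."""
    return [2 * wk * (a - b) ** 2 for wk, a, b in zip(w, u1, u2)]


def grad_s(w, normal, attack, u1, u2):
    """Eq. (34): dS/dw_k = 2[w_k(sum x^2 - n1 u_1k^2) + w_k(sum x^2 - n2 u_2k^2)]."""
    grads = []
    for k, wk in enumerate(w):
        t1 = sum(r[k] ** 2 for r in normal) - len(normal) * u1[k] ** 2
        t2 = sum(r[k] ** 2 for r in attack) - len(attack) * u2[k] ** 2
        grads.append(2 * (wk * t1 + wk * t2))
    return grads


def update_weights(w, normal, attack, lr1, lr2):
    """Eq. (35): ascend on M with rate lr1, descend on S with rate lr2."""
    u1, u2 = class_means(normal), class_means(attack)
    gm = grad_m(w, u1, u2)
    gs = grad_s(w, normal, attack, u1, u2)
    return [wk + 2 * lr1 * a - 2 * lr2 * b for wk, a, b in zip(w, gm, gs)]


def numeric_grad(fn, w, h=1e-6):
    """Central finite difference, used only to cross-check (33) and (34)."""
    grads = []
    for k in range(len(w)):
        up, down = list(w), list(w)
        up[k] += h
        down[k] -= h
        grads.append((fn(up) - fn(down)) / (2 * h))
    return grads


def demo():
    """Print the weights after one combined step from all-ones weights."""
    w = update_weights([1.0] * 5, NORMAL_ROWS, ATTACK_ROWS, lr1=0.1, lr2=0.5)
    for name, wk in zip(FEATURES, w):
        print(f"{name:5s} weight after one step: {wk:.5f}")


if __name__ == "__main__":
    demo()
```

In this constructed sample, HIAD separates the classes well and gains weight, while MFF (equal class means) and FFV (large intraclass scatter) lose weight.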
4.3. Framework of Multiple-Kernel Learning Detection Based on Ensemble Learning. We input the multidimensional data with weights and set the learning rates. Then two different classifiers are trained: M-SMKL is trained mainly by increasing the M value and secondarily by reducing the S value, and S-SMKL is trained mainly by reducing the S value and secondarily by increasing the M value. During the training process, the M value and the S value are constantly updated with gradient ascent and descent until the constraint conditions are met. The flowchart is provided in Figure 1.

The detection process is as follows: firstly, the test data is multiplied by the two different weight vectors that were trained earlier; secondly, the calculated data are input to the corresponding M-SMKL and S-SMKL models; finally, we use the sliding window mechanism to coordinate the two kinds of models. The sliding window mechanism is described as follows. Firstly, a sliding window with a size of $n$ is created. Secondly, the trained M-SMKL classifies the test data and obtains the first classification results; the trained S-SMKL classifies the test data and obtains the second classification results. Finally, four rules are used to treat the first and the second classification results cooperatively:

(1) If M-SMKL and S-SMKL both identify the current data category as normal, the current data category is judged to be normal.

(2) If M-SMKL and S-SMKL both identify the current data category as attack, the current data category is judged to be attack.

(3) If M-SMKL identifies the current data category as normal but S-SMKL identifies it as attack, the current data category is judged to be attack.

(4) If M-SMKL identifies the current data category as attack but S-SMKL identifies it as normal, then consider the following. Step 1: Move the starting point of the sliding window to the current position of the test data in the first classification result, and map the end point of the sliding window to the n-1 position of the first classification results. Step 2: If the results in the sliding window are all attack, the current data category is judged to be attack; otherwise, the current data category is judged to be normal.

The flow chart is provided in Figure 2.
The reason for training two kinds of SMKL is that S-SMKL focuses on reducing the difference between the data of each dimension and can gather the two types of samples around their respective central positions. However, S-SMKL does not consider the location of the two sample-center points. Although a better classification feature can be maintained on the whole, it is impossible to identify DDoS attacks earlier because the center distance between the normal flow and the attack flow is small. M-SMKL focuses on the difference between the two types of data centers and maximizes the distance between the two types of sample centers, making the two kinds of samples as separate as possible. M-SMKL can expand the distance between the different classes so that the attack flow can be identified earlier, but it makes intraclass data dispersed, causing default results. Therefore, the sliding window mechanism is adopted to coordinate the two models to detect early DDoS attacks accurately.

[Figure 2: Flow chart of multiple-kernel learning detection process based on ensemble learning. The initial data are multiplied by the new weights of S-SMKL and of M-SMKL; the test set is classified with S-SMKL and with M-SMKL, giving classification results 1 and 2; both feed the sliding window process, which outputs the final prediction result.]
5. Experimental Analysis

5.1. Experimental Data Sets and Evaluation Standards. The data set used for this experiment is the CAIDA “DDoS Attack 2007” data set [53]. This data set contains approximately one hour of anonymized traffic from a distributed denial of service (DDoS) attack on August 4, 2007. The total size of the data set is 21 GB, which accounts for approximately one hour (20:50:08 UTC–21:56:16 UTC). Attacks began around 21:13, causing the network load to grow rapidly (in minutes) from approximately 200 kbits/s to 80 megabits/s. The one hour of attack traffic is divided into 5-minute files and stored in PCAP format. The contents of this data set are TCP network traffic packets. Each TCP packet contains the source address, destination address, source port, destination port, packet size, and protocol type. The duration of normal flow data used in this paper is 2 minutes in total, and the duration of attack data is 5 minutes in total.

The hardware adopted is a computer with 8 GB of memory, an Intel Core i7 processor, and a 64-bit Windows 10 system; the development environment is MATLAB 2014a and Codeblocks 10.05. The evaluation criteria used in this paper consist of the detection rate (DR), the false alarm rate (FR), and the total error rate (ER).
Assume that TP indicates the number of normal test samples that are correctly marked, FP indicates the number of normal test samples that have been incorrectly marked, TN indicates the number of attack test samples that are correctly marked, and FN indicates the number of attack test samples that have been incorrectly marked. Then

$$\begin{aligned} DR &= \frac{TN}{TN + FN}, \\ FR &= \frac{FP}{TP + FP}, \\ ER &= \frac{FN + FP}{TP + FP + TN + FN}. \end{aligned} \tag{36}$$
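The four sliding-window coordination rules described above and the measures of (36), as an added Python example (not the authors' code). The label sequences are constructed; the window is read here as the current M-SMKL result plus the next n-1 results, truncated at the end of the sequence, which is an assumption about the description.

```python
"""Added example: coordinating M-SMKL and S-SMKL labels, then scoring with (36).

All label sequences below are constructed for illustration.
"""

NORMAL, ATTACK = 0, 1


def fuse(m_pred, s_pred, window=8):
    """Apply the four coordination rules to two per-sample label sequences.

    m_pred: labels from M-SMKL (the "first classification results")
    s_pred: labels from S-SMKL (the "second classification results")
    window: sliding window size n (the paper's experiments use 8)
    """
    if len(m_pred) != len(s_pred):
        raise ValueError("both classifiers must label the same samples")
    fused = []
    for i, (m, s) in enumerate(zip(m_pred, s_pred)):
        if m == s:              # rules (1) and (2): the models agree
            fused.append(m)
        elif s == ATTACK:       # rule (3): M-SMKL normal, S-SMKL attack
            fused.append(ATTACK)
        else:                   # rule (4): M-SMKL attack, S-SMKL normal
            # Assumption: window = positions i .. i+n-1 of the M-SMKL results,
            # shortened when fewer than n results remain.
            win = m_pred[i:i + window]
            fused.append(ATTACK if all(x == ATTACK for x in win) else NORMAL)
    return fused


def rates(pred, truth):
    """Return (DR, FR, ER) using the page's convention in (36):
    TP/FP count normal samples, TN/FN count attack samples."""
    tp = sum(1 for p, t in zip(pred, truth) if t == NORMAL and p == NORMAL)
    fp = sum(1 for p, t in zip(pred, truth) if t == NORMAL and p == ATTACK)
    tn = sum(1 for p, t in zip(pred, truth) if t == ATTACK and p == ATTACK)
    fn = sum(1 for p, t in zip(pred, truth) if t == ATTACK and p == NORMAL)

    def ratio(num, den):
        return num / den if den else 0.0   # empty class: report 0.0

    return (ratio(tn, tn + fn), ratio(fp, tp + fp),
            ratio(fn + fp, tp + fp + tn + fn))


# Constructed scenario: 10 normal intervals followed by 14 attack intervals.
TRUTH = [NORMAL] * 10 + [ATTACK] * 14
# M-SMKL reacts at once but raises isolated false alarms (positions 3 and 9)
# and drops one attack interval (position 18).
M_PRED = [0, 0, 0, 1, 0, 0, 0, 0, 0, 1] + [1] * 8 + [0] + [1] * 5
# S-SMKL raises no false alarm but misses the first five attack intervals.
S_PRED = [NORMAL] * 15 + [ATTACK] * 9


def demo():
    for name, pred in (("M-SMKL", M_PRED), ("S-SMKL", S_PRED),
                       ("fused n=4", fuse(M_PRED, S_PRED, 4)),
                       ("fused n=8", fuse(M_PRED, S_PRED, 8))):
        dr, fr, er = rates(pred, TRUTH)
        print(f"{name:10s} DR={dr:.3f} FR={fr:.3f} ER={er:.3f}")


if __name__ == "__main__":
    demo()
```

With n=4 the isolated false alarm at position 3 is suppressed and every attack interval is kept; with n=8 the single M-SMKL miss at position 18 falls inside the windows of positions 11 to 14, so those early attack intervals are judged normal.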
We used the above five feature extraction algorithms to extract features from the data set. The extracted feature values are normalized and used as a training set. The data in the training set can be regarded as the regularity of the change in network traffic. Network traffic has an abrupt and volatile nature. Therefore, although the collected network data have similarities with the conventional ones, they still have a certain degree of difference. To simulate this phenomenon and verify the effectiveness of the presented method, three types of data are generated as follows: (1) normal flow feature values and attack flow feature values are multiplied by a random number; (2) only the attack flow feature values are multiplied by a random number; and (3) only the normal flow feature values are multiplied by a random number.
[Figure 3: The ACD feature graph of DDoS attack flow and normal flow. x-axis: time (s); y-axis: the ACD feature value; series: the DDoS attack feature value, the normal feature value.]

[Figure 4: The IBF feature graph of DDoS attack flow and normal flow. x-axis: time (s); y-axis: the IBF feature value; series: the DDoS attack feature value, the normal feature value.]
5.2. Experimental Results and Analysis. Five features are used to extract feature data from attack data and normal data, and positive as well as negative sample sets are obtained. The sampling time is set to 1 s, and the remaining parameters of the five feature extraction methods are set as follows: $\theta_1 = 0.5$, $\theta_2 = 0.5$, $\theta_3 = 3$, $\theta_4 = 3$, $\theta_5 = 3$, $\theta_6 = 3$, $\theta_7 = 3$, $\theta_8 = 3$, and $\theta_9 = 3$. The total number of normal feature values is 211, and the total number of attack feature values is 280. Figures 3–9 illustrate the feature values extracted by the five algorithms.
As illustrated in Figure 3, the early attack feature values of the DDoS attack are close to the normal feature values. This is because there are a large number of bidirectional flows in the early stage of the DDoS attack, and these bidirectional flows gradually decrease as the attack intensifies. Therefore, using the ACD as a feature after 70 seconds can significantly reflect the difference between the attack flow and the normal flow. ACD can reflect the difference between normal flow and attack flow the earliest.

[Figure 5: The FFV feature graph of DDoS attack flow and normal flow. x-axis: time (s); y-axis: the FFV feature value; series: the DDoS attack feature value, the normal feature value.]

[Figure 6: The ACD feature graph of DDoS attack flow and normal flow in the first 10 seconds. x-axis: time (s); y-axis: the ACD feature value; series: the DDoS attack feature value, the normal feature value.]
As illustrated in Figure 4, compared with ACD, although IBF does not recognize the attack flow earlier, the distribution range of its feature values is more uniform and presents a certain degree of volatility. This makes the feature less susceptible to individual outliers.

As illustrated in Figure 5, the FFV feature is very similar to the ACD, but as illustrated in Figures 6 and 7, in the initial stage the FFV is more capable of reflecting the difference between the attack flow and the normal flow than the ACD is.

[Figure 7: The FFV feature graph of DDoS attack flow and normal flow in the first 10 seconds. x-axis: time (s); y-axis: the FFV feature value; series: the DDoS attack feature value, the normal feature value.]

[Figure 8: The MFF feature graph of DDoS attack flow and normal flow. x-axis: time (s); y-axis: the MFF feature value; series: the DDoS attack feature value, the normal feature value.]
As illustrated in Figure 8, although the MFF feature cannot distinguish the attack flow from the normal flow as early as possible, it makes the feature values of the attack stage more stable, so that it can avoid the outliers of attack flows.

As illustrated in Figure 9, it can be seen from the values on the ordinate that the HIAD best reflects the difference between the normal flow and the attack flow while having better stability in the latter half of the attack flow. After the early data, this feature can greatly distinguish between normal flow and abnormal flow, influence the classifier more, and make better decisions.

[Figure 9: The HIAD feature graph of DDoS attack flow and normal flow. x-axis: time (s); y-axis: the HIAD feature value (×10^4); series: the DDoS attack feature value, the normal feature value.]

In summary, all five features have their own unique characteristics. To make full use of the characteristics of each feature, the feature values extracted by these five algorithms are used together as a five-dimensional-feature data set. Using these five feature values as training sets, two multiple-kernel learning models dominated by gradient ascent and gradient descent are trained, and the corresponding five-dimensional feature weight vectors are obtained. Finally, according to the framework of Figure 2, the classification results of the test set are obtained and used to verify the effectiveness of the method. The parameters of M-SMKL are set as follows: $\mathit{lr}_1 = 2 \times 10^{-5}$, $\mathit{lr}_2 = 2 \times 10^{-3}$, $t_1 = 1.002$, $t_2 = 1.0065$, $t_3 = 1.007$, $p_1 = 0.000084$, and $p_2 = 0.000001$. The parameters of S-SMKL are set as follows: $\mathit{lr}_1 = 2 \times 10^{-5}$, $\mathit{lr}_2 = 2 \times 10^{-2}$, $t_4$ = 73425, $t_5$ = 78340, $t_6$ = 78350, $p_3 = 0.000775$, and $p_4 = 0.000680$. The size of the sliding window is 8. The parameters for multiple-kernel learning are all default values, and the kernel functions include two Gaussian functions and two polynomial functions. The SVM parameters are all default values, and the kernel function is a linear function. The experimental results are illustrated in Figures 10–18.
As shown in Figures 10–18, under the three types of experiments and according to the three evaluation criteria, the overall performance of the algorithms from the highest to the lowest is the ADADM, the SVM method, the SMKL method, and Nezhad et al.’s method [16].

This is because, although the method described by Nezhad et al. [16] is visibly superior to the other methods in terms of DR, it is far worse than the other methods with respect to the other indicators. The reason is that the Nezhad et al. [16] method relies excessively on the first reference point. When the first reference point fluctuates, this method easily recognizes some normal samples as attack samples.

Although the classification accuracy of the attack samples is high, a large number of normal samples are misjudged, so this method is superior in terms of DR and its other indicators are inferior to those of the other methods. This is why, in this case, the Nezhad et al. [16] method performs the worst. The effect of SVM is generally better than that of the SMKL method because, although the SMKL method coordinates multiple kernel functions to map the sample to a high-dimensional Hilbert space, the linear kernel function is obviously more suitable for the sample. Using the linear kernel, SVM can establish a better hyperplane than the SMKL method to identify the data containing early DDoS attacks. However, although the multiple-kernel learning method does not use a linear kernel function that is more suitable for the sample space, it can still maintain high accuracy, indicating that multiple-kernel learning has a lower dependence on the selection of kernel functions than the single-kernel SVM.

[Figure 10: The DR contrast diagram of four algorithms for scaling attack flow and normal flow. x-axis: the value of multiplier; y-axis: the value of DR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].]

[Figure 11: The ER contrast diagram of four algorithms for scaling attack flow and normal flow. x-axis: the value of multiplier; y-axis: the value of ER; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].]

[Figure 12: The FR contrast diagram of four algorithms for scaling attack flow and normal flow. x-axis: the value of multiplier; y-axis: the value of FR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].]

[Figure 13: The DR contrast diagram of four algorithms for narrowing the attack flow. x-axis: the value of multiplier; y-axis: the value of DR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].]

We compared the ADADM to the SVM method. The ADADM method uses the same kernel functions as the SMKL method. Because the multikernel learning method is flexible and adaptable, it is possible to continuously optimize the hyperplane by adjusting the weights of the feature of each dimension to recognize the DDoS as early as possible. Attack flow data and normal flow data are located on both sides of the hyperplane.

[Figure 14: The ER contrast diagram of four algorithms for narrowing the attack flow. x-axis: the value of multiplier; y-axis: the value of ER; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].]

[Figure 15: The FR contrast diagram of four algorithms for narrowing the attack flow. x-axis: the value of multiplier; y-axis: the value of FR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].]

In addition, using the idea of ensemble learning to train two different classifiers and using the sliding window mechanism to further synthesize the advantage of each classifier improves the algorithm’s performance in the three types of experiments. The method we propose outperforms not only the SVM method but also other methods of DDoS attack detection. The experimental data are presented in Tables 1, 2, and 3.

[Figure 16: The DR contrast diagram of four algorithms for amplifying the normal flow. x-axis: the value of multiplier; y-axis: the value of DR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].]

[Figure 17: The ER contrast diagram of four algorithms for amplifying the normal flow. x-axis: the value of multiplier; y-axis: the value of ER; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].]
Table 1: Comparison results of four algorithms for scaling attack flow and normal flow.

| Method | Measure | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.1 | 1.0–1.5 | 1.5–2.0 | 2.0–3.0 | 3.0–4.0 | 4.0–5.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.57 | 78.57 | 78.57 | 78.57 | 78.21 | 78.21 | 78.21 | 78.21 | 78.57 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 12.22 | 12.22 | 12.22 | 12.22 | 12.42 | 12.42 | 12.42 | 12.42 | 12.22 |
| SimpleMKL method | DR (%) | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 77.50 | 77.50 | 77.86 | 77.86 | 76.79 | 77.50 | 77.86 | 76.79 | 77.86 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 12.83 | 12.83 | 12.63 | 12.63 | 13.24 | 12.83 | 12.63 | 13.24 | 12.63 |
| Nezhad et al.’s [16] method | DR (%) | 98.21 | 97.85 | 98.21 | 97.85 | 98.21 | 98.21 | 98.21 | 97.85 | 98.21 |
| | FR (%) | 74.29 | 74.76 | 74.29 | 74.76 | 75.71 | 74.29 | 74.29 | 74.29 | 72.38 |
| | ER (%) | 32.92 | 33.33 | 32.92 | 33.33 | 33.54 | 32.92 | 32.92 | 33.13 | 32.11 |

The column headings give the value of the random multiplier.

Table 2: Comparison results of four algorithms for narrowing the attack flow.

| Method | Measure | 0.1–0.2 | 0.2–0.3 | 0.3–0.4 | 0.4–0.5 | 0.5–0.6 | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.21 | 78.21 | 78.21 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 |
| | FR (%) | 10.99 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 17.15 | 13.04 | 12.42 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 |
| SimpleMKL method | DR (%) | 75.71 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| | FR (%) | 22.75 | 4.74 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 23.63 | 15.48 | 14.05 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 76.07 | 77.14 | 77.50 | 77.86 | 77.50 | 77.86 | 77.86 | 77.50 | 77.86 |
| | FR (%) | 22.75 | 4.74 | 1.42 | 0.47 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 23.42 | 15.07 | 13.44 | 12.83 | 12.83 | 12.63 | 12.63 | 12.83 | 12.63 |
| Nezhad et al.’s [16] method | DR (%) | 97.13 | 97.85 | 98.57 | 98.21 | 98.57 | 98.57 | 98.21 | 98.21 | 97.85 |
| | FR (%) | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 |
| | ER (%) | 33.54 | 33.13 | 32.72 | 32.92 | 32.72 | 32.72 | 32.92 | 32.92 | 33.13 |

The column headings give the value of the random multiplier.

Table 3: Comparison results of four algorithms for amplifying the normal flow.

| Method | Measure | 1.0–1.5 | 1.5–2.0 | 2.0–2.5 | 2.5–3.0 | 3.0–3.5 | 3.5–4.0 | 4.0–4.5 | 4.5–5.0 | 5.0–5.5 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.47 | 1.42 | 1.90 | 4.74 | 6.64 | 10.43 |
| | ER (%) | 12.02 | 12.02 | 12.02 | 12.22 | 12.63 | 12.83 | 14.05 | 14.87 | 16.50 |
| SimpleMKL method | DR (%) | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 |
| | FR (%) | 0.01 | 0.01 | 0.47 | 1.42 | 4.27 | 6.64 | 10.90 | 17.06 | 21.80 |
| | ER (%) | 13.04 | 13.04 | 13.24 | 13.65 | 14.87 | 15.89 | 17.72 | 20.37 | 22.40 |
| SVM method | DR (%) | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 |
| | FR (%) | 0.01 | 0.01 | 0.95 | 1.42 | 3.79 | 8.06 | 11.85 | 18.01 | 22.75 |
| | ER (%) | 12.63 | 12.63 | 13.04 | 13.24 | 14.26 | 16.09 | 17.72 | 20.37 | 22.40 |
| Nezhad et al.’s [16] method | DR (%) | 97.49 | 97.13 | 97.13 | 97.13 | 96.77 | 96.77 | 96.77 | 96.77 | 96.77 |
| | FR (%) | 65.24 | 65.24 | 66.19 | 66.67 | 66.67 | 66.67 | 67.14 | 67.14 | 67.62 |
| | ER (%) | 29.47 | 29.67 | 30.08 | 30.28 | 30.49 | 30.49 | 30.69 | 30.69 | 30.90 |

The column headings give the value of the random multiplier.

[Figure 18: The FR contrast diagram of four algorithms for amplifying the normal flow. x-axis: the value of multiplier; y-axis: the value of FR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].]

6. Conclusion

In this paper, five-dimensional features are defined for describing the burstiness of DDoS attack flows, the distribution of IP source addresses, and the interactivity of DDoS attack flows. Based on the five-dimensional features and the ensemble learning framework, adaptive feature weights are obtained, and the M-SMKL and S-SMKL multiple-kernel learning models are trained to detect DDoS attacks. To identify early attacks effectively, the sliding window mechanism is used to coordinate the S-SMKL and the M-SMKL in dealing with the detection results. Experimental results show that, compared with similar methods, our method can produce more accurate results for detecting early DDoS attacks.
In the follow-up work, we will further study how to transform the multidimensional weight adaptive problem based on multiple-kernel learning into a convex optimization problem and improve the detection rate and convergence speed of the method.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

There are no conflicts of interest in this paper.

Acknowledgments

This work was supported by the Hainan Provincial Natural Science Foundation of China [2018CXTD333, 617048], the National Natural Science Foundation of China [61762033, 61702539], Hainan University Doctor Start Fund Project [kyqd1328], and Hainan University Youth Fund Project [qnjj1444].
References
[1] Z Cai Z Wang K Zheng and J Cao ldquoA Distributed TCAMcoprocessor architecture for integrated longest prefixmatchingpolicy filtering and content filteringrdquo IEEE Transactions onComputers vol 62 no 3 pp 417ndash427 2013
[2] J H Cui Y Y Zhang Z P Cai et al ldquoSecuring display path forsecurity-sensitive applications on mobile devicesrdquo ComputerMaterials amp Continua vol 55 no 1 pp 17ndash35 2018
[3] S Liu ZCaiHXu andMXu ldquoTowards security-aware virtualnetwork embeddingrdquo Computer Networks vol 91 pp 151ndash1632015
[4] A S Pimpalkar and A R Bhagat Patil ldquoDetection and defensemechanisms against DDoS attacksrdquo in Proceedings of the Inter-national Conference on Innovations in Information Embeddedand Communication Systems pp 1ndash6 IEEE 2015
[5] J R Cheng R M Xu and X Y Tang ldquoAn Abnormal NetworkFlow Feature Sequence Prediction Approach for DDoS AttacksDetection in Big Data Environmentrdquo Computers Materials ampContinua vol 55 no 1 pp 95ndash119 2018
[6] N Hoque D K Bhattacharyya and J K Kalita ldquoBotnet inDDoS attacks trends and challengesrdquo IEEE CommunicationsSurveys amp Tutorials vol 17 no 4 pp 2242ndash2270 2015
[7] K Zeb O Baig and M K Asif ldquoDDoS attacks and counter-measures in cyberspacerdquo in Proceedings of the 2015 2nd WorldSymposium on Web Applications and Networking WSWAN rsquo15pp 1ndash6 IEEE 2015
[8] J Shen Z Gui S Ji J Shen H Tan and Y Tang ldquoCloud-aided lightweight certificateless authentication protocol withanonymity for wireless body area networksrdquo Journal of Networkand Computer Applications vol 106 pp 117ndash123 2018
[9] D Kreutz F M V Ramos P E Verissimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networking acomprehensive surveyrdquo Proceedings of the IEEE vol 103 no 1pp 14ndash76 2015
[10] Z Zhou M Dong K Ota G Wang and L T Yang ldquoEnergy-efficient resource allocation for d2d communications under-laying cloud-ran-based lte-a networksrdquo IEEE Internet of ThingsJournal vol 3 no 3 pp 428ndash438 2016
[11] W Lin S Xu L He and J Li ldquoMulti-resource scheduling andpower simulation for cloud computingrdquo Information Sciencesvol 397-398 pp 168ndash186 2017
[12] W Jiang G Wang M Z A Bhuiyan and J Wu ldquoUnderstand-ing graph-based trust evaluation in online social networksMethodologies and challengesrdquo ACM Computing Surveys vol49 no 1 2016
[13] E Luo Q Liu and G Wang ldquoHierarchical Multi-Authorityand Attribute-Based Encryption Friend Discovery Scheme inMobile Social Networksrdquo IEEE Communications Letters vol 20no 9 pp 1772ndash1775 2016
[14] S Peng A Yang L Cao S Yu and D Xie ldquoSocial influencemodeling using information theory in mobile social networksrdquoInformation Sciences vol 379 pp 146ndash159 2017
[15] T Peng Q Liu D Meng and G Wang ldquoCollaborative tra-jectory privacy preserving scheme in location-based servicesrdquoInformation Sciences vol 387 pp 165ndash179 2017
[16] S M T Nezhad M Nazari and E A Gharavol ldquoA Novel DoSand DDoS Attacks Detection Algorithm Using ARIMA TimeSeriesModel andChaotic System inComputerNetworksrdquo IEEECommunications Letters vol 20 no 4 pp 700ndash703 2016
18 Security and Communication Networks
[17] R. H. Meng, S. G. Rice, and J. Wang, “A Fusion Steganographic Algorithm Based on Faster R-CNN,” Computers, Materials & Continua, vol. 55, no. 1, pp. 1–16, 2018.
[18] L. Sun, Z. Li, Q. Yan, W. Srisa-an, and Y. Pan, “SigPID: significant permission identification for android malware detection,” in Proceedings of the 2016 11th International Conference on Malicious and Unwanted Software (MALWARE ’16), pp. 1–8, Fajardo, Puerto Rico, USA, October 2016.
[19] C. Yuan, X. Li, Q. M. J. Wu, et al., “Fingerprint Liveness Detection from Different Fingerprint Materials Using Convolutional Neural Network and Principal Component Analysis,” CMC: Computers, Materials & Continua, vol. 53, no. 3, pp. 357–371, 2017.
[20] M. I. Jordan and T. M. Mitchell, “Machine learning: trends, perspectives, and prospects,” Science, vol. 349, no. 6245, pp. 255–260, 2015.
[21] Y. Li, G. Wang, L. Nie, Q. Wang, and W. Tan, “Distance metric optimization driven convolutional neural network for age invariant face recognition,” Pattern Recognition, vol. 75, pp. 51–62, 2018.
[22] P. Li, J. Li, Z. Huang, et al., “Multi-key privacy-preserving deep learning in cloud computing,” Future Generation Computer Systems, vol. 74, pp. 76–85, 2017.
[23] T. Li, J. Li, Z. Liu, P. Li, and C. Jia, “Differentially private Naive Bayes learning over multiple data sources,” Information Sciences, vol. 444, pp. 89–104, 2018.
[24] Z. Huang, S. Liu, X. Mao, K. Chen, and J. Li, “Insight of the protection for data security under selective opening attacks,” Information Sciences, vol. 412-413, pp. 223–241, 2017.
[25] C. Gao, Q. Cheng, P. He, W. Susilo, and J. Li, “Privacy-preserving Naive Bayes classifiers secure against the substitution-then-comparison attack,” Information Sciences, vol. 444, pp. 72–88, 2018.
[26] A. Saied, R. E. Overill, and T. Radzik, “Artificial neural networks in the detection of known and unknown DDoS attacks: proof-of-concept,” in Proceedings of PAAMS 2014 International Workshops (PAAMS ’14), Salamanca, Spain, 2014.
[27] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, “An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection,” Pattern Recognition Letters, vol. 51, pp. 1–7, 2015.
[28] Z. Y. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, “A system for denial-of-service attack detection based on multivariate correlation analysis,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 447–456, 2014.
[29] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, “Discriminating DDoS attacks from flash crowds using flow correlation coefficient,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 6, pp. 1073–1080, 2012.
[30] A. Wang, A. Mohaisen, W. Chang, and S. Chen, “Delving into Internet DDoS Attacks by Botnets: Characterization and Analysis,” in Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN ’15, pp. 379–390, 2015.
[31] G. D. Kumar, C. V. G. Rao, M. K. Singh, and F. Ahmad, “Using Jpcap API to monitor, analyze, and report network traffic for DDoS attacks,” in Proceedings of the 14th International Conference on Computational Science and Its Applications, ICCSA ’14, vol. 39, p. 35, 2014.
[32] K. J. Singh, K. Thongam, and T. De, “Entropy-based application layer DDoS attack detection using artificial neural networks,” Entropy, vol. 18, no. 10, 2016.
[33] A. Rukavitsyn, K. Borisenko, and A. Shorov, “Self-learning method for DDoS detection model in cloud computing,” in Proceedings of the 2017 IEEE Russia Section Young Researchers in Electrical and Electronic Engineering Conference, ElConRus ’17, pp. 544–547, 2017.
[34] H. Zhang, Z. Cai, Q. Liu, et al., “A Survey on Security-Aware Measurement in SDN,” Security and Communication Networks, vol. 2018, Article ID 2459154, 14 pages, 2018.
[35] J. Ashraf and S. Latif, “Handling intrusion and DDoS attacks in Software Defined Networks using machine learning techniques,” in Proceedings of the 2014 National Software Engineering Conference, NSEC ’14, pp. 55–60, Karachi, Pakistan, 2014.
[36] I. Mihai-Gabriel and P. Victor-Valeriu, “Achieving DDoS resiliency in a software defined network by intelligent risk assessment based on neural networks and danger theory,” in Proceedings of the 15th IEEE International Symposium on Computational Intelligence and Informatics, CINTI ’14, pp. 319–324, Hungary, 2014.
[37] Q. Yan, Q. Gong, and F. R. Yu, “Effective software-defined networking controller scheduling method to mitigate DDoS attacks,” IEEE Electronics Letters, vol. 53, no. 7, pp. 469–471, 2017.
[38] T. Chin, X. Mountrouidou, X. Li, and K. Xiong, “Selective packet inspection to detect DoS flooding using software defined networking (SDN),” in Proceedings of the 2015 35th IEEE International Conference on Distributed Computing Systems Workshops, ICDCSW ’15, pp. 95–99, 2015.
[39] N. Dayal and S. Srivastava, “Analyzing behavior of DDoS attacks to identify DDoS detection features in SDN,” in Proceedings of the 9th International Conference on Communication Systems and Networks, COMSNETS ’17, pp. 274–281, 2017.
[40] J. Ye, X. Cheng, J. Zhu, L. Feng, and L. Song, “A DDoS Attack Detection Method Based on SVM in Software Defined Network,” Security and Communication Networks, vol. 2018, Article ID 9804061, 8 pages, 2018.
[41] J. Xu, L. Wei, Y. Zhang, A. Wang, F. Zhou, and C. Gao, “Dynamic Fully Homomorphic encryption-based Merkle Tree for lightweight streaming authenticated data structures,” Journal of Network and Computer Applications, vol. 107, pp. 113–124, 2018.
[42] X. Zhang, Y. Tan, C. Liang, Y. Li, and J. Li, “A Covert Channel Over VoLTE via Adjusting Silence Periods,” IEEE Access, vol. 6, pp. 9292–9302, 2018.
[43] Q. Lin, H. Yan, Z. Huang, W. Chen, J. Shen, and Y. Tang, “An ID-based linearly homomorphic signature scheme and its application in blockchain,” IEEE Access, vol. 6, no. 1, pp. 20632–20640, 2018.
[44] Q. Lin, J. Li, Z. Huang, W. Chen, and J. Shen, “A short linearly homomorphic proxy signature scheme,” IEEE Access, vol. 6, pp. 12966–12972, 2018.
[45] J. Cheng, X. Tang, and J. Yin, “A change-point DDoS attack detection method based on half interaction anomaly degree,” International Journal of Autonomous and Adaptive Communications Systems, vol. 10, no. 1, pp. 38–54, 2017.
[46] J. R. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, “DDoS Attack Detection Using IP Address Feature Interaction,” in Proceedings of the 2009 International Conference on Intelligent Networking and Collaborative Systems (INCOS ’09), pp. 113–118, 2009.
[47] J. Cheng, B. Zhang, J. Yin, et al., “DDoS Attack Detection Using Three-State Partition Based on Flow Interaction,” Communications in Computer & Information Science, vol. 29, no. 4, pp. 176–184, 2009.
[48] J. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, “Detecting Distributed Denial of Service Attack Based on Multi-feature Fusion,” in Security Technology, vol. 58, pp. 132–139, 2009.
[49] J. R. Cheng, X. Tang, X. Zhu, and J. Yin, “Distributed denial of service attack detection based on IP Flow Interaction,” in Proceedings of the 2011 International Conference on E-Business and E-Government (ICEE ’11), pp. 1–4, 2011.
[50] J. Cheng, J. Yin, and L. Yun, “Detecting Distributed Denial of Service Attack Based on Address Correlation Value,” Journal of Computer Research & Development, vol. 46, no. 8, pp. 1334–1340, 2009.
[51] J. Cheng, J. Zhou, X. Tang, and J. Shi, “A distributed denial of service attack detection method based on time series prediction model,” Network Security Technology and Application, vol. 10, pp. 71–89, 2016.
[52] A. Rakotomamonjy, F. R. Bach, S. Canu, and Y. Grandvalet, “SimpleMKL,” Journal of Machine Learning Research, vol. 9, no. 3, pp. 2491–2521, 2008.
[53] The Cooperative Association for Internet Data Analysis, “The CAIDA UCSD DDoS Attack 2007,” http://www.caida.org/data/passive/ddos-20070804_dataset.xml.
zombie machines, it is easy for a server to no longer have the ability to provide services to normal users [6]. On the other hand, DDoS attacks are easy to implement. Unlike other network attacks, DDoS attacks require only a large number of zombie machines and a small amount of network security knowledge to launch an effective attack. This easy-to-grasp network attack method makes the DDoS attack more powerful.
At present, under the traditional network environment, methods for defense against DDoS attacks mainly include attack detection and attack response [7]. DDoS attack detection uses attack signatures, congestion patterns, protocols, and source addresses as an important basis for detecting attacks, thereby establishing an effective detection mechanism. The detection model can be roughly divided into two categories: misuse-based detection and anomaly-based detection. Misuse-based detection is a technique based on feature-matching algorithms. It matches the collected and extracted user behavior features with the known feature database of DDoS attacks to identify whether an attack has occurred. Anomaly-based detection is adopted by monitoring systems. By establishing a normal behavior model of the target system and the user, the monitoring systems can determine whether the states of the system and the user's activities deviate from the normal profile and can judge whether there is an attack. The attack response is to properly filter or limit the network traffic after the DDoS attack is initiated. The attack traffic to the target host is reduced as much as possible to mitigate the influence of the denial-of-service attack.
With the rise of cloud computing technologies and software-defined networking (SDN) concepts, DDoS attack detection based on cloud computing environments and software-defined networks has received widespread attention [8, 9]. As a new computing model, cloud computing has powerful distributed computing capabilities, massive storage capabilities, and diverse service capabilities [10, 11]. It has become an important means of solving big data problems [12]. Therefore, establishing a cloud platform system is a necessary measure to effectively ensure cloud computing's reliability, stability, and security [13–15].
In recent years, machine learning has been applied to the field of security [17]. The method of constructing an attack detection model using machine learning has been widely used [18, 19]. The machine-learning method plays an important role in the traditional network environment, the cloud environment, and software-defined network architecture. The reason is that the machine-learning method can deeply mine the important information hidden behind the data and combine prior knowledge to discriminate and predict new data [20]. Therefore, compared with traditional detection methods, machine-learning methods can exhibit better detection accuracy [21–25]. From the above analysis of defense measures, it is known that the defense mechanisms against DDoS in the traditional network environment, the cloud environment, and the software-defined network architecture all involve attack detection. Therefore, studying the use of machine-learning methods to identify DDoS attacks is of great significance. However, the data generated by a DDoS attack is often bursty and diverse, and the background traffic size also has a great impact on the detection model, thereby reducing the model's detection accuracy.
To solve the above problems, we propose a multiple-kernel learning DDoS attack detection method. The method extracts five features and combines two multiple-kernel learning models with adaptive feature weights to recognize attack flows and normal flows. To further improve the accuracy of DDoS attack detection, a sliding window mechanism is employed to coordinate the detection results of the two multiple-kernel learning models. Experiments show that our method can better distinguish DDoS attack flow from normal flow and can detect DDoS attacks earlier.
2. Related Work
DDoS attacks can cause tremendous damage to a network and often subject the attacked party to great economic losses. This is one of the main ways that hackers initiate cyberattacks.
To reduce the damage of DDoS attacks, researchers have proposed a large number of attack detection methods in recent years. According to the application scenario, these methods can be divided into three categories: the detection method in the conventional network environment, the detection method in the cloud environment, and the detection method in the software-defined network (SDN) environment.

(1) The conventional network environment refers to the Internet environment generally established on the open system interconnect (OSI) reference model. In this regard, Saied et al. proposed a method for detecting known and unknown DDoS attacks using artificial neural networks [26]. Bhuyan et al. proposed an empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection [27]. Tan et al. proposed a DDoS attack detection method based on multivariate correlation analysis [28]. Yu et al. proposed a DDoS attack detection method based on the traffic correlation coefficient [29]. Wang et al. conducted an in-depth analysis of the characteristics of DDoS botnets [30]. Kumar et al. used the Jpcap API to monitor and analyze DDoS attacks [31]. Khundrakpam et al. proposed an application-layer DDoS attack detection method combining entropy and an artificial neural network [32].

(2) The cloud environment refers to the network service platform with cloud computing as the core technology. In this regard, Karnwal et al. proposed a defense method for XML DDoS and HTTP DDoS attacks under cloud computing platforms [33]. Sahi et al. proposed a detection and defense method for TCP-flood DDoS attacks in the cloud environment [34]. Rukavitsyn et al. proposed a self-learning DDoS attack detection method in the cloud environment [35].

(3) Software-defined network refers to a new network architecture that adopts OpenFlow as the communication protocol and specifies the data exchange rules of routers and switches through the controller [36]. In this regard, Ashraf used machine learning to detect DDoS attacks in software-defined networks [37]. Mihai-Gabriel proposed an intelligent elastic risk assessment method based on the neural network and risk theory in the SDN environment [38]. Yan et al. proposed an effective controller scheduling method to reduce DDoS attacks in software-defined networks [39]. Chin et al. proposed a selective packet inspection method for detecting DDoS flood attacks under SDN [40]. Dayal et al. analyzed the behavioral characteristics of DDoS attacks under SDN [41]. Ye et al. proposed a method of using SVM to detect DDoS attacks under the SDN environment [42]. Besides the above detection methods used to ensure the security of the system, some efficient cryptography techniques can be applied to achieve privacy of the system [43–46].
In summary, the core issue of DDoS attack detection research is the construction of feature extraction and classification models. The attack detection methods in the above three environments can effectively detect DDoS attacks in their corresponding environments. However, these defense methods do not perform well in detecting early DDoS attacks. In addition, most of these methods use a single feature and do not consider the impact of multidimensional features on the classifier. Therefore, an adaptive DDoS attack detection method is proposed in this paper. Firstly, we design the algorithms to extract five features. Secondly, through an ensemble learning framework, the five features are used to train two multikernel learning models and obtain the adaptive feature weights with a gradient method. Finally, the sliding window mechanism is used to coordinate the two models to improve the detection accuracy.
3. DDoS Attack Feature Extraction
3.1. Analysis of DDoS Attack Behavior. In the cloud environment, the botnets of DDoS attacks have distributed characteristics. Each zombie machine has the ability to independently calculate, send, and process data packets, and the source IP address of the packets can also be forged. These advantages of DDoS attacks make defense more difficult. However, viewed as a time series, the characteristics of data packets generated by DDoS attacks are still quite different from those of normal users. The difference is reflected in the following three aspects.
(1) Asymmetry. A DDoS attack is often caused by multiple zombie hosts sending a large number of packets to a host without the host's response. These useless packets quickly consume the host's service resources so that the host can no longer provide services to other users. With this feature, the DDoS attack behavior is such that a large number of packets are sent to the host from the zombie hosts, and no packets or only a small number of packets are sent from the host to the zombie hosts. The IP data packets often present a situation in which multiple source IP addresses point to the same or several destination IP addresses, which is expressed as the asymmetry of the source IP and the destination IP in sending and receiving.
(2) Interactivity. Assume that there are A (zombie host) and B (attacked host). When an attack occurs, there are two main communication ways: (1) A sends packets to B (denoted as $A \rightarrow B$) and (2) A and B send packets to each other (denoted as $A \leftrightarrow B$). The number of packets sent in the way $A \rightarrow B$ is much greater than the number sent in the way $A \leftrightarrow B$. Therefore, the interactivity of DDoS attack flow differs from that of normal flow in communication direction and amount.
(3) Distribution. According to the characteristics of DDoS attacks, when an attack occurs, the number of hosts that launch the attack is much larger than the number of attacked hosts, and the number of source IP addresses is much larger than the number of destination IP addresses, so the source addresses and the destination addresses have different distribution characteristics. In addition, because DDoS attacks generate useless requests, the host ports accessed by the attack requests are more dispersed than those accessed by normal flows. Therefore, the distribution of the ports is different in normal flows and attack flows.
Due to the limited ability of a single feature to express data, it cannot fully reflect the characteristics of the DDoS attack. Therefore, to effectively express the characteristics of the DDoS attack, this paper selects five feature extraction methods based on the above characteristics, as follows. The address correlation degree (ACD) combines the traffic burstiness, flow asymmetry, and source IP address distribution of a DDoS attack; the IP flow features value (FFV) exploits the asymmetry of attack flows and the distribution of source IP addresses; the IP flow's interaction behavior feature (IBF) uses the different interactivity between normal flows and attack flows on the network; the IP flow multifeature fusion (MFF) exploits the different behavioral characteristics of normal flows and DDoS attack flows and integrates the multiple characteristics of DDoS attack flows; the IP flow address half interaction anomaly degree (HIAD) focuses on the characteristics of aggregated attack flows that are mixed with a large number of normal background flows. To make the feature richer in representation, we refer to several articles and combine the five feature extraction algorithms, removing the less impactful parameters, to form a multidimensional feature for DDoS attack detection [45–51].
3.2. DDoS Attack Feature Extraction. In the cloud environment, assume that network flow $F$ is $\langle (t_1, s_1, d_1, p_1), (t_2, s_2, d_2, p_2), \ldots, (t_n, s_n, d_n, p_n) \rangle$ in a certain unit of time, where $t_i$, $s_i$, $d_i$, and $p_i$ denote the time, source IP address, destination IP address, and the port of the $i$-th ($i = 1, 2, \ldots, n$) data packet, respectively. All data packets which contain source IP address $A_i$ and destination IP address $A_j$ are denoted as class $SD(A_i, A_j)$. All data packets with source IP address $A_i$ are denoted as class $IPS(A_i)$. All data packets with destination IP address $A_j$ are denoted as class $IPD(A_j)$. The packets with source IP address $A_i$ which exist in the class $IPS(A_i)$ and class $IPD(A_i)$ are denoted as $IF(A_i)$. The packets with source IP address $A_i$ which exist in class $IPS(A_i)$ and do not exist in class $IPD(A_i)$ are denoted as $SH(A_i)$. The number of the different ports in $SH(A_i)$ is denoted as $Port(SH(A_i))$. The packets with the destination IP address $A_i$ which do not exist in class $IPS(A_i)$ and exist in class $IPD(A_i)$ are denoted as $DH(A_i)$. The number of the different ports in $DH(A_i)$ is denoted as $Port(DH(A_i))$.

Definition 1. If there are different destination IP addresses $A_j$ and $A_k$ making classes $SD(A_i, A_j)$ and $SD(A_i, A_k)$ both non-null, then delete the class where all source IP address $A_i$ packets reside.

Assume that the last remaining classes are denoted as $ACS_1, ACS_2, \ldots, ACS_m$ and are statistically calculated to gain the ACD. The detailed formulation is as follows:

$$ACD_F = \sum_{i=1}^{m} W(ACS_i) \tag{1}$$

In this part, $W(ACS_i) = \theta_1 Port(ACS_i) + (1 - \theta_1) Packet(ACS_i)$ $(0 < \theta_1 < 1)$, where $Port(ACS_i)$ is the number of different ports in class $ACS_i$, $Packet(ACS_i)$ is the number of data packets in class $ACS_i$, and $\theta_1$ is the weighted value.
Definition 2. If all the packets whose destination IP address is $A_j$ form the unique class $SD(A_i, A_j)$, delete the class where the packet with the destination IP address is $A_j$.

Assume that the last remaining classes are denoted as $SDS_1, SDS_2, \ldots, SDS_l$, all packets in these remaining classes with the destination IP address $A_j$ are denoted as $SDD(A_j)$, and all the classes are denoted as $SDD_1, SDD_2, \ldots, SDD_m$. The FFV is defined as follows:

$$FFV_F = \left( \sum_{i=1}^{m} CIP(SDD_i) - m \right) \tag{2}$$

$CIP(SDD_i)$ in formula (2) is presented as follows:

$$CIP(SDD_i) = Num(SDD_i) + \theta_2 \sum_{j=1}^{Num(SDD_i)} OA(Pack(A_j)) + (1 - \theta_2)\left(OB(Port(SDD_i)) - 1\right) \tag{3}$$

In this equation, $0 \le \theta_2 \le 1$ and $Num(SDD_i)$ is the number of different source IP addresses in $SDD_i$.

$$OA(Pack(A_j)) = \begin{cases} Pack(A_j), & Pack(A_j)/\Delta t > \theta_3 \\ 0, & Pack(A_j)/\Delta t \le \theta_3 \end{cases} \tag{4}$$

$Pack(A_j)$ is the number of source IP addresses $A_j$ in $SDD_i$ and $\theta_3$ is the threshold of the number of packets.

$$OB(Port(SDD_i)) = \begin{cases} Port(SDD_i), & Port(SDD_i)/\Delta t > \theta_4 \\ 0, & Port(SDD_i)/\Delta t \le \theta_4 \end{cases} \tag{5}$$

$Port(SDD_i)$ is the number of different destination ports in $SDD_i$, $\theta_4$ is the threshold of the number of ports, and $\Delta t$ is the sampling time.
Definition 3. Assume that the IF flow is $IF_1, IF_2, \ldots, IF_M$, the SH class is denoted as $SH_1, SH_2, \ldots, SH_S$, and the DH class is denoted as $DH_1, DH_2, \ldots, DH_D$. Then define IBF as follows:

$$IBF = \frac{1}{M + 1} \left( |S - D| + \sum_{i=1}^{S} over(Port(SH_i)) + \sum_{i=1}^{D} over(Port(DH_i)) \right) \tag{6}$$

$$over(x) = \begin{cases} x, & x/\Delta t > \theta_5 \\ 0, & x/\Delta t \le \theta_5 \end{cases}$$

where $\theta_5$ is the threshold of the number of ports, $M$ in formula (6) is the number of IF flows within $\Delta t$, and $|S - D|$ is the absolute value of the difference between the number of source IP addresses and the number of destination IP addresses for all SH and DH flows in $\Delta t$.

Definition 4. Assume that the resulting SD classes are $SD_1, SD_2, \cdots, SD_l$ and IF classes are $IF_1, IF_2, \cdots, IF_M$. The number of packets of source IP address $A_i$ in class $IF_i$ is denoted as $Sn_i$, where $i = 1, 2, \ldots, M$; the number of packets of all interworking flow classes is denoted as $SN$; and the source semi-interactive flow class is denoted as $SH_1, SH_2, \cdots, SH_S$. The number of different ports in class $SH_i$ is denoted as $Port(SH_i)$, where $i = 1, 2, \ldots, S$; the destination semi-interactive class is denoted as $DH_1, DH_2, \cdots, DH_D$; and the number of different ports in class $DH_i$ is denoted as $Port(DH_i)$, where $i = 1, 2, \ldots, D$.

The weighted value of all packets in SH class is defined as follows:

$$Weight_{SH} = \sum_{i=1}^{S} over_{sh}(Packet(SH_i)) \tag{7}$$

The weighted value of all packets in SD classes is defined as follows:

$$Weight_{SD} = \sum_{i=1}^{l} over_{sd}(Packet(SD_i)) \tag{8}$$

The weighted value of the number of packets of network flow $F$ in unit time $T$ is as follows:

$$Weight_{packet} = flag(Weight_{SD})\, Weight_{SD} + Weight_{SD} \tag{9}$$

In these equations,

$$over_{sh}(x) = \begin{cases} x, & x/\Delta t > \theta_6 \\ 0, & x/\Delta t \le \theta_6 \end{cases} \qquad over_{sd}(x) = \begin{cases} x, & x/\Delta t > \theta_7 \\ 0, & x/\Delta t \le \theta_7 \end{cases} \qquad flag(x) = \begin{cases} 0, & x > 0 \\ 1, & x = 0 \end{cases} \tag{10}$$
$\Delta t$ is the sampling time, and $\theta_6$ and $\theta_7$ are SH-type packet number abnormality thresholds. $Packet(SD_i)$ is the number of packets in $SD_i$, $i = 1, 2, \ldots, n$. The weighted value of the number of different ports in the SH and DH classes is as follows:

$$Weight_{port} = \sum_{i=1}^{S} over_p(Port(SH_i)) + \sum_{j=1}^{D} over_p(Port(DH_j)) \tag{11}$$

where

$$over_p(x) = \begin{cases} x, & x/\Delta t > \theta_8 \\ 0, & x/\Delta t \le \theta_8 \end{cases}$$

$\Delta t$ is the sampling time, and $\theta_8$ is the SH-type port number abnormality threshold.

In this part, we define the MFF as follows:

$$MFF_F = \frac{S + Weight_{port} + Weight_{packet}}{M + 1} \tag{12}$$

where

$$f(x) = \begin{cases} x, & x \ge 1 \\ 1, & x \le 1 \end{cases}$$

Definition 5. The number of SH flows with different source IP addresses and the same destination IP address $A_i$ is denoted as $hn_i$. The SH class with the same destination IP address $A_i$ flow is denoted as $HSD(hn_i, A_i)$, where $i = 1, 2, \ldots, n$.

Assume that all HSD classes are $HSD_1, HSD_2, \cdots, HSD_k$ and the number of different destination ports in the class $HSD_i$ is expressed as $Port(HSD_i)$, where $i = 1, 2, \ldots, k$. The HIAD is defined as follows:

$$HIAD_F = \left( \sum_{i=1}^{k} \left( hn_i + weight(Port(HSD_i)) \right) \right) \tag{13}$$

In (13),

$$weight(x) = \begin{cases} x, & x/\Delta t > \theta_9 \\ 0, & x/\Delta t \le \theta_9 \end{cases}$$

$\Delta t$ is the sampling time, and $\theta_9$ is the threshold for different destination ports.
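As an added illustration (not code from the paper), the following Python sketch computes three of the five features, ACD (1), IBF (6), and HIAD (13), over one sampling window of packets, following Definitions 1, 3, and 5 above. It assumes the threshold functions compare the rate $x/\Delta t$ with $\theta$; the packet tuples, addresses, and threshold values are constructed for the example.

```python
from collections import defaultdict

# A packet is (time, src_ip, dst_ip, port), i.e. (t_i, s_i, d_i, p_i) in the text.

def over(x, dt, theta):
    """Threshold helper: keep x only if its rate x/dt exceeds theta (assumed reading)."""
    return x if x / dt > theta else 0

def ports(pkts):
    """Number of different ports in a class of packets."""
    return len({p[3] for p in pkts})

def classify(packets):
    """Split one window into the IF, SH and DH classes, keyed by IP address.

    IF[a]: packets sent by a, where a also receives traffic (interactive flow)
    SH[a]: packets sent by a, where a never receives (source half-interaction)
    DH[a]: packets received by a, where a never sends (destination half-interaction)
    """
    ips, ipd = defaultdict(list), defaultdict(list)
    for pkt in packets:
        ips[pkt[1]].append(pkt)   # class IPS(src)
        ipd[pkt[2]].append(pkt)   # class IPD(dst)
    inter = {a: p for a, p in ips.items() if a in ipd}
    sh = {a: p for a, p in ips.items() if a not in ipd}
    dh = {a: p for a, p in ipd.items() if a not in ips}
    return inter, sh, dh

def ibf(packets, dt, theta5):
    """Interaction behavior feature, formula (6)."""
    inter, sh, dh = classify(packets)
    m, s, d = len(inter), len(sh), len(dh)
    total = abs(s - d)
    total += sum(over(ports(p), dt, theta5) for p in sh.values())
    total += sum(over(ports(p), dt, theta5) for p in dh.values())
    return total / (m + 1)

def acd(packets, theta1):
    """Address correlation degree, formula (1), after the Definition 1 pruning."""
    sd, dsts = defaultdict(list), defaultdict(set)
    for pkt in packets:
        sd[(pkt[1], pkt[2])].append(pkt)   # class SD(src, dst)
        dsts[pkt[1]].add(pkt[2])
    # Definition 1: drop every class of a source that talks to 2+ destinations.
    acs = [p for (src, _), p in sd.items() if len(dsts[src]) == 1]
    return sum(theta1 * ports(p) + (1 - theta1) * len(p) for p in acs)

def hiad(packets, dt, theta9):
    """Half interaction anomaly degree, formula (13)."""
    _, sh, _ = classify(packets)
    srcs, dports = defaultdict(set), defaultdict(set)
    for src, pkts in sh.items():
        for _, _, dst, port in pkts:
            srcs[dst].add(src)     # hn_i: distinct SH sources aimed at dst
            dports[dst].add(port)  # Port(HSD_i): distinct ports hit on dst
    return sum(len(srcs[d]) + over(len(dports[d]), dt, theta9) for d in srcs)

# Constructed sample windows (1 s each). NORMAL: three clients, each answered
# by the server. ATTACK: six one-way sources, three ports each, plus one
# legitimate request/response pair.
SERVER = "10.0.0.9"
NORMAL = [
    (0.0, "10.0.0.1", SERVER, 80), (0.1, SERVER, "10.0.0.1", 80),
    (0.2, "10.0.0.2", SERVER, 80), (0.3, SERVER, "10.0.0.2", 80),
    (0.4, "10.0.0.3", SERVER, 443), (0.5, SERVER, "10.0.0.3", 443),
]
ATTACK = [
    (0.01 * k + 0.001 * j, f"198.51.100.{k}", SERVER, 1000 + 10 * k + j)
    for k in range(1, 7) for j in range(3)
] + [(0.5, "10.0.0.1", SERVER, 80), (0.6, SERVER, "10.0.0.1", 80)]

if __name__ == "__main__":
    for name, win in (("normal", NORMAL), ("attack", ATTACK)):
        print(name, "ACD=%.1f IBF=%.1f HIAD=%d"
              % (acd(win, 0.5), ibf(win, 1.0, 2), hiad(win, 1.0, 2)))
```

In the constructed attack window the server still answers one legitimate client, so it is counted as an interactive (IF) address rather than a DH address; the one-way sources alone drive IBF and HIAD up.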
4. The DDoS Attack Detection Model
The establishment of an attack detection model is an important part of the whole detection process. Based on the behavior of DDoS attacks, we extract the ACD, IBF, MFF, HIAD, and FFV features to express the inherent rules of attack flows. The disadvantages of the current DDoS attack detection models are summarized as follows: (1) some models depend heavily on the selection of the kernel function; (2) some models require data with highly stable values; (3) some models can only fit linear rules, but DDoS attacks can generate linearly inseparable data due to their abrupt, unstable, and stochastic characteristics. Considering that the multiple-kernel learning model has a low requirement for data stability, can be used for nonlinear fitting, and can flexibly treat linear and nonlinear data, this paper proposes an adaptive DDoS attack detection method based on the ensemble learning framework.
4.1. The Multiple-Kernel Learning Model. The multiple-kernel learning (MKL) model is developed from the original single-kernel SVM. A single-kernel SVM uses only one kernel function to map the samples to a high-dimensional space. By comparison, the multiple-kernel learning model uses multiple weighted kernel functions to map the samples to a high-dimensional space. Therefore, it has higher flexibility and adaptability on heterogeneous data.
The multiple-kernel learning is defined as follows: given training set $T = \{(x_1, y_1), (x_2, y_2), \cdots, (x_n, y_n)\}$ and testing set $C = \{x'_1, x'_2, \cdots, x'_s\}$, $x_i \in R^d$, $x'_k \in R^d$, $y_i \in (-1, +1)$, where $R$ is the real-number set, $d$ is the data dimension, $i = 1, 2, \cdots, n$, and $k = 1, 2, \cdots, s$. $K_1(x, x'), K_2(x, x'), \cdots, K_M(x, x')$ are kernel functions in $R^d \times R^d$, and $\phi_1, \phi_2, \cdots, \phi_M$ is a kernel mapping for each function. In the classic multiple-kernel learning SimpleMKL [52], the objective function of the hyperplane is as follows:

$$f(x) = \sum_{m=1}^{M} \left( \omega_m \cdot \phi_m(x) \right) + b \tag{14}$$
where 120596119898 is the weight for each kernel function and 119887 isbias The relaxation factor is 120585 According to the principle ofminimum structure the objective function can be optimizedas follows
min 120595 (120596m 119887 120585 119889) = 12119872sum119898minus1
11198891198981003817100381710038171003817120596m
10038171003817100381710038172Hm+ C
nsumiminus1
120585i (15)
st yi119872summ=1
120596119898 sdot 120593 (119909119894) + yi119887 ge 1 minus 120585119894119872sum119898=1
119889119898 = 1 119889119898 ge 0120585119894 ge 0
(16)
By the two-order alternation optimization, formula (15) can be converted to an optimization problem with $d_m$ as the variable:

$$\min_{d \ge 0}\ J(d), \qquad \sum_{m=1}^{M} d_m = 1 \tag{17}$$

$$\text{s.t.}\quad \min_{\omega_m, b, \xi} = \frac{1}{2} \sum_{m=1}^{M} \frac{1}{d_m} \left\|\omega_m\right\|_{H_m}^{2} + C \sum_{i=1}^{n} \xi_i, \qquad y_i \sum_{m=1}^{M} \omega_m \cdot \varphi(x_i) + y_i b \ge 1 - \xi_i, \quad \xi_i \ge 0 \tag{18}$$
The Lagrange function of $J(d)$ is as follows:

$$L = \frac{1}{2} \sum_{m=1}^{M} \frac{1}{d_m} \left\|\omega_m\right\|_{H_m}^{2} + C \sum_{i=1}^{n} \xi_i + \sum_{i=1}^{m} \alpha_i \left(1 - \xi_i - y_i \sum_{m=1}^{M} \omega_m \cdot \varphi_m(x_i) + y_i b\right) + \sum_{i=1}^{n} \nu_i \xi_i \tag{19}$$

where $\alpha_i$ and $\nu_i$ are Lagrange multipliers. First, the partial derivatives with respect to $\omega_m$, $b$, and $\xi_i$ are calculated. Then the extrema are obtained by setting the partial derivatives to “0”. Finally, the extrema are substituted into the Lagrange function, which can be further changed to
$$\max\ Q(\alpha) = -\frac{1}{2} \sum_{i,j=1}^{m} \alpha_i \alpha_j y_i y_j K_d(x_i, x_j) + \sum_{i=1}^{n} \alpha_i \tag{20}$$

$$\text{s.t.}\quad \sum_{i=1}^{n} \alpha_i y_i = 0, \qquad C \ge \alpha_i \ge 0, \qquad K_d(x_i, x_j) = \sum_{m=1}^{M} d_m k_m(x_i, x_j) \tag{21}$$

The gradient descent method is used to adjust $J(d)$ with respect to $d$: $d$ is updated, and $d$ and $\alpha$ are optimized alternately. Then an optimal solution $\alpha^* = (\alpha_1, \alpha_2, \cdots, \alpha_n)$ is obtained; that is, the original objective function eventually turns into (22). The detailed formulation is as follows:

$$f(x) = \sum_{i=1}^{n} \alpha_i^* y_i \sum_{m=1}^{M} d_m K_d(x_i, x_j) + b \tag{22}$$

where $x_j \in C$. When a test sample $x_j$ is input to $f(x)$, the objective function determines the category of the test data.
4.2. The Attack Detection Model Based on Multiple-Kernel Learning. The SimpleMKL model corresponds to the case in which all the dimension weights are “1”, so it cannot fully exploit the different features. This paper uses feature weights to control the effect of different features on the model. To obtain appropriate feature weights in the SimpleMKL model, we use the gradient method to optimize the weight parameters so that the detection accuracy is further improved.

We denote ACD as $x_1$, IBF as $x_2$, MFF as $x_3$, HIAD as $x_4$, and FFV as $x_5$; the feature value vector is then $F = (x_1, x_2, x_3, x_4, x_5)$, and the weight vector is $W = (w_1, w_2, w_3, w_4, w_5)$. The combinatorial features are $CF = F \ast W^T$. The mean values of the dimensions of the normal flow are $u_{11}, u_{12}, u_{13}, u_{14}$, and $u_{15}$, and the mean values of the dimensions of the attack flow are $u_{21}, u_{22}, u_{23}, u_{24}$, and $u_{25}$.
The interclass mean squared difference is expressed as follows:

$$M = [w_1 \ast (u_{11} - u_{21})]^2 + [w_2 \ast (u_{12} - u_{22})]^2 + [w_3 \ast (u_{13} - u_{23})]^2 + [w_4 \ast (u_{14} - u_{24})]^2 + [w_5 \ast (u_{15} - u_{25})]^2 \tag{23}$$

The normal intraclass variance is denoted

$$S_1 = \sum_{i=1}^{n} \left\{ [w_1 \ast (x_{i1} - u_{11})]^2 + [w_2 \ast (x_{i2} - u_{12})]^2 + [w_3 \ast (x_{i3} - u_{13})]^2 + [w_4 \ast (x_{i4} - u_{14})]^2 + [w_5 \ast (x_{i5} - u_{15})]^2 \right\} \tag{24}$$

The attack intraclass variance is denoted

$$S_2 = \sum_{i=1}^{n} \left\{ [w_1 \ast (x_{i1} - u_{21})]^2 + [w_2 \ast (x_{i2} - u_{22})]^2 + [w_3 \ast (x_{i3} - u_{23})]^2 + [w_4 \ast (x_{i4} - u_{24})]^2 + [w_5 \ast (x_{i5} - u_{25})]^2 \right\} \tag{25}$$
The intraclass variance is $S = S_1 + S_2$. To improve classification accuracy and ensure rapid convergence, on the one hand, we should increase the mean difference between positive and negative samples so that the two kinds of samples are far away from each other; that is, we should increase the $M$ value. On the other hand, we should minimize the differences between samples: the variance corresponding to each dimension should be as small as possible, thus reducing the $S$ value. Therefore, the classification model needs to train two different classifiers to classify the samples. One classifier is interclass mean squared difference growth (M-SMKL), and the other classifier is intraclass variance descent (S-SMKL). In combination with the SimpleMKL framework of formula (15), the above problems can be transformed into (26). The detailed formulation is as follows:
$$\max_{x_{ij} \in F} \alpha M + \min_{x_{ij} \in F} \beta S$$

$$\min\ \psi(\omega_m, b, \xi, d, w) = \frac{1}{2} \sum_{m=1}^{M} \frac{1}{d_m} \left\|\omega_m\right\|_{H_m}^{2} + C \sum_{i=1}^{n} \xi_i \tag{26}$$

$$\text{s.t.}\quad y_i \sum_{m=1}^{M} \omega_m \cdot \varphi(w x_i) + y_i b \ge 1 - \xi_i, \qquad \sum_{m=1}^{M} d_m = 1, \quad d_m \ge 0, \quad \xi_i \ge 0, \quad M < \sigma_1, \quad S > \sigma_1 \tag{27}$$
If $\alpha \gg \beta$, the objective function is M-SMKL. If $\beta \gg \alpha$, the objective function is S-SMKL. $\alpha$ and $\beta$ are converted to the learning rates of formula (35).

To solve the above problems, we obtain the objective function by iteratively updating the weights. The details are as follows. Firstly, the weights of each feature are assigned initial values. Secondly, they are combined with (26) and (27) to obtain the optimal function of the current iteration. The mathematical form is expressed as follows:
$$\max\ Q(\alpha) = -\frac{1}{2} \sum_{i,j=1}^{m} \alpha_i \alpha_j y_i y_j K_d(w x_i, w x_j) + \sum_{i=1}^{n} \alpha_i \tag{28}$$

$$\text{s.t.}\quad \sum_{i=1}^{n} \alpha_i y_i = 0, \qquad C \ge \alpha_i \ge 0, \qquad K_d(w x_i, w x_j) = \sum_{m=1}^{M} d_m k_m(w x_i, w x_j) \tag{29}$$

The optimal equation obtained using (28) and (29) is as follows:

$$f(x) = \sum_{i=1}^{n} \alpha_i^* y_i \sum_{m=1}^{M} d_m K_d(w x_i, w x_j) + b \tag{30}$$
To further determine whether the optimal equation has achieved good results, this paper sets two constraint conditions, for M-SMKL and S-SMKL respectively, that do not conflict with the constraint conditions of formula (27). These constraint conditions are expressed as follows.

The constraint conditions of M-SMKL are as follows:

$$
\begin{aligned}
& t_1 < \left|M_{i+1} - M_i\right| < t_2 < \left|M_i - M_{i-1}\right| < t_3 \\
& f(M_i) f(S_i) - f(M_{i-1}) f(S_{i-1}) > p_1 \\
& f(M_i) f(S_i) - f(M_{i+1}) f(S_{i+1}) > p_2
\end{aligned}
\tag{31}
$$

The constraint conditions of S-SMKL are as follows:

$$
\begin{aligned}
& t_4 < \left|S_i - S_{i-1}\right| < t_5 < \left|S_{i+1} - S_i\right| < t_6 \\
& f(M_i) f(S_i) - f(M_{i-1}) f(S_{i-1}) > p_3 \\
& f(M_i) f(S_i) - f(M_{i+1}) f(S_{i+1}) > p_4
\end{aligned}
\tag{32}
$$
where the values of $p_1$, $p_2$, $p_3$, and $p_4$ are close to “0”, the values of $t_1$, $t_2$, and $t_3$ are close to “1”, and the values of $t_4$, $t_5$, and $t_6$ are close to “7.5”. If the constraint condition is satisfied, the algorithm stops and formula (30) becomes the optimal function; otherwise, each dimension weight is updated iteratively. The gradients of $M$ and $S$ with respect to each dimension weight are as follows:

$$
\begin{aligned}
\frac{\partial M}{\partial w_1} &= 2 w_1 (u_{11} - u_{21})^2 \\
\frac{\partial M}{\partial w_2} &= 2 w_2 (u_{12} - u_{22})^2 \\
\frac{\partial M}{\partial w_3} &= 2 w_3 (u_{13} - u_{23})^2 \\
\frac{\partial M}{\partial w_4} &= 2 w_4 (u_{14} - u_{24})^2 \\
\frac{\partial M}{\partial w_5} &= 2 w_5 (u_{15} - u_{25})^2
\end{aligned}
\tag{33}
$$

$$
\begin{aligned}
\frac{\partial S}{\partial w_1} &= 2 \left[ w_1 \left( \sum_{i=1}^{n_1} x_{11}^2 - n_1 u_{11}^2 \right) + w_1 \left( \sum_{i=1}^{n_2} x_{21}^2 - n_2 u_{21}^2 \right) \right] \\
\frac{\partial S}{\partial w_2} &= 2 \left[ w_2 \left( \sum_{i=1}^{n_1} x_{12}^2 - n_1 u_{12}^2 \right) + w_2 \left( \sum_{i=1}^{n_2} x_{22}^2 - n_2 u_{22}^2 \right) \right] \\
\frac{\partial S}{\partial w_3} &= 2 \left[ w_3 \left( \sum_{i=1}^{n_1} x_{13}^2 - n_1 u_{13}^2 \right) + w_3 \left( \sum_{i=1}^{n_2} x_{23}^2 - n_2 u_{23}^2 \right) \right] \\
\frac{\partial S}{\partial w_4} &= 2 \left[ w_4 \left( \sum_{i=1}^{n_1} x_{14}^2 - n_1 u_{14}^2 \right) + w_4 \left( \sum_{i=1}^{n_2} x_{24}^2 - n_2 u_{24}^2 \right) \right] \\
\frac{\partial S}{\partial w_5} &= 2 \left[ w_5 \left( \sum_{i=1}^{n_1} x_{15}^2 - n_1 u_{15}^2 \right) + w_5 \left( \sum_{i=1}^{n_2} x_{25}^2 - n_2 u_{25}^2 \right) \right]
\end{aligned}
\tag{34}
$$
where $n_1$ is the number of the normal flow feature of the training sample and $n_2$ is the number of the attack flow feature of the training sample. According to the gradients in (33) and (34), the weight of each dimension is updated as in (35):

$$
\begin{aligned}
w_1 &= w_1 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_1} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_1} \\
w_2 &= w_2 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_2} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_2} \\
w_3 &= w_3 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_3} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_3} \\
w_4 &= w_4 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_4} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_4} \\
w_5 &= w_5 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_5} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_5}
\end{aligned}
\tag{35}
$$

where $lr_1$ is the learning rate of gradient ascent and $lr_2$ is the learning rate of gradient descent; $lr_1$ has the same function as $\alpha$, and $lr_2$ has the same function as $\beta$. Each updated weight is multiplied by the corresponding original feature, and the next round of iteration is carried out.

Figure 1: Flow chart of multiple-kernel learning training process based on ensemble learning. [Flow chart with two parallel branches that both start from the multidimension data with initial weights. M-SMKL branch: increase M to update the weights of the different dimensions with gradient ascent; multiply the updated weights and the training dataset, update and improve the core parameters of M-SMKL; if the constraint conditions of M-SMKL are met (Yes), end M-SMKL training, otherwise (No) repeat. S-SMKL branch: decrease S to update the weights of the different dimensions with gradient descent; multiply the updated weights and the training dataset, update and decrease the core parameters of S-SMKL; if the constraint conditions of S-SMKL are met (Yes), end S-SMKL training, otherwise (No) repeat.]
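The weight update of equations (23)–(25) and (33)–(35), written out as an added Python example (it is not the authors' MATLAB/C code). The flow samples, the learning rates, the fixed number of rounds that stands in for the stopping conditions (31)/(32), and all function names are assumptions made for this illustration.

```python
"""Feature-weight update of equations (23)-(25) and (33)-(35) on constructed data."""
import random


def column_means(rows):
    """Per-dimension mean of one class (u_1k for normal flow, u_2k for attack flow)."""
    n = len(rows)
    return [sum(r[k] for r in rows) / n for k in range(len(rows[0]))]


def interclass_m(w, normal, attack):
    """Equation (23): M = sum_k [w_k * (u_1k - u_2k)]^2."""
    u1, u2 = column_means(normal), column_means(attack)
    return sum((wk * (a - b)) ** 2 for wk, a, b in zip(w, u1, u2))


def intraclass_s(w, normal, attack):
    """Equations (24)-(25): S = S1 + S2, each class measured around its own mean."""
    total = 0.0
    for rows in (normal, attack):
        u = column_means(rows)
        total += sum((wk * (x - uk)) ** 2
                     for r in rows for wk, x, uk in zip(w, r, u))
    return total


def grad_m(w, normal, attack):
    """Equation (33): dM/dw_k = 2 * w_k * (u_1k - u_2k)^2."""
    u1, u2 = column_means(normal), column_means(attack)
    return [2 * wk * (a - b) ** 2 for wk, a, b in zip(w, u1, u2)]


def grad_s(w, normal, attack):
    """Equation (34): dS/dw_k = 2 * w_k * sum over both classes of (sum x^2 - n * u^2)."""
    g = [0.0] * len(w)
    for rows in (normal, attack):
        u, n = column_means(rows), len(rows)
        for k in range(len(w)):
            g[k] += 2 * w[k] * (sum(r[k] ** 2 for r in rows) - n * u[k] ** 2)
    return g


def update_weights(w, normal, attack, lr1, lr2):
    """Equation (35): ascend M with rate lr1 and descend S with rate lr2.

    M and S are quadratic in w_k, so one step rescales each weight by
    1 + 4*lr1*(u_1k - u_2k)^2 - 4*lr2*scatter_k: a dimension grows only if its
    class separation outweighs its within-class scatter at the chosen rates.
    """
    gm, gs = grad_m(w, normal, attack), grad_s(w, normal, attack)
    return [wk + 2 * lr1 * a - 2 * lr2 * b for wk, a, b in zip(w, gm, gs)]


def train_weights(normal, attack, lr1, lr2, rounds):
    """Iterate equation (35) from all-ones weights for a fixed number of rounds
    (assumption: the paper stops on conditions (31)/(32) instead)."""
    w = [1.0] * len(normal[0])
    for _ in range(rounds):
        w = update_weights(w, normal, attack, lr1, lr2)
    return w


def make_flows(seed=7, n=40):
    """Constructed 5-feature samples in the order ACD, IBF, MFF, HIAD, FFV."""
    rng = random.Random(seed)
    gap = [0.6, 0.3, 0.3, 0.8, 0.1]         # constructed class-mean separation
    noise = [0.05, 0.20, 0.05, 0.10, 0.30]  # constructed per-dimension spread
    normal = [[rng.gauss(0.1, s) for s in noise] for _ in range(n)]
    attack = [[rng.gauss(0.1 + g, s) for g, s in zip(gap, noise)] for _ in range(n)]
    return normal, attack


if __name__ == "__main__":
    normal, attack = make_flows()
    weights = train_weights(normal, attack, lr1=1e-2, lr2=5e-4, rounds=50)
    print("weights after 50 rounds:", [round(x, 3) for x in weights])
```
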
4.3. Framework of Multiple-Kernel Learning Detection Based on Ensemble Learning. We input the multidimensional data with weights and set the learning rates. Then two different classifiers are trained: M-SMKL is trained mainly by increasing the M value and secondarily by reducing the S value, and S-SMKL is trained mainly by reducing the S value and secondarily by increasing the M value. During the training process, the M value and the S value are constantly updated by gradient ascent and gradient descent until the constraint conditions are met. The flowchart is provided in Figure 1.

The detection process is as follows: firstly, the test data are multiplied with the two different weight vectors that were trained earlier; secondly, the calculated data are input to the corresponding M-SMKL and S-SMKL models; finally, we use the sliding window mechanism to coordinate the two kinds of models. The sliding window mechanism is described as follows. Firstly, a sliding window with a size of $n$ is created. Secondly, the trained M-SMKL classifies the test data and obtains the first classification results; the trained S-SMKL classifies the test data and obtains the second classification results. Finally, four ways are used to cooperatively treat the first classification results and the second classification results. The details are as follows: (1) if M-SMKL and S-SMKL both identify the current data category as normal, the current data category is judged to be normal; (2) if M-SMKL and S-SMKL both identify the current data category as attack, the current data category is judged to be attack; (3) if M-SMKL identifies the current data category as normal but S-SMKL identifies it as attack, the current data category is judged to be attack; (4) if M-SMKL identifies the current data category as attack but S-SMKL identifies it as normal, then consider the following. Step 1: Move the starting point of the sliding window to the current position of the test data in the first classification results and map the end point of the sliding window to the $n-1$ position of the first classification results. Step 2: If the results in the sliding window are all attack, the current data category is judged to be attack; otherwise, the current data category is judged to be normal. The flow chart is provided in Figure 2.
The reason for training two kinds of SMKL is that S-SMKL focuses on reducing the difference between the data of each dimension and can assemble the two types of samples in their respective central positions. However, S-SMKL does not consider the location of the two sample-center points. Although a better classification feature can be maintained on the whole, it is impossible to identify DDoS attacks earlier because the center distance of the normal flow and attack flow is small. M-SMKL focuses on the difference between the two types of data centers and maximizes the distance between the two types of sample centers, making the two kinds of samples as separate as possible. M-SMKL can expand the distance between the classes so that the attack flow can be identified earlier, but it makes the intraclass data dispersed, causing faulty results. Therefore, the sliding window mechanism is adopted to coordinate the two models to detect early DDoS attacks accurately.

Figure 2: Flow chart of multiple-kernel learning detection process based on ensemble learning. [Flow chart: the initial data are multiplied with the new weights of S-SMKL and with the new weights of M-SMKL; the test set is classified with S-SMKL and with M-SMKL, giving classify result 1 and classify result 2; the slide window process combines them into the final predicted result.]
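The four-case coordination rule and the sliding window of this section, as an added Python example that is not the authors' implementation, scored with DR, FR and ER as the paper defines them in equation (36). The label encoding, the verdict sequences (constructed) and the reading of the window as positions i to i+n−1 of the M-SMKL results, truncated at the end of the sequence, are assumptions.

```python
"""Sliding-window coordination of M-SMKL and S-SMKL verdicts (Section 4.3)."""

ATTACK, NORMAL = 1, 0  # label encoding chosen for this example


def fuse(m_results, s_results, window=8):
    """Combine the per-sample verdicts of the two classifiers into final verdicts.

    Assumed reading of case (4): the window covers M-SMKL results
    i .. i+window-1 and is truncated at the end of the sequence.
    """
    if len(m_results) != len(s_results):
        raise ValueError("both classifiers must score the same samples")
    if window < 1:
        raise ValueError("window must be at least 1")
    final = []
    for i, (m, s) in enumerate(zip(m_results, s_results)):
        if m == s:             # cases (1) and (2): the classifiers agree
            final.append(m)
        elif s == ATTACK:      # case (3): only S-SMKL reports an attack
            final.append(ATTACK)
        else:                  # case (4): only M-SMKL reports an attack
            span = m_results[i:i + window]
            final.append(ATTACK if all(r == ATTACK for r in span) else NORMAL)
    return final


def rates(predicted, truth):
    """DR, FR and ER of equation (36), keeping the paper's naming:
    TP/FP count normal samples marked correctly/incorrectly,
    TN/FN count attack samples marked correctly/incorrectly."""
    pairs = list(zip(predicted, truth))
    tp = sum(1 for p, t in pairs if t == NORMAL and p == NORMAL)
    fp = sum(1 for p, t in pairs if t == NORMAL and p == ATTACK)
    tn = sum(1 for p, t in pairs if t == ATTACK and p == ATTACK)
    fn = sum(1 for p, t in pairs if t == ATTACK and p == NORMAL)
    total = tp + fp + tn + fn
    dr = tn / (tn + fn) if tn + fn else 0.0
    fr = fp / (tp + fp) if tp + fp else 0.0
    er = (fn + fp) / total if total else 0.0
    return dr, fr, er


# Constructed verdicts: 12 normal samples followed by 16 attack samples.
TRUTH = [NORMAL] * 12 + [ATTACK] * 16
# M-SMKL flags the attack from its first sample but raises scattered false alarms.
M_SMKL = [0, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0] + [ATTACK] * 16
# S-SMKL raises no false alarm but misses the first five attack samples.
S_SMKL = [NORMAL] * 12 + [NORMAL] * 5 + [ATTACK] * 11

if __name__ == "__main__":
    for name, verdicts in (("M-SMKL", M_SMKL), ("S-SMKL", S_SMKL),
                           ("fused", fuse(M_SMKL, S_SMKL))):
        dr, fr, er = rates(verdicts, TRUTH)
        print(f"{name:7s} DR={dr:.4f} FR={fr:.4f} ER={er:.4f}")
```

Under this reading, case (4) looks at M-SMKL results that follow the current sample, so an online deployment has to buffer window−1 further results before it can emit that verdict.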
5 Experimental Analysis
5.1. Experimental Data Sets and Evaluation Standards. The data set used for this experiment is the CAIDA “DDoS Attack 2007” data set [53]. This data set contains anonymized traffic of a Distributed Denial of Service (DDoS) attack lasting approximately one hour on August 4, 2007. The total size of the data set is 21 GB, which accounts for approximately one hour (20:50:08 UTC–21:56:16 UTC). Attacks began around 21:13, causing the network load to grow rapidly (in minutes) from approximately 200 kbits/s to 80 megabits/s. The one hour of attack traffic is divided into 5-minute files and stored in PCAP format. The contents of this data set are TCP network traffic packets. Each TCP packet contains the source address, destination address, source port, destination port, packet size, and protocol type. The duration of normal flow data used in this paper is 2 minutes in total, and the duration of attack data is 5 minutes in total.

The hardware adopted is a computer with 8 GB of memory, an Intel Core i7 processor, and a Windows 10 64-bit system; the development environment is MATLAB 2014a and Codeblocks 10.05. The evaluation criteria used in this paper consist of the detection rate (DR), the false alarm rate (FR), and the total error rate (ER).
Assume that TP indicates the number of normal test samples that are correctly marked, FP indicates the number of normal test samples that have been incorrectly marked, TN indicates the number of attack test samples that are correctly marked, and FN indicates the number of attack test samples that have been incorrectly marked.

$$DR = \frac{TN}{TN + FN}, \qquad FR = \frac{FP}{TP + FP}, \qquad ER = \frac{FN + FP}{TP + FP + TN + FN} \tag{36}$$
We used the above five feature extraction algorithms to extract features from the data set. The extracted feature values are normalized and used as a training set. The data in the training set can be regarded as the regularity of the change in network traffic. Network traffic has an abrupt and volatile nature. Therefore, although the collected network data have similarities with the conventional ones, they still have a certain degree of difference. To simulate this phenomenon and verify the effectiveness of the presented method, three types of data are generated as follows: (1) normal flow feature values and attack flow feature values are multiplied by a random number; (2) only the attack flow feature values are multiplied by a random number; and (3) only the normal flow feature values are multiplied by a random number.
Figure 3: The ACD feature graph of DDoS attack flow and normal flow. [Plot of the ACD feature value against time (s), 0–300 s; series: the DDoS attack feature value and the normal feature value.]

Figure 4: The IBF feature graph of DDoS attack flow and normal flow. [Plot of the IBF feature value against time (s), 0–300 s; series: the DDoS attack feature value and the normal feature value.]
5.2. Experimental Results and Analysis. Five features are used to extract feature data from attack data and normal data, and positive as well as negative sample sets are obtained. The sampling time is set to 1 s, and the remaining parameters of the five feature extraction methods are set as follows: $\theta_1 = 0.5$, $\theta_2 = 0.5$, $\theta_3 = 3$, $\theta_4 = 3$, $\theta_5 = 3$, $\theta_6 = 3$, $\theta_7 = 3$, $\theta_8 = 3$, and $\theta_9 = 3$. The total number of normal feature values is 211, and the total number of attack feature values is 280. Figures 3–9 illustrate the feature values extracted by the five algorithms.

As illustrated in Figure 3, the early attack feature values of the DDoS attack are close to the normal feature values. This is because there are a large number of bidirectional flows in the early stage of the DDoS attack, and these bidirectional flows gradually decrease with the increase of the attack degree.
Figure 5: The FFV feature graph of DDoS attack flow and normal flow. [Plot of the FFV feature value against time (s), 0–300 s; series: the DDoS attack feature value and the normal feature value.]

Figure 6: The ACD feature graph of DDoS attack flow and normal flow in the first 10 seconds. [Plot of the ACD feature value against time (s), 0–10 s; series: the DDoS attack feature value and the normal feature value.]
Therefore, after 70 seconds the ACD feature significantly reflects the difference between the attack flow and the normal flow. ACD can reflect the difference between normal flow and attack flow the earliest.

As illustrated in Figure 4, compared with ACD, although IBF does not recognize the attack flow earlier, the distribution range of its feature values is more uniform and presents a certain degree of volatility. This makes the feature less susceptible to individual outliers.

As illustrated in Figure 5, the FFV feature is very similar to the ACD, but, as illustrated in Figures 6 and 7, in the initial stage the FFV is more capable of reflecting the difference between the attack flow and the normal flow than the ACD is.
Figure 7: The FFV feature graph of DDoS attack flow and normal flow in the first 10 seconds. [Plot of the FFV feature value against time (s), 0–10 s; series: the DDoS attack feature value and the normal feature value.]

Figure 8: The MFF feature graph of DDoS attack flow and normal flow. [Plot of the MFF feature value against time (s), 0–300 s; series: the DDoS attack feature value and the normal feature value.]
As illustrated in Figure 8, although the MFF feature cannot determine the attack flow and the normal flow as early as possible, it can make the feature values of the attack stage more stable so that it can avoid the outliers of attack flows.

As illustrated in Figure 9, it can be seen from the value of the ordinate that the HIAD best reflects the difference between the normal flow and the attack flow while having better stability in the latter half of the attack flow. After the early data, this feature can greatly distinguish between normal flow and abnormal flow, influence the classifier more, and make better decisions.
Figure 9: The HIAD feature graph of DDoS attack flow and normal flow. [Plot of the HIAD feature value (×10^4) against time (s), 0–300 s; series: the DDoS attack feature value and the normal feature value.]

In summary, all five features have their own unique characteristics. To make full use of the characteristics of each feature, the feature values extracted by these five algorithms are used together as a five-dimensional-feature data set. Using these five feature values as training sets, two multiple-kernel learning models, dominated by gradient ascent and gradient descent respectively, are trained, and the corresponding five-dimensional feature weight vectors are obtained. Finally, according to the framework of Figure 2, the classification results of the test set are obtained and are used to verify the effectiveness of the method. The parameters of M-SMKL are set as follows: $lr_1 = 2 \ast 10^{-5}$, $lr_2 = 2 \ast 10^{-3}$, $t_1 = 1.0021$, $t_2 = 1.0065$, $t_3 = 1.007$, $p_1 = 0.000084$, and $p_2 = 0.000001$. The parameters of S-SMKL are set as follows: $lr_1 = 2 \ast 10^{-5}$, $lr_2 = 2 \ast 10^{-2}$, $t_4 = 7.3425$, $t_5 = 7.8340$, $t_6 = 7.8350$, $p_3 = 0.000775$, and $p_4 = 0.000680$. The size of the sliding window is 8. The parameters for multiple-kernel learning are all default values, and the kernel functions include two Gaussian functions and two polynomial functions. The SVM parameters are all default values, and the kernel function is a linear function. The experimental results are illustrated in Figures 10–18.
As shown in Figures 10–18, under the three types of experiments and according to the three evaluation criteria, the overall performance of the algorithms from the highest to the lowest is the ADADM, the SVM method, the SMKL method, and Nezhad et al.’s method [16].
This is because, although the method described by Nezhad et al. [16] is visibly superior to the other methods in terms of the DR indicator, it is far worse than the other methods with respect to the other indicators. The reason is that the Nezhad et al. [16] method relies excessively on the first reference point. When the first reference point fluctuates, this method easily recognizes some normal samples as attack samples.

Although the classification accuracy of the attack samples is high, a large number of normal samples are misjudged, so this method is superior in terms of DR while its other indicators are inferior to those of the other methods. This is why, in this case, the Nezhad et al. [16] method performs the worst. The effect of SVM is generally better than that of the SMKL method because, although the SMKL method coordinates multiple kernel functions to map the samples to a high-dimensional Hilbert space, the linear kernel function is obviously more suitable for the samples. Using the linear kernel, SVM can establish a better hyperplane than the SMKL method to identify the data containing early DDoS attacks. However, although the multiple-kernel learning method does not use a linear kernel function that is more suitable for the sample space, it can still maintain high accuracy, indicating that multiple-kernel learning has a lower dependence on the selection of kernel functions than the single-kernel SVM.

Figure 10: The DR contrast diagram of four algorithms for scaling attack flow and normal flow. [Plot of the DR value against the value of the multiplier, 0.6–0.7 to 4.0–5.0; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]

Figure 11: The ER contrast diagram of four algorithms for scaling attack flow and normal flow. [Plot of the ER value against the value of the multiplier, 0.6–0.7 to 4.0–5.0; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]

Figure 12: The FR contrast diagram of four algorithms for scaling attack flow and normal flow. [Plot of the FR value against the value of the multiplier, 0.6–0.7 to 4.0–5.0; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]

Figure 13: The DR contrast diagram of four algorithms for narrowing the attack flow. [Plot of the DR value against the value of the multiplier, 0.1–0.2 to 0.9–1.0; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]
We compared the ADADM to the SVM method. The ADADM method uses the same kernel functions as the SMKL method. Because the multikernel learning method is flexible and adaptable, it is possible to continuously optimize the hyperplane by adjusting the weights of the feature of each dimension to recognize the DDoS attack as early as possible. Attack flow data and normal flow data are located on both sides of the hyperplane.

Figure 14: The ER contrast diagram of four algorithms for narrowing the attack flow. [Plot of the ER value against the value of the multiplier, 0.1–0.2 to 0.9–1.0; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]

Figure 15: The FR contrast diagram of four algorithms for narrowing the attack flow. [Plot of the FR value against the value of the multiplier, 0.1–0.2 to 0.9–1.0; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]
In addition, using the idea of ensemble learning to train two different classifiers and using the sliding window mechanism to further synthesize the advantages of each classifier improves the algorithm’s performance in the three types of experiments. The method we propose outperforms not only the SVM method but also the other methods of DDoS attack detection. The experimental data are presented in Tables 1, 2, and 3.

Figure 16: The DR contrast diagram of four algorithms for amplifying the normal flow. [Plot of the DR value against the value of the multiplier, 1.0–1.5 to 5.0–5.5; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]

Figure 17: The ER contrast diagram of four algorithms for amplifying the normal flow. [Plot of the ER value against the value of the multiplier, 1.0–1.5 to 5.0–5.5; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]
Table 1: Comparison results of four algorithms for scaling attack flow and normal flow. Columns give the value of the random multiplier.

| Method | Metric | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.1 | 1.0–1.5 | 1.5–2.0 | 2.0–3.0 | 3.0–4.0 | 4.0–5.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.57 | 78.57 | 78.57 | 78.57 | 78.21 | 78.21 | 78.21 | 78.21 | 78.57 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 12.22 | 12.22 | 12.22 | 12.22 | 12.42 | 12.42 | 12.42 | 12.42 | 12.22 |
| SimpleMKL method | DR (%) | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 77.50 | 77.50 | 77.86 | 77.86 | 76.79 | 77.50 | 77.86 | 76.79 | 77.86 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 12.83 | 12.83 | 12.63 | 12.63 | 13.24 | 12.83 | 12.63 | 13.24 | 12.63 |
| Nezhad et al.’s [16] method | DR (%) | 98.21 | 97.85 | 98.21 | 97.85 | 98.21 | 98.21 | 98.21 | 97.85 | 98.21 |
| | FR (%) | 74.29 | 74.76 | 74.29 | 74.76 | 75.71 | 74.29 | 74.29 | 74.29 | 72.38 |
| | ER (%) | 32.92 | 33.33 | 32.92 | 33.33 | 33.54 | 32.92 | 32.92 | 33.13 | 32.11 |

Table 2: Comparison results of four algorithms for narrowing the attack flow. Columns give the value of the random multiplier.

| Method | Metric | 0.1–0.2 | 0.2–0.3 | 0.3–0.4 | 0.4–0.5 | 0.5–0.6 | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.21 | 78.21 | 78.21 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 |
| | FR (%) | 10.99 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 17.15 | 13.04 | 12.42 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 |
| SimpleMKL method | DR (%) | 75.71 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| | FR (%) | 22.75 | 4.74 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 23.63 | 15.48 | 14.05 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 76.07 | 77.14 | 77.50 | 77.86 | 77.50 | 77.86 | 77.86 | 77.50 | 77.86 |
| | FR (%) | 22.75 | 4.74 | 1.42 | 0.47 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 23.42 | 15.07 | 13.44 | 12.83 | 12.83 | 12.63 | 12.63 | 12.83 | 12.63 |
| Nezhad et al.’s [16] method | DR (%) | 97.13 | 97.85 | 98.57 | 98.21 | 98.57 | 98.57 | 98.21 | 98.21 | 97.85 |
| | FR (%) | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 |
| | ER (%) | 33.54 | 33.13 | 32.72 | 32.92 | 32.72 | 32.72 | 32.92 | 32.92 | 33.13 |

Table 3: Comparison results of four algorithms for amplifying the normal flow. Columns give the value of the random multiplier.

| Method | Metric | 1.0–1.5 | 1.5–2.0 | 2.0–2.5 | 2.5–3.0 | 3.0–3.5 | 3.5–4.0 | 4.0–4.5 | 4.5–5.0 | 5.0–5.5 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.47 | 1.42 | 1.90 | 4.74 | 6.64 | 10.43 |
| | ER (%) | 12.02 | 12.02 | 12.02 | 12.22 | 12.63 | 12.83 | 14.05 | 14.87 | 16.50 |
| SimpleMKL method | DR (%) | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 |
| | FR (%) | 0.01 | 0.01 | 0.47 | 1.42 | 4.27 | 6.64 | 10.90 | 17.06 | 21.80 |
| | ER (%) | 13.04 | 13.04 | 13.24 | 13.65 | 14.87 | 15.89 | 17.72 | 20.37 | 22.40 |
| SVM method | DR (%) | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 |
| | FR (%) | 0.01 | 0.01 | 0.95 | 1.42 | 3.79 | 8.06 | 11.85 | 18.01 | 22.75 |
| | ER (%) | 12.63 | 12.63 | 13.04 | 13.24 | 14.26 | 16.09 | 17.72 | 20.37 | 22.40 |
| Nezhad et al.’s [16] method | DR (%) | 97.49 | 97.13 | 97.13 | 97.13 | 96.77 | 96.77 | 96.77 | 96.77 | 96.77 |
| | FR (%) | 65.24 | 65.24 | 66.19 | 66.67 | 66.67 | 66.67 | 67.14 | 67.14 | 67.62 |
| | ER (%) | 29.47 | 29.67 | 30.08 | 30.28 | 30.49 | 30.49 | 30.69 | 30.69 | 30.90 |

Figure 18: The FR contrast diagram of four algorithms for amplifying the normal flow. [Plot of the FR value against the value of the multiplier, 1.0–1.5 to 5.0–5.5; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]

6 Conclusion

In this paper, five-dimensional features are defined for describing the burstiness of DDoS attack flows, the distribution of IP source addresses, and the interactivity of DDoS attack flows. Based on the five-dimensional features and the ensemble learning framework, adaptive feature weights are obtained, and the M-SMKL and S-SMKL multiple-kernel learning models are trained to detect DDoS attacks. To identify early attacks effectively, the sliding window mechanism is used to coordinate the S-SMKL and the M-SMKL in dealing with the detection results. Experimental results show that, compared with similar methods, our method can produce more accurate results for detecting early DDoS attacks.
In the follow-up work we will further study how totransform the multidimensional weight adaptive problembased onmultiple-kernel learning into a convex optimizationproblem and improve the detection rate and convergencespeed of the method
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
There are no conflicts of interest in this paper.
Acknowledgments
This work was supported by the Hainan Provincial Natural Science Foundation of China [2018CXTD333, 617048], the National Natural Science Foundation of China [61762033, 61702539], Hainan University Doctor Start Fund Project [kyqd1328], and Hainan University Youth Fund Project [qnjj1444].
References
[1] Z. Cai, Z. Wang, K. Zheng, and J. Cao, “A Distributed TCAM coprocessor architecture for integrated longest prefix matching, policy filtering, and content filtering,” IEEE Transactions on Computers, vol. 62, no. 3, pp. 417–427, 2013.
[2] J. H. Cui, Y. Y. Zhang, Z. P. Cai et al., “Securing display path for security-sensitive applications on mobile devices,” Computer Materials & Continua, vol. 55, no. 1, pp. 17–35, 2018.
[3] S. Liu, Z. Cai, H. Xu, and M. Xu, “Towards security-aware virtual network embedding,” Computer Networks, vol. 91, pp. 151–163, 2015.
[4] A. S. Pimpalkar and A. R. Bhagat Patil, “Detection and defense mechanisms against DDoS attacks,” in Proceedings of the International Conference on Innovations in Information, Embedded and Communication Systems, pp. 1–6, IEEE, 2015.
[5] J. R. Cheng, R. M. Xu, and X. Y. Tang, “An Abnormal Network Flow Feature Sequence Prediction Approach for DDoS Attacks Detection in Big Data Environment,” Computers, Materials & Continua, vol. 55, no. 1, pp. 95–119, 2018.
[6] N. Hoque, D. K. Bhattacharyya, and J. K. Kalita, “Botnet in DDoS attacks: trends and challenges,” IEEE Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2242–2270, 2015.
[7] K. Zeb, O. Baig, and M. K. Asif, “DDoS attacks and countermeasures in cyberspace,” in Proceedings of the 2015 2nd World Symposium on Web Applications and Networking, WSWAN ’15, pp. 1–6, IEEE, 2015.
[8] J. Shen, Z. Gui, S. Ji, J. Shen, H. Tan, and Y. Tang, “Cloud-aided lightweight certificateless authentication protocol with anonymity for wireless body area networks,” Journal of Network and Computer Applications, vol. 106, pp. 117–123, 2018.
[9] D. Kreutz, F. M. V. Ramos, P. E. Verissimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, “Software-defined networking: a comprehensive survey,” Proceedings of the IEEE, vol. 103, no. 1, pp. 14–76, 2015.
[10] Z. Zhou, M. Dong, K. Ota, G. Wang, and L. T. Yang, “Energy-efficient resource allocation for d2d communications underlaying cloud-ran-based lte-a networks,” IEEE Internet of Things Journal, vol. 3, no. 3, pp. 428–438, 2016.
[11] W. Lin, S. Xu, L. He, and J. Li, “Multi-resource scheduling and power simulation for cloud computing,” Information Sciences, vol. 397-398, pp. 168–186, 2017.
[12] W. Jiang, G. Wang, M. Z. A. Bhuiyan, and J. Wu, “Understanding graph-based trust evaluation in online social networks: Methodologies and challenges,” ACM Computing Surveys, vol. 49, no. 1, 2016.
[13] E. Luo, Q. Liu, and G. Wang, “Hierarchical Multi-Authority and Attribute-Based Encryption Friend Discovery Scheme in Mobile Social Networks,” IEEE Communications Letters, vol. 20, no. 9, pp. 1772–1775, 2016.
[14] S. Peng, A. Yang, L. Cao, S. Yu, and D. Xie, “Social influence modeling using information theory in mobile social networks,” Information Sciences, vol. 379, pp. 146–159, 2017.
[15] T. Peng, Q. Liu, D. Meng, and G. Wang, “Collaborative trajectory privacy preserving scheme in location-based services,” Information Sciences, vol. 387, pp. 165–179, 2017.
[16] S. M. T. Nezhad, M. Nazari, and E. A. Gharavol, “A Novel DoS and DDoS Attacks Detection Algorithm Using ARIMA Time Series Model and Chaotic System in Computer Networks,” IEEE Communications Letters, vol. 20, no. 4, pp. 700–703, 2016.
[17] R. H. Meng, S. G. Rice, and J. Wang, “A Fusion Steganographic Algorithm Based on Faster R-CNN,” Computers, Materials & Continua, vol. 55, no. 1, pp. 1–16, 2018.
[18] L. Sun, Z. Li, Q. Yan, W. Srisa-an, and Y. Pan, “SigPID: significant permission identification for android malware detection,” in Proceedings of the 2016 11th International Conference on Malicious and Unwanted Software (MALWARE ’16), pp. 1–8, Fajardo, Puerto Rico, USA, October 2016.
[19] C. Yuan, X. Li, Q. M. J. Wu et al., “Fingerprint Liveness Detection from Different Fingerprint Materials Using Convolutional Neural Network and Principal Component Analysis,” CMC: Computers, Materials & Continua, vol. 53, no. 3, pp. 357–371, 2017.
[20] M. I. Jordan and T. M. Mitchell, “Machine learning: trends, perspectives, and prospects,” Science, vol. 349, no. 6245, pp. 255–260, 2015.
[21] Y. Li, G. Wang, L. Nie, Q. Wang, and W. Tan, “Distance metric optimization driven convolutional neural network for age invariant face recognition,” Pattern Recognition, vol. 75, pp. 51–62, 2018.
[22] P. Li, J. Li, Z. Huang et al., “Multi-key privacy-preserving deep learning in cloud computing,” Future Generation Computer Systems, vol. 74, pp. 76–85, 2017.
[23] T. Li, J. Li, Z. Liu, P. Li, and C. Jia, “Differentially private Naive Bayes learning over multiple data sources,” Information Sciences, vol. 444, pp. 89–104, 2018.
[24] Z. Huang, S. Liu, X. Mao, K. Chen, and J. Li, “Insight of the protection for data security under selective opening attacks,” Information Sciences, vol. 412-413, pp. 223–241, 2017.
[25] C. Gao, Q. Cheng, P. He, W. Susilo, and J. Li, “Privacy-preserving Naive Bayes classifiers secure against the substitution-then-comparison attack,” Information Sciences, vol. 444, pp. 72–88, 2018.
[26] A. Saied, R. E. Overill, and T. Radzik, “Artificial neural networks in the detection of known and unknown DDoS attacks: proof-of-concept,” in Proceedings of PAAMS 2014 International Workshops (PAAMS ’14), Salamanca, Spain, 2014.
[27] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, “An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection,” Pattern Recognition Letters, vol. 51, pp. 1–7, 2015.
[28] Z. Y. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, “A system for denial-of-service attack detection based on multivariate correlation analysis,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 447–456, 2014.
[29] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, “Discriminating DDoS attacks from flash crowds using flow correlation coefficient,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 6, pp. 1073–1080, 2012.
[30] A. Wang, A. Mohaisen, W. Chang, and S. Chen, “Delving into Internet DDoS Attacks by Botnets: Characterization and Analysis,” in Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN ’15, pp. 379–390, 2015.
[31] G. D. Kumar, C. V. G. Rao, M. K. Singh, and F. Ahmad, “Using Jpcap API to monitor, analyze, and report network traffic for DDoS attacks,” in Proceedings of the 14th International Conference on Computational Science and Its Applications, ICCSA ’14, vol. 39, p. 35, 2014.
[32] K. J. Singh, K. Thongam, and T. De, “Entropy-based application layer DDoS attack detection using artificial neural networks,” Entropy, vol. 18, no. 10, 2016.
[33] A. Rukavitsyn, K. Borisenko, and A. Shorov, “Self-learning method for DDoS detection model in cloud computing,” in Proceedings of the 2017 IEEE Russia Section Young Researchers in Electrical and Electronic Engineering Conference, ElConRus ’17, pp. 544–547, 2017.
[34] H. Zhang, Z. Cai, Q. Liu et al., “A Survey on Security-Aware Measurement in SDN,” Security and Communication Networks, vol. 2018, Article ID 2459154, 14 pages, 2018.
[35] J. Ashraf and S. Latif, “Handling intrusion and DDoS attacks in Software Defined Networks using machine learning techniques,” in Proceedings of the 2014 National Software Engineering Conference, NSEC ’14, pp. 55–60, Karachi, Pakistan, 2014.
[36] I. Mihai-Gabriel and P. Victor-Valeriu, “Achieving DDoS resiliency in a software defined network by intelligent risk assessment based on neural networks and danger theory,” in Proceedings of the 15th IEEE International Symposium on Computational Intelligence and Informatics, CINTI ’14, pp. 319–324, Hungary, 2014.
[37] Q. Yan, Q. Gong, and F. R. Yu, “Effective software-defined networking controller scheduling method to mitigate DDoS attacks,” IEEE Electronics Letters, vol. 53, no. 7, pp. 469–471, 2017.
[38] T. Chin, X. Mountrouidou, X. Li, and K. Xiong, “Selective packet inspection to detect DoS flooding using software defined networking (SDN),” in Proceedings of the 2015 35th IEEE International Conference on Distributed Computing Systems Workshops, ICDCSW ’15, pp. 95–99, 2015.
[39] N. Dayal and S. Srivastava, “Analyzing behavior of DDoS attacks to identify DDoS detection features in SDN,” in Proceedings of the 9th International Conference on Communication Systems and Networks, COMSNETS ’17, pp. 274–281, 2017.
[40] J. Ye, X. Cheng, J. Zhu, L. Feng, and L. Song, “A DDoS Attack Detection Method Based on SVM in Software Defined Network,” Security and Communication Networks, vol. 2018, Article ID 9804061, 8 pages, 2018.
[41] J. Xu, L. Wei, Y. Zhang, A. Wang, F. Zhou, and C. Gao, “Dynamic Fully Homomorphic encryption-based Merkle Tree for lightweight streaming authenticated data structures,” Journal of Network and Computer Applications, vol. 107, pp. 113–124, 2018.
[42] X. Zhang, Y. Tan, C. Liang, Y. Li, and J. Li, “A Covert Channel Over VoLTE via Adjusting Silence Periods,” IEEE Access, vol. 6, pp. 9292–9302, 2018.
[43] Q. Lin, H. Yan, Z. Huang, W. Chen, J. Shen, and Y. Tang, “An ID-based linearly homomorphic signature scheme and its application in blockchain,” IEEE Access, vol. 6, no. 1, pp. 20632–20640, 2018.
[44] Q. Lin, J. Li, Z. Huang, W. Chen, and J. Shen, “A short linearly homomorphic proxy signature scheme,” IEEE Access, vol. 6, pp. 12966–12972, 2018.
[45] J. Cheng, X. Tang, and J. Yin, “A change-point DDoS attack detection method based on half interaction anomaly degree,” International Journal of Autonomous and Adaptive Communications Systems, vol. 10, no. 1, pp. 38–54, 2017.
[46] J. R. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, “DDoS Attack Detection Using IP Address Feature Interaction,” in Proceedings of the 2009 International Conference on Intelligent Networking and Collaborative Systems (INCOS ’09), pp. 113–118, 2009.
[47] J. Cheng, B. Zhang, J. Yin et al., “DDoS Attack Detection Using Three-State Partition Based on Flow Interaction,” Communications in Computer & Information Science, vol. 29, no. 4, pp. 176–184, 2009.
[48] J. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, “Detecting Distributed Denial of Service Attack Based on Multi-feature Fusion,” in Security Technology, vol. 58, pp. 132–139, 2009.
[49] J. R. Cheng, X. Tang, X. Zhu, and J. Yin, “Distributed denial of service attack detection based on IP Flow Interaction,” in Proceedings of the 2011 International Conference on E-Business and E-Government (ICEE ’11), pp. 1–4, 2011.
[50] J. Cheng, J. Yin, and L. Yun, “Detecting Distributed Denial of Service Attack Based on Address Correlation Value,” Journal of Computer Research & Development, vol. 46, no. 8, pp. 1334–1340, 2009.
[51] J. Cheng, J. Zhou, X. Tang, and J. Shi, “A distributed denial of service attack detection method based on time series prediction model,” Network Security Technology and Application, vol. 10, pp. 71–89, 2016.
[52] A. Rakotomamonjy, F. R. Bach, S. Canu, and Y. Grandvalet, “Simple MKL,” Journal of Machine Learning Research, vol. 9, no. 3, pp. 2491–2521, 2008.
[53] The Cooperative Association for Internet Data Analysis, The Caida Ucsd DDoS Attack 2007, http://www.caida.org/data/passive/ddos-20070804_dataset.xml.
DDoS attacks under the network [37]. Mihai-Gabriel proposed an intelligent elastic risk assessment method based on the neural network and risk theory in the SDN environment [38]. Yan et al. proposed an effective controller scheduling method to reduce DDoS attacks in software-defined networks [39]. Chin et al. proposed a method for detecting DDoS flood attacks by selective inspection of packets under SDN [40]. Dayal et al. analyzed the behavioral characteristics of DDoS attacks under SDN [41]. Ye et al. proposed a method of using SVM to detect DDoS attacks under the SDN environment [42]. Besides the above detection methods used to ensure the security of the system, some efficient cryptography techniques can be applied to achieve privacy of the system [43–46].
In summary, the core issue of DDoS attack detection research is the construction of feature extraction and classification models. The attack detection methods in the above three environments can effectively detect DDoS attacks corresponding to the environment. However, in the detection of early DDoS attacks, these defense methods do not have a good detection effect. In addition, most of these methods use a single feature and do not consider the impact of multidimensional features on the classifier. Therefore, an adaptive DDoS attack detection method is proposed in this paper. Firstly, we design the algorithms to extract five features. Secondly, through an ensemble learning framework, the five features are used to train two multikernel learning models and obtain the adaptive feature weights with the gradient method. Finally, the sliding window mechanism is used to coordinate the two models to improve the detection accuracy.
3. DDoS Attack Feature Extraction
3.1. Analysis of DDoS Attack Behavior. In the cloud environment, the botnets of DDoS attacks have distributed characteristics. Each zombie machine has the ability to independently calculate, send, and process data packets, and the source IP address of the packets can also be forged. These advantages of DDoS attacks make defense more difficult. However, under the background of time series, the characteristics of data packets generated by DDoS attacks are still quite different from those of normal users. The difference is reflected in the following three aspects.
(1) Asymmetry. A DDoS attack is often caused by multiple zombie hosts sending a large number of packets to a host without the host’s response. These useless packets quickly consume the host’s service resources so that the host can no longer provide services to other users. With this feature, the DDoS attack behavior is such that a large number of packets are sent to the host from the zombie hosts and no packets, or only a small number, are sent to the zombie hosts from the host. The IP data packets often present a situation in which multiple source IP addresses point to the same or several destination IP addresses, which is expressed as the asymmetry of the source IP as well as the destination IP in sending and receiving.
(2) Interactivity. It is assumed that there are A (zombie host) and B (attacked host). When an attack occurs, there are two main communication ways as follows: (1) A sends packets to B (denoted as $A \rightarrow B$) and (2) A and B send packets to each other (denoted as $A \leftrightarrow B$). The number of packets sent in the way ($A \rightarrow B$) is much larger than that sent in the way ($A \leftrightarrow B$). Therefore, the interactivity of DDoS attack flow has different states in communication direction and amount compared with normal flow.
(3) Distribution. According to the characteristics of DDoS attacks, when an attack occurs, the number of hosts that launch the attack is much larger than that of the attacked hosts, and the number of source IP addresses is much larger than that of destination IP addresses, so that the source address and the destination address have different distribution characteristics. In addition, because DDoS attacks generate useless requests, the host ports accessed by the attack requests are more dispersed than in normal flows. Therefore, the distribution of the ports is different in normal flows and attack flows.
Due to the limited ability of a single feature to express data, it cannot fully reflect the characteristics of the DDoS attack. Therefore, to effectively express the characteristics of the DDoS attack, this paper selects five feature extraction methods based on the above characteristics as follows. The address correlation degree (ACD) combines the traffic burstiness, flow asymmetry, and source IP address distribution of DDoS attacks; the IP flow features value (FFV) exploits the asymmetry of attack flows and the distribution of source IP addresses; the IP flow’s interaction behavior feature (IBF) uses the different interactivity between normal flows and attack flows on the network; the IP flow multifeature fusion (MFF) exploits the different behavioral characteristics of normal flows as well as DDoS attack flows and integrates the multiple characteristics of DDoS attack flows; the IP flow address half interaction anomaly degree (HIAD) focuses on the characteristics of the aggregated attack flows that are mixed with a large number of normal background flows. In order to make the feature richer in representation, we refer to several articles and combine the five feature extraction algorithms, besides removing the less impactful parameters, to form a multidimensional feature for DDoS attack detection [45–51].
3.2. DDoS Attack Feature Extraction. In the cloud environment, assume that network flow $F$ is as follows: $\langle (t_1, s_1, d_1, p_1), (t_2, s_2, d_2, p_2), \ldots, (t_n, s_n, d_n, p_n) \rangle$ in a certain unit of time, where $t_i$, $s_i$, $d_i$, and $p_i$ denote the time, source IP address, destination IP address, and the port of the $i$-th ($i = 1, 2, \ldots, n$) data packet, respectively. All data packets which contain source IP address $A_i$ and destination IP address $A_j$ are denoted as class $SD(A_i, A_j)$. All data packets with source IP address $A_i$ are denoted as class $IPS(A_i)$. All data packets with destination IP address $A_j$ are denoted as class $IPD(A_j)$. The packets with source IP address $A_i$ which exist in the class $IPS(A_i)$ and class $IPD(A_i)$ are denoted as $IF(A_i)$. The packets with source IP address $A_i$ which exist in class $IPS(A_i)$ and do not exist in class $IPD(A_i)$ are denoted as $SH(A_i)$. The number of the different ports in $SH(A_i)$ is denoted as $Port(SH(A_i))$. The packets with the destination IP address $A_i$ which do not exist in class $IPS(A_i)$ and exist in class $IPD(A_i)$ are denoted as $DH(A_i)$. The number of the different ports in $DH(A_i)$ is denoted as $Port(DH(A_i))$.
Definition 1. If there are different destination IP addresses $A_j$ and $A_k$ making classes $SD(A_i, A_j)$ and $SD(A_i, A_k)$ both non-null, then delete the class where all source IP address $A_i$ packets reside.
Assume that the last remaining classes are denoted as $ACS_1, ACS_2, \ldots, ACS_m$ and are statistically calculated to gain the ACD. The detailed formulation is as follows:
$$ACD_F = \sum_{i=1}^{m} W(ACS_i) \tag{1}$$
In this part, $W(ACS_i) = \theta_1 Port(ACS_i) + (1 - \theta_1) Packet(ACS_i)$ $(0 < \theta_1 < 1)$, where $Port(ACS_i)$ is the number of different ports in class $ACS_i$, $Packet(ACS_i)$ is the number of data packets in class $ACS_i$, and $\theta_1$ is the weighted value.
Definition 2. If all the packets whose destination IP address is $A_j$ form the unique class $SD(A_i, A_j)$, delete the class where the packet with the destination IP address is $A_j$.
Assume that the last remaining classes are denoted as $SDS_1, SDS_2, \ldots, SDS_l$; all packets in these remaining classes with the destination IP address $A_j$ are denoted as $SDD(A_j)$, and all the classes are denoted as $SDD_1, SDD_2, \ldots, SDD_m$. The FFV is defined as follows:
$$FFV_F = \left( \sum_{i=1}^{m} CIP(SDD_i) - m \right) \tag{2}$$
$CIP(SDD_i)$ in formula (2) is presented as follows:
$$CIP(SDD_i) = Num(SDD_i) + \theta_2 \sum_{j=1}^{Num(SDD_i)} OA(Pack(A_j)) + (1 - \theta_2)\left(OB(Port(SDD_i)) - 1\right) \tag{3}$$
In this equation, $0 \le \theta_2 \le 1$ and $Num(SDD_i)$ is the number of different source IP addresses in $SDD_i$.
$$OA(Pack(A_j)) = \begin{cases} Pack(A_j), & Pack(A_j)/\Delta t > \theta_3 \\ 0, & Pack(A_j)/\Delta t \le \theta_3 \end{cases} \tag{4}$$
$Pack(A_j)$ is the number of source IP addresses $A_j$ in $SDD_i$ and $\theta_3$ is the threshold of the number of packets.
$$OB(Port(SDD_i)) = \begin{cases} Port(SDD_i), & Port(SDD_i)/\Delta t > \theta_4 \\ 0, & Port(SDD_i)/\Delta t \le \theta_4 \end{cases} \tag{5}$$
$Port(SDD_i)$ is the number of different destination ports in $SDD_i$, $\theta_4$ is the threshold of the number of ports, and $\Delta t$ is the sampling time.
Definition 3. Assume that the IF flow is $IF_1, IF_2, \ldots, IF_M$, the SH class is denoted as $SH_1, SH_2, \ldots, SH_S$, and the DH class is denoted as $DH_1, DH_2, \ldots, DH_M$. Then define IBF as follows:
$$IBF = \frac{1}{M + 1} \left( |S - D| + \sum_{i=1}^{S} over(Port(SH_i)) + \sum_{i=1}^{D} over(Port(DH_i)) \right) \tag{6}$$
$over(x) = \begin{cases} x, & x/\Delta t > \theta_5 \\ 0, & x/\Delta t \le \theta_5 \end{cases}$, where $\theta_5$ is the threshold of the amount of port, $M$ in formula (6) is the number of IF flows within $\Delta t$, and $|S - D|$ is the absolute value of the difference value between the number of source IP addresses and the number of destination IP addresses for all SH and DH flows in $\Delta t$.
Definition 4. Assume that the resulting SD classes are $SD_1, SD_2, \cdots, SD_l$ and IF classes are $IF_1, IF_2, \cdots, IF_M$. The number of packets of source IP address $A_i$ in class $IF_i$ is denoted as $Sn_i$, where $i = 1, 2, \ldots, M$; the number of packets of all interworking flow classes is denoted as SN; and the source semi-interactive flow class is denoted as $SH_1, SH_2, \cdots, SH_S$. The number of different ports in class $SH_i$ is denoted as $Port(SH_i)$, where $i = 1, 2, \ldots, S$; the destination semi-interactive class is denoted as $DH_1, DH_2, \cdots, DH_D$; and the number of different ports in class $DH_i$ is denoted as $Port(DH_i)$, where $i = 1, 2, \ldots, D$.
The weighted value of all packets in SH class is defined as follows:
$$Weight_{SH} = \sum_{i=1}^{s} over_{sh}(Packet(SH_i)) \tag{7}$$
The weighted value of all packets in SD classes is defined as follows:
$$Weight_{SD} = \sum_{i=1}^{L} over_{sd}(Packet(SD_i)) \tag{8}$$
The weighted value of the number of packets of network flow F in unit time T is as follows:
$$Weight_{packet} = flag(Weight_{SD}) \, Weight_{SD} + Weight_{SD} \tag{9}$$
In these equations,
$$over_{sh}(x) = \begin{cases} x, & x/\Delta t > \theta_6 \\ 0, & x/\Delta t \le \theta_6 \end{cases} \qquad over_{sd}(x) = \begin{cases} x, & x/\Delta t > \theta_7 \\ 0, & x/\Delta t \le \theta_7 \end{cases} \qquad flag(x) = \begin{cases} 0, & x > 0 \\ 1, & x = 0 \end{cases} \tag{10}$$
$\Delta t$ is sampling time, and $\theta_6$ and $\theta_7$ are SH-type packet number abnormality thresholds. $Packet(SD_i)$ is the number of packets in $SD_i$, $I = 1, 2, \ldots, n$. The weighted value of the number of different ports in the SH and DH classes is as follows:
$$Weight_{port} = \sum_{i=1}^{S} over_p(Port(SH_i)) + \sum_{j=1}^{D} over_p(Port(DH_j)) \tag{11}$$
where $over_p(x) = \begin{cases} x, & x/\Delta t > \theta_8 \\ 0, & x/\Delta t \le \theta_8 \end{cases}$, $\Delta t$ is sampling time, and $\theta_8$ is the SH-type port number abnormality threshold.
In this part, we define the MFF as follows:
$$MFF_F = \frac{S + Weight_{port} + Weight_{packet}}{M + 1} \tag{12}$$
where $f(x) = \begin{cases} x, & x \ge 1 \\ 1, & x \le 1 \end{cases}$.
Definition 5. The number of SH flows with different source IP addresses and the same destination IP address $A_i$ is denoted as $hn_i$. The SH class with the same destination IP address $A_i$ flow is denoted as $HSD(hn_i, A_i)$, where $i = 1, 2, \ldots, n$.
Assume that all HSD classes are $HSD_1, HSD_2, \cdots, HSD_k$ and the number of different destination ports in the class $HSD_i$ is expressed as $Port(HSD_i)$, where $i = 1, 2, \ldots, k$. The HIAD is defined as follows:
$$HIAD_F = \left( \sum_{i=1}^{k} \left( hn_i + weight(Port(HSD_I)) \right) \right) \tag{13}$$
In (13), $weight(x) = \begin{cases} x, & x/\Delta t > \theta_9 \\ 0, & x/\Delta t \le \theta_9 \end{cases}$, $\Delta t$ is sampling time, and $\theta_9$ is the threshold for different destination ports.
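The IF/SH/DH partition of Section 3.2 and two of the features built on it, IBF (formula (6)) and HIAD (formula (13)), computed over one sampling window. This is an added example, not the authors' code; the packet tuple layout, the reading of "port" as destination port, the threshold values, and both sample windows are constructed assumptions.

```python
from collections import defaultdict

# Assumptions of this sketch: a packet is (time, src_ip, dst_ip, dst_port),
# "port" means destination port, and the thresholds below are arbitrary.
DELTA_T = 1.0   # sampling time (the paper's delta-t), in seconds
THETA_5 = 2.0   # port threshold used by over() in formula (6)
THETA_9 = 2.0   # port threshold used by weight() in formula (13)


def gate(x, threshold, delta_t=DELTA_T):
    """over()/weight(): keep x only when its rate x/delta_t exceeds the threshold."""
    return x if x / delta_t > threshold else 0


def partition(packets):
    """Split one window into IF addresses and the SH and DH classes."""
    sources = {src for _, src, _, _ in packets}
    dests = {dst for _, _, dst, _ in packets}
    interactive = sources & dests          # addresses that both send and receive
    sh = defaultdict(list)                 # SH(A): A sends but never receives
    dh = defaultdict(list)                 # DH(A): A receives but never sends
    for pkt in packets:
        _, src, dst, _ = pkt
        if src not in dests:
            sh[src].append(pkt)
        if dst not in sources:
            dh[dst].append(pkt)
    return interactive, dict(sh), dict(dh)


def distinct_ports(pkts):
    return len({port for _, _, _, port in pkts})


def ibf(packets):
    """Formula (6): half-interaction imbalance normalised by interactive flows."""
    interactive, sh, dh = partition(packets)
    m, s, d = len(interactive), len(sh), len(dh)
    sh_term = sum(gate(distinct_ports(p), THETA_5) for p in sh.values())
    dh_term = sum(gate(distinct_ports(p), THETA_5) for p in dh.values())
    return (abs(s - d) + sh_term + dh_term) / (m + 1)


def hiad(packets):
    """Formula (13): SH flows grouped by the destination they converge on."""
    _, sh, _ = partition(packets)
    by_dest = defaultdict(list)
    for pkts in sh.values():
        for pkt in pkts:
            by_dest[pkt[2]].append(pkt)
    total = 0
    for pkts in by_dest.values():
        hn = len({src for _, src, _, _ in pkts})   # distinct one-way sources
        total += hn + gate(distinct_ports(pkts), THETA_9)
    return total


def normal_window():
    """Constructed sample: two answered clients and one request not yet answered."""
    return [
        (0.0, "10.0.0.1", "10.0.0.9", 443),
        (0.1, "10.0.0.9", "10.0.0.1", 50000),
        (0.2, "10.0.0.2", "10.0.0.9", 443),
        (0.3, "10.0.0.9", "10.0.0.2", 50001),
        (0.4, "10.0.0.3", "10.0.0.9", 80),
    ]


def attack_window():
    """Constructed sample: 20 one-way sources hit one host on 60 distinct ports."""
    pkts = [(0.0, "10.0.0.1", "10.0.0.9", 443),
            (0.1, "10.0.0.9", "10.0.0.1", 50000)]
    for k in range(1, 21):
        for j in range(3):
            pkts.append((0.2, f"198.51.100.{k}", "10.0.0.9", 1000 + 3 * k + j))
    return pkts


if __name__ == "__main__":
    for name, window in (("normal", normal_window()), ("attack", attack_window())):
        print(name, "IBF =", round(ibf(window), 3), "HIAD =", hiad(window))
```

Because SH membership depends only on whether an address ever appears as a destination in the window, forged source addresses that receive no replies all land in SH, which is what drives both features up in the second window.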
4. The DDoS Attack Detection Model
The establishment of an attack detection model is an important part of the whole detection process. Based on the behavior of DDoS attacks, we extract the ACD, IBF, MFF, HIAD, and FFV features to express the inherent rules of attack flows. The disadvantages of the current DDoS attack detection models are summarized as follows: (1) some models highly depend on the selection of kernel function; (2) some models require data with highly stable value; (3) some models can only fit linear rules, but DDoS attacks can generate linearly inseparable data due to abrupt, unstable, and stochastic characteristics. Considering that the multiple-kernel learning model has a low requirement for data stability, can be used for nonlinear fitting, and can flexibly treat linear and nonlinear data, this paper proposes an adaptive DDoS attack detection method based on the ensemble learning framework.
4.1. The Multiple-Kernel Learning Model. The multiple-kernel learning (MKL) model is developed from the original single-kernel SVM. In single-kernel SVM, an SVM only uses one kernel function to map the sample to high-dimensional space. By comparison, the multiple-kernel learning model uses multiple weighted kernel functions to map the sample to high-dimensional space. Therefore, it has higher flexibility and adaptability on heterogeneous data.
The multiple-kernel learning is defined as follows: given training set $T = (x_1, y_1), (x_2, y_2), \cdots, (x_n, y_n)$ and testing set $C = x'_1, x'_2, \cdots, x'_s$, $x_i \in R^d$, $x'_k \in R^d$, $y_i \in (-1, +1)$, $R$ is the real-number set, $d$ is the data dimension, $i = 1, 2, \cdots, n$, $k = 1, 2, \cdots, s$. $K_1(x, x'), K_2(x, x'), \cdots, K_M(x, x')$ are kernel functions in $R^d \times R^d$, and $\phi_1, \phi_2, \cdots, \phi_M$ is a kernel mapping for each function. In the classic multiple-kernel learning SimpleMKL [52], the objective function of the hyperplane is as follows:
$$f(x) = \sum_{m=1}^{M} (\omega_m, \phi_m(x)) + b \tag{14}$$
where $\omega_m$ is the weight for each kernel function and $b$ is bias. The relaxation factor is $\xi$. According to the principle of minimum structure, the objective function can be optimized as follows:
$$\min \psi(\omega_m, b, \xi, d) = \frac{1}{2} \sum_{m=1}^{M} \frac{1}{d_m} \|\omega_m\|^2_{H_m} + C \sum_{i=1}^{n} \xi_i \tag{15}$$
$$\text{s.t.} \quad y_i \sum_{m=1}^{M} \omega_m \cdot \varphi(x_i) + y_i b \ge 1 - \xi_i, \quad \sum_{m=1}^{M} d_m = 1, \quad d_m \ge 0, \quad \xi_i \ge 0 \tag{16}$$
By the two-order alternation optimization, formula (15) can be converted to the optimization problem with $d_m$ as the variable:
$$\min_{d \ge 0} J(d), \quad \sum_{m=1}^{M} d_m = 1 \tag{17}$$
$$\text{s.t.} \quad \min_{\omega_m, b, \xi} = \frac{1}{2} \sum_{m=1}^{M} \frac{1}{d_m} \|\omega_m\|^2_{H_m} + C \sum_{i=1}^{n} \xi_i, \quad y_i \sum_{m=1}^{M} \omega_m \cdot \varphi(x_i) + y_i b \ge 1 - \xi_i, \quad \xi_i \ge 0 \tag{18}$$
The Lagrange function of $J(d)$ is as follows:
$$L = \frac{1}{2} \sum_{m=1}^{M} \frac{1}{d_m} \|\omega_m\|^2_{H_m} + C \sum_{i=1}^{n} \xi_i + \sum_{i=1}^{m} \alpha_i \left( 1 - \xi_i - y_i \sum_{m=1}^{M} \omega_m \cdot \varphi_m(x_i) + y_i b \right) + \sum_{i=1}^{n} \nu_i \xi_i \tag{19}$$
where $\alpha_i$ and $\nu_i$ are Lagrange multipliers. First, the partial derivatives with respect to $\omega_m$, $b$, and $\xi_i$ are calculated. Then the extremums are obtained by setting the partial derivatives to "0". Finally, the extremums are substituted into the Lagrange function, which can be further changed to

$$\max Q(\alpha) = -\frac{1}{2} \sum_{i,j=1}^{m} \alpha_i \alpha_j y_i y_j K_d(x_i, x_j) + \sum_{i=1}^{n} \alpha_i \tag{20}$$

$$\begin{aligned} \text{s.t.} \quad & \sum_{i}^{n} \alpha_i y_i = 0, \\ & C \ge \alpha_i \ge 0, \\ & K_d(x_i, x_j) = \sum_{m=1}^{M} d_m k_m(x_i, x_j) \end{aligned} \tag{21}$$
The gradient descent method is used to adjust $J(d)$ on $d$, update $d$, and optimize $d$ as well as $a$ alternately. Then an optimal solution $\alpha^* = (\alpha_1, \alpha_2, \cdots, \alpha_n)$ is obtained; that is, the original objective function eventually turns into (22). The detailed formulation is as follows:

$$f(x) = \sum_{i=1}^{n} \alpha_i^* y_i \sum_{m=1}^{M} d_m K_d(x_i, x_j) + b \tag{22}$$

$x_j \in C$. When the test set data $x_j$ is input to $f(x)$, the objective function can determine the category of the test set data.
4.2. The Attack Detection Model Based on Multiple-Kernel Learning. The SimpleMKL model corresponds to setting all the dimension weight values to "1", so it cannot fully exploit the different features. This paper uses the feature weights to control the effect of different features on the model. To gain the appropriate feature weights in the SimpleMKL model, we combine the gradient method to optimize the weight parameters so that the detection accuracy is further improved.

We mark ACD as $x_1$, IBF as $x_2$, MFF as $x_3$, HIAD as $x_4$, and FFV as $x_5$; then the feature value vector is $F = (x_1, x_2, x_3, x_4, x_5)$ and the weight vector is $W = (w_1, w_2, w_3, w_4, w_5)$. The combinatorial features are $CF = F * W^T$. The mean value of each dimension of the normal flow is denoted $u_{11}, u_{12}, u_{13}, u_{14}, u_{15}$, and the mean value of each dimension of the attack flow is denoted $u_{21}, u_{22}, u_{23}, u_{24}, u_{25}$.
The interclass mean squared difference is expressed as follows:

$$M = [w_1 * (u_{11} - u_{21})]^2 + [w_2 * (u_{12} - u_{22})]^2 + [w_3 * (u_{13} - u_{23})]^2 + [w_4 * (u_{14} - u_{24})]^2 + [w_5 * (u_{15} - u_{25})]^2 \tag{23}$$

The normal intraclass variance is denoted

$$S_1 = \sum_{i=1}^{n} [w_1 * (x_{i1} - u_{11})]^2 + [w_2 * (x_{i2} - u_{12})]^2 + [w_3 * (x_{i3} - u_{13})]^2 + [w_4 * (x_{i4} - u_{14})]^2 + [w_5 * (x_{i5} - u_{15})]^2 \tag{24}$$

The attack intraclass variance is denoted

$$S_2 = \sum_{i=1}^{n} [w_1 * (x_{i1} - u_{21})]^2 + [w_2 * (x_{i2} - u_{22})]^2 + [w_3 * (x_{i3} - u_{23})]^2 + [w_4 * (x_{i4} - u_{24})]^2 + [w_5 * (x_{i5} - u_{25})]^2 \tag{25}$$
The intraclass variance is $S = S_1 + S_2$. To improve classification accuracy and ensure a rapid convergence of functions, on the one hand, we should try to improve the mean difference between positive and negative samples so that the two kinds of samples are far away from each other; that is, we should increase the $M$ value. On the other hand, we should minimize the differences between samples. The variance corresponding to each dimension should be as small as possible, thus reducing the $S$ value. Therefore, the classification model needs to train two different classifiers to classify the samples. One classifier is interclass mean squared difference growth (M-SMKL), and the other classifier is intraclass variance descent (S-SMKL). In combination with the SimpleMKL framework formula (15), the above problems can be transformed into (26). The detailed formulation is as follows:

$$\begin{aligned} & \max_{x_{ij} \in F} \alpha M + \min_{x_{ij} \in F} \beta S, \\ & \min \psi(\omega_m, b, \xi, d, w) = \frac{1}{2} \sum_{m=1}^{M} \frac{1}{d_m} \|\omega_m\|^2_{H_m} + C \sum_{i=1}^{n} \xi_i \end{aligned} \tag{26}$$

$$\begin{aligned} \text{s.t.} \quad & y_i \sum_{m=1}^{M} \omega_m \cdot \varphi(w x_i) + y_i b \ge 1 - \xi_i, \\ & \sum_{m=1}^{M} d_m = 1, \quad d_m \ge 0, \\ & \xi_i \ge 0, \\ & M < \sigma_1, \\ & S > \sigma_1 \end{aligned} \tag{27}$$
If $\alpha \gg \beta$, the objective function is M-SMKL. If $\beta \gg \alpha$, the objective function is S-SMKL. $\alpha$ and $\beta$ are converted to the learning rates of formula (35).
To solve the above problems, we use the way of updating iterative weights to get the objective function. The details are as follows. Firstly, the weights of each feature are assigned initial values. Secondly, they are combined with (26) and (27) to gain the optimal function of this time. The mathematical form is expressed as follows:
$$\max Q(\alpha) = -\frac{1}{2} \sum_{i,j=1}^{m} \alpha_i \alpha_j y_i y_j K_d(w x_i, w x_j) + \sum_{i=1}^{n} \alpha_i \tag{28}$$

$$\begin{aligned} \text{s.t.} \quad & \sum_{i}^{n} \alpha_i y_i = 0, \\ & C \ge \alpha_i \ge 0, \\ & K_d(w x_i, w x_j) = \sum_{m=1}^{M} d_m k_m(w x_i, w x_j) \end{aligned} \tag{29}$$
The optimal equation obtained using (28) and (29) is as follows:

$$f(x) = \sum_{i=1}^{n} \alpha_i^* y_i \sum_{m=1}^{M} d_m K_d(w x_i, w x_j) + b \tag{30}$$
To further determine whether the optimal equation has achieved good results, this paper sets two constraint conditions for M-SMKL and S-SMKL, respectively, without conflict with the constraint conditions of formula (27). These constraint conditions are expressed as follows.

The constraint conditions of M-SMKL are as follows:

$$\begin{aligned} & t_1 < |M_{i+1} - M_i| < t_2 < |M_i - M_{i-1}| < t_3, \\ & f(M_i) f(S_i) - f(M_{i-1}) f(S_{i-1}) > p_1, \\ & f(M_i) f(S_i) - f(M_{i+1}) f(S_{i+1}) > p_2 \end{aligned} \tag{31}$$

The constraint conditions of S-SMKL are as follows:

$$\begin{aligned} & t_4 < |S_i - S_{i-1}| < t_5 < |S_{i+1} - S_i| < t_6, \\ & f(M_i) f(S_i) - f(M_{i-1}) f(S_{i-1}) > p_3, \\ & f(M_i) f(S_i) - f(M_{i+1}) f(S_{i+1}) > p_4 \end{aligned} \tag{32}$$
where the values of $p_1$, $p_2$, $p_3$, and $p_4$ are close to "0", the values of $t_1$, $t_2$, and $t_3$ are close to "1", and the values of $t_4$, $t_5$, and $t_6$ are close to "75". If the constraint condition is satisfied, the algorithm will be stopped and formula (30) will become the optimal function; otherwise, each dimension weight will be updated iteratively. The gradient of $M$ and $S$ corresponding to each dimension weight is as follows:
$$\begin{aligned} \frac{\partial M}{\partial w_1} &= 2 w_1 (u_{11} - u_{21})^2 \\ \frac{\partial M}{\partial w_2} &= 2 w_2 (u_{12} - u_{22})^2 \\ \frac{\partial M}{\partial w_3} &= 2 w_3 (u_{13} - u_{23})^2 \\ \frac{\partial M}{\partial w_4} &= 2 w_4 (u_{14} - u_{24})^2 \\ \frac{\partial M}{\partial w_5} &= 2 w_5 (u_{15} - u_{25})^2 \end{aligned} \tag{33}$$

$$\begin{aligned} \frac{\partial S}{\partial w_1} &= 2\left[w_1 \left(\sum_{i=1}^{n_1} x_{11}^2 - n_1 u_{11}^2\right) + w_1 \left(\sum_{i=1}^{n_2} x_{21}^2 - n_2 u_{21}^2\right)\right] \\ \frac{\partial S}{\partial w_2} &= 2\left[w_2 \left(\sum_{i=1}^{n_1} x_{12}^2 - n_1 u_{12}^2\right) + w_2 \left(\sum_{i=1}^{n_2} x_{22}^2 - n_2 u_{22}^2\right)\right] \\ \frac{\partial S}{\partial w_3} &= 2\left[w_3 \left(\sum_{i=1}^{n_1} x_{13}^2 - n_1 u_{13}^2\right) + w_3 \left(\sum_{i=1}^{n_2} x_{23}^2 - n_2 u_{23}^2\right)\right] \\ \frac{\partial S}{\partial w_4} &= 2\left[w_4 \left(\sum_{i=1}^{n_1} x_{14}^2 - n_1 u_{14}^2\right) + w_4 \left(\sum_{i=1}^{n_2} x_{24}^2 - n_2 u_{24}^2\right)\right] \\ \frac{\partial S}{\partial w_5} &= 2\left[w_5 \left(\sum_{i=1}^{n_1} x_{15}^2 - n_1 u_{15}^2\right) + w_5 \left(\sum_{i=1}^{n_2} x_{25}^2 - n_2 u_{25}^2\right)\right] \end{aligned} \tag{34}$$
where $n_1$ is the number of the normal flow feature of the training sample and $n_2$ is the number of the attack flow feature of the training sample.

[Figure 1: Flow chart of multiple-kernel learning training process based on ensemble learning. Two parallel branches start from the multidimension data of initial weight: one increases M to update the weights of different dimensions with gradient ascent, multiplies the updated weight and the training dataset, and updates the core parameters of M-SMKL until the constraint conditions of M-SMKL are met (end M-SMKL training); the other decreases S with gradient descent and updates the core parameters of S-SMKL until the constraint conditions of S-SMKL are met (end S-SMKL training).]

According to the gradients in (33) and (34), the weight of each dimension is updated as follows:
$$\begin{aligned} w_1 &= w_1 + 2 * lr_1 * \frac{\partial M}{\partial w_1} - 2 * lr_2 * \frac{\partial S}{\partial w_1} \\ w_2 &= w_2 + 2 * lr_1 * \frac{\partial M}{\partial w_2} - 2 * lr_2 * \frac{\partial S}{\partial w_2} \\ w_3 &= w_3 + 2 * lr_1 * \frac{\partial M}{\partial w_3} - 2 * lr_2 * \frac{\partial S}{\partial w_3} \\ w_4 &= w_4 + 2 * lr_1 * \frac{\partial M}{\partial w_4} - 2 * lr_2 * \frac{\partial S}{\partial w_4} \\ w_5 &= w_5 + 2 * lr_1 * \frac{\partial M}{\partial w_5} - 2 * lr_2 * \frac{\partial S}{\partial w_5} \end{aligned} \tag{35}$$
where $lr_1$ is the learning rate of gradient ascent and $lr_2$ is the learning rate of gradient descent; $lr_1$ has the same function as $\alpha$, and $lr_2$ has the same function as $\beta$. Each updated weight is multiplied by each original feature accordingly, and the next round of iteration is carried out.
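The weight update in (23)–(25) and (33)–(35), written out as an added Python example that is not the paper's own code. The feature rows, the learning rates, and the fixed step count are constructed assumptions, and the stopping conditions (31) and (32) are not implemented.

```python
import random

# x1..x5 as the page labels them: ACD, IBF, MFF, HIAD, FFV
FEATURES = ("ACD", "IBF", "MFF", "HIAD", "FFV")


def column_means(rows):
    """Per-dimension mean of one class (u_1k for normal flow, u_2k for attack flow)."""
    n = len(rows)
    return [sum(r[k] for r in rows) / n for k in range(len(rows[0]))]


def interclass_m(w, u1, u2):
    """Eq. (23): M = sum_k [w_k * (u_1k - u_2k)]^2."""
    return sum((wk * (a - b)) ** 2 for wk, a, b in zip(w, u1, u2))


def intraclass_s(w, normal, attack, u1, u2):
    """Eqs. (24) and (25): S = S1 + S2, summed over every sample of each class."""
    s1 = sum((wk * (x - u)) ** 2 for r in normal for wk, x, u in zip(w, r, u1))
    s2 = sum((wk * (x - u)) ** 2 for r in attack for wk, x, u in zip(w, r, u2))
    return s1 + s2


def grad_m(w, u1, u2):
    """Eq. (33): dM/dw_k = 2 * w_k * (u_1k - u_2k)^2."""
    return [2 * wk * (a - b) ** 2 for wk, a, b in zip(w, u1, u2)]


def grad_s(w, normal, attack, u1, u2):
    """Eq. (34): dS/dw_k = 2 * [w_k (sum x^2 - n1 u_1k^2) + w_k (sum x^2 - n2 u_2k^2)]."""
    n1, n2 = len(normal), len(attack)
    grads = []
    for k, wk in enumerate(w):
        t1 = sum(r[k] ** 2 for r in normal) - n1 * u1[k] ** 2
        t2 = sum(r[k] ** 2 for r in attack) - n2 * u2[k] ** 2
        grads.append(2 * (wk * t1 + wk * t2))
    return grads


def update_weights(w, normal, attack, lr1, lr2):
    """One iteration of Eq. (35): ascend on M with lr1, descend on S with lr2."""
    u1, u2 = column_means(normal), column_means(attack)
    gm = grad_m(w, u1, u2)
    gs = grad_s(w, normal, attack, u1, u2)
    return [wk + 2 * lr1 * a - 2 * lr2 * b for wk, a, b in zip(w, gm, gs)]


def train(normal, attack, lr1, lr2, steps):
    """Iterate Eq. (35) from unit weights.

    Assumption: a fixed step count stands in for the stopping conditions
    (31)/(32), which this sketch does not implement.
    """
    w = [1.0] * len(normal[0])
    for _ in range(steps):
        w = update_weights(w, normal, attack, lr1, lr2)
    u1, u2 = column_means(normal), column_means(attack)
    return w, interclass_m(w, u1, u2), intraclass_s(w, normal, attack, u1, u2)


def constructed_flows(seed=7):
    """Constructed, already-normalized feature rows (not CAIDA data)."""
    rng = random.Random(seed)
    normal_mu = (0.10, 0.20, 0.15, 0.05, 0.10)
    attack_mu = (0.60, 0.35, 0.50, 0.90, 0.55)
    attack_sd = (0.10, 0.15, 0.08, 0.05, 0.12)
    normal = [[rng.gauss(m, 0.03) for m in normal_mu] for _ in range(40)]
    attack = [[rng.gauss(m, s) for m, s in zip(attack_mu, attack_sd)]
              for _ in range(60)]
    return normal, attack


if __name__ == "__main__":
    normal, attack = constructed_flows()
    # Constructed learning rates: the first pair favours M, the second favours S.
    for name, lr1, lr2 in (("ascent-dominated", 1e-2, 1e-5),
                           ("descent-dominated", 1e-5, 1e-3)):
        w, m, s = train(normal, attack, lr1, lr2, steps=50)
        weights = ", ".join(f"{f}={v:.3f}" for f, v in zip(FEATURES, w))
        print(f"{name}: M={m:.4f} S={s:.4f} | {weights}")
```

Because each step multiplies $w_k$ by a factor that depends only on that dimension's mean gap and spread, the ascent-dominated run grows the weight of the feature with the widest normal/attack gap fastest, while the descent-dominated run shrinks the weights of the noisiest features fastest.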
4.3. Framework of Multiple-Kernel Learning Detection Based on Ensemble Learning. We input the multidimensional data with weight and set the learning rate. Then two different classifiers are trained: M-SMKL is trained by increasing the $M$ value mainly with reducing the $S$ value secondarily, and S-SMKL is trained by reducing the $S$ value mainly with increasing the $M$ value secondarily. During the training process, the $M$ value and the $S$ value are constantly updated with the method of gradient rising and descending until the constraint conditions are met. The flowchart is provided in Figure 1.

The detection process is as follows: firstly, the test data is multiplied with the two different weight vectors which were trained earlier; secondly, the calculated data are input to the corresponding M-SMKL and S-SMKL models; finally, we use the sliding window mechanism to coordinate the two kinds of models. The sliding window mechanism is described as follows. Firstly, a sliding window with a size of $n$ is created. Secondly, the trained M-SMKL classifies the test data and obtains the first classification results; the trained S-SMKL classifies the test data and obtains the second classification results. Finally, four ways are used to cooperatively treat the first classification results and the second classification results. The details are as follows: (1) if M-SMKL and S-SMKL both identify the current data category as normal, the current data category is judged to be normal; (2) if M-SMKL and S-SMKL both identify the current data category as attack, the current data category is judged to be attack; (3) if M-SMKL identifies the current data category as normal but S-SMKL identifies it as attack, the current data category is judged to be attack; (4) if M-SMKL identifies the current data category as attack but S-SMKL identifies it as normal, then consider the following. Step 1: Move the starting point of the sliding window to the current position of the test data in the first classification result and map the end point of the sliding window to the n-1 position of the first classification results. Step 2: If the results in the sliding window are all attack, the current data category is judged to be attack; otherwise, the current data category is judged to be normal. The flow chart is provided in Figure 2.
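The four-way coordination rule described above, as an added Python sketch that is not the paper's code. It assumes the window spans the M-SMKL results from the current sample to n-1 samples ahead and is truncated at the end of the data; the label sequences are constructed, and the rates follow the paper's definitions in (36).

```python
NORMAL, ATTACK = 0, 1


def fuse(m_pred, s_pred, window=8):
    """Combine per-sample M-SMKL and S-SMKL labels with the four rules of Section 4.3.

    Assumptions of this sketch: the window covers M-SMKL results t .. t+window-1,
    and a window that runs past the end of the data is truncated to what exists.
    """
    if len(m_pred) != len(s_pred):
        raise ValueError("both classifiers must label the same samples")
    fused = []
    for t, (m, s) in enumerate(zip(m_pred, s_pred)):
        if m == s:                       # rules (1) and (2): the models agree
            fused.append(m)
        elif s == ATTACK:                # rule (3): only S-SMKL says attack
            fused.append(ATTACK)
        else:                            # rule (4): only M-SMKL says attack
            win = m_pred[t:t + window]
            fused.append(ATTACK if all(v == ATTACK for v in win) else NORMAL)
    return fused


def rates(truth, pred):
    """DR, FR and ER as defined in Eq. (36); note that 'positive' means normal there."""
    tp = sum(1 for y, p in zip(truth, pred) if y == NORMAL and p == NORMAL)
    fp = sum(1 for y, p in zip(truth, pred) if y == NORMAL and p == ATTACK)
    tn = sum(1 for y, p in zip(truth, pred) if y == ATTACK and p == ATTACK)
    fn = sum(1 for y, p in zip(truth, pred) if y == ATTACK and p == NORMAL)
    return {
        "DR": tn / (tn + fn) if tn + fn else None,
        "FR": fp / (tp + fp) if tp + fp else None,
        "ER": (fn + fp) / len(truth) if truth else None,
    }


# Constructed 30-sample trace: 10 s of normal flow, then 20 s of attack flow.
TRUTH = [NORMAL] * 10 + [ATTACK] * 20
# M-SMKL (constructed): flags the attack at once, with two isolated false alarms.
M_PRED = [0, 0, 0, 1, 0, 0, 0, 1, 0, 0] + [ATTACK] * 20
# S-SMKL (constructed): one false alarm, misses the first 6 s and the last sample.
S_PRED = [0, 0, 0, 0, 0, 1, 0, 0, 0, 0] + [NORMAL] * 6 + [ATTACK] * 13 + [NORMAL]


def compare(window=8):
    """Score each classifier alone and the fused verdicts on the constructed trace."""
    fused = fuse(M_PRED, S_PRED, window)
    return {
        "M-SMKL": rates(TRUTH, M_PRED),
        "S-SMKL": rates(TRUTH, S_PRED),
        "fused": rates(TRUTH, fused),
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(name, {k: round(v, 3) for k, v in r.items()})
```

On this trace the window suppresses the isolated M-SMKL false alarms while keeping its early detections, but the S-SMKL false alarm passes straight through rule (3). Under the forward-window assumption, a rule (4) verdict for a sample is only available once the next n-1 M-SMKL results exist.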
The reason for the training of two kinds of SMKL is that S-SMKL focuses on reducing the difference between the data of each dimension and can assemble the two types of samples in their respective central positions. However, S-SMKL does not consider the location of the two sample-center points. Although a better classification feature can be maintained on the whole, it is impossible to identify DDoS attacks earlier because the center distance of the normal flow and attack flow is small. M-SMKL focuses on the difference between the two types of data centers and maximizes the distance between the two types of sample centers, making the two samples as separate as possible. M-SMKL can expand the distance between the different classes so that the attack flow can be identified earlier, but it makes intraclass data dispersed, causing faulty results. Therefore, the sliding window mechanism is adopted to coordinate the two models to detect early DDoS accurately.

[Figure 2: Flow chart of multiple-kernel learning detection process based on ensemble learning. Multiply initial data with new weight of S-SMKL / M-SMKL; classify test set with S-SMKL / M-SMKL; Classify Result 1 / Classify Result 2; Slide Window Process; Final Predict Result.]
5. Experimental Analysis

5.1. Experimental Data Sets and Evaluation Standards. The data set used for this experiment is the CAIDA "DDoS Attack 2007" data set [53]. This data set contains a Distributed Denial of Service (DDoS) anonymous traffic attack for approximately one hour on August 4, 2007. The total size of the data set is 21 GB, which accounts for approximately one hour (20:50:08 UTC–21:56:16 UTC). Attacks began around 21:13, causing the network load to grow rapidly (in minutes) from approximately 200 kbits/s to 80 megabits/s. One hour of attack traffic is divided into 5-minute files and stored in PCAP format. The contents of this data set are TCP network traffic packets. Each TCP packet contains the source address, destination address, source port, destination port, packet size, and protocol type. The duration of normal flow data used in this paper is 2 minutes in total, and the duration of attack data is 5 minutes in total.

The hardware adopted is a computer with 8 GB of memory, an Intel Core i7 processor, and a Windows 10 64-bit system; the development environment is MATLAB 2014a and Codeblocks 10.05. The evaluation criteria used in this paper consist of the detection rate (DR), the false alarm rate (FR), and the total error rate (ER).
Assume that TP indicates the number of normal test samples that are properly marked, FP indicates the number of normal test samples that have been incorrectly marked, TN indicates the number of attack test samples that are correctly marked, and FN indicates the number of attack test samples that have been incorrectly marked.

$$DR = \frac{TN}{TN + FN}, \quad FR = \frac{FP}{TP + FP}, \quad ER = \frac{FN + FP}{TP + FP + TN + FN} \tag{36}$$
We used the above five feature extraction algorithms to extract features from the data set. The extracted feature values are normalized and used as a training set. The data in the training set can be regarded as the regularity of the change in network traffic. The network traffic has an abrupt and volatile nature. Therefore, although the collected network data have similarities with the conventional ones, they still have a certain degree of difference. To simulate this phenomenon for verifying the effectiveness of the presented method, three types of data are generated as follows: (1) normal flow feature values and attack flow feature values are multiplied by a random number; (2) only the attack flow feature values are multiplied by a random number; and (3) only the normal flow feature values are multiplied by a random number.
[Figure 3: The ACD feature graph of DDoS attack flow and normal flow. x-axis: time (s); y-axis: the ACD feature value; series: the DDoS attack feature value, the normal feature value.]

[Figure 4: The IBF feature graph of DDoS attack flow and normal flow. x-axis: time (s); y-axis: the IBF feature value; series: the DDoS attack feature value, the normal feature value.]
5.2. Experimental Results and Analysis. Five features are used to extract feature data from attack data and normal data, and positive as well as negative sample sets are obtained. The sampling time is set to 1 s, and the remaining parameters of the five feature extraction methods are set as follows: $\theta_1 = 0.5$, $\theta_2 = 0.5$, $\theta_3 = 3$, $\theta_4 = 3$, $\theta_5 = 3$, $\theta_6 = 3$, $\theta_7 = 3$, $\theta_8 = 3$, and $\theta_9 = 3$. The total of normal feature values is 211, and the total of attack feature values is 280. Figures 3–9 illustrate the feature values extracted by the five algorithms.
As illustrated in Figure 3, the early attack feature values of the DDoS attack are close to the normal feature values. This is because there are a large number of bidirectional flows in the early stage of the DDoS attack, and these bidirectional flows gradually decrease with the increase of the attack degree. Therefore, using the ACD as a feature after 70 seconds can significantly reflect the difference between the attack flow and the normal flow. ACD can reflect the difference between normal flow and attack flow the earliest.

[Figure 5: The FFV feature graph of DDoS attack flow and normal flow. x-axis: time (s); y-axis: the FFV feature value; series: the DDoS attack feature value, the normal feature value.]

[Figure 6: The ACD feature graph of DDoS attack flow and normal flow in the first 10 seconds. x-axis: time (s); y-axis: the ACD feature value; series: the DDoS attack feature value, the normal feature value.]
As illustrated in Figure 4, compared with ACD, although IBF does not recognize the attack flow earlier, the distribution range of its feature values is more uniform and presents a certain degree of volatility. This makes the feature less susceptible to individual outliers.

As illustrated in Figure 5, the FFV feature is very similar to the ACD, but, as illustrated in Figures 6 and 7, in the initial stage the FFV is more capable of reflecting the difference between the attack flow and the normal flow than the ACD is.
[Figure 7: The FFV feature graph of DDoS attack flow and normal flow in the first 10 seconds. x-axis: time (s); y-axis: the FFV feature value; series: the DDoS attack feature value, the normal feature value.]

[Figure 8: The MFF feature graph of DDoS attack flow and normal flow. x-axis: time (s); y-axis: the MFF feature value; series: the DDoS attack feature value, the normal feature value.]
As illustrated in Figure 8, although the MFF feature cannot determine the attack flow and the normal flow as early as possible, it can make the feature values of the attack stage more stable so that it can avoid the outliers of attack flows.

As illustrated in Figure 9, it can be seen from the value of the ordinate that the HIAD best reflects the difference between the normal flow and the attack flow while having better stability in the latter half of the attack flow. After the early data, this feature can greatly distinguish between normal flow and abnormal flow, influence the classifier more, and make better decisions.
In summary, all five features have their own unique characteristics. To make full use of the characteristics of each feature, the feature values extracted by these five algorithms are each used as a five-dimensional-feature data set. Using these five feature values as training sets, two multiple-kernel learning models dominated by gradient ascent and gradient descent are trained into the algorithm, and the corresponding five-dimensional feature weight vectors are obtained. Finally, according to the framework of Figure 2, the classification results of the test set are obtained and are used to verify the effectiveness of the method. The parameters of M-SMKL are set as follows: $lr_1 = 2 * 10^{-5}$, $lr_2 = 2 * 10^{-3}$, $t_1 = 1.002$, $t_2 = 1.0065$, $t_3 = 1.007$, $p_1 = 0.000084$, and $p_2 = 0.000001$. The parameters of S-SMKL are set as follows: $lr_1 = 2 * 10^{-5}$, $lr_2 = 2 * 10^{-2}$, $t_4 = 73425$, $t_5 = 78340$, $t_6 = 78350$, $p_3 = 0.000775$, and $p_4 = 0.000680$. The size of the sliding window is 8. The parameters for multiple-kernel learning are all default values, and the kernel function includes two Gaussian functions and two polynomial functions. The SVM parameters are all default values, and the kernel function is a linear function. The experimental results are illustrated in Figures 10–18.

[Figure 9: The HIAD feature graph of DDoS attack flow and normal flow. x-axis: time (s); y-axis: the HIAD feature value (×10^4); series: the DDoS attack feature value, the normal feature value.]
As shown in Figures 10–18, under the three types of experiments, according to the three evaluation criteria, the overall performance of the algorithms from the highest to the lowest is the ADADM, the SVM method, the SMKL method, and Nezhad et al.'s method [16].

This is because, although the method described by Nezhad et al. [16] is visibly superior to other methods in terms of DR indicators, it is far worse than other methods with respect to other indicators. The reason is that the Nezhad et al. [16] method relies excessively on the first reference point. When the first reference point fluctuates, this method easily recognizes some normal samples as attack samples.

Although the classification accuracy of the attack samples is high, a large number of normal samples are misjudged, so this method is superior in terms of DR and its other indicators are inferior to those of other methods. This is why in this case the Nezhad et al. [16] method performs the worst. The effect of SVM is generally better than that of the SMKL method because, although the SMKL method coordinates multiple-kernel functions to map the sample to a high-dimensional Hilbert space, the linear kernel function is obviously more suitable for the sample. Using the linear kernel, SVM can establish a better hyperplane than the SMKL method to identify the data containing early DDoS attacks. However, although the multiple-kernel learning method does not use a linear kernel function that is more suitable for the sample space, it can still maintain high accuracy, indicating that multiple-kernel learning has a lower dependence on the selection of kernel functions than the single-kernel SVM.

[Figure 10: The DR contrast diagram of four algorithms for scaling attack flow and normal flow. x-axis: the value of multiplier; y-axis: the value of DR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].]

[Figure 11: The ER contrast diagram of four algorithms for scaling attack flow and normal flow. x-axis: the value of multiplier; y-axis: the value of ER; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].]

[Figure 12: The FR contrast diagram of four algorithms for scaling attack flow and normal flow. x-axis: the value of multiplier; y-axis: the value of FR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].]

[Figure 13: The DR contrast diagram of four algorithms for narrowing the attack flow. x-axis: the value of multiplier; y-axis: the value of DR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].]
We compared the ADADM to the SVM method. The ADADM method uses the same kernel function as the SMKL method. Because the multikernel learning method is flexible and adaptable, it is possible to continuously optimize the hyperplane by adjusting the weights of the feature of each dimension to recognize the DDoS as early as possible. Attack flow data and normal flow data are located on both sides of the hyperplane.

[Figure 14: The ER contrast diagram of four algorithms for narrowing the attack flow. x-axis: the value of multiplier; y-axis: the value of ER; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].]

[Figure 15: The FR contrast diagram of four algorithms for narrowing the attack flow. x-axis: the value of multiplier; y-axis: the value of FR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].]
In addition, using the idea of ensemble learning to train two different classifiers and using the sliding window mechanism to further synthesize the advantage of each classifier improves the algorithm's performance in the three types of experiments. The method we propose outperforms not only the SVM method but also other methods of DDoS attack detection. The experimental data are presented in Tables 1, 2, and 3.

[Figure 16: The DR contrast diagram of four algorithms for amplifying the normal flow. x-axis: the value of multiplier; y-axis: the value of DR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].]

[Figure 17: The ER contrast diagram of four algorithms for amplifying the normal flow. x-axis: the value of multiplier; y-axis: the value of ER; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].]
Table 1: Comparison results of four algorithms for scaling attack flow and normal flow. Columns give the value of the random multiplier.

| Method | Metric | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.1 | 1.0–1.5 | 1.5–2.0 | 2.0–3.0 | 3.0–4.0 | 4.0–5.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.57 | 78.57 | 78.57 | 78.57 | 78.21 | 78.21 | 78.21 | 78.21 | 78.57 |
| ADADM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| ADADM method | ER (%) | 12.22 | 12.22 | 12.22 | 12.22 | 12.42 | 12.42 | 12.42 | 12.42 | 12.22 |
| SimpleMKL method | DR (%) | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| SimpleMKL method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SimpleMKL method | ER (%) | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 77.50 | 77.50 | 77.86 | 77.86 | 76.79 | 77.50 | 77.86 | 76.79 | 77.86 |
| SVM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SVM method | ER (%) | 12.83 | 12.83 | 12.63 | 12.63 | 13.24 | 12.83 | 12.63 | 13.24 | 12.63 |
| Nezhad et al.'s [16] method | DR (%) | 98.21 | 97.85 | 98.21 | 97.85 | 98.21 | 98.21 | 98.21 | 97.85 | 98.21 |
| Nezhad et al.'s [16] method | FR (%) | 74.29 | 74.76 | 74.29 | 74.76 | 75.71 | 74.29 | 74.29 | 74.29 | 72.38 |
| Nezhad et al.'s [16] method | ER (%) | 32.92 | 33.33 | 32.92 | 33.33 | 33.54 | 32.92 | 32.92 | 33.13 | 32.11 |

Table 2: Comparison results of four algorithms for narrowing the attack flow. Columns give the value of the random multiplier.

| Method | Metric | 0.1–0.2 | 0.2–0.3 | 0.3–0.4 | 0.4–0.5 | 0.5–0.6 | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.21 | 78.21 | 78.21 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 |
| ADADM method | FR (%) | 10.99 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| ADADM method | ER (%) | 17.15 | 13.04 | 12.42 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 |
| SimpleMKL method | DR (%) | 75.71 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| SimpleMKL method | FR (%) | 22.75 | 4.74 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SimpleMKL method | ER (%) | 23.63 | 15.48 | 14.05 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 76.07 | 77.14 | 77.50 | 77.86 | 77.50 | 77.86 | 77.86 | 77.50 | 77.86 |
| SVM method | FR (%) | 22.75 | 4.74 | 1.42 | 0.47 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SVM method | ER (%) | 23.42 | 15.07 | 13.44 | 12.83 | 12.83 | 12.63 | 12.63 | 12.83 | 12.63 |
| Nezhad et al.'s [16] method | DR (%) | 97.13 | 97.85 | 98.57 | 98.21 | 98.57 | 98.57 | 98.21 | 98.21 | 97.85 |
| Nezhad et al.'s [16] method | FR (%) | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 |
| Nezhad et al.'s [16] method | ER (%) | 33.54 | 33.13 | 32.72 | 32.92 | 32.72 | 32.72 | 32.92 | 32.92 | 33.13 |

Table 3: Comparison results of four algorithms for amplifying the normal flow. Columns give the value of random multiplier.

| Method | Metric | 1.0–1.5 | 1.5–2.0 | 2.0–2.5 | 2.5–3.0 | 3.0–3.5 | 3.5–4.0 | 4.0–4.5 | 4.5–5.0 | 5.0–5.5 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 |
| ADADM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.47 | 1.42 | 1.90 | 4.74 | 6.64 | 10.43 |
| ADADM method | ER (%) | 12.02 | 12.02 | 12.02 | 12.22 | 12.63 | 12.83 | 14.05 | 14.87 | 16.50 |
| SimpleMKL method | DR (%) | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 |
| SimpleMKL method | FR (%) | 0.01 | 0.01 | 0.47 | 1.42 | 4.27 | 6.64 | 10.90 | 17.06 | 21.80 |
| SimpleMKL method | ER (%) | 13.04 | 13.04 | 13.24 | 13.65 | 14.87 | 15.89 | 17.72 | 20.37 | 22.40 |
| SVM method | DR (%) | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 |
| SVM method | FR (%) | 0.01 | 0.01 | 0.95 | 1.42 | 3.79 | 8.06 | 11.85 | 18.01 | 22.75 |
| SVM method | ER (%) | 12.63 | 12.63 | 13.04 | 13.24 | 14.26 | 16.09 | 17.72 | 20.37 | 22.40 |
| Nezhad et al.'s [16] method | DR (%) | 97.49 | 97.13 | 97.13 | 97.13 | 96.77 | 96.77 | 96.77 | 96.77 | 96.77 |
| Nezhad et al.'s [16] method | FR (%) | 65.24 | 65.24 | 66.19 | 66.67 | 66.67 | 66.67 | 67.14 | 67.14 | 67.62 |
| Nezhad et al.'s [16] method | ER (%) | 29.47 | 29.67 | 30.08 | 30.28 | 30.49 | 30.49 | 30.69 | 30.69 | 30.90 |

[Figure 18: The FR contrast diagram of four algorithms for amplifying the normal flow. x-axis: the value of multiplier; y-axis: the value of FR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].]

6. Conclusion

In this paper, five-dimensional features are defined for describing the burstiness of DDoS attack flows, the distribution of IP source addresses, and the interactivity of DDoS attack flows. Based on the five-dimensional features and the ensemble learning framework, adaptive feature weights are obtained, and the M-SMKL and S-SMKL multiple-kernel learning models are trained to detect DDoS attack. For identifying early attacks effectively, the sliding window mechanism is used to coordinate the S-SMKL and the M-SMKL to deal with the detection results. Experimental results show that, compared with similar methods, our method can produce more accurate results for detecting early DDoS attack.
In the follow-up work, we will further study how to transform the multidimensional weight adaptive problem based on multiple-kernel learning into a convex optimization problem and improve the detection rate and convergence speed of the method.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

There are no conflicts of interest in this paper.

Acknowledgments

This work was supported by the Hainan Provincial Natural Science Foundation of China [2018CXTD333, 617048], the National Natural Science Foundation of China [61762033, 61702539], Hainan University Doctor Start Fund Project [kyqd1328], and Hainan University Youth Fund Project [qnjj1444].
References
[1] Z. Cai, Z. Wang, K. Zheng, and J. Cao, "A Distributed TCAM coprocessor architecture for integrated longest prefix matching, policy filtering, and content filtering," IEEE Transactions on Computers, vol. 62, no. 3, pp. 417-427, 2013.
[2] J. H. Cui, Y. Y. Zhang, Z. P. Cai et al., "Securing display path for security-sensitive applications on mobile devices," Computer Materials & Continua, vol. 55, no. 1, pp. 17-35, 2018.
[3] S. Liu, Z. Cai, H. Xu, and M. Xu, "Towards security-aware virtual network embedding," Computer Networks, vol. 91, pp. 151-163, 2015.
[4] A. S. Pimpalkar and A. R. Bhagat Patil, "Detection and defense mechanisms against DDoS attacks," in Proceedings of the International Conference on Innovations in Information, Embedded and Communication Systems, pp. 1-6, IEEE, 2015.
[5] J. R. Cheng, R. M. Xu, and X. Y. Tang, "An Abnormal Network Flow Feature Sequence Prediction Approach for DDoS Attacks Detection in Big Data Environment," Computers, Materials & Continua, vol. 55, no. 1, pp. 95-119, 2018.
[6] N. Hoque, D. K. Bhattacharyya, and J. K. Kalita, "Botnet in DDoS attacks: trends and challenges," IEEE Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2242-2270, 2015.
[7] K. Zeb, O. Baig, and M. K. Asif, "DDoS attacks and countermeasures in cyberspace," in Proceedings of the 2015 2nd World Symposium on Web Applications and Networking, WSWAN '15, pp. 1-6, IEEE, 2015.
[8] J. Shen, Z. Gui, S. Ji, J. Shen, H. Tan, and Y. Tang, "Cloud-aided lightweight certificateless authentication protocol with anonymity for wireless body area networks," Journal of Network and Computer Applications, vol. 106, pp. 117-123, 2018.
[9] D. Kreutz, F. M. V. Ramos, P. E. Verissimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, "Software-defined networking: a comprehensive survey," Proceedings of the IEEE, vol. 103, no. 1, pp. 14-76, 2015.
[10] Z. Zhou, M. Dong, K. Ota, G. Wang, and L. T. Yang, "Energy-efficient resource allocation for d2d communications underlaying cloud-ran-based lte-a networks," IEEE Internet of Things Journal, vol. 3, no. 3, pp. 428-438, 2016.
[11] W. Lin, S. Xu, L. He, and J. Li, "Multi-resource scheduling and power simulation for cloud computing," Information Sciences, vol. 397-398, pp. 168-186, 2017.
[12] W. Jiang, G. Wang, M. Z. A. Bhuiyan, and J. Wu, "Understanding graph-based trust evaluation in online social networks: Methodologies and challenges," ACM Computing Surveys, vol. 49, no. 1, 2016.
[13] E. Luo, Q. Liu, and G. Wang, "Hierarchical Multi-Authority and Attribute-Based Encryption Friend Discovery Scheme in Mobile Social Networks," IEEE Communications Letters, vol. 20, no. 9, pp. 1772-1775, 2016.
[14] S. Peng, A. Yang, L. Cao, S. Yu, and D. Xie, "Social influence modeling using information theory in mobile social networks," Information Sciences, vol. 379, pp. 146-159, 2017.
[15] T. Peng, Q. Liu, D. Meng, and G. Wang, "Collaborative trajectory privacy preserving scheme in location-based services," Information Sciences, vol. 387, pp. 165-179, 2017.
[16] S. M. T. Nezhad, M. Nazari, and E. A. Gharavol, "A Novel DoS and DDoS Attacks Detection Algorithm Using ARIMA Time Series Model and Chaotic System in Computer Networks," IEEE Communications Letters, vol. 20, no. 4, pp. 700-703, 2016.
[17] R. H. Meng, S. G. Rice, and J. Wang, "A Fusion Steganographic Algorithm Based on Faster R-CNN," Computers, Materials & Continua, vol. 55, no. 1, pp. 1-16, 2018.
[18] L. Sun, Z. Li, Q. Yan, W. Srisa-an, and Y. Pan, "SigPID: significant permission identification for android malware detection," in Proceedings of the 2016 11th International Conference on Malicious and Unwanted Software (MALWARE '16), pp. 1-8, Fajardo, Puerto Rico, USA, October 2016.
[19] C. Yuan, X. Li, Q. M. J. Wu et al., "Fingerprint Liveness Detection from Different Fingerprint Materials Using Convolutional Neural Network and Principal Component Analysis," CMC: Computers, Materials & Continua, vol. 53, no. 3, pp. 357-371, 2017.
[20] M. I. Jordan and T. M. Mitchell, "Machine learning: trends, perspectives, and prospects," Science, vol. 349, no. 6245, pp. 255-260, 2015.
[21] Y. Li, G. Wang, L. Nie, Q. Wang, and W. Tan, "Distance metric optimization driven convolutional neural network for age invariant face recognition," Pattern Recognition, vol. 75, pp. 51-62, 2018.
[22] P. Li, J. Li, Z. Huang et al., "Multi-key privacy-preserving deep learning in cloud computing," Future Generation Computer Systems, vol. 74, pp. 76-85, 2017.
[23] T. Li, J. Li, Z. Liu, P. Li, and C. Jia, "Differentially private Naive Bayes learning over multiple data sources," Information Sciences, vol. 444, pp. 89-104, 2018.
[24] Z. Huang, S. Liu, X. Mao, K. Chen, and J. Li, "Insight of the protection for data security under selective opening attacks," Information Sciences, vol. 412-413, pp. 223-241, 2017.
[25] C. Gao, Q. Cheng, P. He, W. Susilo, and J. Li, "Privacy-preserving Naive Bayes classifiers secure against the substitution-then-comparison attack," Information Sciences, vol. 444, pp. 72-88, 2018.
[26] A. Saied, R. E. Overill, and T. Radzik, "Artificial neural networks in the detection of known and unknown DDoS attacks: proof-of-concept," in Proceedings of PAAMS 2014 International Workshops (PAAMS '14), Salamanca, Spain, 2014.
[27] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, "An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection," Pattern Recognition Letters, vol. 51, pp. 1-7, 2015.
[28] Z. Y. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, "A system for denial-of-service attack detection based on multivariate correlation analysis," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 447-456, 2014.
[29] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, "Discriminating DDoS attacks from flash crowds using flow correlation coefficient," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 6, pp. 1073-1080, 2012.
[30] A. Wang, A. Mohaisen, W. Chang, and S. Chen, "Delving into Internet DDoS Attacks by Botnets: Characterization and Analysis," in Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN '15, pp. 379-390, 2015.
[31] G. D. Kumar, C. V. G. Rao, M. K. Singh, and F. Ahmad, "Using Jpcap API to monitor, analyze, and report network traffic for DDoS attacks," in Proceedings of the 14th International Conference on Computational Science and Its Applications, ICCSA '14, vol. 39, p. 35, 2014.
[32] K. J. Singh, K. Thongam, and T. De, "Entropy-based application layer DDoS attack detection using artificial neural networks," Entropy, vol. 18, no. 10, 2016.
[33] A. Rukavitsyn, K. Borisenko, and A. Shorov, "Self-learning method for DDoS detection model in cloud computing," in Proceedings of the 2017 IEEE Russia Section Young Researchers in Electrical and Electronic Engineering Conference, ElConRus '17, pp. 544-547, 2017.
[34] H. Zhang, Z. Cai, Q. Liu et al., "A Survey on Security-Aware Measurement in SDN," Security and Communication Networks, vol. 2018, Article ID 2459154, 14 pages, 2018.
[35] J. Ashraf and S. Latif, "Handling intrusion and DDoS attacks in Software Defined Networks using machine learning techniques," in Proceedings of the 2014 National Software Engineering Conference, NSEC '14, pp. 55-60, Karachi, Pakistan, 2014.
[36] I. Mihai-Gabriel and P. Victor-Valeriu, "Achieving DDoS resiliency in a software defined network by intelligent risk assessment based on neural networks and danger theory," in Proceedings of the 15th IEEE International Symposium on Computational Intelligence and Informatics, CINTI '14, pp. 319-324, Hungary, 2014.
[37] Q. Yan, Q. Gong, and F. R. Yu, "Effective software-defined networking controller scheduling method to mitigate DDoS attacks," IEEE Electronics Letters, vol. 53, no. 7, pp. 469-471, 2017.
[38] T. Chin, X. Mountrouidou, X. Li, and K. Xiong, "Selective packet inspection to detect DoS flooding using software defined networking (SDN)," in Proceedings of the 2015 35th IEEE International Conference on Distributed Computing Systems Workshops, ICDCSW '15, pp. 95-99, 2015.
[39] N. Dayal and S. Srivastava, "Analyzing behavior of DDoS attacks to identify DDoS detection features in SDN," in Proceedings of the 9th International Conference on Communication Systems and Networks, COMSNETS '17, pp. 274-281, 2017.
[40] J. Ye, X. Cheng, J. Zhu, L. Feng, and L. Song, "A DDoS Attack Detection Method Based on SVM in Software Defined Network," Security and Communication Networks, vol. 2018, Article ID 9804061, 8 pages, 2018.
[41] J. Xu, L. Wei, Y. Zhang, A. Wang, F. Zhou, and C. Gao, "Dynamic Fully Homomorphic encryption-based Merkle Tree for lightweight streaming authenticated data structures," Journal of Network and Computer Applications, vol. 107, pp. 113-124, 2018.
[42] X. Zhang, Y. Tan, C. Liang, Y. Li, and J. Li, "A Covert Channel Over VoLTE via Adjusting Silence Periods," IEEE Access, vol. 6, pp. 9292-9302, 2018.
[43] Q. Lin, H. Yan, Z. Huang, W. Chen, J. Shen, and Y. Tang, "An ID-based linearly homomorphic signature scheme and its application in blockchain," IEEE Access, vol. 6, no. 1, pp. 20632-20640, 2018.
[44] Q. Lin, J. Li, Z. Huang, W. Chen, and J. Shen, "A short linearly homomorphic proxy signature scheme," IEEE Access, vol. 6, pp. 12966-12972, 2018.
[45] J. Cheng, X. Tang, and J. Yin, "A change-point DDoS attack detection method based on half interaction anomaly degree," International Journal of Autonomous and Adaptive Communications Systems, vol. 10, no. 1, pp. 38-54, 2017.
[46] J. R. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, "DDoS Attack Detection Using IP Address Feature Interaction," in Proceedings of the 2009 International Conference on Intelligent Networking and Collaborative Systems (INCOS '09), pp. 113-118, 2009.
[47] J. Cheng, B. Zhang, J. Yin et al., "DDoS Attack Detection Using Three-State Partition Based on Flow Interaction," Communications in Computer & Information Science, vol. 29, no. 4, pp. 176-184, 2009.
[48] J. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, "Detecting Distributed Denial of Service Attack Based on Multi-feature Fusion," in Security Technology, vol. 58, pp. 132-139, 2009.
[49] J. R. Cheng, X. Tang, X. Zhu, and J. Yin, "Distributed denial of service attack detection based on IP Flow Interaction," in Proceedings of the 2011 International Conference on E-Business and E-Government (ICEE '11), pp. 1-4, 2011.
[50] J. Cheng, J. Yin, and L. Yun, "Detecting Distributed Denial of Service Attack Based on Address Correlation Value," Journal of Computer Research & Development, vol. 46, no. 8, pp. 1334-1340, 2009.
[51] J. Cheng, J. Zhou, X. Tang, and J. Shi, "A distributed denial of service attack detection method based on time series prediction model," Network Security Technology and Application, vol. 10, pp. 71-89, 2016.
[52] A. Rakotomamonjy, F. R. Bach, S. Canu, and Y. Grandvalet, "Simple MKL," Journal of Machine Learning Research, vol. 9, no. 3, pp. 2491-2521, 2008.
[53] The Cooperative Association for Internet Data Analysis, The Caida Ucsd DDoS Attack 2007, http://www.caida.org/data/passive/ddos-20070804_dataset.xml.
IP address $A_i$ which do not exist in class $\mathit{IPS}(A_i)$ and exist in class $\mathit{IPD}(A_i)$ are denoted as $\mathit{DH}(A_i)$. The number of the different ports in $\mathit{DH}(A_i)$ is denoted as $\mathit{Port}(\mathit{DH}(A_i))$.

Definition 1. If there are different destination IP addresses $A_j$ and $A_k$ making classes $\mathit{SD}(A_i, A_j)$ and $\mathit{SD}(A_i, A_k)$ both non-null, then delete the class where all source IP address $A_i$ packets reside.

Assume that the last remaining classes are denoted as $\mathit{ACS}_1, \mathit{ACS}_2, \ldots, \mathit{ACS}_m$ and are statistically calculated to gain the ACD. The detailed formulation is as follows:

$$\mathit{ACD}_F = \sum_{i=1}^{m} W(\mathit{ACS}_i) \tag{1}$$

In this part, $W(\mathit{ACS}_i) = \theta_1 \mathit{Port}(\mathit{ACS}_i) + (1 - \theta_1)\mathit{Packet}(\mathit{ACS}_i)$ $(0 < \theta_1 < 1)$, where $\mathit{Port}(\mathit{ACS}_i)$ is the number of different ports in class $\mathit{ACS}_i$, $\mathit{Packet}(\mathit{ACS}_i)$ is the number of data packets in class $\mathit{ACS}_i$, and $\theta_1$ is the weighted value.
Definition 2. If all the packets whose destination IP address is $A_j$ form the unique class $\mathit{SD}(A_i, A_j)$, delete the class where the packet with the destination IP address is $A_j$.

Assume that the last remaining classes are denoted as $\mathit{SDS}_1, \mathit{SDS}_2, \ldots, \mathit{SDS}_l$, all packets in these remaining classes with the destination IP address $A_j$ are denoted as $\mathit{SDD}(A_j)$, and all the classes are denoted as $\mathit{SDD}_1, \mathit{SDD}_2, \ldots, \mathit{SDD}_m$. The FFV is defined as follows:

$$\mathit{FFV}_F = \left( \sum_{i=1}^{m} \mathit{CIP}(\mathit{SDD}_i) - m \right) \tag{2}$$

$\mathit{CIP}(\mathit{SDD}_i)$ in formula (2) is presented as follows:

$$\mathit{CIP}(\mathit{SDD}_i) = \mathit{Num}(\mathit{SDD}_i) + \theta_2 \sum_{j=1}^{\mathit{Num}(\mathit{SDD}_i)} \mathit{OA}(\mathit{Pack}(A_j)) + (1 - \theta_2)\left(\mathit{OB}(\mathit{Port}(\mathit{SDD}_i)) - 1\right) \tag{3}$$

In this equation, $0 \le \theta_2 \le 1$ and $\mathit{Num}(\mathit{SDD}_i)$ is the number of different source IP addresses in $\mathit{SDD}_i$.

$$\mathit{OA}(\mathit{Pack}(A_j)) = \begin{cases} \mathit{Pack}(A_j), & \mathit{Pack}(A_j)/\Delta t > \theta_3 \\ 0, & \mathit{Pack}(A_j)/\Delta t \le \theta_3 \end{cases} \tag{4}$$

$\mathit{Pack}(A_j)$ is the number of source IP addresses $A_j$ in $\mathit{SDD}_i$, and $\theta_3$ is the threshold of the number of packets.

$$\mathit{OB}(\mathit{Port}(\mathit{SDD}_i)) = \begin{cases} \mathit{Port}(\mathit{SDD}_i), & \mathit{Port}(\mathit{SDD}_i)/\Delta t > \theta_4 \\ 0, & \mathit{Port}(\mathit{SDD}_i)/\Delta t \le \theta_4 \end{cases} \tag{5}$$

$\mathit{Port}(\mathit{SDD}_i)$ is the number of different destination ports in $\mathit{SDD}_i$, $\theta_4$ is the threshold of the number of ports, and $\Delta t$ is the sampling time.
Definition 3. Assume that the IF flow is $\mathit{IF}_1, \mathit{IF}_2, \ldots, \mathit{IF}_M$, the SH class is denoted as $\mathit{SH}_1, \mathit{SH}_2, \ldots, \mathit{SH}_S$, and the DH class is denoted as $\mathit{DH}_1, \mathit{DH}_2, \ldots, \mathit{DH}_D$. Then define IBF as follows:

$$\mathit{IBF} = \frac{1}{M + 1}\left( |S - D| + \sum_{i=1}^{S} \mathit{over}(\mathit{Port}(\mathit{SH}_i)) + \sum_{i=1}^{D} \mathit{over}(\mathit{Port}(\mathit{DH}_i)) \right) \tag{6}$$

$$\mathit{over}(x) = \begin{cases} x, & x/\Delta t > \theta_5 \\ 0, & x/\Delta t \le \theta_5 \end{cases}$$

where $\theta_5$ is the threshold of the amount of port, $M$ in formula (6) is the number of IF flows within $\Delta t$, and $|S - D|$ is the absolute value of the difference between the number of source IP addresses and the number of destination IP addresses for all SH and DH flows in $\Delta t$.

Definition 4. Assume that the resulting SD classes are $\mathit{SD}_1, \mathit{SD}_2, \cdots, \mathit{SD}_l$ and IF classes are $\mathit{IF}_1, \mathit{IF}_2, \cdots, \mathit{IF}_M$. The number of packets of source IP address $A_i$ in class $\mathit{IF}_i$ is denoted as $\mathit{Sn}_i$, where $i = 1, 2, \ldots, M$; the number of packets of all interworking flow classes is denoted as SN; and the source semi-interactive flow class is denoted as $\mathit{SH}_1, \mathit{SH}_2, \cdots, \mathit{SH}_S$. The number of different ports in class $\mathit{SH}_i$ is denoted as $\mathit{Port}(\mathit{SH}_i)$, where $i = 1, 2, \ldots, S$; the destination semi-interactive class is denoted as $\mathit{DH}_1, \mathit{DH}_2, \cdots, \mathit{DH}_D$; and the number of different ports in class $\mathit{DH}_i$ is denoted as $\mathit{Port}(\mathit{DH}_i)$, where $i = 1, 2, \ldots, D$.
The weighted value of all packets in SH class is defined as follows:

$$\mathit{Weight}_{SH} = \sum_{i=1}^{S} \mathit{over}_{sh}(\mathit{Packet}(\mathit{SH}_i)) \tag{7}$$

The weighted value of all packets in SD classes is defined as follows:

$$\mathit{Weight}_{SD} = \sum_{i=1}^{l} \mathit{over}_{sd}(\mathit{Packet}(\mathit{SD}_i)) \tag{8}$$

The weighted value of the number of packets of network flow F in unit time T is as follows:

$$\mathit{Weight}_{packet} = \mathit{flag}(\mathit{Weight}_{SD})\,\mathit{Weight}_{SD} + \mathit{Weight}_{SD} \tag{9}$$

In these equations,

$$\mathit{over}_{sh}(x) = \begin{cases} x, & x/\Delta t > \theta_6 \\ 0, & x/\Delta t \le \theta_6 \end{cases} \qquad \mathit{over}_{sd}(x) = \begin{cases} x, & x/\Delta t > \theta_7 \\ 0, & x/\Delta t \le \theta_7 \end{cases} \qquad \mathit{flag}(x) = \begin{cases} 0, & x > 0 \\ 1, & x = 0 \end{cases} \tag{10}$$
$\Delta t$ is sampling time, and $\theta_6$ and $\theta_7$ are SH-type packet number abnormality thresholds. $\mathit{Packet}(\mathit{SD}_i)$ is the number of packets in $\mathit{SD}_i$, $i = 1, 2, \ldots, n$. The weighted value of the number of different ports in the SH and DH classes is as follows:

$$\mathit{Weight}_{port} = \sum_{i=1}^{S} \mathit{over}_{p}(\mathit{Port}(\mathit{SH}_i)) + \sum_{j=1}^{D} \mathit{over}_{p}(\mathit{Port}(\mathit{DH}_j)) \tag{11}$$

where $\mathit{over}_{p}(x) = \begin{cases} x, & x/\Delta t > \theta_8 \\ 0, & x/\Delta t \le \theta_8 \end{cases}$, $\Delta t$ is sampling time, and $\theta_8$ is the SH-type port number abnormality threshold.

In this part we define the MFF as follows:

$$\mathit{MFF}_F = \frac{S + \mathit{Weight}_{port} + \mathit{Weight}_{packet}}{M + 1} \tag{12}$$

where $f(x) = \begin{cases} x, & x \ge 1 \\ 1, & x \le 1 \end{cases}$

Definition 5. The number of SH flows with different source IP addresses and the same destination IP address $A_i$ is denoted as $hn_i$. The SH class with the same destination IP address $A_i$ flow is denoted as $\mathit{HSD}(hn_i, A_i)$, where $i = 1, 2, \ldots, n$.

Assume that all HSD classes are $\mathit{HSD}_1, \mathit{HSD}_2, \cdots, \mathit{HSD}_k$ and the number of different destination ports in the class $\mathit{HSD}_i$ is expressed as $\mathit{Port}(\mathit{HSD}_i)$, where $i = 1, 2, \ldots, k$. The HIAD is defined as follows:

$$\mathit{HIAD}_F = \left( \sum_{i=1}^{k} \left( hn_i + \mathit{weight}(\mathit{Port}(\mathit{HSD}_i)) \right) \right) \tag{13}$$

In (13), $\mathit{weight}(x) = \begin{cases} x, & x/\Delta t > \theta_9 \\ 0, & x/\Delta t \le \theta_9 \end{cases}$, $\Delta t$ is sampling time, and $\theta_9$ is the threshold for different destination ports.
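Definition 5 and formula (13) computed over one sampling window, as an added example that is not code from the paper. The packet tuples, the values chosen for $\Delta t$ and $\theta_9$, and the reading of an SH flow as a source-to-destination flow with no reverse traffic inside the window are assumptions made for this sketch.

```python
from collections import defaultdict

# Constructed packet records for one sampling window: (src_ip, dst_ip, dst_port).
# Addresses come from the RFC 5737 documentation ranges.
WINDOW = [
    # Two-way conversation: neither direction is a half-interaction flow.
    ("198.51.100.10", "192.0.2.80", 443),
    ("192.0.2.80", "198.51.100.10", 51512),
    # One-way traffic converging on 192.0.2.53 from several sources and ports.
    ("203.0.113.1", "192.0.2.53", 1001),
    ("203.0.113.2", "192.0.2.53", 1002),
    ("203.0.113.3", "192.0.2.53", 1003),
    ("203.0.113.4", "192.0.2.53", 1004),
    ("203.0.113.1", "192.0.2.53", 1005),
    # A single unanswered flow to another host.
    ("198.51.100.77", "192.0.2.25", 25),
]


def half_interaction_flows(packets):
    """Assumed SH definition: src sent to dst and dst sent nothing back."""
    directed = {(src, dst) for src, dst, _ in packets}
    return {(s, d) for (s, d) in directed if (d, s) not in directed}


def hsd_classes(packets):
    """Group SH flows by destination address A_i, giving HSD(hn_i, A_i)."""
    sh = half_interaction_flows(packets)
    classes = defaultdict(lambda: {"sources": set(), "ports": set()})
    for src, dst, dport in packets:
        if (src, dst) in sh:
            classes[dst]["sources"].add(src)   # distinct sources give hn_i
            classes[dst]["ports"].add(dport)   # distinct ports give Port(HSD_i)
    return dict(classes)


def weight(x, dt, theta9):
    """Threshold function of (13): keep x only if its rate x/dt exceeds theta9."""
    return x if x / dt > theta9 else 0


def hiad(packets, dt, theta9):
    """Formula (13): sum over HSD classes of hn_i + weight(Port(HSD_i))."""
    total = 0
    for cls in hsd_classes(packets).values():
        hn = len(cls["sources"])
        total += hn + weight(len(cls["ports"]), dt, theta9)
    return total


if __name__ == "__main__":
    for dst, cls in sorted(hsd_classes(WINDOW).items()):
        print(dst, "hn =", len(cls["sources"]), "ports =", len(cls["ports"]))
    print("HIAD (dt=1, theta9=3):", hiad(WINDOW, 1.0, 3))
    print("HIAD (dt=2, theta9=3):", hiad(WINDOW, 2.0, 3))
    print("HIAD, two-way traffic only:", hiad(WINDOW[:2], 1.0, 3))
```

The port term only contributes once the per-window port rate crosses $\theta_9$, so the same packets yield a lower HIAD when the window is longer or the threshold is higher.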
4. The DDoS Attack Detection Model

The establishment of an attack detection model is an important part of the whole detection process. Based on the behavior of DDoS attack, we extract ACD, IBF, MFF, HIAD, and FFV features to express the inherent rules of attack flows. The disadvantages of the current DDoS attack detection models are summarized as follows: (1) some models highly depend on the selection of kernel function; (2) some models require data with highly stable value; (3) some models can only fit linear rules, but DDoS attack can generate linearly inseparable data due to abrupt, unstable, and stochastic characteristics. Considering that the multiple-kernel learning model has a low requirement for data stability, can be used for nonlinear fitting, and can flexibly treat linear and nonlinear data, this paper proposes an adaptive DDoS attack detection method based on the ensemble learning framework.

4.1. The Multiple-Kernel Learning Model

The multiple-kernel learning (MKL) model is developed from the original single-kernel SVM. In single-kernel SVM, an SVM only uses one kernel function to map the sample to high-dimensional spaces. By comparison, the multiple-kernel learning model uses multiple kernel functions with weights to map the sample to high-dimensional space. Therefore, it has higher flexibility and adaptability on heterogeneous data.
The multiple-kernel learning is defined as follows: given training set $T = \{(x_1, y_1), (x_2, y_2), \cdots, (x_n, y_n)\}$, testing set $C = \{x'_1, x'_2, \cdots, x'_s\}$, $x_i \in R^d$, $x'_k \in R^d$, $y_i \in \{-1, +1\}$, $R$ is the real-number set, $d$ is the data dimension, $i = 1, 2, \cdots, n$, $k = 1, 2, \cdots, s$. $K_1(x, x'), K_2(x, x'), \cdots, K_M(x, x')$ are kernel functions in $R^d \times R^d$, and $\phi_1, \phi_2, \cdots, \phi_M$ is a kernel mapping for each function. In the classic multiple-kernel learning SimpleMKL [52], the objective function of the hyperplane is as follows:

$$f(x) = \sum_{m=1}^{M} \langle \omega_m, \phi_m(x) \rangle + b \tag{14}$$

where $\omega_m$ is the weight for each kernel function and $b$ is bias. The relaxation factor is $\xi$. According to the principle of minimum structure, the objective function can be optimized as follows:

$$\min \psi(\omega_m, b, \xi, d) = \frac{1}{2}\sum_{m=1}^{M} \frac{1}{d_m}\left\|\omega_m\right\|_{H_m}^{2} + C\sum_{i=1}^{n} \xi_i \tag{15}$$

$$\text{s.t.}\quad y_i \sum_{m=1}^{M} \omega_m \cdot \phi_m(x_i) + y_i b \ge 1 - \xi_i, \quad \sum_{m=1}^{M} d_m = 1, \quad d_m \ge 0, \quad \xi_i \ge 0 \tag{16}$$
By the two-order alternation optimization, the formula (15) can be converted to the optimization problem with $d_m$ as the variable:

$$\min_{d \ge 0} J(d), \quad \sum_{m=1}^{M} d_m = 1 \tag{17}$$

$$\text{s.t.}\quad \min_{\omega_m, b, \xi} = \frac{1}{2}\sum_{m=1}^{M} \frac{1}{d_m}\left\|\omega_m\right\|_{H_m}^{2} + C\sum_{i=1}^{n} \xi_i, \quad y_i \sum_{m=1}^{M} \omega_m \cdot \phi_m(x_i) + y_i b \ge 1 - \xi_i, \quad \xi_i \ge 0 \tag{18}$$
The Lagrange function of $J(d)$ is as follows:

$$L = \frac{1}{2}\sum_{m=1}^{M} \frac{1}{d_m}\left\|\omega_m\right\|_{H_m}^{2} + C\sum_{i=1}^{n} \xi_i + \sum_{i=1}^{m} \alpha_i \left(1 - \xi_i - y_i \sum_{m=1}^{M} \omega_m \cdot \phi_m(x_i) + y_i b\right) + \sum_{i=1}^{n} \nu_i \xi_i \tag{19}$$
where $\alpha_i$, $\nu_i$ are Lagrange operators. First, $\omega_m$, $b$, $\xi_i$ are calculated for partial derivatives. Then the extremums are gained when the partial derivatives are "0". Finally, extremums are brought into the Lagrange function, which can be further changed to

$$\max Q(\alpha) = -\frac{1}{2}\sum_{i,j=1}^{m} \alpha_i \alpha_j y_i y_j K_d(x_i, x_j) + \sum_{i=1}^{n} \alpha_i \tag{20}$$

$$\text{s.t.}\quad \sum_{i}^{n} \alpha_i y_i = 0, \quad C \ge \alpha_i \ge 0, \quad K_d(x_i, x_j) = \sum_{m=1}^{M} d_m k_m(x_i, x_j) \tag{21}$$
The gradient descent method is used to adjust $J(d)$ on $d$, update $d$, and optimize $d$ as well as $\alpha$ alternately. Then an optimal solution $\alpha^* = (\alpha_1, \alpha_2, \cdots, \alpha_n)$ is obtained; that is, the original objective function eventually turns into (22). The detailed formulation is as follows:

$$f(x) = \sum_{i=1}^{n} \alpha_i^* y_i \sum_{m=1}^{M} d_m K_d(x_i, x_j) + b \tag{22}$$

$x_j \in C$. When the test set data $x_j$ is input to $f(x)$, the objective function can determine the category of the test set data.
4.2. The Attack Detection Model Based on Multiple-Kernel Learning

The SimpleMKL model is suited to the case where all dimension weight values are "1", but it cannot fully exploit the different features. This paper uses the feature weights to control the effect of different features on the model. To gain the appropriate feature weights in the SimpleMKL model, we combine the gradient method to optimize the weight parameters so that the detection accuracy is further improved.

We marked ACD as $x_1$, IBF as $x_2$, MFF as $x_3$, HIAD as $x_4$, and FFV as $x_5$; then the feature value vector is $F = (x_1, x_2, x_3, x_4, x_5)$ and the marked weight vector is $W = (w_1, w_2, w_3, w_4, w_5)$. Combinatorial features are $CF = F \ast W^T$, and the mean value of each dimension of normal flow is $u_{11}$, $u_{12}$, $u_{13}$, $u_{14}$, or $u_{15}$. Note the mean value of each dimension of the attack flow is $u_{21}$, $u_{22}$, $u_{23}$, $u_{24}$, or $u_{25}$.
The interclass mean squared difference is expressed as follows:

$$M = [w_1 \ast (u_{11} - u_{21})]^2 + [w_2 \ast (u_{12} - u_{22})]^2 + [w_3 \ast (u_{13} - u_{23})]^2 + [w_4 \ast (u_{14} - u_{24})]^2 + [w_5 \ast (u_{15} - u_{25})]^2 \tag{23}$$

The normal intraclass variance is denoted

$$S_1 = \sum_{i=1}^{n} \Bigl\{ [w_1 \ast (x_{i1} - u_{11})]^2 + [w_2 \ast (x_{i2} - u_{12})]^2 + [w_3 \ast (x_{i3} - u_{13})]^2 + [w_4 \ast (x_{i4} - u_{14})]^2 + [w_5 \ast (x_{i5} - u_{15})]^2 \Bigr\} \tag{24}$$

The attack intraclass variance is denoted

$$S_2 = \sum_{i=1}^{n} \Bigl\{ [w_1 \ast (x_{i1} - u_{21})]^2 + [w_2 \ast (x_{i2} - u_{22})]^2 + [w_3 \ast (x_{i3} - u_{23})]^2 + [w_4 \ast (x_{i4} - u_{24})]^2 + [w_5 \ast (x_{i5} - u_{25})]^2 \Bigr\} \tag{25}$$
The intraclass variance is $S = S_1 + S_2$. To improve classification accuracy and ensure a rapid convergence of functions, on the one hand, we should try to improve the mean difference between positive and negative samples so that the two kinds of samples are far away from each other; that is, we should increase the $M$ value. On the other hand, we should minimize the differences between samples. The variance corresponding to each dimension should be as small as possible, thus reducing the $S$ value. Therefore, the classification model needs to train two different classifiers to classify the samples. One classifier is interclass mean squared difference growth (M-SMKL) and the other classifier is intraclass variance descent (S-SMKL). In combination with the SimpleMKL framework formula (15), the above problems can be transformed into (26). The detailed formulation is as follows:

$$\max_{x_{ij} \in F} \alpha M + \min_{x_{ij} \in F} \beta S, \qquad \min \psi(\omega_m, b, \xi, d, w) = \frac{1}{2}\sum_{m=1}^{M} \frac{1}{d_m}\left\|\omega_m\right\|_{H_m}^{2} + C\sum_{i=1}^{n} \xi_i \tag{26}$$

$$\text{s.t.}\quad y_i \sum_{m=1}^{M} \omega_m \cdot \phi_m(w x_i) + y_i b \ge 1 - \xi_i, \quad \sum_{m=1}^{M} d_m = 1, \quad d_m \ge 0, \quad \xi_i \ge 0, \quad M < \sigma_1, \quad S > \sigma_1 \tag{27}$$

If $\alpha \gg \beta$, the objective function is M-SMKL. If $\beta \gg \alpha$, the objective function is S-SMKL. $\alpha$ and $\beta$ are converted to the learning rate of formula (35).
To solve the above problems, we use the way of updating iterative weights to get the objective function. The details are as follows. Firstly, the weights of each feature are assigned initial values. Secondly, they are combined with (26) and (27) to gain the optimal function of this time. The mathematical form is expressed as follows:
$$\max Q(\alpha) = -\frac{1}{2}\sum_{i,j=1}^{m} \alpha_i \alpha_j y_i y_j K_d(w x_i, w x_j) + \sum_{i=1}^{n} \alpha_i \tag{28}$$

$$\text{s.t.}\quad \sum_{i}^{n} \alpha_i y_i = 0, \quad C \ge \alpha_i \ge 0, \quad K_d(w x_i, w x_j) = \sum_{m=1}^{M} d_m k_m(w x_i, w x_j) \tag{29}$$
The optimal equation obtained using (28) and (29) is as follows:

$$f(x) = \sum_{i=1}^{n} \alpha_i^* y_i \sum_{m=1}^{M} d_m K_d(w x_i, w x_j) + b \tag{30}$$
To further determine whether the optimal equation has achieved good results, this paper sets two constraint conditions for M-SMKL and S-SMKL, respectively, without conflict with the constraint conditions of formula (27). These constraint conditions are expressed as follows.

The constraint conditions of M-SMKL are as follows:

$$\begin{aligned} & t_1 < \left|M_{i+1} - M_i\right| < t_2 < \left|M_i - M_{i-1}\right| < t_3 \\ & f(M_i) f(S_i) - f(M_{i-1}) f(S_{i-1}) > p_1 \\ & f(M_i) f(S_i) - f(M_{i+1}) f(S_{i+1}) > p_2 \end{aligned} \tag{31}$$

The constraint conditions of S-SMKL are as follows:

$$\begin{aligned} & t_4 < \left|S_i - S_{i-1}\right| < t_5 < \left|S_{i+1} - S_i\right| < t_6 \\ & f(M_i) f(S_i) - f(M_{i-1}) f(S_{i-1}) > p_3 \\ & f(M_i) f(S_i) - f(M_{i+1}) f(S_{i+1}) > p_4 \end{aligned} \tag{32}$$

where the values of $p_1$, $p_2$, $p_3$, and $p_4$ are close to "0", the values of $t_1$, $t_2$, and $t_3$ are close to "1", and the values of $t_4$, $t_5$, and $t_6$ are close to "75". If the constraint condition is satisfied, the algorithm will be stopped and formula (30) will become the optimal function; otherwise each dimension weight will be updated iteratively. The gradient of $M$ and $S$ corresponding to each dimension weight is as follows:
$$\begin{aligned} \frac{\partial M}{\partial w_1} &= 2 w_1 (u_{11} - u_{21})^2 \\ \frac{\partial M}{\partial w_2} &= 2 w_2 (u_{12} - u_{22})^2 \\ \frac{\partial M}{\partial w_3} &= 2 w_3 (u_{13} - u_{23})^2 \\ \frac{\partial M}{\partial w_4} &= 2 w_4 (u_{14} - u_{24})^2 \\ \frac{\partial M}{\partial w_5} &= 2 w_5 (u_{15} - u_{25})^2 \end{aligned} \tag{33}$$

$$\begin{aligned} \frac{\partial S}{\partial w_1} &= 2\left[ w_1 \left( \sum_{i=1}^{n_1} x_{11}^2 - n_1 u_{11}^2 \right) + w_1 \left( \sum_{i=1}^{n_2} x_{21}^2 - n_2 u_{21}^2 \right) \right] \\ \frac{\partial S}{\partial w_2} &= 2\left[ w_2 \left( \sum_{i=1}^{n_1} x_{12}^2 - n_1 u_{12}^2 \right) + w_2 \left( \sum_{i=1}^{n_2} x_{22}^2 - n_2 u_{22}^2 \right) \right] \\ \frac{\partial S}{\partial w_3} &= 2\left[ w_3 \left( \sum_{i=1}^{n_1} x_{13}^2 - n_1 u_{13}^2 \right) + w_3 \left( \sum_{i=1}^{n_2} x_{23}^2 - n_2 u_{23}^2 \right) \right] \\ \frac{\partial S}{\partial w_4} &= 2\left[ w_4 \left( \sum_{i=1}^{n_1} x_{14}^2 - n_1 u_{14}^2 \right) + w_4 \left( \sum_{i=1}^{n_2} x_{24}^2 - n_2 u_{24}^2 \right) \right] \\ \frac{\partial S}{\partial w_5} &= 2\left[ w_5 \left( \sum_{i=1}^{n_1} x_{15}^2 - n_1 u_{15}^2 \right) + w_5 \left( \sum_{i=1}^{n_2} x_{25}^2 - n_2 u_{25}^2 \right) \right] \end{aligned} \tag{34}$$
where $n_1$ is the number of normal flow features in the training sample and $n_2$ is the number of attack flow features in the training sample. According to the gradients in (33) and (34), the weight of each dimension is updated as follows:

$$
\begin{aligned}
w_1 &= w_1 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_1} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_1}, \\
w_2 &= w_2 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_2} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_2}, \\
w_3 &= w_3 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_3} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_3}, \\
w_4 &= w_4 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_4} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_4}, \\
w_5 &= w_5 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_5} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_5},
\end{aligned}
\tag{35}
$$

where $lr_1$ is the learning rate of gradient ascent and $lr_2$ is the learning rate of gradient descent; $lr_1$ has the same function as $\alpha$, and $lr_2$ has the same function as $\beta$. Each updated weight is multiplied by the corresponding original feature, and the next round of iteration is carried out.

Figure 1: Flow chart of multiple-kernel learning training process based on ensemble learning.
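Equations (33)–(35) scale each weight by a per-dimension factor, which the following added example (not the authors' code) runs on constructed, normalised samples with the learning rates the paper reports for M-SMKL and S-SMKL in Section 5.2. It assumes that M and S are the functions whose partial derivatives are (33) and (34), and it uses a fixed step count in place of the stopping constraints, which depend on formula (30).

```python
# Added illustration of equations (33)-(35); not the authors' MATLAB code.
# Sample data are constructed; the fixed step count is an assumption that
# replaces the paper's stopping constraints.


def column_means(rows):
    """Per-feature mean u_kj of one class (rows = samples, columns = features)."""
    n = len(rows)
    return [sum(r[j] for r in rows) / n for j in range(len(rows[0]))]


def scatter(rows, means):
    """Per-feature sum_i x_ij^2 - n * u_j^2, the bracketed terms in (34)."""
    n = len(rows)
    return [sum(r[j] ** 2 for r in rows) - n * means[j] ** 2
            for j in range(len(means))]


def m_value(w, u1, u2):
    """Assumed form of M: the function whose partial derivatives are (33)."""
    return sum((wj * (a - b)) ** 2 for wj, a, b in zip(w, u1, u2))


def s_value(w, s1, s2):
    """Assumed form of S: the function whose partial derivatives are (34)."""
    return sum(wj ** 2 * (a + b) for wj, a, b in zip(w, s1, s2))


def grad_m(w, u1, u2):
    """Equation (33): dM/dw_j = 2 w_j (u_1j - u_2j)^2."""
    return [2.0 * wj * (a - b) ** 2 for wj, a, b in zip(w, u1, u2)]


def grad_s(w, s1, s2):
    """Equation (34): dS/dw_j = 2 [w_j * scatter_1j + w_j * scatter_2j]."""
    return [2.0 * (wj * a + wj * b) for wj, a, b in zip(w, s1, s2)]


def train_weights(normal, attack, lr1, lr2, steps, w0=None):
    """Apply update (35) `steps` times and return the final weight vector."""
    u1, u2 = column_means(normal), column_means(attack)
    s1, s2 = scatter(normal, u1), scatter(attack, u2)
    w = list(w0) if w0 else [1.0] * len(u1)
    for _ in range(steps):
        gm, gs = grad_m(w, u1, u2), grad_s(w, s1, s2)
        w = [wj + 2 * lr1 * m - 2 * lr2 * s for wj, m, s in zip(w, gm, gs)]
    return w


def max_gradient_error(normal, attack, w, h=1e-4):
    """Largest gap between (33)/(34) and central finite differences of M and S."""
    u1, u2 = column_means(normal), column_means(attack)
    s1, s2 = scatter(normal, u1), scatter(attack, u2)
    gm, gs = grad_m(w, u1, u2), grad_s(w, s1, s2)
    worst = 0.0
    for j in range(len(w)):
        up = w[:j] + [w[j] + h] + w[j + 1:]
        dn = w[:j] + [w[j] - h] + w[j + 1:]
        num_m = (m_value(up, u1, u2) - m_value(dn, u1, u2)) / (2 * h)
        num_s = (s_value(up, s1, s2) - s_value(dn, s1, s2)) / (2 * h)
        worst = max(worst, abs(num_m - gm[j]), abs(num_s - gs[j]))
    return worst


# Constructed samples: features 0-3 separate the two classes with little
# spread; feature 4 is noise whose class means are almost identical.
NORMAL_FLOW = [
    [0.10, 0.20, 0.15, 0.30, 0.50],
    [0.12, 0.25, 0.10, 0.35, 0.10],
    [0.08, 0.22, 0.12, 0.28, 0.90],
    [0.10, 0.21, 0.13, 0.31, 0.30],
]
ATTACK_FLOW = [
    [0.90, 0.60, 0.80, 0.70, 0.40],
    [0.88, 0.65, 0.85, 0.72, 0.95],
    [0.92, 0.58, 0.78, 0.69, 0.05],
    [0.90, 0.61, 0.81, 0.73, 0.60],
]

if __name__ == "__main__":
    w_m = train_weights(NORMAL_FLOW, ATTACK_FLOW, 2e-5, 2e-3, steps=200)
    w_s = train_weights(NORMAL_FLOW, ATTACK_FLOW, 2e-5, 2e-2, steps=200)
    print("M-SMKL rates:", [round(x, 4) for x in w_m])
    print("S-SMKL rates:", [round(x, 4) for x in w_s])
```

Each step multiplies $w_j$ by $1 + 4\,lr_1 (u_{1j} - u_{2j})^2 - 4\,lr_2 s_j$, where $s_j$ is the summed within-class scatter of feature $j$, so a well-separated, low-scatter feature gains weight while a noisy one decays.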
4.3 Framework of Multiple-Kernel Learning Detection Based on Ensemble Learning

We input the multidimensional data with weights and set the learning rates. Then two different classifiers are trained: M-SMKL is trained mainly by increasing the M value and secondarily by reducing the S value, and S-SMKL is trained mainly by reducing the S value and secondarily by increasing the M value. During the training process, the M value and the S value are constantly updated by gradient ascent and gradient descent until the constraint conditions are met. The flowchart is provided in Figure 1.
The detection process is as follows: firstly, the test data are multiplied by the two different weight vectors that were trained earlier; secondly, the calculated data are input to the corresponding M-SMKL and S-SMKL models; finally, we use the sliding window mechanism to coordinate the two kinds of models. The sliding window mechanism is described as follows. Firstly, a sliding window with a size of $n$ is created. Secondly, the trained M-SMKL classifies the test data and obtains the first classification results; the trained S-SMKL classifies the test data and obtains the second classification results. Finally, four ways are used to cooperatively treat the first classification results and the second classification results; the details are as follows: (1) if M-SMKL and S-SMKL both identify the current data category as normal, the current data category is judged to be normal; (2) if M-SMKL and S-SMKL both identify the current data category as attack, the current data category is judged to be attack; (3) if M-SMKL identifies the current data category as normal but S-SMKL identifies it as attack, the current data category is judged to be attack; (4) if M-SMKL identifies the current data category as attack but S-SMKL identifies it as normal, then consider the following. Step 1: Move the starting point of the sliding window to the current position of the test data in the first classification results, and map the end point of the sliding window to the $n-1$ position of the first classification results. Step 2: If the results in the sliding window are all attack, the current data category is judged to be attack; otherwise, the current data category is judged to be normal. The flow chart is provided in Figure 2.
The reason for training two kinds of SMKL is that S-SMKL focuses on reducing the difference between the data of each dimension and can gather the two types of samples around their respective central positions. However, S-SMKL does not consider the location of the two sample-center points. Although a better classification feature can be maintained on the whole, it is impossible to identify DDoS attacks earlier because the center distance between the normal flow and the attack flow is small. M-SMKL focuses on the difference between the two types of data centers and maximizes the distance between the two types of sample centers, making the two samples as separate as possible. M-SMKL can expand the distance between different classes so that the attack flow can be identified earlier, but it makes intraclass data dispersed, causing default results. Therefore, the sliding window mechanism is adopted to coordinate the two models to detect early DDoS attacks accurately.

Figure 2: Flow chart of multiple-kernel learning detection process based on ensemble learning.
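The coordination rule described above, as an added example (not the authors' code): `fuse` applies cases (1)–(4) to constructed per-second labels, and `rates` scores the result with the DR, FR and ER definitions the paper gives in (36). The window is assumed to cover the current M-SMKL result and the next n-1 results, truncated at the end of the series.

```python
# Added illustration of the four-way coordination rule; not the authors' code.
NORMAL, ATTACK = 0, 1


def fuse(m_pred, s_pred, n):
    """Combine M-SMKL (first) and S-SMKL (second) labels with a window of size n."""
    if len(m_pred) != len(s_pred):
        raise ValueError("both classifiers must label the same samples")
    if n < 1:
        raise ValueError("window size must be at least 1")
    final = []
    for i, (m, s) in enumerate(zip(m_pred, s_pred)):
        if m == s:                  # cases (1) and (2): the models agree
            final.append(m)
        elif s == ATTACK:           # case (3): M-SMKL normal, S-SMKL attack
            final.append(ATTACK)
        else:                       # case (4): M-SMKL attack, S-SMKL normal
            # Window over the M-SMKL results: the current position plus the
            # next n-1 positions. Assumption: near the end of the series the
            # window is truncated to the samples that exist.
            window = m_pred[i:i + n]
            final.append(ATTACK if all(x == ATTACK for x in window) else NORMAL)
    return final


def rates(truth, pred):
    """DR, FR and ER as in (36): TP/FP count normal samples, TN/FN attack samples."""
    pairs = list(zip(truth, pred))
    tp = sum(1 for t, p in pairs if t == NORMAL and p == NORMAL)
    fp = sum(1 for t, p in pairs if t == NORMAL and p == ATTACK)
    tn = sum(1 for t, p in pairs if t == ATTACK and p == ATTACK)
    fn = sum(1 for t, p in pairs if t == ATTACK and p == NORMAL)
    dr = tn / (tn + fn) if tn + fn else 0.0
    fr = fp / (tp + fp) if tp + fp else 0.0
    er = (fn + fp) / len(pairs) if pairs else 0.0
    return dr, fr, er


# Constructed per-second labels: 6 s of normal traffic, then 10 s of attack.
TRUTH = [0] * 6 + [1] * 10
M_PRED = [0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1]  # early but noisy
S_PRED = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1]  # clean but late

if __name__ == "__main__":
    runs = [("M-SMKL", M_PRED), ("S-SMKL", S_PRED),
            ("fused n=3", fuse(M_PRED, S_PRED, 3)),
            ("fused n=8", fuse(M_PRED, S_PRED, 8))]
    for name, pred in runs:
        dr, fr, er = rates(TRUTH, pred)
        print(f"{name:10s} DR={dr:.3f} FR={fr:.3f} ER={er:.4f}")
```

On this constructed series, n = 3 suppresses the isolated M-SMKL false alarms while keeping its early detections, whereas n = 8 lets a single M-SMKL miss inside the window delay detection until S-SMKL agrees.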
5 Experimental Analysis
5.1 Experimental Data Sets and Evaluation Standards

The data set used for this experiment is the CAIDA "DDoS Attack 2007" data set [53]. This data set contains anonymized traffic of a Distributed Denial of Service (DDoS) attack lasting approximately one hour on August 4, 2007. The total size of the data set is 21 GB, which accounts for approximately one hour (20:50:08 UTC–21:56:16 UTC). Attacks began around 21:13, causing the network load to grow rapidly (in minutes) from approximately 200 kbits/s to 80 megabits/s. The one hour of attack traffic is divided into 5-minute files and stored in PCAP format. The contents of this data set are TCP network traffic packets. Each TCP packet contains the source address, destination address, source port, destination port, packet size, and protocol type. The duration of the normal flow data used in this paper is 2 minutes in total, and the duration of the attack data is 5 minutes in total.

The hardware used is a computer with 8 GB of memory, an Intel Core i7 processor, and a Windows 10 64-bit system; the development environment is MATLAB 2014a and Codeblocks 10.05. The evaluation criteria used in this paper consist of the detection rate (DR), the false alarm rate (FR), and the total error rate (ER).
Assume that TP denotes the number of normal test samples that are correctly marked, FP denotes the number of normal test samples that are incorrectly marked, TN denotes the number of attack test samples that are correctly marked, and FN denotes the number of attack test samples that are incorrectly marked. Then

$$
DR = \frac{TN}{TN + FN}, \qquad
FR = \frac{FP}{TP + FP}, \qquad
ER = \frac{FN + FP}{TP + FP + TN + FN}.
\tag{36}
$$
We used the above five feature extraction algorithms to extract features from the data set. The extracted feature values are normalized and used as a training set. The data in the training set can be regarded as the regularity of the change in network traffic. Network traffic is abrupt and volatile in nature. Therefore, although the collected network data have similarities with the conventional ones, they still have a certain degree of difference. To simulate this phenomenon and verify the effectiveness of the presented method, three types of data are generated as follows: (1) normal flow feature values and attack flow feature values are multiplied by a random number; (2) only the attack flow feature values are multiplied by a random number; and (3) only the normal flow feature values are multiplied by a random number.
Figure 3: The ACD feature graph of DDoS attack flow and normal flow.

Figure 4: The IBF feature graph of DDoS attack flow and normal flow.
5.2 Experimental Results and Analysis

Five features are used to extract feature data from the attack data and the normal data, and positive as well as negative sample sets are obtained. The sampling time is set to 1 s, and the remaining parameters of the five feature extraction methods are set as follows: $\theta_1 = 0.5$, $\theta_2 = 0.5$, $\theta_3 = 3$, $\theta_4 = 3$, $\theta_5 = 3$, $\theta_6 = 3$, $\theta_7 = 3$, $\theta_8 = 3$, and $\theta_9 = 3$. The total number of normal feature values is 211, and the total number of attack feature values is 280. Figures 3–9 illustrate the feature values extracted by the five algorithms.

As illustrated in Figure 3, the early attack feature values of the DDoS attack are close to the normal feature values. This is because there are a large number of bidirectional flows in the early stage of the DDoS attack, and these bidirectional flows gradually decrease with the increase of the attack degree. Therefore, using the ACD as a feature after 70 seconds can significantly reflect the difference between the attack flow and the normal flow. ACD can reflect the difference between normal flow and attack flow the earliest.

As illustrated in Figure 4, compared with ACD, although IBF does not recognize the attack flow earlier, the distribution range of its feature values is more uniform and presents a certain degree of volatility. This makes the feature less susceptible to individual outliers.

As illustrated in Figure 5, the FFV feature is very similar to the ACD, but, as illustrated in Figures 6 and 7, in the initial stage the FFV is more capable of reflecting the difference between the attack flow and the normal flow than the ACD is.

Figure 5: The FFV feature graph of DDoS attack flow and normal flow.

Figure 6: The ACD feature graph of DDoS attack flow and normal flow in the first 10 seconds.
Figure 7: The FFV feature graph of DDoS attack flow and normal flow in the first 10 seconds.

Figure 8: The MFF feature graph of DDoS attack flow and normal flow.
As illustrated in Figure 8, although the MFF feature cannot distinguish the attack flow from the normal flow as early as possible, it makes the feature values of the attack stage more stable, so that it can avoid the outliers of attack flows.

As illustrated in Figure 9, it can be seen from the value of the ordinate that the HIAD best reflects the difference between the normal flow and the attack flow while having better stability in the latter half of the attack flow. After the early data, this feature can greatly distinguish between normal flow and abnormal flow, influence the classifier more, and make better decisions.

Figure 9: The HIAD feature graph of DDoS attack flow and normal flow (ordinate in units of $10^4$).

In summary, all five features have their own unique characteristics. To make full use of the characteristics of each feature, the feature values extracted by these five algorithms are each used as a five-dimensional-feature data set. Using these five feature values as training sets, two multiple-kernel learning models dominated by gradient ascent and gradient descent are trained, and the corresponding five-dimensional feature weight vectors are obtained. Finally, according to the framework of Figure 2, the classification results of the test set are obtained and are used to verify the effectiveness of the method. The parameters of M-SMKL are set as follows: $lr_1 = 2 \ast 10^{-5}$, $lr_2 = 2 \ast 10^{-3}$, $t_1 = 1.0021$, $t_2 = 1.0065$, $t_3 = 1.007$, $p_1 = 0.000084$, and $p_2 = 0.000001$. The parameters of S-SMKL are set as follows: $lr_1 = 2 \ast 10^{-5}$, $lr_2 = 2 \ast 10^{-2}$, $t_4 = 7.3425$, $t_5 = 7.8340$, $t_6 = 7.8350$, $p_3 = 0.000775$, and $p_4 = 0.000680$. The size of the sliding window is 8. The parameters for multiple-kernel learning are all default values, and the kernel function includes two Gaussian functions and two polynomial functions. The SVM parameters are all default values, and the kernel function is a linear function. The experimental results are illustrated in Figures 10–18.
As shown in Figures 10–18, under the three types of experiments and according to the three evaluation criteria, the overall performance of the algorithms from the highest to the lowest is the ADADM, the SVM method, the SMKL method, and Nezhad et al.'s method [16].

This is because, although the method described by Nezhad et al. [16] is visibly superior to the other methods in terms of the DR indicator, it is far worse than the other methods with respect to the other indicators. The reason is that the Nezhad et al. [16] method relies excessively on the first reference point. When the first reference point fluctuates, this method easily recognizes some normal samples as attack samples.

Although the classification accuracy of the attack samples is high, a large number of normal samples are misjudged, so this method is superior in terms of DR, and its other indicators are inferior to those of the other methods. This is why, in this case, the Nezhad et al. [16] method performs the worst. The effect of SVM is generally better than that of the SMKL method because, although the SMKL method coordinates multiple kernel functions to map the sample to a high-dimensional Hilbert space, the linear kernel function is obviously more suitable for the sample. Using the linear kernel, SVM can establish a better hyperplane than the SMKL method to identify the data containing early DDoS attacks. However, although the multiple-kernel learning method does not use a linear kernel function that is more suitable for the sample space, it can still maintain high accuracy, indicating that multiple-kernel learning has a lower dependence on the selection of kernel functions than the single-kernel SVM.

We compared the ADADM to the SVM method. The ADADM method uses the same kernel function as the SMKL method. Because the multikernel learning method is flexible and adaptable, it is possible to continuously optimize the hyperplane by adjusting the weights of the feature of each dimension to recognize the DDoS as early as possible. Attack flow data and normal flow data are located on both sides of the hyperplane.

In addition, using the idea of ensemble learning to train two different classifiers and using the sliding window mechanism to further synthesize the advantage of each classifier improves the algorithm's performance in the three types of experiments. The method we propose outperforms not only the SVM method but also other methods of DDoS attack detection. The experimental data are presented in Tables 1, 2, and 3.

Figure 10: The DR contrast diagram of four algorithms for scaling attack flow and normal flow.

Figure 11: The ER contrast diagram of four algorithms for scaling attack flow and normal flow.

Figure 12: The FR contrast diagram of four algorithms for scaling attack flow and normal flow.

Figure 13: The DR contrast diagram of four algorithms for narrowing the attack flow.

Figure 14: The ER contrast diagram of four algorithms for narrowing the attack flow.

Figure 15: The FR contrast diagram of four algorithms for narrowing the attack flow.

Figure 16: The DR contrast diagram of four algorithms for amplifying the normal flow.

Figure 17: The ER contrast diagram of four algorithms for amplifying the normal flow.
Figure 18: The FR contrast diagram of four algorithms for amplifying the normal flow.

Table 1: Comparison results of four algorithms for scaling attack flow and normal flow.

| Method | Metric | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.1 | 1.0–1.5 | 1.5–2.0 | 2.0–3.0 | 3.0–4.0 | 4.0–5.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.57 | 78.57 | 78.57 | 78.57 | 78.21 | 78.21 | 78.21 | 78.21 | 78.57 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 12.22 | 12.22 | 12.22 | 12.22 | 12.42 | 12.42 | 12.42 | 12.42 | 12.22 |
| SimpleMKL method | DR (%) | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 77.50 | 77.50 | 77.86 | 77.86 | 76.79 | 77.50 | 77.86 | 76.79 | 77.86 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 12.83 | 12.83 | 12.63 | 12.63 | 13.24 | 12.83 | 12.63 | 13.24 | 12.63 |
| Nezhad et al.'s [16] method | DR (%) | 98.21 | 97.85 | 98.21 | 97.85 | 98.21 | 98.21 | 98.21 | 97.85 | 98.21 |
| | FR (%) | 74.29 | 74.76 | 74.29 | 74.76 | 75.71 | 74.29 | 74.29 | 74.29 | 72.38 |
| | ER (%) | 32.92 | 33.33 | 32.92 | 33.33 | 33.54 | 32.92 | 32.92 | 33.13 | 32.11 |

Column headings give the value of the random multiplier.

Table 2: Comparison results of four algorithms for narrowing the attack flow.

| Method | Metric | 0.1–0.2 | 0.2–0.3 | 0.3–0.4 | 0.4–0.5 | 0.5–0.6 | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.21 | 78.21 | 78.21 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 |
| | FR (%) | 10.99 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 17.15 | 13.04 | 12.42 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 |
| SimpleMKL method | DR (%) | 75.71 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| | FR (%) | 22.75 | 4.74 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 23.63 | 15.48 | 14.05 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 76.07 | 77.14 | 77.50 | 77.86 | 77.50 | 77.86 | 77.86 | 77.50 | 77.86 |
| | FR (%) | 22.75 | 4.74 | 1.42 | 0.47 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 23.42 | 15.07 | 13.44 | 12.83 | 12.83 | 12.63 | 12.63 | 12.83 | 12.63 |
| Nezhad et al.'s [16] method | DR (%) | 97.13 | 97.85 | 98.57 | 98.21 | 98.57 | 98.57 | 98.21 | 98.21 | 97.85 |
| | FR (%) | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 |
| | ER (%) | 33.54 | 33.13 | 32.72 | 32.92 | 32.72 | 32.72 | 32.92 | 32.92 | 33.13 |

Column headings give the value of the random multiplier.

Table 3: Comparison results of four algorithms for amplifying the normal flow.

| Method | Metric | 1.0–1.5 | 1.5–2.0 | 2.0–2.5 | 2.5–3.0 | 3.0–3.5 | 3.5–4.0 | 4.0–4.5 | 4.5–5.0 | 5.0–5.5 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.47 | 1.42 | 1.90 | 4.74 | 6.64 | 10.43 |
| | ER (%) | 12.02 | 12.02 | 12.02 | 12.22 | 12.63 | 12.83 | 14.05 | 14.87 | 16.50 |
| SimpleMKL method | DR (%) | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 |
| | FR (%) | 0.01 | 0.01 | 0.47 | 1.42 | 4.27 | 6.64 | 10.90 | 17.06 | 21.80 |
| | ER (%) | 13.04 | 13.04 | 13.24 | 13.65 | 14.87 | 15.89 | 17.72 | 20.37 | 22.40 |
| SVM method | DR (%) | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 |
| | FR (%) | 0.01 | 0.01 | 0.95 | 1.42 | 3.79 | 8.06 | 11.85 | 18.01 | 22.75 |
| | ER (%) | 12.63 | 12.63 | 13.04 | 13.24 | 14.26 | 16.09 | 17.72 | 20.37 | 22.40 |
| Nezhad et al.'s [16] method | DR (%) | 97.49 | 97.13 | 97.13 | 97.13 | 96.77 | 96.77 | 96.77 | 96.77 | 96.77 |
| | FR (%) | 65.24 | 65.24 | 66.19 | 66.67 | 66.67 | 66.67 | 67.14 | 67.14 | 67.62 |
| | ER (%) | 29.47 | 29.67 | 30.08 | 30.28 | 30.49 | 30.49 | 30.69 | 30.69 | 30.90 |

Column headings give the value of random multiplier.

6 Conclusion

In this paper, five-dimensional features are defined for describing the burstiness of DDoS attack flows, the distribution of IP source addresses, and the interactivity of DDoS attack flows. Based on the five-dimensional features and the ensemble learning framework, adaptive feature weights are obtained, and the M-SMKL and S-SMKL multiple-kernel learning models are trained to detect DDoS attacks. To identify early attacks effectively, the sliding window mechanism is used to coordinate the S-SMKL and the M-SMKL to deal with the detection results. Experimental results show that, compared with similar methods, our method can produce more accurate results for detecting early DDoS attacks.

In the follow-up work, we will further study how to transform the multidimensional weight adaptive problem based on multiple-kernel learning into a convex optimization problem and improve the detection rate and convergence speed of the method.
Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

There are no conflicts of interest in this paper.

Acknowledgments

This work was supported by the Hainan Provincial Natural Science Foundation of China [2018CXTD333, 617048], the National Natural Science Foundation of China [61762033, 61702539], Hainan University Doctor Start Fund Project [kyqd1328], and Hainan University Youth Fund Project [qnjj1444].
References
[1] Z Cai Z Wang K Zheng and J Cao ldquoA Distributed TCAMcoprocessor architecture for integrated longest prefixmatchingpolicy filtering and content filteringrdquo IEEE Transactions onComputers vol 62 no 3 pp 417ndash427 2013
[2] J H Cui Y Y Zhang Z P Cai et al ldquoSecuring display path forsecurity-sensitive applications on mobile devicesrdquo ComputerMaterials amp Continua vol 55 no 1 pp 17ndash35 2018
[3] S Liu ZCaiHXu andMXu ldquoTowards security-aware virtualnetwork embeddingrdquo Computer Networks vol 91 pp 151ndash1632015
[4] A S Pimpalkar and A R Bhagat Patil ldquoDetection and defensemechanisms against DDoS attacksrdquo in Proceedings of the Inter-national Conference on Innovations in Information Embeddedand Communication Systems pp 1ndash6 IEEE 2015
[5] J R Cheng R M Xu and X Y Tang ldquoAn Abnormal NetworkFlow Feature Sequence Prediction Approach for DDoS AttacksDetection in Big Data Environmentrdquo Computers Materials ampContinua vol 55 no 1 pp 95ndash119 2018
[6] N Hoque D K Bhattacharyya and J K Kalita ldquoBotnet inDDoS attacks trends and challengesrdquo IEEE CommunicationsSurveys amp Tutorials vol 17 no 4 pp 2242ndash2270 2015
[7] K Zeb O Baig and M K Asif ldquoDDoS attacks and counter-measures in cyberspacerdquo in Proceedings of the 2015 2nd WorldSymposium on Web Applications and Networking WSWAN rsquo15pp 1ndash6 IEEE 2015
[8] J Shen Z Gui S Ji J Shen H Tan and Y Tang ldquoCloud-aided lightweight certificateless authentication protocol withanonymity for wireless body area networksrdquo Journal of Networkand Computer Applications vol 106 pp 117ndash123 2018
[9] D Kreutz F M V Ramos P E Verissimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networking acomprehensive surveyrdquo Proceedings of the IEEE vol 103 no 1pp 14ndash76 2015
[10] Z Zhou M Dong K Ota G Wang and L T Yang ldquoEnergy-efficient resource allocation for d2d communications under-laying cloud-ran-based lte-a networksrdquo IEEE Internet of ThingsJournal vol 3 no 3 pp 428ndash438 2016
[11] W Lin S Xu L He and J Li ldquoMulti-resource scheduling andpower simulation for cloud computingrdquo Information Sciencesvol 397-398 pp 168ndash186 2017
[12] W Jiang G Wang M Z A Bhuiyan and J Wu ldquoUnderstand-ing graph-based trust evaluation in online social networksMethodologies and challengesrdquo ACM Computing Surveys vol49 no 1 2016
[13] E Luo Q Liu and G Wang ldquoHierarchical Multi-Authorityand Attribute-Based Encryption Friend Discovery Scheme inMobile Social Networksrdquo IEEE Communications Letters vol 20no 9 pp 1772ndash1775 2016
[14] S Peng A Yang L Cao S Yu and D Xie ldquoSocial influencemodeling using information theory in mobile social networksrdquoInformation Sciences vol 379 pp 146ndash159 2017
[15] T Peng Q Liu D Meng and G Wang ldquoCollaborative tra-jectory privacy preserving scheme in location-based servicesrdquoInformation Sciences vol 387 pp 165ndash179 2017
[16] S M T Nezhad M Nazari and E A Gharavol ldquoA Novel DoSand DDoS Attacks Detection Algorithm Using ARIMA TimeSeriesModel andChaotic System inComputerNetworksrdquo IEEECommunications Letters vol 20 no 4 pp 700ndash703 2016
18 Security and Communication Networks
[17] R H Meng S G Rice and J Wang ldquoA Fusion SteganographicAlgorithm Based on Faster R-CNNrdquo Computers Materials ampContinua vol 55 no 1 pp 1ndash16 2018
[18] L Sun Z LiQYanW Srisa-an andY Pan ldquoSigPID significantpermission identification for android malware detectionrdquo inProceedings of the 2016 11th International Conference on Mali-cious and Unwanted Software (MALWARE rsquo16) pp 1ndash8 FajardoPuerto Rico USA October 2016
[19] C Yuan X Li Q M J Wu et al ldquoFingerprint Liveness Detec-tion from Different Fingerprint Materials Using ConvolutionalNeural Network and Principal Component Analysisrdquo CMCComputers Materials amp Continua vol 53 no 3 pp 357ndash3712017
[20] M I Jordan and T M Mitchell ldquoMachine learning trendsperspectives and prospectsrdquo Science vol 349 no 6245 pp 255ndash260 2015
[21] Y Li G Wang L Nie Q Wang and W Tan ldquoDistancemetric optimization driven convolutional neural network forage invariant face recognitionrdquo Pattern Recognition vol 75 pp51ndash62 2018
[22] P Li J Li Z Huang et al ldquoMulti-key privacy-preserving deeplearning in cloud computingrdquo Future Generation ComputerSystems vol 74 pp 76ndash85 2017
[23] T Li J Li Z Liu P Li and C Jia ldquoDifferentially private NaiveBayes learning overmultiple data sourcesrdquo Information Sciencesvol 444 pp 89ndash104 2018
[24] Z Huang S Liu X Mao K Chen and J Li ldquoInsight of theprotection for data security under selective opening attacksrdquoInformation Sciences vol 412-413 pp 223ndash241 2017
[25] CGaoQ Cheng PHeW Susilo and J Li ldquoPrivacy-preservingNaive Bayes classifiers secure against the substitution-then-comparison attackrdquo Information Sciences vol 444 pp 72ndash882018
[26] A Saied R E Overill andT Radzik ldquoArtificial neural networksin the detection of known and unknown DDoS attacks proof-of-conceptrdquo in Proceedings of PAAMS 2014 International Work-shops (PAAMS rsquo14) Salamanca Spain 2014
[27] M H Bhuyan D K Bhattacharyya and J K Kalita ldquoAnempirical evaluation of information metrics for low-rate andhigh-rate DDoS attack detectionrdquo Pattern Recognition Lettersvol 51 pp 1ndash7 2015
[28] Z Y Tan A Jamdagni X He P Nanda and R P Liu ldquoA systemfor denial-of-service attackdetection based onmultivariate cor-relation analysisrdquo IEEE Transactions on Parallel and DistributedSystems vol 25 no 2 pp 447ndash456 2014
[29] S Yu W Zhou W Jia S Guo Y Xiang and F TangldquoDiscriminating DDoS attacks from flash crowds using flowcorrelation coefficientrdquo IEEE Transactions on Parallel and Dis-tributed Systems vol 23 no 6 pp 1073ndash1080 2012
[30] A Wang A Mohaisen W Chang and S Chen ldquoDelving intoInternet DDoS Attacks by Botnets Characterization and Anal-ysisrdquo in Proceedings of the 45th Annual IEEEIFIP InternationalConference on Dependable Systems and Networks DSN rsquo15 pp379ndash390 2015
[31] G D Kumar C V G Rao M K Singh and F Ahmad ldquoUsingJpcap API to monitor analyze and report network traffic forDDoS attacksrdquo in Proceedings of the 14th International Confer-ence on Computational Science and Its Applications ICCSA rsquo14vol 39 p 35 2014
[32] K J Singh KThongam and T De ldquoEntropy-based applicationlayer DDoS attack detection using artificial neural networksrdquoEntropy vol 18 no 10 2016
[33] A Rukavitsyn K Borisenko and A Shorov ldquoSelf-learningmethod for DDoS detection model in cloud computingrdquo inProceedings of the 2017 IEEE Russia Section Young Researchers inElectrical and Electronic Engineering Conference ElConRus rsquo17pp 544ndash547 2017
[34] H Zhang Z Cai Q Liu et al ldquoA Survey on Security-AwareMeasurement in SDNrdquo Security and Communication Networksvol 2018 Article ID 2459154 14 pages 2018
[35] J. Ashraf and S. Latif, "Handling intrusion and DDoS attacks in Software Defined Networks using machine learning techniques," in Proceedings of the 2014 National Software Engineering Conference, NSEC '14, pp. 55–60, Karachi, Pakistan, 2014.
[36] I. Mihai-Gabriel and P. Victor-Valeriu, "Achieving DDoS resiliency in a software defined network by intelligent risk assessment based on neural networks and danger theory," in Proceedings of the 15th IEEE International Symposium on Computational Intelligence and Informatics, CINTI '14, pp. 319–324, Hungary, 2014.
[37] Q. Yan, Q. Gong, and F. R. Yu, "Effective software-defined networking controller scheduling method to mitigate DDoS attacks," IEEE Electronics Letters, vol. 53, no. 7, pp. 469–471, 2017.
[38] T. Chin, X. Mountrouidou, X. Li, and K. Xiong, "Selective packet inspection to detect DoS flooding using software defined networking (SDN)," in Proceedings of the 2015 35th IEEE International Conference on Distributed Computing Systems Workshops, ICDCSW '15, pp. 95–99, 2015.
[39] N. Dayal and S. Srivastava, "Analyzing behavior of DDoS attacks to identify DDoS detection features in SDN," in Proceedings of the 9th International Conference on Communication Systems and Networks, COMSNETS '17, pp. 274–281, 2017.
[40] J. Ye, X. Cheng, J. Zhu, L. Feng, and L. Song, "A DDoS Attack Detection Method Based on SVM in Software Defined Network," Security and Communication Networks, vol. 2018, Article ID 9804061, 8 pages, 2018.
[41] J. Xu, L. Wei, Y. Zhang, A. Wang, F. Zhou, and C. Gao, "Dynamic Fully Homomorphic encryption-based Merkle Tree for lightweight streaming authenticated data structures," Journal of Network and Computer Applications, vol. 107, pp. 113–124, 2018.
[42] X. Zhang, Y. Tan, C. Liang, Y. Li, and J. Li, "A Covert Channel Over VoLTE via Adjusting Silence Periods," IEEE Access, vol. 6, pp. 9292–9302, 2018.
[43] Q. Lin, H. Yan, Z. Huang, W. Chen, J. Shen, and Y. Tang, "An ID-based linearly homomorphic signature scheme and its application in blockchain," IEEE Access, vol. 6, no. 1, pp. 20632–20640, 2018.
[44] Q. Lin, J. Li, Z. Huang, W. Chen, and J. Shen, "A short linearly homomorphic proxy signature scheme," IEEE Access, vol. 6, pp. 12966–12972, 2018.
[45] J. Cheng, X. Tang, and J. Yin, "A change-point DDoS attack detection method based on half interaction anomaly degree," International Journal of Autonomous and Adaptive Communications Systems, vol. 10, no. 1, pp. 38–54, 2017.
[46] J. R. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, "DDoS Attack Detection Using IP Address Feature Interaction," in Proceedings of the 2009 International Conference on Intelligent Networking and Collaborative Systems (INCOS '09), pp. 113–118, 2009.
[47] J. Cheng, B. Zhang, J. Yin et al., "DDoS Attack Detection Using Three-State Partition Based on Flow Interaction," Communications in Computer & Information Science, vol. 29, no. 4, pp. 176–184, 2009.
[48] J. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, "Detecting Distributed Denial of Service Attack Based on Multi-feature Fusion," in Security Technology, vol. 58, pp. 132–139, 2009.
[49] J. R. Cheng, X. Tang, X. Zhu, and J. Yin, "Distributed denial of service attack detection based on IP Flow Interaction," in Proceedings of the 2011 International Conference on E-Business and E-Government (ICEE '11), pp. 1–4, 2011.
[50] J. Cheng, J. Yin, and L. Yun, "Detecting Distributed Denial of Service Attack Based on Address Correlation Value," Journal of Computer Research & Development, vol. 46, no. 8, pp. 1334–1340, 2009.
[51] J. Cheng, J. Zhou, X. Tang, and J. Shi, "A distributed denial of service attack detection method based on time series prediction model," Network Security Technology and Application, vol. 10, pp. 71–89, 2016.
[52] A. Rakotomamonjy, F. R. Bach, S. Canu, and Y. Grandvalet, "Simple MKL," Journal of Machine Learning Research, vol. 9, no. 3, pp. 2491–2521, 2008.
[53] The Cooperative Association for Internet Data Analysis, The Caida Ucsd DDoS Attack 2007, http://www.caida.org/data/passive/ddos-20070804_dataset.xml.
$\Delta t$ is the sampling time, and $\theta_6$ and $\theta_7$ are the SH-type packet number abnormality thresholds. $Packet(SD_i)$ is the number of packets in $SD_i$, $i = 1, 2, \ldots, n$. The weighted value of the number of different ports in the SH and DH classes is as follows:
$$Weight_{port} = \sum_{i=1}^{S} overp(Port(SH_i)) + \sum_{j=1}^{D} overp(Port(DH_j)) \tag{11}$$
where
$$overp(x) = \begin{cases} x, & x/\Delta t > \theta_8 \\ 0, & x/\Delta t \le \theta_8 \end{cases}$$
$\Delta t$ is the sampling time and $\theta_8$ is the SH-type port number abnormality threshold.
In this part we define the MFF as follows:
$$MFF_F = \frac{S + Weight_{port} + Weight_{packet}}{M + 1} \tag{12}$$
where
$$f(x) = \begin{cases} x, & x \ge 1 \\ 1, & x \le 1 \end{cases}$$
Definition 5. The number of SH flows with different source IP addresses and the same destination IP address $A_i$ is denoted as $hn_i$. The SH class with the same destination IP address $A_i$ flow is denoted as $HSD(hn_i, A_i)$, where $i = 1, 2, \ldots, n$.
Assume that all HSD classes are $HSD_1, HSD_2, \cdots, HSD_k$, and the number of different destination ports in the class $HSD_i$ is expressed as $Port(HSD_i)$, where $i = 1, 2, \ldots, k$.
The HIAD is defined as follows:
$$HIAD_F = \left( \sum_{i=1}^{k} \left( hn_i + weight(Port(HSD_i)) \right) \right) \tag{13}$$
In (13),
$$weight(x) = \begin{cases} x, & x/\Delta t > \theta_9 \\ 0, & x/\Delta t \le \theta_9 \end{cases}$$
$\Delta t$ is the sampling time and $\theta_9$ is the threshold for different destination ports.
4. The DDoS Attack Detection Model
The establishment of an attack detection model is an important part of the whole detection process. Based on the behavior of DDoS attacks, we extract the ACD, IBF, MFF, HIAD, and FFV features to express the inherent rules of attack flows. The disadvantages of the current DDoS attack detection models are summarized as follows: (1) some models depend highly on the selection of the kernel function; (2) some models require data with highly stable values; (3) some models can only fit linear rules, but a DDoS attack can generate linearly inseparable data due to its abrupt, unstable, and stochastic characteristics. Considering that the multiple-kernel learning model has a low requirement for data stability, can be used for nonlinear fitting, and can flexibly treat linear and nonlinear data, this paper proposes an adaptive DDoS attack detection method based on the ensemble learning framework.
4.1. The Multiple-Kernel Learning Model
The multiple-kernel learning (MKL) model is developed from the original single-kernel SVM. In a single-kernel SVM, the SVM uses only one kernel function to map the samples to a high-dimensional space. By comparison, the multiple-kernel learning model uses multiple weighted kernel functions to map the samples to a high-dimensional space. Therefore, it has higher flexibility and adaptability on heterogeneous data.
The multiple-kernel learning is defined as follows. Given the training set $T = \{(x_1, y_1), (x_2, y_2), \cdots, (x_n, y_n)\}$ and the testing set $C = \{x'_1, x'_2, \cdots, x'_s\}$, where $x_i \in R^d$, $x'_k \in R^d$, $y_i \in \{-1, +1\}$, $R$ is the real-number set, $d$ is the data dimension, $i = 1, 2, \cdots, n$, and $k = 1, 2, \cdots, s$; $K_1(x, x'), K_2(x, x'), \cdots, K_M(x, x')$ are kernel functions in $R^d \times R^d$, and $\phi_1, \phi_2, \cdots, \phi_M$ is a kernel mapping for each function. In the classic multiple-kernel learning method SimpleMKL [52], the objective function of the hyperplane is as follows:
$$f(x) = \sum_{m=1}^{M} \left( \omega_m \cdot \phi_m(x) \right) + b \tag{14}$$
where $\omega_m$ is the weight for each kernel function and $b$ is the bias. The relaxation factor is $\xi$. According to the principle of minimum structure, the objective function can be optimized as follows:
$$\min \psi(\omega_m, b, \xi, d) = \frac{1}{2} \sum_{m=1}^{M} \frac{1}{d_m} \left\| \omega_m \right\|_{H_m}^{2} + C \sum_{i=1}^{n} \xi_i \tag{15}$$
$$\text{s.t.} \quad y_i \sum_{m=1}^{M} \omega_m \cdot \phi_m(x_i) + y_i b \ge 1 - \xi_i, \quad \sum_{m=1}^{M} d_m = 1, \quad d_m \ge 0, \quad \xi_i \ge 0 \tag{16}$$
By the two-order alternating optimization, formula (15) can be converted to the optimization problem with $d_m$ as the variable:
$$\min_{d \ge 0} J(d), \quad \sum_{m=1}^{M} d_m = 1 \tag{17}$$
$$\text{s.t.} \quad \min_{\omega_m, b, \xi} = \frac{1}{2} \sum_{m=1}^{M} \frac{1}{d_m} \left\| \omega_m \right\|_{H_m}^{2} + C \sum_{i=1}^{n} \xi_i, \quad y_i \sum_{m=1}^{M} \omega_m \cdot \phi_m(x_i) + y_i b \ge 1 - \xi_i, \quad \xi_i \ge 0 \tag{18}$$
The Lagrange function of $J(d)$ is as follows:
$$L = \frac{1}{2} \sum_{m=1}^{M} \frac{1}{d_m} \left\| \omega_m \right\|_{H_m}^{2} + C \sum_{i=1}^{n} \xi_i + \sum_{i=1}^{n} \alpha_i \left( 1 - \xi_i - y_i \sum_{m=1}^{M} \omega_m \cdot \phi_m(x_i) + y_i b \right) + \sum_{i=1}^{n} \nu_i \xi_i \tag{19}$$
where $\alpha_i$ and $\nu_i$ are Lagrange multipliers. First, the partial derivatives with respect to $\omega_m$, $b$, and $\xi_i$ are calculated. Then the extrema are obtained where the partial derivatives are "0". Finally, the extrema are substituted into the Lagrange function, which can be further changed to
$$\max Q(\alpha) = -\frac{1}{2} \sum_{i,j=1}^{n} \alpha_i \alpha_j y_i y_j K_d(x_i, x_j) + \sum_{i=1}^{n} \alpha_i \tag{20}$$
$$\text{s.t.} \quad \sum_{i=1}^{n} \alpha_i y_i = 0, \quad C \ge \alpha_i \ge 0, \quad K_d(x_i, x_j) = \sum_{m=1}^{M} d_m k_m(x_i, x_j) \tag{21}$$
The gradient descent method is used to adjust $J(d)$ on $d$, update $d$, and optimize $d$ as well as $\alpha$ alternately. Then an optimal solution $\alpha^* = (\alpha_1, \alpha_2, \cdots, \alpha_n)$ is obtained; that is, the original objective function eventually turns into (22). The detailed formulation is as follows:
$$f(x) = \sum_{i=1}^{n} \alpha_i^* y_i \sum_{m=1}^{M} d_m K_d(x_i, x_j) + b \tag{22}$$
where $x_j \in C$. When the test set data $x_j$ are input to $f(x)$, the objective function can determine the category of the test set data.
4.2. The Attack Detection Model Based on Multiple-Kernel Learning
The SimpleMKL model treats all the dimension weight values as "1", so it cannot make full use of the different features. This paper uses feature weights to control the effect of different features on the model. To obtain appropriate feature weights in the SimpleMKL model, we combine it with the gradient method to optimize the weight parameters so that the detection accuracy is further improved.
We mark ACD as $x_1$, IBF as $x_2$, MFF as $x_3$, HIAD as $x_4$, and FFV as $x_5$; then the feature value vector is $F = (x_1, x_2, x_3, x_4, x_5)$ and the weight vector is $W = (w_1, w_2, w_3, w_4, w_5)$. The combinatorial features are $CF = F * W^T$. The mean values of the dimensions of the normal flow are denoted $u_{11}, u_{12}, u_{13}, u_{14}, u_{15}$, and the mean values of the dimensions of the attack flow are denoted $u_{21}, u_{22}, u_{23}, u_{24}, u_{25}$.
The interclass mean squared difference is expressed as follows:
$$M = [w_1 (u_{11} - u_{21})]^2 + [w_2 (u_{12} - u_{22})]^2 + [w_3 (u_{13} - u_{23})]^2 + [w_4 (u_{14} - u_{24})]^2 + [w_5 (u_{15} - u_{25})]^2 \tag{23}$$
The normal intraclass variance is denoted
$$S_1 = \sum_{i=1}^{n} \Big( [w_1 (x_{i1} - u_{11})]^2 + [w_2 (x_{i2} - u_{12})]^2 + [w_3 (x_{i3} - u_{13})]^2 + [w_4 (x_{i4} - u_{14})]^2 + [w_5 (x_{i5} - u_{15})]^2 \Big) \tag{24}$$
The attack intraclass variance is denoted
$$S_2 = \sum_{i=1}^{n} \Big( [w_1 (x_{i1} - u_{21})]^2 + [w_2 (x_{i2} - u_{22})]^2 + [w_3 (x_{i3} - u_{23})]^2 + [w_4 (x_{i4} - u_{24})]^2 + [w_5 (x_{i5} - u_{25})]^2 \Big) \tag{25}$$
The intraclass variance is $S = S_1 + S_2$. To improve classification accuracy and ensure rapid convergence of the functions, on the one hand we should try to increase the mean difference between positive and negative samples so that the two kinds of samples are far away from each other; that is, we should increase the $M$ value. On the other hand, we should minimize the differences between samples within a class: the variance corresponding to each dimension should be as small as possible, thus reducing the $S$ value. Therefore, the classification model needs to train two different classifiers to classify the samples. One classifier is interclass mean squared difference growth (M-SMKL) and the other classifier is intraclass variance descent (S-SMKL). In combination with the SimpleMKL framework formula (15), the above problems can be transformed into (26). The detailed formulation is as follows:
$$\max_{x_{ij} \in F} \alpha M + \min_{x_{ij} \in F} \beta S$$
$$\min \psi(\omega_m, b, \xi, d, w) = \frac{1}{2} \sum_{m=1}^{M} \frac{1}{d_m} \left\| \omega_m \right\|_{H_m}^{2} + C \sum_{i=1}^{n} \xi_i \tag{26}$$
$$\text{s.t.} \quad y_i \sum_{m=1}^{M} \omega_m \cdot \phi_m(w x_i) + y_i b \ge 1 - \xi_i, \quad \sum_{m=1}^{M} d_m = 1, \quad d_m \ge 0, \quad \xi_i \ge 0, \quad M < \sigma_1, \quad S > \sigma_1 \tag{27}$$
If $\alpha \gg \beta$, the objective function is M-SMKL. If $\beta \gg \alpha$, the objective function is S-SMKL. $\alpha$ and $\beta$ are converted to the learning rates of formula (35).
To solve the above problems, we update the weights iteratively to obtain the objective function. The details are as follows. Firstly, the weights of each feature are assigned initial values. Secondly, they are combined with (26) and (27) to obtain the optimal function for the current iteration. The mathematical form is expressed as follows:
$$\max Q(\alpha) = -\frac{1}{2} \sum_{i,j=1}^{n} \alpha_i \alpha_j y_i y_j K_d(w x_i, w x_j) + \sum_{i=1}^{n} \alpha_i \tag{28}$$
$$\text{s.t.} \quad \sum_{i=1}^{n} \alpha_i y_i = 0, \quad C \ge \alpha_i \ge 0, \quad K_d(w x_i, w x_j) = \sum_{m=1}^{M} d_m k_m(w x_i, w x_j) \tag{29}$$
The optimal equation obtained using (28) and (29) is as follows:
$$f(x) = \sum_{i=1}^{n} \alpha_i^* y_i \sum_{m=1}^{M} d_m K_d(w x_i, w x_j) + b \tag{30}$$
To further determine whether the optimal equation has achieved good results, this paper sets two constraint conditions, for M-SMKL and S-SMKL respectively, that do not conflict with the constraint conditions of formula (27). These constraint conditions are expressed as follows.
The constraint conditions of M-SMKL are as follows:
$$\begin{aligned} & t_1 < |M_{i+1} - M_i| < t_2 < |M_i - M_{i-1}| < t_3 \\ & \frac{f(M_i)}{f(S_i)} - \frac{f(M_{i-1})}{f(S_{i-1})} > p_1 \\ & \frac{f(M_i)}{f(S_i)} - \frac{f(M_{i+1})}{f(S_{i+1})} > p_2 \end{aligned} \tag{31}$$
The constraint conditions of S-SMKL are as follows:
$$\begin{aligned} & t_4 < |S_i - S_{i-1}| < t_5 < |S_{i+1} - S_i| < t_6 \\ & \frac{f(M_i)}{f(S_i)} - \frac{f(M_{i-1})}{f(S_{i-1})} > p_3 \\ & \frac{f(M_i)}{f(S_i)} - \frac{f(M_{i+1})}{f(S_{i+1})} > p_4 \end{aligned} \tag{32}$$
where the values of $p_1$, $p_2$, $p_3$, and $p_4$ are close to "0", the values of $t_1$, $t_2$, and $t_3$ are close to "1", and the values of $t_4$, $t_5$, and $t_6$ are close to "75". If the constraint condition is satisfied, the algorithm will be stopped and formula (30) will become the optimal function; otherwise, each dimension weight will be updated iteratively. The gradient of $M$ and $S$ corresponding to each dimension weight is as follows:
$$\begin{aligned} \frac{\partial M}{\partial w_1} &= 2 w_1 (u_{11} - u_{21})^2 \\ \frac{\partial M}{\partial w_2} &= 2 w_2 (u_{12} - u_{22})^2 \\ \frac{\partial M}{\partial w_3} &= 2 w_3 (u_{13} - u_{23})^2 \\ \frac{\partial M}{\partial w_4} &= 2 w_4 (u_{14} - u_{24})^2 \\ \frac{\partial M}{\partial w_5} &= 2 w_5 (u_{15} - u_{25})^2 \end{aligned} \tag{33}$$
$$\begin{aligned} \frac{\partial S}{\partial w_1} &= 2 \left[ w_1 \left( \sum_{i=1}^{n_1} x_{11}^2 - n_1 u_{11}^2 \right) + w_1 \left( \sum_{i=1}^{n_2} x_{21}^2 - n_2 u_{21}^2 \right) \right] \\ \frac{\partial S}{\partial w_2} &= 2 \left[ w_2 \left( \sum_{i=1}^{n_1} x_{12}^2 - n_1 u_{12}^2 \right) + w_2 \left( \sum_{i=1}^{n_2} x_{22}^2 - n_2 u_{22}^2 \right) \right] \\ \frac{\partial S}{\partial w_3} &= 2 \left[ w_3 \left( \sum_{i=1}^{n_1} x_{13}^2 - n_1 u_{13}^2 \right) + w_3 \left( \sum_{i=1}^{n_2} x_{23}^2 - n_2 u_{23}^2 \right) \right] \\ \frac{\partial S}{\partial w_4} &= 2 \left[ w_4 \left( \sum_{i=1}^{n_1} x_{14}^2 - n_1 u_{14}^2 \right) + w_4 \left( \sum_{i=1}^{n_2} x_{24}^2 - n_2 u_{24}^2 \right) \right] \\ \frac{\partial S}{\partial w_5} &= 2 \left[ w_5 \left( \sum_{i=1}^{n_1} x_{15}^2 - n_1 u_{15}^2 \right) + w_5 \left( \sum_{i=1}^{n_2} x_{25}^2 - n_2 u_{25}^2 \right) \right] \end{aligned} \tag{34}$$
where $n_1$ is the number of the normal flow feature of the training sample and $n_2$ is the number of the attack flow feature of the training sample. According to the gradients in (33) and (34), the weight of each dimension is updated as in (35):
$$\begin{aligned} w_1 &= w_1 + 2 \cdot lr_1 \cdot \frac{\partial M}{\partial w_1} - 2 \cdot lr_2 \cdot \frac{\partial S}{\partial w_1} \\ w_2 &= w_2 + 2 \cdot lr_1 \cdot \frac{\partial M}{\partial w_2} - 2 \cdot lr_2 \cdot \frac{\partial S}{\partial w_2} \\ w_3 &= w_3 + 2 \cdot lr_1 \cdot \frac{\partial M}{\partial w_3} - 2 \cdot lr_2 \cdot \frac{\partial S}{\partial w_3} \\ w_4 &= w_4 + 2 \cdot lr_1 \cdot \frac{\partial M}{\partial w_4} - 2 \cdot lr_2 \cdot \frac{\partial S}{\partial w_4} \\ w_5 &= w_5 + 2 \cdot lr_1 \cdot \frac{\partial M}{\partial w_5} - 2 \cdot lr_2 \cdot \frac{\partial S}{\partial w_5} \end{aligned} \tag{35}$$
where $lr_1$ is the learning rate of gradient ascent and $lr_2$ is the learning rate of gradient descent; $lr_1$ has the same function as $\alpha$, and $lr_2$ has the same function as $\beta$. Each updated weight is multiplied by the corresponding original feature, and the next round of iteration is carried out.
Figure 1: Flow chart of multiple-kernel learning training process based on ensemble learning.
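The weight update in (33)–(35) can be traced on a small data set. The following Python sketch is an added example, not the authors' MATLAB code; the sample values, the learning rates, and the fixed round count (used in place of the stopping constraints (31) and (32)) are assumptions.

```python
"""Feature-weight update from equations (23)-(25) and (33)-(35).

Rows are samples, columns are the five features (ACD, IBF, MFF, HIAD, FFV)
after normalisation to [0, 1].
"""

# Constructed sample values, not taken from the CAIDA data set.
NORMAL_ROWS = [
    [0.10, 0.20, 0.10, 0.05, 0.50],
    [0.20, 0.10, 0.20, 0.05, 0.10],
    [0.15, 0.15, 0.15, 0.05, 0.90],
]
ATTACK_ROWS = [
    [0.80, 0.70, 0.60, 0.95, 0.90],
    [0.90, 0.80, 0.70, 0.95, 0.10],
    [0.85, 0.75, 0.65, 0.95, 0.50],
]


def column_means(rows):
    """Per-dimension mean (u_1k for normal rows, u_2k for attack rows)."""
    n = len(rows)
    return [sum(r[k] for r in rows) / n for k in range(len(rows[0]))]


def interclass_m(w, u1, u2):
    """Equation (23): weighted squared distance between the class means."""
    return sum((w[k] * (u1[k] - u2[k])) ** 2 for k in range(len(w)))


def intraclass_s(w, normal, attack):
    """Equations (24) and (25): S = S1 + S2."""
    total = 0.0
    for rows in (normal, attack):
        u = column_means(rows)
        for r in rows:
            total += sum((w[k] * (r[k] - u[k])) ** 2 for k in range(len(w)))
    return total


def grad_m(w, u1, u2):
    """Equation (33)."""
    return [2 * w[k] * (u1[k] - u2[k]) ** 2 for k in range(len(w))]


def grad_s(w, normal, attack):
    """Equation (34): 2*w_k*[(sum x^2 - n1*u1k^2) + (sum x^2 - n2*u2k^2)]."""
    grads = []
    for k in range(len(w)):
        scatter = 0.0
        for rows in (normal, attack):
            u = column_means(rows)[k]
            scatter += sum(r[k] ** 2 for r in rows) - len(rows) * u ** 2
        grads.append(2 * w[k] * scatter)
    return grads


def update_weights(w, normal, attack, lr1, lr2):
    """One step of equation (35): ascend on M with lr1, descend on S with lr2."""
    u1, u2 = column_means(normal), column_means(attack)
    gm, gs = grad_m(w, u1, u2), grad_s(w, normal, attack)
    return [w[k] + 2 * lr1 * gm[k] - 2 * lr2 * gs[k] for k in range(len(w))]


def train_weights(normal, attack, lr1, lr2, rounds=10):
    """Start from all-ones weights and run a fixed number of rounds.

    Assumption: the paper stops on constraints (31)/(32); a fixed round
    count is used here to keep the example short.
    """
    w = [1.0] * len(normal[0])
    for _ in range(rounds):
        w = update_weights(w, normal, attack, lr1, lr2)
    return w


def summarize(w, normal, attack):
    """Return (M, S) for a weight vector."""
    u1, u2 = column_means(normal), column_means(attack)
    return interclass_m(w, u1, u2), intraclass_s(w, normal, attack)


if __name__ == "__main__":
    # lr1 >> lr2 behaves like M-SMKL, lr2 >> lr1 like S-SMKL (assumed rates).
    for name, lr1, lr2 in (("M-dominated", 0.05, 0.005),
                           ("S-dominated", 0.005, 0.05)):
        w = train_weights(NORMAL_ROWS, ATTACK_ROWS, lr1, lr2)
        m, s = summarize(w, NORMAL_ROWS, ATTACK_ROWS)
        print(name, [round(x, 3) for x in w], "M=%.4f S=%.4f" % (m, s))
```

In the constructed data the fifth feature has identical class means but a large spread, so both settings push its weight below 1, while the fourth feature, which separates the classes with no spread, gains the most weight under the M-dominated setting.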
4.3. Framework of Multiple-Kernel Learning Detection Based on Ensemble Learning
We input the multidimensional data with weights and set the learning rates. Then two different classifiers are trained: M-SMKL is trained mainly by increasing the $M$ value and secondarily by reducing the $S$ value, and S-SMKL is trained mainly by reducing the $S$ value and secondarily by increasing the $M$ value. During the training process, the $M$ value and the $S$ value are constantly updated with gradient ascent and descent until the constraint conditions are met. The flowchart is provided in Figure 1.
The detection process is as follows: firstly, the test data are multiplied by the two different weight vectors that were trained earlier; secondly, the calculated data are input to the corresponding M-SMKL and S-SMKL models; finally, we use the sliding window mechanism to coordinate the two kinds of models. The sliding window mechanism is described as follows. Firstly, a sliding window with a size of $n$ is created. Secondly, the trained M-SMKL classifies the test data and obtains the first classification results; the trained S-SMKL classifies the test data and obtains the second classification results. Finally, four rules are used to cooperatively treat the first classification results and the second classification results:
(1) If M-SMKL and S-SMKL both identify the current data category as normal, the current data category is judged to be normal.
(2) If M-SMKL and S-SMKL both identify the current data category as attack, the current data category is judged to be attack.
(3) If M-SMKL identifies the current data category as normal but S-SMKL identifies it as attack, the current data category is judged to be attack.
(4) If M-SMKL identifies the current data category as attack but S-SMKL identifies it as normal, then consider the following. Step 1: Move the starting point of the sliding window to the current position of the test data in the first classification results and map the end point of the sliding window to the n-1 position of the first classification results. Step 2: If the results in the sliding window are all attack, the current data category is judged to be attack; otherwise, the current data category is judged to be normal.
The flow chart is provided in Figure 2.
The reason for training two kinds of SMKL is that S-SMKL focuses on reducing the difference between the data of each dimension and can gather the two types of samples around their respective central positions. However, S-SMKL does not consider the location of the two sample-center points. Although a better classification feature can be maintained on the whole, it is impossible to identify DDoS attacks earlier because the center distance of the normal flow and the attack flow is small. M-SMKL focuses on the difference between the two types of data centers and maximizes the distance between the two types of sample centers, making the two kinds of samples as separate as possible. M-SMKL can expand the distance between the classes so that the attack flow can be identified earlier, but it makes the intraclass data dispersed, which causes erroneous results. Therefore, the sliding window mechanism is adopted to coordinate the two models to detect early DDoS attacks accurately.
Figure 2: Flow chart of multiple-kernel learning detection process based on ensemble learning.
5. Experimental Analysis
5.1. Experimental Data Sets and Evaluation Standards
The data set used for this experiment is the CAIDA "DDoS Attack 2007" data set [53]. This data set contains approximately one hour of anonymized traffic from a Distributed Denial of Service (DDoS) attack on August 4, 2007. The total size of the data set is 21 GB, which accounts for approximately one hour (20:50:08 UTC–21:56:16 UTC). Attacks began around 21:13, causing the network load to grow rapidly (in minutes) from approximately 200 kbits/s to 80 megabits/s. The one hour of attack traffic is divided into 5-minute files and stored in PCAP format. The contents of this data set are TCP network traffic packets. Each TCP packet contains the source address, destination address, source port, destination port, packet size, and protocol type. The duration of the normal flow data used in this paper is 2 minutes in total, and the duration of the attack data is 5 minutes in total.
The hardware adopted is a computer with 8 GB of memory, an Intel Core i7 processor, and a 64-bit Windows 10 system; the development environment is MATLAB 2014a and Codeblocks 10.05. The evaluation criteria used in this paper consist of the detection rate (DR), the false alarm rate (FR), and the total error rate (ER).
Assume that TP indicates the number of normal test samples that are correctly marked, FP indicates the number of normal test samples that have been incorrectly marked, TN indicates the number of attack test samples that are correctly marked, and FN indicates the number of attack test samples that have been incorrectly marked.
$$DR = \frac{TN}{TN + FN}, \quad FR = \frac{FP}{TP + FP}, \quad ER = \frac{FN + FP}{TP + FP + TN + FN} \tag{36}$$
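The four coordination rules of Section 4.3 and the metrics in (36), as an added Python example that is not the authors' code. The prediction sequences are constructed, and the window is assumed to cover the current M-SMKL result plus the next n-1 results, truncated at the end of the sequence.

```python
"""Sliding-window coordination of M-SMKL and S-SMKL outputs, then DR/FR/ER.

No classifier is trained here: the two prediction sequences stand in for
the outputs of the trained M-SMKL and S-SMKL models.
"""

LABEL_NORMAL, LABEL_ATTACK = 0, 1


def fuse(m_pred, s_pred, window):
    """Combine per-sample decisions with the four rules of Section 4.3.

    m_pred: M-SMKL results (the "first classification results").
    s_pred: S-SMKL results (the "second classification results").
    window: sliding-window size n.
    Assumption: the window starts at the current sample, spans the next
    n-1 M-SMKL results, and is truncated at the end of the sequence.
    """
    if len(m_pred) != len(s_pred):
        raise ValueError("prediction sequences must have the same length")
    if window < 1:
        raise ValueError("window size must be at least 1")
    fused = []
    for t, (m, s) in enumerate(zip(m_pred, s_pred)):
        if m == s:
            # Rules (1) and (2): both models agree.
            fused.append(m)
        elif s == LABEL_ATTACK:
            # Rule (3): M-SMKL says normal, S-SMKL says attack.
            fused.append(LABEL_ATTACK)
        else:
            # Rule (4): M-SMKL says attack, S-SMKL says normal.
            # Accept the attack verdict only if M-SMKL keeps saying
            # attack for the whole window.
            span = m_pred[t:t + window]
            all_attack = all(x == LABEL_ATTACK for x in span)
            fused.append(LABEL_ATTACK if all_attack else LABEL_NORMAL)
    return fused


def evaluate(truth, pred):
    """DR, FR and ER as defined in (36).

    The paper's naming is kept: TP/FP count normal samples marked
    correctly/incorrectly, TN/FN count attack samples marked
    correctly/incorrectly.
    """
    pairs = list(zip(truth, pred))
    tp = sum(1 for y, p in pairs if y == LABEL_NORMAL and p == LABEL_NORMAL)
    fp = sum(1 for y, p in pairs if y == LABEL_NORMAL and p == LABEL_ATTACK)
    tn = sum(1 for y, p in pairs if y == LABEL_ATTACK and p == LABEL_ATTACK)
    fn = sum(1 for y, p in pairs if y == LABEL_ATTACK and p == LABEL_NORMAL)
    dr = tn / (tn + fn) if tn + fn else 0.0
    fr = fp / (tp + fp) if tp + fp else 0.0
    er = (fn + fp) / len(pairs) if pairs else 0.0
    return {"DR": dr, "FR": fr, "ER": er}


# Constructed sequences: the attack starts at index 4.
TRUTH = [0, 0, 0, 0, 1, 1, 1, 1, 1, 1]
M_PRED = [0, 1, 0, 0, 1, 1, 1, 1, 1, 1]  # early detection, one false alarm
S_PRED = [0, 0, 0, 0, 0, 0, 1, 1, 1, 1]  # no false alarm, two samples late

if __name__ == "__main__":
    fused = fuse(M_PRED, S_PRED, window=3)
    for name, pred in (("M-SMKL", M_PRED), ("S-SMKL", S_PRED), ("fused", fused)):
        print(name, pred, evaluate(TRUTH, pred))
```

On these sequences the isolated M-SMKL alarm at index 1 is rejected by the window, while the sustained run starting at index 4 is accepted two samples before S-SMKL reacts.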
We used the above five feature extraction algorithms to extract features from the data set. The extracted feature values are normalized and used as a training set. The data in the training set can be regarded as the regularity of the change in network traffic. Network traffic has an abrupt and volatile nature. Therefore, although the collected network data have similarities with the conventional ones, they still have a certain degree of difference. To simulate this phenomenon and verify the effectiveness of the presented method, three types of data are generated as follows: (1) normal flow feature values and attack flow feature values are multiplied by a random number; (2) only the attack flow feature values are multiplied by a random number; and (3) only the normal flow feature values are multiplied by a random number.
Figure 3: The ACD feature graph of DDoS attack flow and normal flow (x-axis: time (s); y-axis: the ACD feature value; series: the DDoS attack feature value and the normal feature value).
Figure 4: The IBF feature graph of DDoS attack flow and normal flow (x-axis: time (s); y-axis: the IBF feature value; series: the DDoS attack feature value and the normal feature value).
5.2. Experimental Results and Analysis
Five features are used to extract feature data from the attack data and the normal data, and positive as well as negative sample sets are obtained. The sampling time is set to 1 s, and the remaining parameters of the five feature extraction methods are set as follows: $\theta_1 = 0.5$, $\theta_2 = 0.5$, $\theta_3 = 3$, $\theta_4 = 3$, $\theta_5 = 3$, $\theta_6 = 3$, $\theta_7 = 3$, $\theta_8 = 3$, and $\theta_9 = 3$. The total of normal feature values is 211, and the total of attack feature values is 280. Figures 3–9 illustrate the feature values extracted by the five algorithms.
As illustrated in Figure 3, the early attack feature values of the DDoS attack are close to the normal feature values. This is because there are a large number of bidirectional flows in the early stage of the DDoS attack, and these bidirectional flows gradually decrease with the increase of the attack degree. Therefore, using the ACD as a feature after 70 seconds can significantly reflect the difference between the attack flow and the normal flow. ACD can reflect the difference between normal flow and attack flow the earliest.
Figure 5: The FFV feature graph of DDoS attack flow and normal flow (x-axis: time (s); y-axis: the FFV feature value; series: the DDoS attack feature value and the normal feature value).
Figure 6: The ACD feature graph of DDoS attack flow and normal flow in the first 10 seconds (x-axis: time (s); y-axis: the ACD feature value; series: the DDoS attack feature value and the normal feature value).
As illustrated in Figure 4, compared with ACD, although IBF does not recognize the attack flow earlier, the distribution range of its feature values is more uniform and presents a certain degree of volatility. This makes the feature less susceptible to individual outliers.
As illustrated in Figure 5, the FFV feature is very similar to the ACD, but, as illustrated in Figures 6 and 7, in the initial stage the FFV is more capable of reflecting the difference between the attack flow and the normal flow than the ACD is.
Figure 7: The FFV feature graph of DDoS attack flow and normal flow in the first 10 seconds (x-axis: time (s); y-axis: the FFV feature value; series: the DDoS attack feature value and the normal feature value).
Figure 8: The MFF feature graph of DDoS attack flow and normal flow (x-axis: time (s); y-axis: the MFF feature value; series: the DDoS attack feature value and the normal feature value).
As illustrated in Figure 8, although the MFF feature cannot distinguish the attack flow from the normal flow as early as possible, it can make the feature values of the attack stage more stable so that it can avoid the outliers of attack flows.
As illustrated in Figure 9, it can be seen from the value of the ordinate that the HIAD best reflects the difference between the normal flow and the attack flow while having better stability in the latter half of the attack flow. After the early data, this feature can greatly distinguish between normal flow and abnormal flow, influence the classifier more, and make better decisions.
In summary, all five features have their own unique characteristics. To make full use of the characteristics of each feature, the feature values extracted by these five algorithms are each used as a five-dimensional-feature data set. Using these five feature values as training sets, two multiple-kernel learning models dominated by gradient ascent and gradient descent are trained, and the corresponding five-dimensional feature weight vectors are obtained. Finally, according to the framework of Figure 2, the classification results of the test set are obtained and are used to verify the effectiveness of the method. The parameters of M-SMKL are set as follows: $lr_1 = 2 \times 10^{-5}$, $lr_2 = 2 \times 10^{-3}$, $t_1 = 1.002$, $t_2 = 1.0065$, $t_3 = 1.007$, $p_1 = 0.000084$, and $p_2 = 0.000001$. The parameters of S-SMKL are set as follows: $lr_1 = 2 \times 10^{-5}$, $lr_2 = 2 \times 10^{-2}$, $t_4$ = 73425, $t_5$ = 78340, $t_6$ = 78350, $p_3 = 0.000775$, and $p_4 = 0.000680$. The size of the sliding window is 8. The parameters for multiple-kernel learning are all default values, and the kernel functions include two Gaussian functions and two polynomial functions. The SVM parameters are all default values, and the kernel function is a linear function. The experimental results are illustrated in Figures 10–18.
Figure 9: The HIAD feature graph of DDoS attack flow and normal flow (x-axis: time (s); y-axis: the HIAD feature value, ×10^4; series: the DDoS attack feature value and the normal feature value).
As shown in Figures 10–18, under the three types of experiments, according to the three evaluation criteria, the overall performance of the algorithms from the highest to the lowest is the ADADM, the SVM method, the SMKL method, and Nezhad et al.'s method [16].
This is because, although the method described by Nezhad et al. [16] is visibly superior to the other methods in terms of the DR indicator, it is far worse than the other methods with respect to the other indicators. The reason is that the Nezhad et al. [16] method relies excessively on the first reference point. When the first reference point fluctuates, this method easily recognizes some normal samples as attack samples.
Although the classification accuracy of the attack samples is high, a large number of normal samples are misjudged, so this method is superior in terms of DR and its other indicators are inferior to those of the other methods. This is why in this case the Nezhad et al. [16] method performs the worst. The effect of SVM is generally better than that of the SMKL method because, although the SMKL method coordinates multiple kernel functions to map the samples to a high-dimensional Hilbert space, the linear kernel function is obviously more suitable for the samples. Using the linear kernel, SVM can establish a better hyperplane than the SMKL method to identify the data containing early DDoS attacks. However, although the multiple-kernel learning method does not use a linear kernel function that is more suitable for the sample space, it can still maintain high accuracy, indicating that multiple-kernel learning has a lower dependence on the selection of kernel functions than the single-kernel SVM.
Figure 10: The DR contrast diagram of four algorithms for scaling attack flow and normal flow (x-axis: the value of multiplier; y-axis: the value of DR; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16]).
Figure 11: The ER contrast diagram of four algorithms for scaling attack flow and normal flow (x-axis: the value of multiplier; y-axis: the value of ER; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16]).
Figure 12: The FR contrast diagram of four algorithms for scaling attack flow and normal flow (x-axis: the value of multiplier; y-axis: the value of FR; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16]).
Figure 13: The DR contrast diagram of four algorithms for narrowing the attack flow (x-axis: the value of multiplier; y-axis: the value of DR; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16]).
We compared the ADADM to the SVM method TheADADM method uses the same kernel function as SMKLmethod Because the multikernel learning method is flexibleand adaptable it is possible to continuously optimize thehyperplane by adjusting the weights of the feature of eachdimension to recognize the DDoS as early as possible Attack
Security and Communication Networks 13
The value of multiplier01-02 09-1008-0907-0806-0705-0604-0503-0402-03
01
015
02
025
03
035
The v
alue
of E
R
The ER value of ADADMThe ER value of SimpleMKLThe ER value of SVMThe ER value of Nezhad et al [16]
Figure 14 The ER contrast diagram of four algorithms for narrow-ing the attack flow
0
01
02
03
04
05
06
07
08
The v
alue
of F
R
The FR value of ADADMThe FR value of SimpleMKLThe FR value of SVMThe FR value of Nezhad et al [16]
The value of multiplier01-02 09-1008-0907-0806-0705-0604-0503-0402-03
Figure 15 The FR contrast diagram of four algorithms for narrow-ing the attack flow
flow data and normal flow data are located on both sides ofthe hyperplane
In addition using the idea of ensemble learning to traintwo different classifiers and using the sliding window mech-anism to further synthesize the advantage of each classifierimproves the algorithmrsquos performance in the three types ofexperiments This method we propose outperforms not onlythe SVM method but also other methods of DDoS attack
075
08
085
09
095
1
The v
alue
of D
R
The DR value of ADADMThe DR value of SimpleMKLThe DR value of SVMThe DR value of Nezhad et al [16]
10-15 50-5545-5040-4535-4030-3525-3020-2515-20
The value of multiplier
Figure 16TheDR contrast diagram of four algorithms for amplify-ing the normal flow
012
014
016
018
02
022
024
026
028
03
032
The v
alue
of E
R
The value of multiplier
The ER value of ADADMThe ER value of SimpleMKLThe ER value of SVMThe ER value of Nezhad et al [16]
10-15 50-5545-5040-4535-4030-3525-3020-2515-20
Figure 17 The ER contrast diagram of four algorithms for amplify-ing the normal flow
detection The experimental data are presented in Tables 12 and 3
Table 1: Comparison results of four algorithms for scaling attack flow and normal flow (columns: the value of the random multiplier).

| Method | Metric | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.1 | 1.0–1.5 | 1.5–2.0 | 2.0–3.0 | 3.0–4.0 | 4.0–5.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.57 | 78.57 | 78.57 | 78.57 | 78.21 | 78.21 | 78.21 | 78.21 | 78.57 |
| ADADM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| ADADM method | ER (%) | 12.22 | 12.22 | 12.22 | 12.22 | 12.42 | 12.42 | 12.42 | 12.42 | 12.22 |
| SimpleMKL method | DR (%) | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| SimpleMKL method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SimpleMKL method | ER (%) | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 77.50 | 77.50 | 77.86 | 77.86 | 76.79 | 77.50 | 77.86 | 76.79 | 77.86 |
| SVM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SVM method | ER (%) | 12.83 | 12.83 | 12.63 | 12.63 | 13.24 | 12.83 | 12.63 | 13.24 | 12.63 |
| Nezhad et al.'s [16] method | DR (%) | 98.21 | 97.85 | 98.21 | 97.85 | 98.21 | 98.21 | 98.21 | 97.85 | 98.21 |
| Nezhad et al.'s [16] method | FR (%) | 74.29 | 74.76 | 74.29 | 74.76 | 75.71 | 74.29 | 74.29 | 74.29 | 72.38 |
| Nezhad et al.'s [16] method | ER (%) | 32.92 | 33.33 | 32.92 | 33.33 | 33.54 | 32.92 | 32.92 | 33.13 | 32.11 |

Table 2: Comparison results of four algorithms for narrowing the attack flow (columns: the value of the random multiplier).

| Method | Metric | 0.1–0.2 | 0.2–0.3 | 0.3–0.4 | 0.4–0.5 | 0.5–0.6 | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.21 | 78.21 | 78.21 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 |
| ADADM method | FR (%) | 10.99 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| ADADM method | ER (%) | 17.15 | 13.04 | 12.42 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 |
| SimpleMKL method | DR (%) | 75.71 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| SimpleMKL method | FR (%) | 22.75 | 4.74 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SimpleMKL method | ER (%) | 23.63 | 15.48 | 14.05 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 76.07 | 77.14 | 77.50 | 77.86 | 77.50 | 77.86 | 77.86 | 77.50 | 77.86 |
| SVM method | FR (%) | 22.75 | 4.74 | 1.42 | 0.47 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SVM method | ER (%) | 23.42 | 15.07 | 13.44 | 12.83 | 12.83 | 12.63 | 12.63 | 12.83 | 12.63 |
| Nezhad et al.'s [16] method | DR (%) | 97.13 | 97.85 | 98.57 | 98.21 | 98.57 | 98.57 | 98.21 | 98.21 | 97.85 |
| Nezhad et al.'s [16] method | FR (%) | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 |
| Nezhad et al.'s [16] method | ER (%) | 33.54 | 33.13 | 32.72 | 32.92 | 32.72 | 32.72 | 32.92 | 32.92 | 33.13 |

Table 3: Comparison results of four algorithms for amplifying the normal flow (columns: the value of random multiplier).

| Method | Metric | 1.0–1.5 | 1.5–2.0 | 2.0–2.5 | 2.5–3.0 | 3.0–3.5 | 3.5–4.0 | 4.0–4.5 | 4.5–5.0 | 5.0–5.5 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 |
| ADADM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.47 | 1.42 | 1.90 | 4.74 | 6.64 | 10.43 |
| ADADM method | ER (%) | 12.02 | 12.02 | 12.02 | 12.22 | 12.63 | 12.83 | 14.05 | 14.87 | 16.50 |
| SimpleMKL method | DR (%) | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 |
| SimpleMKL method | FR (%) | 0.01 | 0.01 | 0.47 | 1.42 | 4.27 | 6.64 | 10.90 | 17.06 | 21.80 |
| SimpleMKL method | ER (%) | 13.04 | 13.04 | 13.24 | 13.65 | 14.87 | 15.89 | 17.72 | 20.37 | 22.40 |
| SVM method | DR (%) | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 |
| SVM method | FR (%) | 0.01 | 0.01 | 0.95 | 1.42 | 3.79 | 8.06 | 11.85 | 18.01 | 22.75 |
| SVM method | ER (%) | 12.63 | 12.63 | 13.04 | 13.24 | 14.26 | 16.09 | 17.72 | 20.37 | 22.40 |
| Nezhad et al.'s [16] method | DR (%) | 97.49 | 97.13 | 97.13 | 97.13 | 96.77 | 96.77 | 96.77 | 96.77 | 96.77 |
| Nezhad et al.'s [16] method | FR (%) | 65.24 | 65.24 | 66.19 | 66.67 | 66.67 | 66.67 | 67.14 | 67.14 | 67.62 |
| Nezhad et al.'s [16] method | ER (%) | 29.47 | 29.67 | 30.08 | 30.28 | 30.49 | 30.49 | 30.69 | 30.69 | 30.90 |

Figure 18: The FR contrast diagram of four algorithms for amplifying the normal flow. (Horizontal axis: the value of multiplier; vertical axis: the value of FR; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)

6. Conclusion
In this paper, five-dimensional features are defined for describing the burstiness of DDoS attack flows, the distribution of IP source addresses, and the interactivity of DDoS attack flows. Based on the five-dimensional features and the ensemble learning framework, adaptive feature weights are obtained and the M-SMKL and S-SMKL multiple-kernel learning models are trained to detect DDoS attacks. To identify early attacks effectively, the sliding window mechanism is used to coordinate the S-SMKL and the M-SMKL to deal with the detection results. Experimental results show that, compared with similar methods, our method can produce more accurate results for detecting early DDoS attacks.
In the follow-up work, we will further study how to transform the multidimensional weight adaptive problem based on multiple-kernel learning into a convex optimization problem and improve the detection rate and convergence speed of the method.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
There are no conflicts of interest in this paper.
Acknowledgments
This work was supported by the Hainan Provincial Natural Science Foundation of China [2018CXTD333, 617048], the National Natural Science Foundation of China [61762033, 61702539], Hainan University Doctor Start Fund Project [kyqd1328], and Hainan University Youth Fund Project [qnjj1444].
References
[1] Z. Cai, Z. Wang, K. Zheng, and J. Cao, “A Distributed TCAM coprocessor architecture for integrated longest prefix matching, policy filtering, and content filtering,” IEEE Transactions on Computers, vol. 62, no. 3, pp. 417–427, 2013.
[2] J. H. Cui, Y. Y. Zhang, Z. P. Cai et al., “Securing display path for security-sensitive applications on mobile devices,” Computer Materials & Continua, vol. 55, no. 1, pp. 17–35, 2018.
[3] S. Liu, Z. Cai, H. Xu, and M. Xu, “Towards security-aware virtual network embedding,” Computer Networks, vol. 91, pp. 151–163, 2015.
[4] A. S. Pimpalkar and A. R. Bhagat Patil, “Detection and defense mechanisms against DDoS attacks,” in Proceedings of the International Conference on Innovations in Information, Embedded and Communication Systems, pp. 1–6, IEEE, 2015.
[5] J. R. Cheng, R. M. Xu, and X. Y. Tang, “An Abnormal Network Flow Feature Sequence Prediction Approach for DDoS Attacks Detection in Big Data Environment,” Computers, Materials & Continua, vol. 55, no. 1, pp. 95–119, 2018.
[6] N. Hoque, D. K. Bhattacharyya, and J. K. Kalita, “Botnet in DDoS attacks: trends and challenges,” IEEE Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2242–2270, 2015.
[7] K. Zeb, O. Baig, and M. K. Asif, “DDoS attacks and countermeasures in cyberspace,” in Proceedings of the 2015 2nd World Symposium on Web Applications and Networking, WSWAN ’15, pp. 1–6, IEEE, 2015.
[8] J. Shen, Z. Gui, S. Ji, J. Shen, H. Tan, and Y. Tang, “Cloud-aided lightweight certificateless authentication protocol with anonymity for wireless body area networks,” Journal of Network and Computer Applications, vol. 106, pp. 117–123, 2018.
[9] D. Kreutz, F. M. V. Ramos, P. E. Verissimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, “Software-defined networking: a comprehensive survey,” Proceedings of the IEEE, vol. 103, no. 1, pp. 14–76, 2015.
[10] Z. Zhou, M. Dong, K. Ota, G. Wang, and L. T. Yang, “Energy-efficient resource allocation for d2d communications underlaying cloud-ran-based lte-a networks,” IEEE Internet of Things Journal, vol. 3, no. 3, pp. 428–438, 2016.
[11] W. Lin, S. Xu, L. He, and J. Li, “Multi-resource scheduling and power simulation for cloud computing,” Information Sciences, vol. 397-398, pp. 168–186, 2017.
[12] W. Jiang, G. Wang, M. Z. A. Bhuiyan, and J. Wu, “Understanding graph-based trust evaluation in online social networks: Methodologies and challenges,” ACM Computing Surveys, vol. 49, no. 1, 2016.
[13] E. Luo, Q. Liu, and G. Wang, “Hierarchical Multi-Authority and Attribute-Based Encryption Friend Discovery Scheme in Mobile Social Networks,” IEEE Communications Letters, vol. 20, no. 9, pp. 1772–1775, 2016.
[14] S. Peng, A. Yang, L. Cao, S. Yu, and D. Xie, “Social influence modeling using information theory in mobile social networks,” Information Sciences, vol. 379, pp. 146–159, 2017.
[15] T. Peng, Q. Liu, D. Meng, and G. Wang, “Collaborative trajectory privacy preserving scheme in location-based services,” Information Sciences, vol. 387, pp. 165–179, 2017.
[16] S. M. T. Nezhad, M. Nazari, and E. A. Gharavol, “A Novel DoS and DDoS Attacks Detection Algorithm Using ARIMA Time Series Model and Chaotic System in Computer Networks,” IEEE Communications Letters, vol. 20, no. 4, pp. 700–703, 2016.
[17] R. H. Meng, S. G. Rice, and J. Wang, “A Fusion Steganographic Algorithm Based on Faster R-CNN,” Computers, Materials & Continua, vol. 55, no. 1, pp. 1–16, 2018.
[18] L. Sun, Z. Li, Q. Yan, W. Srisa-an, and Y. Pan, “SigPID: significant permission identification for android malware detection,” in Proceedings of the 2016 11th International Conference on Malicious and Unwanted Software (MALWARE ’16), pp. 1–8, Fajardo, Puerto Rico, USA, October 2016.
[19] C. Yuan, X. Li, Q. M. J. Wu et al., “Fingerprint Liveness Detection from Different Fingerprint Materials Using Convolutional Neural Network and Principal Component Analysis,” CMC: Computers, Materials & Continua, vol. 53, no. 3, pp. 357–371, 2017.
[20] M. I. Jordan and T. M. Mitchell, “Machine learning: trends, perspectives, and prospects,” Science, vol. 349, no. 6245, pp. 255–260, 2015.
[21] Y. Li, G. Wang, L. Nie, Q. Wang, and W. Tan, “Distance metric optimization driven convolutional neural network for age invariant face recognition,” Pattern Recognition, vol. 75, pp. 51–62, 2018.
[22] P. Li, J. Li, Z. Huang et al., “Multi-key privacy-preserving deep learning in cloud computing,” Future Generation Computer Systems, vol. 74, pp. 76–85, 2017.
[23] T. Li, J. Li, Z. Liu, P. Li, and C. Jia, “Differentially private Naive Bayes learning over multiple data sources,” Information Sciences, vol. 444, pp. 89–104, 2018.
[24] Z. Huang, S. Liu, X. Mao, K. Chen, and J. Li, “Insight of the protection for data security under selective opening attacks,” Information Sciences, vol. 412-413, pp. 223–241, 2017.
[25] C. Gao, Q. Cheng, P. He, W. Susilo, and J. Li, “Privacy-preserving Naive Bayes classifiers secure against the substitution-then-comparison attack,” Information Sciences, vol. 444, pp. 72–88, 2018.
[26] A. Saied, R. E. Overill, and T. Radzik, “Artificial neural networks in the detection of known and unknown DDoS attacks: proof-of-concept,” in Proceedings of PAAMS 2014 International Workshops (PAAMS ’14), Salamanca, Spain, 2014.
[27] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, “An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection,” Pattern Recognition Letters, vol. 51, pp. 1–7, 2015.
[28] Z. Y. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, “A system for denial-of-service attack detection based on multivariate correlation analysis,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 447–456, 2014.
[29] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, “Discriminating DDoS attacks from flash crowds using flow correlation coefficient,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 6, pp. 1073–1080, 2012.
[30] A. Wang, A. Mohaisen, W. Chang, and S. Chen, “Delving into Internet DDoS Attacks by Botnets: Characterization and Analysis,” in Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN ’15, pp. 379–390, 2015.
[31] G. D. Kumar, C. V. G. Rao, M. K. Singh, and F. Ahmad, “Using Jpcap API to monitor, analyze, and report network traffic for DDoS attacks,” in Proceedings of the 14th International Conference on Computational Science and Its Applications, ICCSA ’14, vol. 39, p. 35, 2014.
[32] K. J. Singh, K. Thongam, and T. De, “Entropy-based application layer DDoS attack detection using artificial neural networks,” Entropy, vol. 18, no. 10, 2016.
[33] A. Rukavitsyn, K. Borisenko, and A. Shorov, “Self-learning method for DDoS detection model in cloud computing,” in Proceedings of the 2017 IEEE Russia Section Young Researchers in Electrical and Electronic Engineering Conference, ElConRus ’17, pp. 544–547, 2017.
[34] H. Zhang, Z. Cai, Q. Liu et al., “A Survey on Security-Aware Measurement in SDN,” Security and Communication Networks, vol. 2018, Article ID 2459154, 14 pages, 2018.
[35] J. Ashraf and S. Latif, “Handling intrusion and DDoS attacks in Software Defined Networks using machine learning techniques,” in Proceedings of the 2014 National Software Engineering Conference, NSEC ’14, pp. 55–60, Karachi, Pakistan, 2014.
[36] I. Mihai-Gabriel and P. Victor-Valeriu, “Achieving DDoS resiliency in a software defined network by intelligent risk assessment based on neural networks and danger theory,” in Proceedings of the 15th IEEE International Symposium on Computational Intelligence and Informatics, CINTI ’14, pp. 319–324, Hungary, 2014.
[37] Q. Yan, Q. Gong, and F. R. Yu, “Effective software-defined networking controller scheduling method to mitigate DDoS attacks,” IEEE Electronics Letters, vol. 53, no. 7, pp. 469–471, 2017.
[38] T. Chin, X. Mountrouidou, X. Li, and K. Xiong, “Selective packet inspection to detect DoS flooding using software defined networking (SDN),” in Proceedings of the 2015 35th IEEE International Conference on Distributed Computing Systems Workshops, ICDCSW ’15, pp. 95–99, 2015.
[39] N. Dayal and S. Srivastava, “Analyzing behavior of DDoS attacks to identify DDoS detection features in SDN,” in Proceedings of the 9th International Conference on Communication Systems and Networks, COMSNETS ’17, pp. 274–281, 2017.
[40] J. Ye, X. Cheng, J. Zhu, L. Feng, and L. Song, “A DDoS Attack Detection Method Based on SVM in Software Defined Network,” Security and Communication Networks, vol. 2018, Article ID 9804061, 8 pages, 2018.
[41] J. Xu, L. Wei, Y. Zhang, A. Wang, F. Zhou, and C. Gao, “Dynamic Fully Homomorphic encryption-based Merkle Tree for lightweight streaming authenticated data structures,” Journal of Network and Computer Applications, vol. 107, pp. 113–124, 2018.
[42] X. Zhang, Y. Tan, C. Liang, Y. Li, and J. Li, “A Covert Channel Over VoLTE via Adjusting Silence Periods,” IEEE Access, vol. 6, pp. 9292–9302, 2018.
[43] Q. Lin, H. Yan, Z. Huang, W. Chen, J. Shen, and Y. Tang, “An ID-based linearly homomorphic signature scheme and its application in blockchain,” IEEE Access, vol. 6, no. 1, pp. 20632–20640, 2018.
[44] Q. Lin, J. Li, Z. Huang, W. Chen, and J. Shen, “A short linearly homomorphic proxy signature scheme,” IEEE Access, vol. 6, pp. 12966–12972, 2018.
[45] J. Cheng, X. Tang, and J. Yin, “A change-point DDoS attack detection method based on half interaction anomaly degree,” International Journal of Autonomous and Adaptive Communications Systems, vol. 10, no. 1, pp. 38–54, 2017.
[46] J. R. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, “DDoS Attack Detection Using IP Address Feature Interaction,” in Proceedings of the 2009 International Conference on Intelligent Networking and Collaborative Systems (INCOS ’09), pp. 113–118, 2009.
[47] J. Cheng, B. Zhang, J. Yin et al., “DDoS Attack Detection Using Three-State Partition Based on Flow Interaction,” Communications in Computer & Information Science, vol. 29, no. 4, pp. 176–184, 2009.
[48] J. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, “Detecting Distributed Denial of Service Attack Based on Multi-feature Fusion,” in Security Technology, vol. 58, pp. 132–139, 2009.
[49] J. R. Cheng, X. Tang, X. Zhu, and J. Yin, “Distributed denial of service attack detection based on IP Flow Interaction,” in Proceedings of the 2011 International Conference on E-Business and E-Government (ICEE ’11), pp. 1–4, 2011.
[50] J. Cheng, J. Yin, and L. Yun, “Detecting Distributed Denial of Service Attack Based on Address Correlation Value,” Journal of Computer Research & Development, vol. 46, no. 8, pp. 1334–1340, 2009.
[51] J. Cheng, J. Zhou, X. Tang, and J. Shi, “A distributed denial of service attack detection method based on time series prediction model,” Network Security Technology and Application, vol. 10, pp. 71–89, 2016.
[52] A. Rakotomamonjy, F. R. Bach, S. Canu, and Y. Grandvalet, “Simple MKL,” Journal of Machine Learning Research, vol. 9, no. 3, pp. 2491–2521, 2008.
[53] The Cooperative Association for Internet Data Analysis, The Caida Ucsd DDoS Attack 2007, http://www.caida.org/data/passive/ddos-20070804_dataset.xml.
where $\alpha_i$ and $\nu_i$ are Lagrange multipliers. First, the partial derivatives with respect to $\omega_m$, $b$, and $\xi_i$ are calculated. Then the extrema are obtained by setting the partial derivatives to "0". Finally, the extrema are substituted into the Lagrange function, which can be further changed to

$$\max Q(\alpha) = -\frac{1}{2} \sum_{i,j=1}^{m} \alpha_i \alpha_j y_i y_j K_d(x_i, x_j) + \sum_{i=1}^{n} \alpha_i \tag{20}$$

$$\begin{aligned} \text{s.t.} \quad & \sum_{i}^{n} \alpha_i y_i = 0, \\ & C \ge \alpha_i \ge 0, \\ & K_d(x_i, x_j) = \sum_{m=1}^{M} d_m k_m(x_i, x_j) \end{aligned} \tag{21}$$

The gradient descent method is used to adjust $J(d)$ on $d$, update $d$, and optimize $d$ as well as $a$ alternately. Then an optimal solution $\alpha^* = (\alpha_1, \alpha_2, \cdots, \alpha_n)$ is obtained; that is, the original objective function eventually turns into (22). The detailed formulation is as follows:

$$f(x) = \sum_{i=1}^{n} \alpha_i^* y_i \sum_{m=1}^{M} d_m K_d(x_i, x_j) + b \tag{22}$$

$x_j \in C$. When the test set data $x_j$ is input to $f(x)$, the objective function can determine the category of the test set data.
4.2. The Attack Detection Model Based on Multiple-Kernel Learning. The SimpleMKL model treats every dimension as having a weight value of "1", so it cannot fully exploit the differences between features. This paper uses feature weights to control the effect of different features on the model. To obtain appropriate feature weights in the SimpleMKL model, we combine it with the gradient method to optimize the weight parameters so that the detection accuracy is further improved.
We marked ACD as $x_1$, IBF as $x_2$, MFF as $x_3$, HIAD as $x_4$, and FFV as $x_5$; then the feature value vector is $F = (x_1, x_2, x_3, x_4, x_5)$ and the marked weight vector is $W = (w_1, w_2, w_3, w_4, w_5)$. Combinatorial features are $CF = F * W^T$, and the mean value of each dimension of normal flow is $u_{11}$, $u_{12}$, $u_{13}$, $u_{14}$, or $u_{15}$. Note the mean value of each dimension of the attack flow is $u_{21}$, $u_{22}$, $u_{23}$, $u_{24}$, or $u_{25}$.
The interclass mean squared difference is expressed as follows:

$$\begin{aligned} M = {} & [w_1 * (u_{11} - u_{21})]^2 + [w_2 * (u_{12} - u_{22})]^2 + [w_3 * (u_{13} - u_{23})]^2 \\ & + [w_4 * (u_{14} - u_{24})]^2 + [w_5 * (u_{15} - u_{25})]^2 \end{aligned} \tag{23}$$

The normal intraclass variance is denoted

$$\begin{aligned} S_1 = \sum_{i=1}^{n} {} & [w_1 * (x_{i1} - u_{11})]^2 + [w_2 * (x_{i2} - u_{12})]^2 + [w_3 * (x_{i3} - u_{13})]^2 \\ & + [w_4 * (x_{i4} - u_{14})]^2 + [w_5 * (x_{i5} - u_{15})]^2 \end{aligned} \tag{24}$$

The attack intraclass variance is denoted

$$\begin{aligned} S_2 = \sum_{i=1}^{n} {} & [w_1 * (x_{i1} - u_{21})]^2 + [w_2 * (x_{i2} - u_{22})]^2 + [w_3 * (x_{i3} - u_{23})]^2 \\ & + [w_4 * (x_{i4} - u_{24})]^2 + [w_5 * (x_{i5} - u_{25})]^2 \end{aligned} \tag{25}$$
The intraclass variance is $S = S_1 + S_2$. To improve classification accuracy and ensure a rapid convergence of functions, on the one hand, we should try to improve the mean difference between positive and negative samples so that the two kinds of samples are far away from each other; that is, we should increase the $M$ value. On the other hand, we should minimize the differences between samples. The variance corresponding to each dimension should be as small as possible, thus reducing the $S$ value. Therefore, the classification model needs to train two different classifiers to classify the samples. One classifier is interclass mean squared difference growth (M-SMKL), and the other classifier is intraclass variance descent (S-SMKL). In combination with the SimpleMKL framework formula (15), the above problems can be transformed into (26). The detailed formulation is as follows:
$$\begin{aligned} & \max_{x_{ij} \in F} \alpha M + \min_{x_{ij} \in F} \beta S \\ & \min \psi(\omega_m, b, \xi, d, w) = \frac{1}{2} \sum_{m=1}^{M} \frac{1}{d_m} \lVert \omega_m \rVert_{H_m}^{2} + C \sum_{i=1}^{n} \xi_i \end{aligned} \tag{26}$$

$$\begin{aligned} \text{s.t.} \quad & y_i \sum_{m=1}^{M} \omega_m \cdot \varphi(w x_i) + y_i b \ge 1 - \xi_i, \\ & \sum_{m=1}^{M} d_m = 1, \quad d_m \ge 0, \\ & \xi_i \ge 0, \\ & M < \sigma_1, \\ & S > \sigma_1 \end{aligned} \tag{27}$$
If $\alpha \gg \beta$, the objective function is M-SMKL. If $\beta \gg \alpha$, the objective function is S-SMKL. $\alpha$ and $\beta$ are converted to the learning rates of formula (35).
To solve the above problems, we update the weights iteratively to obtain the objective function. The details are as follows. Firstly, the weights of each feature are assigned initial values. Secondly, they are combined with (26) and (27) to obtain the optimal function for the current iteration. The mathematical form is expressed as follows:
$$\max Q(\alpha) = -\frac{1}{2} \sum_{i,j=1}^{m} \alpha_i \alpha_j y_i y_j K_d(w x_i, w x_j) + \sum_{i=1}^{n} \alpha_i \tag{28}$$

$$\begin{aligned} \text{s.t.} \quad & \sum_{i}^{n} \alpha_i y_i = 0, \\ & C \ge \alpha_i \ge 0, \\ & K_d(w x_i, w x_j) = \sum_{m=1}^{M} d_m k_m(w x_i, w x_j) \end{aligned} \tag{29}$$

The optimal equation obtained using (28) and (29) is as follows:

$$f(x) = \sum_{i=1}^{n} \alpha_i^* y_i \sum_{m=1}^{M} d_m K_d(w x_i, w x_j) + b \tag{30}$$
To further determine whether the optimal equation has achieved good results, this paper sets two constraint conditions for M-SMKL and S-SMKL, respectively, that do not conflict with the constraint conditions of formula (27). These constraint conditions are expressed as follows.
The constraint conditions of M-SMKL are as follows:

$$\begin{aligned} & t_1 < |M_{i+1} - M_i| < t_2 < |M_i - M_{i-1}| < t_3, \\ & f(M_i) f(S_i) - f(M_{i-1}) f(S_{i-1}) > p_1, \\ & f(M_i) f(S_i) - f(M_{i+1}) f(S_{i+1}) > p_2 \end{aligned} \tag{31}$$

The constraint conditions of S-SMKL are as follows:

$$\begin{aligned} & t_4 < |S_i - S_{i-1}| < t_5 < |S_{i+1} - S_i| < t_6, \\ & f(M_i) f(S_i) - f(M_{i-1}) f(S_{i-1}) > p_3, \\ & f(M_i) f(S_i) - f(M_{i+1}) f(S_{i+1}) > p_4 \end{aligned} \tag{32}$$

where the values of $p_1$, $p_2$, $p_3$, and $p_4$ are close to "0", the values of $t_1$, $t_2$, and $t_3$ are close to "1", and the values of $t_4$, $t_5$, and $t_6$ are close to "75". If the constraint condition is satisfied, the algorithm is stopped and formula (30) becomes the optimal function; otherwise, each dimension weight is updated iteratively. The gradients of $M$ and $S$ corresponding to each dimension weight are as follows:
$$\begin{aligned} \frac{\partial M}{\partial w_1} &= 2 w_1 (u_{11} - u_{21})^2, \\ \frac{\partial M}{\partial w_2} &= 2 w_2 (u_{12} - u_{22})^2, \\ \frac{\partial M}{\partial w_3} &= 2 w_3 (u_{13} - u_{23})^2, \\ \frac{\partial M}{\partial w_4} &= 2 w_4 (u_{14} - u_{24})^2, \\ \frac{\partial M}{\partial w_5} &= 2 w_5 (u_{15} - u_{25})^2 \end{aligned} \tag{33}$$

$$\begin{aligned} \frac{\partial S}{\partial w_1} &= 2\left[w_1\left(\sum_{i=1}^{n_1} x_{11}^2 - n_1 u_{11}^2\right) + w_1\left(\sum_{i=1}^{n_2} x_{21}^2 - n_2 u_{21}^2\right)\right], \\ \frac{\partial S}{\partial w_2} &= 2\left[w_2\left(\sum_{i=1}^{n_1} x_{12}^2 - n_1 u_{12}^2\right) + w_2\left(\sum_{i=1}^{n_2} x_{22}^2 - n_2 u_{22}^2\right)\right], \\ \frac{\partial S}{\partial w_3} &= 2\left[w_3\left(\sum_{i=1}^{n_1} x_{13}^2 - n_1 u_{13}^2\right) + w_3\left(\sum_{i=1}^{n_2} x_{23}^2 - n_2 u_{23}^2\right)\right], \\ \frac{\partial S}{\partial w_4} &= 2\left[w_4\left(\sum_{i=1}^{n_1} x_{14}^2 - n_1 u_{14}^2\right) + w_4\left(\sum_{i=1}^{n_2} x_{24}^2 - n_2 u_{24}^2\right)\right], \\ \frac{\partial S}{\partial w_5} &= 2\left[w_5\left(\sum_{i=1}^{n_1} x_{15}^2 - n_1 u_{15}^2\right) + w_5\left(\sum_{i=1}^{n_2} x_{25}^2 - n_2 u_{25}^2\right)\right] \end{aligned} \tag{34}$$
where $n_1$ is the number of the normal flow feature of the training sample and $n_2$ is the number of the attack flow feature of the training sample. According to the gradients in (33) and (34), the weight of each dimension is updated as follows:

$$\begin{aligned} w_1 &= w_1 + 2 * lr_1 * \frac{\partial M}{\partial w_1} - 2 * lr_2 * \frac{\partial S}{\partial w_1}, \\ w_2 &= w_2 + 2 * lr_1 * \frac{\partial M}{\partial w_2} - 2 * lr_2 * \frac{\partial S}{\partial w_2}, \\ w_3 &= w_3 + 2 * lr_1 * \frac{\partial M}{\partial w_3} - 2 * lr_2 * \frac{\partial S}{\partial w_3}, \\ w_4 &= w_4 + 2 * lr_1 * \frac{\partial M}{\partial w_4} - 2 * lr_2 * \frac{\partial S}{\partial w_4}, \\ w_5 &= w_5 + 2 * lr_1 * \frac{\partial M}{\partial w_5} - 2 * lr_2 * \frac{\partial S}{\partial w_5} \end{aligned} \tag{35}$$

where $lr_1$ is the learning rate of gradient ascent and $lr_2$ is the learning rate of gradient descent; $lr_1$ has the same function as $\alpha$, and $lr_2$ has the same function as $\beta$. Each updated weight is multiplied by each original feature accordingly, and the next round of iteration is carried out.

Figure 1: Flow chart of multiple-kernel learning training process based on ensemble learning. (Both branches start from the multidimensional data with initial weights. The M-SMKL branch increases M to update the weights of the different dimensions with gradient ascent, multiplies the updated weights with the training data set, and updates and improves the core parameters of M-SMKL. The S-SMKL branch decreases S to update the weights with gradient descent, multiplies the updated weights with the training data set, and updates and decreases the core parameters of S-SMKL. Each branch repeats until its constraint conditions are met and then ends training.)
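The weight update of (23)–(35) can be checked numerically. The following Python code is an added example, not the authors' implementation: it computes M and S on constructed five-dimensional samples, cross-checks the gradients (33) and (34) against finite differences, and applies update (35). The sample values, the learning rates, the fixed step count used in place of stop conditions (31) and (32), and the reading of S_1 as a sum over normal samples and S_2 as a sum over attack samples are assumptions.

```python
"""Weight update of Eqs. (23)-(35) on constructed 5-D samples (added example)."""

# Constructed samples: rows are flows, columns are (ACD, IBF, MFF, HIAD, FFV).
NORMAL_FLOWS = [
    [1.0, 2.0, 0.5, 1.0, 3.0],
    [1.2, 1.8, 0.7, 0.9, 3.1],
    [0.8, 2.2, 0.6, 1.1, 2.9],
]
ATTACK_FLOWS = [
    [3.0, 2.1, 2.5, 4.0, 3.0],
    [3.4, 1.9, 2.7, 4.2, 3.2],
    [2.6, 2.0, 2.3, 3.8, 2.8],
]


def class_means(samples):
    """Per-dimension mean u_k of one class."""
    n = len(samples)
    return [sum(row[k] for row in samples) / n for k in range(len(samples[0]))]


def interclass_m(w, u1, u2):
    """Eq. (23): M = sum_k [w_k * (u_1k - u_2k)]^2."""
    return sum((wk * (a - b)) ** 2 for wk, a, b in zip(w, u1, u2))


def intraclass_s(w, normal, attack, u1, u2):
    """S = S_1 + S_2, Eqs. (24)-(25). Assumption: S_1 runs over the normal
    samples and S_2 over the attack samples, as n_1 and n_2 in Eq. (34) imply."""
    s1 = sum((wk * (x - u)) ** 2 for row in normal for wk, x, u in zip(w, row, u1))
    s2 = sum((wk * (x - u)) ** 2 for row in attack for wk, x, u in zip(w, row, u2))
    return s1 + s2


def grad_m(w, u1, u2):
    """Eq. (33): dM/dw_k = 2 * w_k * (u_1k - u_2k)^2."""
    return [2 * wk * (a - b) ** 2 for wk, a, b in zip(w, u1, u2)]


def grad_s(w, normal, attack, u1, u2):
    """Eq. (34): closed form using sum(x^2) - n * u^2 for each class."""
    n1, n2 = len(normal), len(attack)
    grads = []
    for k, wk in enumerate(w):
        spread1 = sum(row[k] ** 2 for row in normal) - n1 * u1[k] ** 2
        spread2 = sum(row[k] ** 2 for row in attack) - n2 * u2[k] ** 2
        grads.append(2 * (wk * spread1 + wk * spread2))
    return grads


def numeric_grad(func, w, eps=1e-6):
    """Central finite differences, used only to cross-check Eqs. (33)-(34)."""
    grads = []
    for k in range(len(w)):
        hi = w[:k] + [w[k] + eps] + w[k + 1:]
        lo = w[:k] + [w[k] - eps] + w[k + 1:]
        grads.append((func(hi) - func(lo)) / (2 * eps))
    return grads


def update_weights(w, normal, attack, lr1, lr2, steps=1):
    """Eq. (35), repeated `steps` times. A fixed step count stands in for the
    stop conditions (31)/(32), which need the trained SMKL model."""
    u1, u2 = class_means(normal), class_means(attack)
    w = list(w)
    for _ in range(steps):
        gm = grad_m(w, u1, u2)
        gs = grad_s(w, normal, attack, u1, u2)
        w = [wk + 2 * lr1 * a - 2 * lr2 * b for wk, a, b in zip(w, gm, gs)]
    return w


if __name__ == "__main__":
    u1, u2 = class_means(NORMAL_FLOWS), class_means(ATTACK_FLOWS)
    start = [1.0] * 5
    # Constructed learning rates: one ascent-dominated, one descent-dominated.
    for name, lr1, lr2 in (("M-dominated", 0.01, 0.001), ("S-dominated", 0.001, 0.1)):
        w = update_weights(start, NORMAL_FLOWS, ATTACK_FLOWS, lr1, lr2)
        print(name, [round(x, 4) for x in w],
              "M=%.3f" % interclass_m(w, u1, u2),
              "S=%.3f" % intraclass_s(w, NORMAL_FLOWS, ATTACK_FLOWS, u1, u2))
```

With unit initial weights, the ascent-dominated step raises the weights of the dimensions whose class means differ in the constructed data (ACD, MFF, HIAD) and slightly lowers the others, which is the adaptive weighting the section describes.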
4.3. Framework of Multiple-Kernel Learning Detection Based on Ensemble Learning. We input the multidimensional data with weights and set the learning rate. Then two different classifiers are trained: M-SMKL is trained mainly by increasing the M value and secondarily by reducing the S value, and S-SMKL is trained mainly by reducing the S value and secondarily by increasing the M value. During the training process, the M value and the S value are constantly updated with the method of gradient ascent and descent until the constraint conditions are met. The flowchart is provided in Figure 1.
The detection process is as follows: firstly, the test data are multiplied by the two different weight vectors trained earlier; secondly, the weighted data are input to the corresponding M-SMKL and S-SMKL models; finally, we use the sliding window mechanism to coordinate the two kinds of models. The sliding window mechanism is described as follows. Firstly, a sliding window with a size of $n$ is created. Secondly, the trained M-SMKL classifies the test data and obtains the first classification results; the trained S-SMKL classifies the test data and obtains the second classification results. Finally, four ways are used to cooperatively treat the first classification results and the second classification results; the details are as follows: (1) if M-SMKL and S-SMKL both identify the current data category as normal, the current data category is judged to be normal; (2) if M-SMKL and S-SMKL both identify the current data category as attack, the current data category is judged to be attack; (3) if M-SMKL identifies the current data category as normal but S-SMKL identifies it as attack, the current data category is judged to be attack; (4) if M-SMKL identifies the current data category as attack but S-SMKL identifies it as normal, then consider the following. Step 1: Move the starting point of the sliding window to the current position of the test data in the first classification results and map the end point of the sliding window to the n-1 position of the first classification results. Step 2: If the results in the sliding window are all attack, the current data category is judged to be attack; otherwise, the current data category is judged to be normal. The flow chart is provided in Figure 2.
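The four coordination rules above, written out as an added example (this is not code from the paper): it fuses two per-sample label sequences and scores them with the DR, FR and ER definitions of Section 5.1. Assumptions made here: labels are encoded as 0 (normal) and 1 (attack), the window for rule (4) covers positions i to i+n-1 of the M-SMKL results and is truncated at the end of the sequence, the label sequences are constructed for illustration, and n = 4 is used instead of the paper's window size of 8 to suit the short sequence.

```python
from typing import Dict, List, Sequence

NORMAL, ATTACK = 0, 1  # label encoding is an assumption of this example


def coordinate(m_labels: Sequence[int], s_labels: Sequence[int], n: int) -> List[int]:
    """Fuse the per-sample labels of M-SMKL and S-SMKL with the four rules."""
    if len(m_labels) != len(s_labels):
        raise ValueError("both classifiers must label the same samples")
    if n < 1:
        raise ValueError("window size n must be at least 1")
    fused = []
    for i, (m, s) in enumerate(zip(m_labels, s_labels)):
        if m == s:                      # rules (1) and (2): the models agree
            fused.append(m)
        elif s == ATTACK:               # rule (3): only S-SMKL reports attack
            fused.append(ATTACK)
        else:                           # rule (4): only M-SMKL reports attack
            # Window over the M-SMKL results, positions i .. i+n-1
            # (assumption: truncated when fewer than n results remain).
            window = m_labels[i:i + n]
            fused.append(ATTACK if all(x == ATTACK for x in window) else NORMAL)
    return fused


def _ratio(num: int, den: int) -> float:
    return num / den if den else 0.0


def rates(truth: Sequence[int], predicted: Sequence[int]) -> Dict[str, float]:
    """DR, FR and ER in the paper's convention: TP/FP count normal samples
    (correctly/incorrectly marked), TN/FN count attack samples."""
    pairs = list(zip(truth, predicted))
    tp = sum(1 for t, p in pairs if t == NORMAL and p == NORMAL)
    fp = sum(1 for t, p in pairs if t == NORMAL and p == ATTACK)
    tn = sum(1 for t, p in pairs if t == ATTACK and p == ATTACK)
    fn = sum(1 for t, p in pairs if t == ATTACK and p == NORMAL)
    return {
        "DR": _ratio(tn, tn + fn),
        "FR": _ratio(fp, tp + fp),
        "ER": _ratio(fn + fp, tp + fp + tn + fn),
    }


# Constructed sequences: 10 normal samples followed by 14 attack samples.
TRUTH = [NORMAL] * 10 + [ATTACK] * 14
# M-SMKL (constructed): flags the attack from its first sample, but raises
# scattered false alarms on normal traffic and drops one attack sample.
M_SMKL = [0, 0, 1, 0, 0, 0, 1, 1, 0, 0] + [1, 1, 0] + [1] * 11
# S-SMKL (constructed): no false alarms, but recognises the attack five samples late.
S_SMKL = [NORMAL] * 15 + [ATTACK] * 9
WINDOW = 4


def demo() -> Dict[str, Dict[str, float]]:
    fused = coordinate(M_SMKL, S_SMKL, WINDOW)
    return {
        "M-SMKL": rates(TRUTH, M_SMKL),
        "S-SMKL": rates(TRUTH, S_SMKL),
        "fused": rates(TRUTH, fused),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:7s} DR={r['DR']:.4f} FR={r['FR']:.4f} ER={r['ER']:.4f}")
```

On these constructed sequences the fused output removes every false alarm of M-SMKL and detects the attack earlier than S-SMKL, while the single dropped M-SMKL sample delays the fused detection by three samples because the windows starting just before it are not all attack.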
The reason for training two kinds of SMKL is that S-SMKL focuses on reducing the difference between the data of each dimension and can gather the two types of samples around their respective centers. However, S-SMKL does not consider the location of the two sample-center points. Although a better classification feature can be maintained on the whole, it is impossible to identify DDoS attacks earlier because the center distance between the normal flow and the attack flow is small. M-SMKL focuses on the difference between the two types of data centers and maximizes the distance between the centers of the two types of samples, making the two types of samples as separate as possible. M-SMKL can expand the distance between the different classes so that the attack flow can be identified earlier, but it makes intraclass data dispersed, causing default results. Therefore, the sliding window mechanism is adopted to coordinate the two models to detect early DDoS attacks accurately.

Figure 2: Flow chart of multiple-kernel learning detection process based on ensemble learning. (Chart steps: the initial data are multiplied with the new weights of S-SMKL and of M-SMKL; the test set is classified with S-SMKL and with M-SMKL, giving two classification results; the sliding window process combines them into the final predicted result.)
5. Experimental Analysis

5.1. Experimental Data Sets and Evaluation Standards. The data set used for this experiment is the CAIDA "DDoS Attack 2007" data set [53]. This data set contains anonymized traffic of a Distributed Denial of Service (DDoS) attack lasting approximately one hour on August 4, 2007. The total size of the data set is 21 GB, which accounts for approximately one hour (20:50:08 UTC–21:56:16 UTC). Attacks began around 21:13, causing the network load to grow rapidly (in minutes) from approximately 200 kbits/s to 80 megabits/s. The one hour of attack traffic is divided into 5-minute files and stored in PCAP format. The contents of this data set are TCP network traffic packets. Each TCP packet contains the source address, destination address, source port, destination port, packet size, and protocol type. The duration of normal flow data used in this paper is 2 minutes in total, and the duration of attack data is 5 minutes in total.

The hardware used is a computer with 8 GB of memory, an Intel Core i7 processor, and a Windows 10 64-bit system; the development environment is MATLAB 2014a and Codeblocks 10.05. The evaluation criteria used in this paper consist of the detection rate (DR), the false alarm rate (FR), and the total error rate (ER).
Let TP denote the number of normal test samples that are properly marked, FP the number of normal test samples that have been incorrectly marked, TN the number of attack test samples that are correctly marked, and FN the number of attack test samples that have been incorrectly marked. Then

$$
DR = \frac{TN}{TN + FN}, \qquad
FR = \frac{FP}{TP + FP}, \qquad
ER = \frac{FN + FP}{TP + FP + TN + FN}.
\tag{36}
$$
We used the above five feature extraction algorithms to extract features from the data set. The extracted feature values are normalized and used as a training set. The data in the training set can be regarded as the regularity of the change in network traffic. Network traffic has an abrupt and volatile nature. Therefore, although the collected network data have similarities with the conventional ones, they still have a certain degree of difference. To simulate this phenomenon and verify the effectiveness of the presented method, three types of data are generated as follows: (1) normal flow feature values and attack flow feature values are both multiplied by a random number; (2) only the attack flow feature values are multiplied by a random number; and (3) only the normal flow feature values are multiplied by a random number.
Figure 3: The ACD feature graph of DDoS attack flow and normal flow. (x-axis: time (s); y-axis: the ACD feature value; series: the DDoS attack feature value, the normal feature value.)

Figure 4: The IBF feature graph of DDoS attack flow and normal flow. (x-axis: time (s); y-axis: the IBF feature value; series: the DDoS attack feature value, the normal feature value.)
5.2. Experimental Results and Analysis. Five features are used to extract feature data from attack data and normal data, and positive as well as negative sample sets are obtained. The sampling time is set to 1 s, and the remaining parameters of the five feature extraction methods are set as follows: $\theta_1 = 0.5$, $\theta_2 = 0.5$, $\theta_3 = 3$, $\theta_4 = 3$, $\theta_5 = 3$, $\theta_6 = 3$, $\theta_7 = 3$, $\theta_8 = 3$, and $\theta_9 = 3$. The total of normal feature values is 211, and the total of attack feature values is 280. Figures 3–9 illustrate the feature values extracted by the five algorithms.
As illustrated in Figure 3, the early attack feature values of the DDoS attack are close to the normal feature values. This is because there are a large number of bidirectional flows in the early stage of the DDoS attack, and these bidirectional flows gradually decrease as the attack degree increases. Therefore, using the ACD as a feature after 70 seconds can significantly reflect the difference between the attack flow and the normal flow. ACD can reflect the difference between normal flow and attack flow the earliest.

Figure 5: The FFV feature graph of DDoS attack flow and normal flow. (x-axis: time (s); y-axis: the FFV feature value; series: the DDoS attack feature value, the normal feature value.)

Figure 6: The ACD feature graph of DDoS attack flow and normal flow in the first 10 seconds. (x-axis: time (s); y-axis: the ACD feature value; series: the DDoS attack feature value, the normal feature value.)
As illustrated in Figure 4, compared with ACD, although IBF does not recognize the attack flow earlier, the distribution range of its feature values is more uniform and presents a certain degree of volatility. This makes the feature less susceptible to individual outliers.

As illustrated in Figure 5, the FFV feature is very similar to the ACD, but, as illustrated in Figures 6 and 7, in the initial stage the FFV is more capable of reflecting the difference between the attack flow and the normal flow than the ACD is.
Figure 7: The FFV feature graph of DDoS attack flow and normal flow in the first 10 seconds. (x-axis: time (s); y-axis: the FFV feature value; series: the DDoS attack feature value, the normal feature value.)

Figure 8: The MFF feature graph of DDoS attack flow and normal flow. (x-axis: time (s); y-axis: the MFF feature value; series: the DDoS attack feature value, the normal feature value.)
As illustrated in Figure 8, although the MFF feature cannot distinguish the attack flow from the normal flow as early as possible, it makes the feature values of the attack stage more stable so that it can avoid the outliers of attack flows.

As illustrated in Figure 9, it can be seen from the values on the ordinate that the HIAD best reflects the difference between the normal flow and the attack flow while having better stability in the latter half of the attack flow. After the early data, this feature can greatly distinguish between normal flow and abnormal flow, influence the classifier more, and make better decisions.
In summary, all five features have their own unique characteristics. To make full use of the characteristics of each feature, the feature values extracted by these five algorithms are used together as a five-dimensional feature data set. Using these five feature values as training sets, two multiple-kernel learning models, one dominated by gradient ascent and one by gradient descent, are trained, and the corresponding five-dimensional feature weight vectors are obtained. Finally, according to the framework of Figure 2, the classification results of the test set are obtained and are used to verify the effectiveness of the method. The parameters of M-SMKL are set as follows: $lr_1 = 2 \times 10^{-5}$, $lr_2 = 2 \times 10^{-3}$, $t_1$ = 1002, $t_2$ = 10065, $t_3$ = 1007, $p_1 = 0.000084$, and $p_2 = 0.000001$. The parameters of S-SMKL are set as follows: $lr_1 = 2 \times 10^{-5}$, $lr_2 = 2 \times 10^{-2}$, $t_4$ = 73425, $t_5$ = 78340, $t_6$ = 78350, $p_3 = 0.000775$, and $p_4 = 0.000680$. The size of the sliding window is 8. The parameters for multiple-kernel learning are all default values, and the kernel functions include two Gaussian functions and two polynomial functions. The SVM parameters are all default values, and the kernel function is a linear function. The experimental results are illustrated in Figures 10–18.

Figure 9: The HIAD feature graph of DDoS attack flow and normal flow. (x-axis: time (s); y-axis: the HIAD feature value, ×10^4; series: the DDoS attack feature value, the normal feature value.)
As shown in Figures 10–18, under the three types of experiments and according to the three evaluation criteria, the overall performance of the algorithms from the highest to the lowest is the ADADM, the SVM method, the SMKL method, and Nezhad et al.'s method [16].

This is because, although the method described by Nezhad et al. [16] is visibly superior to the other methods in terms of the DR indicator, it is far worse than the other methods with respect to the other indicators. The reason is that the Nezhad et al. [16] method relies excessively on the first reference point. When the first reference point fluctuates, this method easily recognizes some normal samples as attack samples. Although the classification accuracy of the attack samples is high, a large number of normal samples are misjudged, so this method is superior in terms of DR, and its other indicators are inferior to those of the other methods. This is why, in this case, the Nezhad et al. [16] method performs the worst.

The effect of SVM is generally better than that of the SMKL method because, although the SMKL method coordinates multiple kernel functions to map the sample to a high-dimensional Hilbert space, the linear kernel function is obviously more suitable for the sample. Using the linear kernel, SVM can establish a better hyperplane than the SMKL method to identify the data containing early DDoS attacks. However, although the multiple-kernel learning method does not use a linear kernel function that is more suitable for the sample space, it can still maintain high accuracy, indicating that multiple-kernel learning has a lower dependence on the selection of kernel functions than the single-kernel SVM.

Figure 10: The DR contrast diagram of four algorithms for scaling attack flow and normal flow. (x-axis: the value of multiplier; y-axis: the value of DR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].)

Figure 11: The ER contrast diagram of four algorithms for scaling attack flow and normal flow. (x-axis: the value of multiplier; y-axis: the value of ER; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].)

Figure 12: The FR contrast diagram of four algorithms for scaling attack flow and normal flow. (x-axis: the value of multiplier; y-axis: the value of FR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].)

Figure 13: The DR contrast diagram of four algorithms for narrowing the attack flow. (x-axis: the value of multiplier; y-axis: the value of DR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].)
We compared the ADADM to the SVM method. The ADADM method uses the same kernel functions as the SMKL method. Because the multikernel learning method is flexible and adaptable, it is possible to continuously optimize the hyperplane by adjusting the weights of the feature of each dimension to recognize the DDoS attack as early as possible. Attack flow data and normal flow data are located on the two sides of the hyperplane.

Figure 14: The ER contrast diagram of four algorithms for narrowing the attack flow. (x-axis: the value of multiplier; y-axis: the value of ER; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].)

Figure 15: The FR contrast diagram of four algorithms for narrowing the attack flow. (x-axis: the value of multiplier; y-axis: the value of FR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].)
In addition, using the idea of ensemble learning to train two different classifiers and using the sliding window mechanism to further combine the advantages of each classifier improves the algorithm's performance in the three types of experiments. The method we propose outperforms not only the SVM method but also the other methods of DDoS attack detection. The experimental data are presented in Tables 1, 2, and 3.

Figure 16: The DR contrast diagram of four algorithms for amplifying the normal flow. (x-axis: the value of multiplier; y-axis: the value of DR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].)

Figure 17: The ER contrast diagram of four algorithms for amplifying the normal flow. (x-axis: the value of multiplier; y-axis: the value of ER; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].)
Table 1: Comparison results of four algorithms for scaling attack flow and normal flow. Columns give the value of the random multiplier.

| Method | Metric | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.1 | 1.0–1.5 | 1.5–2.0 | 2.0–3.0 | 3.0–4.0 | 4.0–5.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.57 | 78.57 | 78.57 | 78.57 | 78.21 | 78.21 | 78.21 | 78.21 | 78.57 |
| ADADM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| ADADM method | ER (%) | 12.22 | 12.22 | 12.22 | 12.22 | 12.42 | 12.42 | 12.42 | 12.42 | 12.22 |
| SimpleMKL method | DR (%) | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| SimpleMKL method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SimpleMKL method | ER (%) | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 77.50 | 77.50 | 77.86 | 77.86 | 76.79 | 77.50 | 77.86 | 76.79 | 77.86 |
| SVM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SVM method | ER (%) | 12.83 | 12.83 | 12.63 | 12.63 | 13.24 | 12.83 | 12.63 | 13.24 | 12.63 |
| Nezhad et al.'s [16] method | DR (%) | 98.21 | 97.85 | 98.21 | 97.85 | 98.21 | 98.21 | 98.21 | 97.85 | 98.21 |
| Nezhad et al.'s [16] method | FR (%) | 74.29 | 74.76 | 74.29 | 74.76 | 75.71 | 74.29 | 74.29 | 74.29 | 72.38 |
| Nezhad et al.'s [16] method | ER (%) | 32.92 | 33.33 | 32.92 | 33.33 | 33.54 | 32.92 | 32.92 | 33.13 | 32.11 |

Table 2: Comparison results of four algorithms for narrowing the attack flow. Columns give the value of the random multiplier.

| Method | Metric | 0.1–0.2 | 0.2–0.3 | 0.3–0.4 | 0.4–0.5 | 0.5–0.6 | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.21 | 78.21 | 78.21 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 |
| ADADM method | FR (%) | 10.99 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| ADADM method | ER (%) | 17.15 | 13.04 | 12.42 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 |
| SimpleMKL method | DR (%) | 75.71 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| SimpleMKL method | FR (%) | 22.75 | 4.74 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SimpleMKL method | ER (%) | 23.63 | 15.48 | 14.05 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 76.07 | 77.14 | 77.50 | 77.86 | 77.50 | 77.86 | 77.86 | 77.50 | 77.86 |
| SVM method | FR (%) | 22.75 | 4.74 | 1.42 | 0.47 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SVM method | ER (%) | 23.42 | 15.07 | 13.44 | 12.83 | 12.83 | 12.63 | 12.63 | 12.83 | 12.63 |
| Nezhad et al.'s [16] method | DR (%) | 97.13 | 97.85 | 98.57 | 98.21 | 98.57 | 98.57 | 98.21 | 98.21 | 97.85 |
| Nezhad et al.'s [16] method | FR (%) | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 |
| Nezhad et al.'s [16] method | ER (%) | 33.54 | 33.13 | 32.72 | 32.92 | 32.72 | 32.72 | 32.92 | 32.92 | 33.13 |

Table 3: Comparison results of four algorithms for amplifying the normal flow. Columns give the value of the random multiplier.

| Method | Metric | 1.0–1.5 | 1.5–2.0 | 2.0–2.5 | 2.5–3.0 | 3.0–3.5 | 3.5–4.0 | 4.0–4.5 | 4.5–5.0 | 5.0–5.5 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 |
| ADADM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.47 | 1.42 | 1.90 | 4.74 | 6.64 | 10.43 |
| ADADM method | ER (%) | 12.02 | 12.02 | 12.02 | 12.22 | 12.63 | 12.83 | 14.05 | 14.87 | 16.50 |
| SimpleMKL method | DR (%) | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 |
| SimpleMKL method | FR (%) | 0.01 | 0.01 | 0.47 | 1.42 | 4.27 | 6.64 | 10.90 | 17.06 | 21.80 |
| SimpleMKL method | ER (%) | 13.04 | 13.04 | 13.24 | 13.65 | 14.87 | 15.89 | 17.72 | 20.37 | 22.40 |
| SVM method | DR (%) | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 |
| SVM method | FR (%) | 0.01 | 0.01 | 0.95 | 1.42 | 3.79 | 8.06 | 11.85 | 18.01 | 22.75 |
| SVM method | ER (%) | 12.63 | 12.63 | 13.04 | 13.24 | 14.26 | 16.09 | 17.72 | 20.37 | 22.40 |
| Nezhad et al.'s [16] method | DR (%) | 97.49 | 97.13 | 97.13 | 97.13 | 96.77 | 96.77 | 96.77 | 96.77 | 96.77 |
| Nezhad et al.'s [16] method | FR (%) | 65.24 | 65.24 | 66.19 | 66.67 | 66.67 | 66.67 | 67.14 | 67.14 | 67.62 |
| Nezhad et al.'s [16] method | ER (%) | 29.47 | 29.67 | 30.08 | 30.28 | 30.49 | 30.49 | 30.69 | 30.69 | 30.90 |

Figure 18: The FR contrast diagram of four algorithms for amplifying the normal flow. (x-axis: the value of multiplier; y-axis: the value of FR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16].)

6. Conclusion

In this paper, five-dimensional features are defined for describing the burstiness of DDoS attack flows, the distribution of IP source addresses, and the interactivity of DDoS attack flows. Based on the five-dimensional features and the ensemble learning framework, adaptive feature weights are obtained, and the M-SMKL and S-SMKL multiple-kernel learning models are trained to detect DDoS attacks. To identify early attacks effectively, the sliding window mechanism is used to coordinate the S-SMKL and the M-SMKL in handling the detection results. Experimental results show that, compared with similar methods, our method can produce more accurate results for detecting early DDoS attacks.
In follow-up work, we will further study how to transform the multidimensional weight adaptive problem based on multiple-kernel learning into a convex optimization problem and improve the detection rate and convergence speed of the method.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
There are no conflicts of interest in this paper
Acknowledgments
This work was supported by the Hainan Provincial Natural Science Foundation of China [2018CXTD333, 617048], the National Natural Science Foundation of China [61762033, 61702539], Hainan University Doctor Start Fund Project [kyqd1328], and Hainan University Youth Fund Project [qnjj1444].
References
[1] Z. Cai, Z. Wang, K. Zheng, and J. Cao, "A Distributed TCAM coprocessor architecture for integrated longest prefix matching, policy filtering, and content filtering," IEEE Transactions on Computers, vol. 62, no. 3, pp. 417–427, 2013.
[2] J. H. Cui, Y. Y. Zhang, Z. P. Cai et al., "Securing display path for security-sensitive applications on mobile devices," Computer Materials & Continua, vol. 55, no. 1, pp. 17–35, 2018.
[3] S. Liu, Z. Cai, H. Xu, and M. Xu, "Towards security-aware virtual network embedding," Computer Networks, vol. 91, pp. 151–163, 2015.
[4] A. S. Pimpalkar and A. R. Bhagat Patil, "Detection and defense mechanisms against DDoS attacks," in Proceedings of the International Conference on Innovations in Information Embedded and Communication Systems, pp. 1–6, IEEE, 2015.
[5] J. R. Cheng, R. M. Xu, and X. Y. Tang, "An Abnormal Network Flow Feature Sequence Prediction Approach for DDoS Attacks Detection in Big Data Environment," Computers, Materials & Continua, vol. 55, no. 1, pp. 95–119, 2018.
[6] N. Hoque, D. K. Bhattacharyya, and J. K. Kalita, "Botnet in DDoS attacks: trends and challenges," IEEE Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2242–2270, 2015.
[7] K. Zeb, O. Baig, and M. K. Asif, "DDoS attacks and countermeasures in cyberspace," in Proceedings of the 2015 2nd World Symposium on Web Applications and Networking, WSWAN '15, pp. 1–6, IEEE, 2015.
[8] J. Shen, Z. Gui, S. Ji, J. Shen, H. Tan, and Y. Tang, "Cloud-aided lightweight certificateless authentication protocol with anonymity for wireless body area networks," Journal of Network and Computer Applications, vol. 106, pp. 117–123, 2018.
[9] D. Kreutz, F. M. V. Ramos, P. E. Verissimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, "Software-defined networking: a comprehensive survey," Proceedings of the IEEE, vol. 103, no. 1, pp. 14–76, 2015.
[10] Z. Zhou, M. Dong, K. Ota, G. Wang, and L. T. Yang, "Energy-efficient resource allocation for d2d communications underlaying cloud-ran-based lte-a networks," IEEE Internet of Things Journal, vol. 3, no. 3, pp. 428–438, 2016.
[11] W. Lin, S. Xu, L. He, and J. Li, "Multi-resource scheduling and power simulation for cloud computing," Information Sciences, vol. 397-398, pp. 168–186, 2017.
[12] W. Jiang, G. Wang, M. Z. A. Bhuiyan, and J. Wu, "Understanding graph-based trust evaluation in online social networks: Methodologies and challenges," ACM Computing Surveys, vol. 49, no. 1, 2016.
[13] E. Luo, Q. Liu, and G. Wang, "Hierarchical Multi-Authority and Attribute-Based Encryption Friend Discovery Scheme in Mobile Social Networks," IEEE Communications Letters, vol. 20, no. 9, pp. 1772–1775, 2016.
[14] S. Peng, A. Yang, L. Cao, S. Yu, and D. Xie, "Social influence modeling using information theory in mobile social networks," Information Sciences, vol. 379, pp. 146–159, 2017.
[15] T. Peng, Q. Liu, D. Meng, and G. Wang, "Collaborative trajectory privacy preserving scheme in location-based services," Information Sciences, vol. 387, pp. 165–179, 2017.
[16] S. M. T. Nezhad, M. Nazari, and E. A. Gharavol, "A Novel DoS and DDoS Attacks Detection Algorithm Using ARIMA Time Series Model and Chaotic System in Computer Networks," IEEE Communications Letters, vol. 20, no. 4, pp. 700–703, 2016.
[17] R. H. Meng, S. G. Rice, and J. Wang, "A Fusion Steganographic Algorithm Based on Faster R-CNN," Computers, Materials & Continua, vol. 55, no. 1, pp. 1–16, 2018.
[18] L. Sun, Z. Li, Q. Yan, W. Srisa-an, and Y. Pan, "SigPID: significant permission identification for android malware detection," in Proceedings of the 2016 11th International Conference on Malicious and Unwanted Software (MALWARE '16), pp. 1–8, Fajardo, Puerto Rico, USA, October 2016.
[19] C. Yuan, X. Li, Q. M. J. Wu et al., "Fingerprint Liveness Detection from Different Fingerprint Materials Using Convolutional Neural Network and Principal Component Analysis," CMC: Computers, Materials & Continua, vol. 53, no. 3, pp. 357–371, 2017.
[20] M. I. Jordan and T. M. Mitchell, "Machine learning: trends, perspectives, and prospects," Science, vol. 349, no. 6245, pp. 255–260, 2015.
[21] Y. Li, G. Wang, L. Nie, Q. Wang, and W. Tan, "Distance metric optimization driven convolutional neural network for age invariant face recognition," Pattern Recognition, vol. 75, pp. 51–62, 2018.
[22] P. Li, J. Li, Z. Huang et al., "Multi-key privacy-preserving deep learning in cloud computing," Future Generation Computer Systems, vol. 74, pp. 76–85, 2017.
[23] T. Li, J. Li, Z. Liu, P. Li, and C. Jia, "Differentially private Naive Bayes learning over multiple data sources," Information Sciences, vol. 444, pp. 89–104, 2018.
[24] Z. Huang, S. Liu, X. Mao, K. Chen, and J. Li, "Insight of the protection for data security under selective opening attacks," Information Sciences, vol. 412-413, pp. 223–241, 2017.
[25] C. Gao, Q. Cheng, P. He, W. Susilo, and J. Li, "Privacy-preserving Naive Bayes classifiers secure against the substitution-then-comparison attack," Information Sciences, vol. 444, pp. 72–88, 2018.
[26] A. Saied, R. E. Overill, and T. Radzik, "Artificial neural networks in the detection of known and unknown DDoS attacks: proof-of-concept," in Proceedings of PAAMS 2014 International Workshops (PAAMS '14), Salamanca, Spain, 2014.
[27] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, "An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection," Pattern Recognition Letters, vol. 51, pp. 1–7, 2015.
[28] Z. Y. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, "A system for denial-of-service attack detection based on multivariate correlation analysis," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 447–456, 2014.
[29] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, "Discriminating DDoS attacks from flash crowds using flow correlation coefficient," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 6, pp. 1073–1080, 2012.
[30] A. Wang, A. Mohaisen, W. Chang, and S. Chen, "Delving into Internet DDoS Attacks by Botnets: Characterization and Analysis," in Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN '15, pp. 379–390, 2015.
[31] G. D. Kumar, C. V. G. Rao, M. K. Singh, and F. Ahmad, "Using Jpcap API to monitor, analyze, and report network traffic for DDoS attacks," in Proceedings of the 14th International Conference on Computational Science and Its Applications, ICCSA '14, vol. 39, p. 35, 2014.
[32] K. J. Singh, K. Thongam, and T. De, "Entropy-based application layer DDoS attack detection using artificial neural networks," Entropy, vol. 18, no. 10, 2016.
[33] A. Rukavitsyn, K. Borisenko, and A. Shorov, "Self-learning method for DDoS detection model in cloud computing," in Proceedings of the 2017 IEEE Russia Section Young Researchers in Electrical and Electronic Engineering Conference, ElConRus '17, pp. 544–547, 2017.
[34] H. Zhang, Z. Cai, Q. Liu et al., "A Survey on Security-Aware Measurement in SDN," Security and Communication Networks, vol. 2018, Article ID 2459154, 14 pages, 2018.
[35] J. Ashraf and S. Latif, "Handling intrusion and DDoS attacks in Software Defined Networks using machine learning techniques," in Proceedings of the 2014 National Software Engineering Conference, NSEC '14, pp. 55–60, Karachi, Pakistan, 2014.
[36] I. Mihai-Gabriel and P. Victor-Valeriu, "Achieving DDoS resiliency in a software defined network by intelligent risk assessment based on neural networks and danger theory," in Proceedings of the 15th IEEE International Symposium on Computational Intelligence and Informatics, CINTI '14, pp. 319–324, Hungary, 2014.
[37] Q. Yan, Q. Gong, and F. R. Yu, "Effective software-defined networking controller scheduling method to mitigate DDoS attacks," IEEE Electronics Letters, vol. 53, no. 7, pp. 469–471, 2017.
[38] T. Chin, X. Mountrouidou, X. Li, and K. Xiong, "Selective packet inspection to detect DoS flooding using software defined networking (SDN)," in Proceedings of the 2015 35th IEEE International Conference on Distributed Computing Systems Workshops, ICDCSW '15, pp. 95–99, 2015.
[39] N. Dayal and S. Srivastava, "Analyzing behavior of DDoS attacks to identify DDoS detection features in SDN," in Proceedings of the 9th International Conference on Communication Systems and Networks, COMSNETS '17, pp. 274–281, 2017.
[40] J. Ye, X. Cheng, J. Zhu, L. Feng, and L. Song, "A DDoS Attack Detection Method Based on SVM in Software Defined Network," Security and Communication Networks, vol. 2018, Article ID 9804061, 8 pages, 2018.
[41] J. Xu, L. Wei, Y. Zhang, A. Wang, F. Zhou, and C. Gao, "Dynamic Fully Homomorphic encryption-based Merkle Tree for lightweight streaming authenticated data structures," Journal of Network and Computer Applications, vol. 107, pp. 113–124, 2018.
[42] X. Zhang, Y. Tan, C. Liang, Y. Li, and J. Li, "A Covert Channel Over VoLTE via Adjusting Silence Periods," IEEE Access, vol. 6, pp. 9292–9302, 2018.
[43] Q. Lin, H. Yan, Z. Huang, W. Chen, J. Shen, and Y. Tang, "An ID-based linearly homomorphic signature scheme and its application in blockchain," IEEE Access, vol. 6, no. 1, pp. 20632–20640, 2018.
[44] Q. Lin, J. Li, Z. Huang, W. Chen, and J. Shen, "A short linearly homomorphic proxy signature scheme," IEEE Access, vol. 6, pp. 12966–12972, 2018.
[45] J. Cheng, X. Tang, and J. Yin, "A change-point DDoS attack detection method based on half interaction anomaly degree," International Journal of Autonomous and Adaptive Communications Systems, vol. 10, no. 1, pp. 38–54, 2017.
[46] J. R. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, "DDoS Attack Detection Using IP Address Feature Interaction," in Proceedings of the 2009 International Conference on Intelligent Networking and Collaborative Systems (INCOS '09), pp. 113–118, 2009.
[47] J. Cheng, B. Zhang, J. Yin et al., "DDoS Attack Detection Using Three-State Partition Based on Flow Interaction," Communications in Computer & Information Science, vol. 29, no. 4, pp. 176–184, 2009.
[48] J. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, "Detecting Distributed Denial of Service Attack Based on Multi-feature Fusion," in Security Technology, vol. 58, pp. 132–139, 2009.
[49] J. R. Cheng, X. Tang, X. Zhu, and J. Yin, "Distributed denial of service attack detection based on IP Flow Interaction," in Proceedings of the 2011 International Conference on E-Business and E-Government (ICEE '11), pp. 1–4, 2011.
[50] J. Cheng, J. Yin, and L. Yun, "Detecting Distributed Denial of Service Attack Based on Address Correlation Value," Journal of Computer Research & Development, vol. 46, no. 8, pp. 1334–1340, 2009.
[51] J. Cheng, J. Zhou, X. Tang, and J. Shi, "A distributed denial of service attack detection method based on time series prediction model," Network Security Technology and Application, vol. 10, pp. 71–89, 2016.
[52] A. Rakotomamonjy, F. R. Bach, S. Canu, and Y. Grandvalet, "Simple MKL," Journal of Machine Learning Research, vol. 9, no. 3, pp. 2491–2521, 2008.
[53] The Cooperative Association for Internet Data Analysis, The Caida Ucsd DDoS Attack 2007, http://www.caida.org/data/passive/ddos-20070804_dataset.xml.
Security and Communication Networks 7
initial values. Secondly, they are combined with (26) and (27) to gain the optimal function of this time. The mathematical form is expressed as follows:

$$\max\; Q(\alpha) = -\frac{1}{2}\sum_{i,j=1}^{m} \alpha_i \alpha_j y_i y_j K_d(w x_i, w x_j) + \sum_{i=1}^{n} \alpha_i \tag{28}$$

$$\text{s.t.}\quad \sum_{i}^{n} \alpha_i y_i = 0, \qquad C \ge \alpha_i \ge 0, \qquad K_d(w x_i, w x_j) = \sum_{m=1}^{M} d_m k_m(w x_i, w x_j) \tag{29}$$

The optimal equation obtained using (28) and (29) is as follows:

$$f(x) = \sum_{i=1}^{n} \alpha_i^{*} y_i \sum_{m=1}^{M} d_m K_d(w x_i, w x_j) + b \tag{30}$$
To further determine whether the optimal equation has achieved good results, this paper sets two constraint conditions for M-SMKL and S-SMKL, respectively, without conflict with the constraint conditions of formula (27). These constraint conditions are expressed as follows.

The constraint conditions of M-SMKL are as follows:

$$\begin{aligned}
& t_1 < \left|M_{i+1} - M_i\right| < t_2 < \left|M_i - M_{i-1}\right| < t_3 \\
& \frac{f(M_i)}{f(S_i)} - \frac{f(M_{i-1})}{f(S_{i-1})} > p_1 \\
& \frac{f(M_i)}{f(S_i)} - \frac{f(M_{i+1})}{f(S_{i+1})} > p_2
\end{aligned} \tag{31}$$

The constraint conditions of S-SMKL are as follows:

$$\begin{aligned}
& t_4 < \left|S_i - S_{i-1}\right| < t_5 < \left|S_{i+1} - S_i\right| < t_6 \\
& \frac{f(M_i)}{f(S_i)} - \frac{f(M_{i-1})}{f(S_{i-1})} > p_3 \\
& \frac{f(M_i)}{f(S_i)} - \frac{f(M_{i+1})}{f(S_{i+1})} > p_4
\end{aligned} \tag{32}$$

where the values of $p_1$, $p_2$, $p_3$, and $p_4$ are close to “0”, the values of $t_1$, $t_2$, and $t_3$ are close to “1”, and the values of $t_4$, $t_5$, and $t_6$ are close to “75”. If the constraint condition is satisfied, the algorithm will be stopped and formula (30) will become the optimal function; otherwise, each dimension weight will be updated iteratively. The gradient of $M$ and $S$ corresponding to each dimension weight is as follows:
$$\begin{aligned}
\frac{\partial M}{\partial w_1} &= 2 w_1 (u_{11} - u_{21})^2 \\
\frac{\partial M}{\partial w_2} &= 2 w_2 (u_{12} - u_{22})^2 \\
\frac{\partial M}{\partial w_3} &= 2 w_3 (u_{13} - u_{23})^2 \\
\frac{\partial M}{\partial w_4} &= 2 w_4 (u_{14} - u_{24})^2 \\
\frac{\partial M}{\partial w_5} &= 2 w_5 (u_{15} - u_{25})^2
\end{aligned} \tag{33}$$

$$\begin{aligned}
\frac{\partial S}{\partial w_1} &= 2\left[ w_1 \left( \sum_{i=1}^{n_1} x_{11}^2 - n_1 u_{11}^2 \right) + w_1 \left( \sum_{i=1}^{n_2} x_{21}^2 - n_2 u_{21}^2 \right) \right] \\
\frac{\partial S}{\partial w_2} &= 2\left[ w_2 \left( \sum_{i=1}^{n_1} x_{12}^2 - n_1 u_{12}^2 \right) + w_2 \left( \sum_{i=1}^{n_2} x_{22}^2 - n_2 u_{22}^2 \right) \right] \\
\frac{\partial S}{\partial w_3} &= 2\left[ w_3 \left( \sum_{i=1}^{n_1} x_{13}^2 - n_1 u_{13}^2 \right) + w_3 \left( \sum_{i=1}^{n_2} x_{23}^2 - n_2 u_{23}^2 \right) \right] \\
\frac{\partial S}{\partial w_4} &= 2\left[ w_4 \left( \sum_{i=1}^{n_1} x_{14}^2 - n_1 u_{14}^2 \right) + w_4 \left( \sum_{i=1}^{n_2} x_{24}^2 - n_2 u_{24}^2 \right) \right] \\
\frac{\partial S}{\partial w_5} &= 2\left[ w_5 \left( \sum_{i=1}^{n_1} x_{15}^2 - n_1 u_{15}^2 \right) + w_5 \left( \sum_{i=1}^{n_2} x_{25}^2 - n_2 u_{25}^2 \right) \right]
\end{aligned} \tag{34}$$
where $n_1$ is the number of the normal flow feature of the training sample and $n_2$ is the number of the attack flow feature of the training sample. According to the gradients in (33) and (34), the weight of each dimension is updated as follows:

$$\begin{aligned}
w_1 &= w_1 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_1} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_1} \\
w_2 &= w_2 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_2} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_2} \\
w_3 &= w_3 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_3} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_3} \\
w_4 &= w_4 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_4} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_4} \\
w_5 &= w_5 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_5} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_5}
\end{aligned} \tag{35}$$

where $lr_1$ is the learning rate of gradient ascent and $lr_2$ is the learning rate of gradient descent; $lr_1$ has the same function as $\alpha$, and $lr_2$ has the same function as $\beta$. Each updated weight is multiplied by each original feature accordingly, and the next round of iteration is carried out.

Figure 1: Flow chart of multiple-kernel learning training process based on ensemble learning. (Two branches start from the multidimensional data with initial weights. One increases M to update the weights of the different dimensions with gradient ascent, multiplies the updated weights with the training data set, and updates the core parameters of M-SMKL; the other decreases S with gradient descent and does the same for S-SMKL. Each branch checks its constraint conditions, with "No" and "Yes" exits, and ends M-SMKL or S-SMKL training.)
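The update in (33)–(35) can be traced on a small input. The following is an added example, not code from the paper: the sample values, the learning rates, the fixed number of rounds (used instead of the stopping conditions (31) and (32)) and all function names are assumptions, and M and S are taken to be the functions whose gradients are (33) and (34).

```python
# Added illustration of equations (33)-(35); not the authors' implementation.
# All sample values and learning rates below are constructed for the example.

FEATURES = ["ACD", "IBF", "FFV", "MFF", "HIAD"]  # labels only

# Constructed, normalized five-dimensional samples (one row per sample).
NORMAL = [
    [0.10, 0.20, 0.15, 0.50, 0.05],
    [0.12, 0.25, 0.10, 0.10, 0.06],
    [0.08, 0.15, 0.20, 0.90, 0.04],
    [0.10, 0.20, 0.15, 0.30, 0.05],
]
ATTACK = [
    [0.80, 0.60, 0.70, 0.60, 0.95],
    [0.85, 0.70, 0.75, 0.20, 0.96],
    [0.75, 0.50, 0.65, 0.95, 0.94],
    [0.80, 0.60, 0.70, 0.45, 0.95],
]


def class_stats(samples):
    """Return n, the per-dimension mean u_k and the per-dimension sum of x_k^2."""
    n = len(samples)
    dims = range(len(samples[0]))
    mean = [sum(row[k] for row in samples) / n for k in dims]
    sum_sq = [sum(row[k] ** 2 for row in samples) for k in dims]
    return n, mean, sum_sq


def separation_and_scatter(normal, attack):
    """Per dimension: (u_1k - u_2k)^2 from (33) and the bracketed sums of (34)."""
    n1, u1, q1 = class_stats(normal)
    n2, u2, q2 = class_stats(attack)
    sep = [(a - b) ** 2 for a, b in zip(u1, u2)]
    scatter = [(q1[k] - n1 * u1[k] ** 2) + (q2[k] - n2 * u2[k] ** 2)
               for k in range(len(u1))]
    return sep, scatter


def update_weights(w, sep, scatter, lr1, lr2):
    """One round of (35): gradient ascent on M, gradient descent on S."""
    grad_m = [2 * wk * d for wk, d in zip(w, sep)]        # equation (33)
    grad_s = [2 * wk * c for wk, c in zip(w, scatter)]    # equation (34)
    return [wk + 2 * lr1 * gm - 2 * lr2 * gs
            for wk, gm, gs in zip(w, grad_m, grad_s)]


def m_over_s(w, sep, scatter):
    """M/S for the current weights (assumed forms: antiderivatives of (33), (34))."""
    m = sum(wk ** 2 * d for wk, d in zip(w, sep))
    s = sum(wk ** 2 * c for wk, c in zip(w, scatter))
    return m / s


def train_weights(normal, attack, lr1, lr2, rounds):
    """Run a fixed number of rounds and record M/S after each one."""
    sep, scatter = separation_and_scatter(normal, attack)
    w = [1.0] * len(sep)
    history = [m_over_s(w, sep, scatter)]
    for _ in range(rounds):
        w = update_weights(w, sep, scatter, lr1, lr2)
        history.append(m_over_s(w, sep, scatter))
    return w, history


if __name__ == "__main__":
    weights, history = train_weights(NORMAL, ATTACK, lr1=0.05, lr2=0.05, rounds=10)
    for name, wk in zip(FEATURES, weights):
        print(f"{name:5s} weight = {wk:.4f}")
    print(f"M/S: {history[0]:.3f} -> {history[-1]:.3f}")
```

In this constructed input the fourth dimension has nearly equal class means and a wide spread, so its weight shrinks every round, while the well-separated, tightly clustered dimensions gain weight.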
4.3. Framework of Multiple-Kernel Learning Detection Based on Ensemble Learning. We input the multidimensional data with weight and set the learning rate. Then, two different classifiers are trained: M-SMKL is trained mainly by increasing the M value and secondarily by reducing the S value, and S-SMKL is trained mainly by reducing the S value and secondarily by increasing the M value. During the training process, the M value and the S value are constantly updated by gradient ascent and gradient descent until the constraint conditions are met. The flowchart is provided in Figure 1.
The detection process is as follows: firstly, the test data is multiplied with the two different weight vectors that were trained earlier; secondly, the calculated data are input to the corresponding M-SMKL and S-SMKL models; finally, we use the sliding window mechanism to coordinate the two kinds of models. The sliding window mechanism is described as follows. Firstly, a sliding window with a size of $n$ is created. Secondly, the trained M-SMKL classifies the test data and obtains the first classification results; the trained S-SMKL classifies the test data and obtains the second classification results. Finally, four ways are used to cooperatively treat the first classification results and the second classification results; the details are as follows: (1) if M-SMKL and S-SMKL both identify the current data category as normal, the current data category is judged to be normal; (2) if M-SMKL and S-SMKL both identify the current data category as attack, the current data category is judged to be attack; (3) if M-SMKL identifies the current data category as normal but S-SMKL identifies it as attack, the current data category is judged to be attack; (4) if M-SMKL identifies the current data category as attack but S-SMKL identifies it as normal, then consider the following. Step 1: Move the starting point of the sliding window to the current position of the test data in the first classification results, and map the end point of the sliding window to the n-1 position of the first classification results. Step 2: If the results in the sliding window are all attack, the current data category is judged to be attack; otherwise, the current data category is judged to be normal. The flow chart is provided in Figure 2.
The reason for the training of two kinds of SMKL is that S-SMKL focuses on reducing the difference between the data of each dimension and can assemble the two types of samples in their respective central positions. However, S-SMKL does not consider the location of the two sample-center points. Although a better classification feature can be maintained on the whole, it is impossible to identify DDoS attacks earlier because the center distance of the normal flow and attack flow is small. M-SMKL focuses on the difference between the two types of data centers and maximizes the distance between the two types of sample centers, making the two samples as separate as possible. M-SMKL can expand the distance between different classes so that the attack flow can be identified earlier, but it makes intraclass data dispersed, causing default results. Therefore, the sliding window mechanism is adopted to coordinate the two models to detect early DDoS accurately.

Figure 2: Flow chart of multiple-kernel learning detection process based on ensemble learning. (The initial data are multiplied by the new weight of S-SMKL and by the new weight of M-SMKL; the test set is classified with S-SMKL and with M-SMKL, giving Classify Result 1 and Classify Result 2; both results pass through the sliding window process, which produces the final predicted result.)
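The four coordination rules and the window check described above can be exercised on two label sequences. This is an added example, not code from the paper: the 0/1 label encoding, the function names, the handling of a window that runs past the end of the data, and the constructed verdict sequences (with a window of 3 instead of the paper's 8) are assumptions. The rates follow the paper's own definitions of DR, FR and ER.

```python
# Added illustration of the sliding-window coordination of M-SMKL and S-SMKL.
# Label encoding, names and sample verdicts are constructed for this example.

NORMAL, ATTACK = 0, 1


def fuse_verdicts(m_labels, s_labels, n, require_full_window=True):
    """Combine per-sample verdicts of M-SMKL (first results) and S-SMKL (second).

    Rules (1)-(3) are decided directly. Rule (4), M-SMKL says attack but
    S-SMKL says normal, is confirmed only if the n M-SMKL verdicts starting
    at the current position are all attack.
    Assumption: a window cut short by the end of the data counts as
    unconfirmed unless require_full_window is False.
    """
    if len(m_labels) != len(s_labels):
        raise ValueError("both classifiers must label the same samples")
    if n < 1:
        raise ValueError("window size must be at least 1")
    fused = []
    for i, (m, s) in enumerate(zip(m_labels, s_labels)):
        if m == s:                        # rules (1) and (2): agreement
            fused.append(m)
        elif s == ATTACK:                 # rule (3): only S-SMKL flags attack
            fused.append(ATTACK)
        else:                             # rule (4): only M-SMKL flags attack
            window = m_labels[i:i + n]
            complete = len(window) == n or not require_full_window
            confirmed = complete and all(v == ATTACK for v in window)
            fused.append(ATTACK if confirmed else NORMAL)
    return fused


def rates(truth, predicted):
    """Return (DR, FR, ER) with the paper's naming: TP/FP count normal
    samples marked correctly/incorrectly, TN/FN count attack samples.
    The truth sequence must contain both classes."""
    pairs = list(zip(truth, predicted))
    tp = sum(t == NORMAL and p == NORMAL for t, p in pairs)
    fp = sum(t == NORMAL and p == ATTACK for t, p in pairs)
    tn = sum(t == ATTACK and p == ATTACK for t, p in pairs)
    fn = sum(t == ATTACK and p == NORMAL for t, p in pairs)
    return tn / (tn + fn), fp / (tp + fp), (fn + fp) / len(pairs)


# Constructed verdicts: 8 normal samples followed by 8 attack samples.
TRUTH = [NORMAL] * 8 + [ATTACK] * 8
# M-SMKL reacts at the attack onset but raises two isolated false alarms
# and misses one late sample.
M_SMKL = [0, 0, 1, 0, 0, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1]
# S-SMKL raises no false alarms but only reacts four samples after onset.
S_SMKL = [0] * 12 + [1] * 4
FUSED = fuse_verdicts(M_SMKL, S_SMKL, n=3)

if __name__ == "__main__":
    for name, labels in (("M-SMKL", M_SMKL), ("S-SMKL", S_SMKL), ("fused", FUSED)):
        dr, fr, er = rates(TRUTH, labels)
        print(f"{name:7s} DR={dr:.3f} FR={fr:.3f} ER={er:.4f}")
```

Because the window looks ahead over the next verdicts of M-SMKL, a disputed sample can only be decided once those verdicts exist, so in a live deployment the fused verdict lags the input by up to n-1 samples.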
5. Experimental Analysis

5.1. Experimental Data Sets and Evaluation Standards. The data set used for this experiment is the CAIDA “DDoS Attack 2007” data set [53]. This data set contains a Distributed Denial of Service (DDoS) anonymous traffic attack of approximately one hour on August 4, 2007. The total size of the data set is 21 GB, which accounts for approximately one hour (20:50:08 UTC–21:56:16 UTC). Attacks began around 21:13, causing the network load to grow rapidly (in minutes) from approximately 200 kbits/s to 80 megabits/s. One hour of attack traffic is divided into 5-minute files and stored in PCAP format. The contents of this data set are TCP network traffic packets. Each TCP packet contains the source address, destination address, source port, destination port, packet size, and protocol type. The duration of normal flow data used in this paper is 2 minutes in total, and the duration of attack data is 5 minutes in total.
The hardware equipment adopted is a computer with 8 GB memory, an Intel Core i7 processor, and a Windows 10 64-bit system; the development environment is MATLAB 2014a and Codeblocks 10.05. The evaluation criteria used in this paper consist of the detection rate (DR), the false alarm rate (FR), and the total error rate (ER).
Assume that TP indicates the number of normal test samples that are properly marked, FP indicates the number of normal test samples that have been incorrectly marked, TN indicates the number of attack test samples that are correctly marked, and FN indicates the number of attack test samples that have been incorrectly marked.

$$DR = \frac{TN}{TN + FN}, \qquad FR = \frac{FP}{TP + FP}, \qquad ER = \frac{FN + FP}{TP + FP + TN + FN} \tag{36}$$

We used the above five feature extraction algorithms to extract features from the data set. The extracted feature values are normalized and used as a training set. The data in the training set can be regarded as the regularity of the change in network traffic. The network traffic has an abrupt and volatile nature. Therefore, although the collected network data have similarities with the conventional ones, they still have a certain degree of difference. To simulate this phenomenon for verifying the effectiveness of the presented method, three types of data are generated as follows: (1) normal flow feature values and attack flow feature values are multiplied by a random number; (2) only the attack flow feature values are multiplied by a random number; and (3) only the normal flow feature values are multiplied by a random number.
Figure 3: The ACD feature graph of DDoS attack flow and normal flow (x-axis: time (s); y-axis: the ACD feature value; series: the DDoS attack feature value, the normal feature value).

Figure 4: The IBF feature graph of DDoS attack flow and normal flow (x-axis: time (s); y-axis: the IBF feature value; series: the DDoS attack feature value, the normal feature value).
5.2. Experimental Results and Analysis. Five features are used to extract feature data from attack data and normal data, and positive as well as negative sample sets are obtained. The sampling time is set to 1 s, and the remaining parameters of the five feature extraction methods are set as follows: $\theta_1 = 0.5$, $\theta_2 = 0.5$, $\theta_3 = 3$, $\theta_4 = 3$, $\theta_5 = 3$, $\theta_6 = 3$, $\theta_7 = 3$, $\theta_8 = 3$, and $\theta_9 = 3$. The total of normal feature values is 211, and the total of attack feature values is 280. Figures 3–9 illustrate the feature values extracted by the five algorithms.
As illustrated in Figure 3, the early attack feature values of the DDoS attack are close to the normal feature values. This is because there are a large number of bidirectional flows in the early stage of the DDoS attack, and these bidirectional flows gradually decrease with the increase of the attack degree. Therefore, using the ACD as a feature after 70 seconds can significantly reflect the difference between the attack flow and the normal flow. ACD can reflect the difference between normal flow and attack flow the earliest.

Figure 5: The FFV feature graph of DDoS attack flow and normal flow (x-axis: time (s); y-axis: the FFV feature value; series: the DDoS attack feature value, the normal feature value).

Figure 6: The ACD feature graph of DDoS attack flow and normal flow in the first 10 seconds (x-axis: time (s); y-axis: the ACD feature value; series: the DDoS attack feature value, the normal feature value).
As illustrated in Figure 4, compared with ACD, although IBF does not recognize the attack flow earlier, the distribution range of its feature values is more uniform and presents a certain degree of volatility. This makes the feature less susceptible to individual outliers.
As illustrated in Figure 5, the FFV feature is very similar to the ACD, but, as illustrated in Figures 6 and 7, in the initial stage the FFV is more capable of reflecting the difference between the attack flow and the normal flow than the ACD is.

Figure 7: The FFV feature graph of DDoS attack flow and normal flow in the first 10 seconds (x-axis: time (s); y-axis: the FFV feature value; series: the DDoS attack feature value, the normal feature value).

Figure 8: The MFF feature graph of DDoS attack flow and normal flow (x-axis: time (s); y-axis: the MFF feature value; series: the DDoS attack feature value, the normal feature value).
As illustrated in Figure 8, although the MFF feature cannot determine the attack flow and the normal flow as early as possible, it can make the feature values of the attack stage more stable so that it can avoid the outliers of attack flows.
As illustrated in Figure 9, it can be seen from the value of the ordinate that the HIAD best reflects the difference between the normal flow and the attack flow while having better stability in the latter half of the attack flow. After the early data, this feature can greatly distinguish between normal flow and abnormal flow, influence the classifier more, and make better decisions.
In summary, all five features have their own unique characteristics. To make full use of the characteristics of each feature, the feature values extracted by these five algorithms are each used as a five-dimensional-feature data set. Using these five feature values as training sets, two multiple-kernel learning models dominated by gradient ascent and gradient descent are trained into the algorithm, and the corresponding five-dimensional feature weight vectors are obtained. Finally, according to the framework of Figure 2, the classification results of the test set are obtained and are used to verify the effectiveness of the method. The parameters of M-SMKL are set as follows: $lr_1 = 2 \times 10^{-5}$, $lr_2 = 2 \times 10^{-3}$, $t_1 = 1.002$, $t_2 = 1.0065$, $t_3 = 1.007$, $p_1 = 0.000084$, and $p_2 = 0.000001$. The parameters of S-SMKL are set as follows: $lr_1 = 2 \times 10^{-5}$, $lr_2 = 2 \times 10^{-2}$, $t_4 = 73425$, $t_5 = 78340$, $t_6 = 78350$, $p_3 = 0.000775$, and $p_4 = 0.000680$. The size of the sliding window is 8. The parameters for multiple-kernel learning are all default values, and the kernel function includes two Gaussian functions and two polynomial functions. The SVM parameters are all default values, and the kernel function is a linear function. The experimental results are illustrated in Figures 10–18.

Figure 9: The HIAD feature graph of DDoS attack flow and normal flow (x-axis: time (s); y-axis: the HIAD feature value, ×10^4; series: the DDoS attack feature value, the normal feature value).
As shown in Figures 10–18, under the three types of experiments and according to the three evaluation criteria, the overall performance of the algorithms from the highest to the lowest is the ADADM, the SVM method, the SMKL method, and Nezhad et al.’s method [16].
This is because, although the method described by Nezhad et al. [16] is visibly superior to other methods in terms of DR indicators, it is far worse than other methods with respect to other indicators. The reason is that the Nezhad et al. [16] method relies excessively on the first reference point. When the first reference point fluctuates, this method easily recognizes some normal samples as attack samples.
Although the classification accuracy of the attack samples is high, a large number of normal samples are misjudged, so this method is superior in terms of DR and its other indicators are inferior to those of other methods. This is why, in this case, the Nezhad et al. [16] method performs the worst. The effect of SVM is generally better than that of the SMKL method because, although the SMKL method coordinates multiple-kernel functions to map the sample to a high-dimensional Hilbert space, the linear kernel function is obviously more suitable for the sample. Using the linear kernel, SVM can establish a better hyperplane than the SMKL method to identify the data containing early DDoS attacks. However, although the multiple-kernel learning method does not use a linear kernel function that is more suitable for the sample space, it can still maintain high accuracy, indicating that multiple-kernel learning has a lower dependence on the selection of kernel functions than the single-kernel SVM.

Figure 10: The DR contrast diagram of four algorithms for scaling attack flow and normal flow (x-axis: the value of multiplier; y-axis: the value of DR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16]).

Figure 11: The ER contrast diagram of four algorithms for scaling attack flow and normal flow (x-axis: the value of multiplier; y-axis: the value of ER; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16]).

Figure 12: The FR contrast diagram of four algorithms for scaling attack flow and normal flow (x-axis: the value of multiplier; y-axis: the value of FR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16]).

Figure 13: The DR contrast diagram of four algorithms for narrowing the attack flow (x-axis: the value of multiplier; y-axis: the value of DR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16]).
We compared the ADADM to the SVM method. The ADADM method uses the same kernel function as the SMKL method. Because the multikernel learning method is flexible and adaptable, it is possible to continuously optimize the hyperplane by adjusting the weights of the feature of each dimension to recognize the DDoS as early as possible. Attack flow data and normal flow data are located on both sides of the hyperplane.

Figure 14: The ER contrast diagram of four algorithms for narrowing the attack flow (x-axis: the value of multiplier; y-axis: the value of ER; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16]).

Figure 15: The FR contrast diagram of four algorithms for narrowing the attack flow (x-axis: the value of multiplier; y-axis: the value of FR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16]).
In addition, using the idea of ensemble learning to train two different classifiers and using the sliding window mechanism to further synthesize the advantage of each classifier improves the algorithm’s performance in the three types of experiments. The method we propose outperforms not only the SVM method but also other methods of DDoS attack detection. The experimental data are presented in Tables 1, 2, and 3.

Figure 16: The DR contrast diagram of four algorithms for amplifying the normal flow (x-axis: the value of multiplier; y-axis: the value of DR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16]).

Figure 17: The ER contrast diagram of four algorithms for amplifying the normal flow (x-axis: the value of multiplier; y-axis: the value of ER; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16]).

Figure 18: The FR contrast diagram of four algorithms for amplifying the normal flow (x-axis: the value of multiplier; y-axis: the value of FR; series: ADADM, SimpleMKL, SVM, Nezhad et al. [16]).

Table 1: Comparison results of four algorithms for scaling attack flow and normal flow. Columns give the value of the random multiplier.

| Method | Metric | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.1 | 1.0–1.5 | 1.5–2.0 | 2.0–3.0 | 3.0–4.0 | 4.0–5.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.57 | 78.57 | 78.57 | 78.57 | 78.21 | 78.21 | 78.21 | 78.21 | 78.57 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 12.22 | 12.22 | 12.22 | 12.22 | 12.42 | 12.42 | 12.42 | 12.42 | 12.22 |
| SimpleMKL method | DR (%) | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 77.50 | 77.50 | 77.86 | 77.86 | 76.79 | 77.50 | 77.86 | 76.79 | 77.86 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 12.83 | 12.83 | 12.63 | 12.63 | 13.24 | 12.83 | 12.63 | 13.24 | 12.63 |
| Nezhad et al.’s [16] method | DR (%) | 98.21 | 97.85 | 98.21 | 97.85 | 98.21 | 98.21 | 98.21 | 97.85 | 98.21 |
| | FR (%) | 74.29 | 74.76 | 74.29 | 74.76 | 75.71 | 74.29 | 74.29 | 74.29 | 72.38 |
| | ER (%) | 32.92 | 33.33 | 32.92 | 33.33 | 33.54 | 32.92 | 32.92 | 33.13 | 32.11 |

Table 2: Comparison results of four algorithms for narrowing the attack flow. Columns give the value of the random multiplier.

| Method | Metric | 0.1–0.2 | 0.2–0.3 | 0.3–0.4 | 0.4–0.5 | 0.5–0.6 | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.21 | 78.21 | 78.21 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 |
| | FR (%) | 10.99 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 17.15 | 13.04 | 12.42 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 |
| SimpleMKL method | DR (%) | 75.71 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| | FR (%) | 22.75 | 4.74 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 23.63 | 15.48 | 14.05 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 76.07 | 77.14 | 77.50 | 77.86 | 77.50 | 77.86 | 77.86 | 77.50 | 77.86 |
| | FR (%) | 22.75 | 4.74 | 1.42 | 0.47 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 23.42 | 15.07 | 13.44 | 12.83 | 12.83 | 12.63 | 12.63 | 12.83 | 12.63 |
| Nezhad et al.’s [16] method | DR (%) | 97.13 | 97.85 | 98.57 | 98.21 | 98.57 | 98.57 | 98.21 | 98.21 | 97.85 |
| | FR (%) | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 |
| | ER (%) | 33.54 | 33.13 | 32.72 | 32.92 | 32.72 | 32.72 | 32.92 | 32.92 | 33.13 |

Table 3: Comparison results of four algorithms for amplifying the normal flow. Columns give the value of the random multiplier.

| Method | Metric | 1.0–1.5 | 1.5–2.0 | 2.0–2.5 | 2.5–3.0 | 3.0–3.5 | 3.5–4.0 | 4.0–4.5 | 4.5–5.0 | 5.0–5.5 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.47 | 1.42 | 1.90 | 4.74 | 6.64 | 10.43 |
| | ER (%) | 12.02 | 12.02 | 12.02 | 12.22 | 12.63 | 12.83 | 14.05 | 14.87 | 16.50 |
| SimpleMKL method | DR (%) | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 |
| | FR (%) | 0.01 | 0.01 | 0.47 | 1.42 | 4.27 | 6.64 | 10.90 | 17.06 | 21.80 |
| | ER (%) | 13.04 | 13.04 | 13.24 | 13.65 | 14.87 | 15.89 | 17.72 | 20.37 | 22.40 |
| SVM method | DR (%) | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 |
| | FR (%) | 0.01 | 0.01 | 0.95 | 1.42 | 3.79 | 8.06 | 11.85 | 18.01 | 22.75 |
| | ER (%) | 12.63 | 12.63 | 13.04 | 13.24 | 14.26 | 16.09 | 17.72 | 20.37 | 22.40 |
| Nezhad et al.’s [16] method | DR (%) | 97.49 | 97.13 | 97.13 | 97.13 | 96.77 | 96.77 | 96.77 | 96.77 | 96.77 |
| | FR (%) | 65.24 | 65.24 | 66.19 | 66.67 | 66.67 | 66.67 | 67.14 | 67.14 | 67.62 |
| | ER (%) | 29.47 | 29.67 | 30.08 | 30.28 | 30.49 | 30.49 | 30.69 | 30.69 | 30.90 |

6. Conclusion

In this paper, five-dimensional features are defined for describing the burstiness of DDoS attack flows, the distribution of IP source addresses, and the interactivity of DDoS attack flows. Based on the five-dimensional features and the ensemble learning framework, adaptive feature weights are obtained, and the M-SMKL and S-SMKL multiple-kernel learning models are trained to detect DDoS attack. For identifying early attacks effectively, the sliding window mechanism is used to coordinate the S-SMKL and the M-SMKL to deal with the detection results. Experimental results show that, compared with similar methods, our method can produce more accurate results for detecting early DDoS attack.
In the follow-up work, we will further study how to transform the multidimensional weight adaptive problem based on multiple-kernel learning into a convex optimization problem and improve the detection rate and convergence speed of the method.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
There are no conflicts of interest in this paper.
Acknowledgments
This work was supported by the Hainan Provincial Natural Science Foundation of China [2018CXTD333, 617048], the National Natural Science Foundation of China [61762033, 61702539], Hainan University Doctor Start Fund Project [kyqd1328], and Hainan University Youth Fund Project [qnjj1444].
References
[1] Z. Cai, Z. Wang, K. Zheng, and J. Cao, “A Distributed TCAM coprocessor architecture for integrated longest prefix matching, policy filtering, and content filtering,” IEEE Transactions on Computers, vol. 62, no. 3, pp. 417–427, 2013.
[2] J. H. Cui, Y. Y. Zhang, Z. P. Cai et al., “Securing display path for security-sensitive applications on mobile devices,” Computer, Materials & Continua, vol. 55, no. 1, pp. 17–35, 2018.
[3] S. Liu, Z. Cai, H. Xu, and M. Xu, “Towards security-aware virtual network embedding,” Computer Networks, vol. 91, pp. 151–163, 2015.
[4] A. S. Pimpalkar and A. R. Bhagat Patil, “Detection and defense mechanisms against DDoS attacks,” in Proceedings of the International Conference on Innovations in Information, Embedded and Communication Systems, pp. 1–6, IEEE, 2015.
[5] J. R. Cheng, R. M. Xu, and X. Y. Tang, “An Abnormal Network Flow Feature Sequence Prediction Approach for DDoS Attacks Detection in Big Data Environment,” Computers, Materials & Continua, vol. 55, no. 1, pp. 95–119, 2018.
[6] N. Hoque, D. K. Bhattacharyya, and J. K. Kalita, “Botnet in DDoS attacks: trends and challenges,” IEEE Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2242–2270, 2015.
[7] K. Zeb, O. Baig, and M. K. Asif, “DDoS attacks and countermeasures in cyberspace,” in Proceedings of the 2015 2nd World Symposium on Web Applications and Networking, WSWAN ’15, pp. 1–6, IEEE, 2015.
[8] J. Shen, Z. Gui, S. Ji, J. Shen, H. Tan, and Y. Tang, “Cloud-aided lightweight certificateless authentication protocol with anonymity for wireless body area networks,” Journal of Network and Computer Applications, vol. 106, pp. 117–123, 2018.
[9] D. Kreutz, F. M. V. Ramos, P. E. Verissimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, “Software-defined networking: a comprehensive survey,” Proceedings of the IEEE, vol. 103, no. 1, pp. 14–76, 2015.
[10] Z. Zhou, M. Dong, K. Ota, G. Wang, and L. T. Yang, “Energy-efficient resource allocation for d2d communications underlaying cloud-ran-based lte-a networks,” IEEE Internet of Things Journal, vol. 3, no. 3, pp. 428–438, 2016.
[11] W. Lin, S. Xu, L. He, and J. Li, “Multi-resource scheduling and power simulation for cloud computing,” Information Sciences, vol. 397-398, pp. 168–186, 2017.
[12] W. Jiang, G. Wang, M. Z. A. Bhuiyan, and J. Wu, “Understanding graph-based trust evaluation in online social networks: Methodologies and challenges,” ACM Computing Surveys, vol. 49, no. 1, 2016.
[13] E. Luo, Q. Liu, and G. Wang, “Hierarchical Multi-Authority and Attribute-Based Encryption Friend Discovery Scheme in Mobile Social Networks,” IEEE Communications Letters, vol. 20, no. 9, pp. 1772–1775, 2016.
[14] S. Peng, A. Yang, L. Cao, S. Yu, and D. Xie, “Social influence modeling using information theory in mobile social networks,” Information Sciences, vol. 379, pp. 146–159, 2017.
[15] T. Peng, Q. Liu, D. Meng, and G. Wang, “Collaborative trajectory privacy preserving scheme in location-based services,” Information Sciences, vol. 387, pp. 165–179, 2017.
[16] S. M. T. Nezhad, M. Nazari, and E. A. Gharavol, “A Novel DoS and DDoS Attacks Detection Algorithm Using ARIMA Time Series Model and Chaotic System in Computer Networks,” IEEE Communications Letters, vol. 20, no. 4, pp. 700–703, 2016.
[17] R. H. Meng, S. G. Rice, and J. Wang, “A Fusion Steganographic Algorithm Based on Faster R-CNN,” Computers, Materials & Continua, vol. 55, no. 1, pp. 1–16, 2018.
[18] L. Sun, Z. Li, Q. Yan, W. Srisa-an, and Y. Pan, “SigPID: significant permission identification for android malware detection,” in Proceedings of the 2016 11th International Conference on Malicious and Unwanted Software (MALWARE ’16), pp. 1–8, Fajardo, Puerto Rico, USA, October 2016.
[19] C. Yuan, X. Li, Q. M. J. Wu et al., “Fingerprint Liveness Detection from Different Fingerprint Materials Using Convolutional Neural Network and Principal Component Analysis,” CMC: Computers, Materials & Continua, vol. 53, no. 3, pp. 357–371, 2017.
[20] M. I. Jordan and T. M. Mitchell, “Machine learning: trends, perspectives, and prospects,” Science, vol. 349, no. 6245, pp. 255–260, 2015.
[21] Y. Li, G. Wang, L. Nie, Q. Wang, and W. Tan, “Distance metric optimization driven convolutional neural network for age invariant face recognition,” Pattern Recognition, vol. 75, pp. 51–62, 2018.
[22] P. Li, J. Li, Z. Huang et al., “Multi-key privacy-preserving deep learning in cloud computing,” Future Generation Computer Systems, vol. 74, pp. 76–85, 2017.
[23] T. Li, J. Li, Z. Liu, P. Li, and C. Jia, “Differentially private Naive Bayes learning over multiple data sources,” Information Sciences, vol. 444, pp. 89–104, 2018.
[24] Z. Huang, S. Liu, X. Mao, K. Chen, and J. Li, “Insight of the protection for data security under selective opening attacks,” Information Sciences, vol. 412-413, pp. 223–241, 2017.
[25] C. Gao, Q. Cheng, P. He, W. Susilo, and J. Li, “Privacy-preserving Naive Bayes classifiers secure against the substitution-then-comparison attack,” Information Sciences, vol. 444, pp. 72–88, 2018.
[26] A. Saied, R. E. Overill, and T. Radzik, “Artificial neural networks in the detection of known and unknown DDoS attacks: proof-of-concept,” in Proceedings of PAAMS 2014 International Workshops (PAAMS ’14), Salamanca, Spain, 2014.
[27] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, “An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection,” Pattern Recognition Letters, vol. 51, pp. 1–7, 2015.
[28] Z. Y. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, “A system for denial-of-service attack detection based on multivariate correlation analysis,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 447–456, 2014.
[29] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, “Discriminating DDoS attacks from flash crowds using flow correlation coefficient,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 6, pp. 1073–1080, 2012.
[30] A. Wang, A. Mohaisen, W. Chang, and S. Chen, “Delving into Internet DDoS Attacks by Botnets: Characterization and Analysis,” in Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN ’15, pp. 379–390, 2015.
[31] G. D. Kumar, C. V. G. Rao, M. K. Singh, and F. Ahmad, “Using Jpcap API to monitor, analyze, and report network traffic for DDoS attacks,” in Proceedings of the 14th International Conference on Computational Science and Its Applications, ICCSA ’14, vol. 39, p. 35, 2014.
[32] K. J. Singh, K. Thongam, and T. De, “Entropy-based application layer DDoS attack detection using artificial neural networks,” Entropy, vol. 18, no. 10, 2016.
[33] A. Rukavitsyn, K. Borisenko, and A. Shorov, “Self-learning method for DDoS detection model in cloud computing,” in Proceedings of the 2017 IEEE Russia Section Young Researchers in Electrical and Electronic Engineering Conference, ElConRus ’17, pp. 544–547, 2017.
[34] H. Zhang, Z. Cai, Q. Liu et al., “A Survey on Security-Aware Measurement in SDN,” Security and Communication Networks, vol. 2018, Article ID 2459154, 14 pages, 2018.
[35] J. Ashraf and S. Latif, “Handling intrusion and DDoS attacks in Software Defined Networks using machine learning techniques,” in Proceedings of the 2014 National Software Engineering Conference, NSEC ’14, pp. 55–60, Karachi, Pakistan, 2014.
[36] I. Mihai-Gabriel and P. Victor-Valeriu, “Achieving DDoS resiliency in a software defined network by intelligent risk assessment based on neural networks and danger theory,” in Proceedings of the 15th IEEE International Symposium on Computational Intelligence and Informatics, CINTI ’14, pp. 319–324, Hungary, 2014.
[36] I Mihai-Gabriel and P Victor-Valeriu ldquoAchieving DDoSresiliency in a software defined network by intelligent riskassessment based on neural networks and danger theoryrdquoin Proceedings of the 15th IEEE International Symposium onComputational Intelligence and Informatics CINTI rsquo14 pp 319ndash324 Hungary 2014
[37] Q Yan Q Gong and F R Yu ldquoEffective software-definednetworking controller scheduling method to mitigate DDoSattacksrdquo IEEE Electronics Letters vol 53 no 7 pp 469ndash471 2017
[38] T Chin X Mountrouidou X Li and K Xiong ldquoSelectivepacket inspection to detectDoS flooding using software definednetworking (SDN)rdquo in Proceedings of the 2015 35th IEEEInternational Conference on Distributed Computing SystemsWorkshops ICDCSW rsquo15 pp 95ndash99 2015
[39] NDayal and S Srivastava ldquoAnalyzing behavior ofDDoS attacksto identify DDoS detection features in SDNrdquo in Proceedings ofthe 9th International Conference onCommunication Systems andNetworks COMSNETS rsquo17 pp 274ndash281 2017
[40] J Ye X Cheng J Zhu L Feng and L Song ldquoA DDoSAttack Detection Method Based on SVM in Software DefinedNetworkrdquo Security and Communication Networks vol 2018Article ID 9804061 8 pages 2018
[41] J Xu L Wei Y Zhang A Wang F Zhou and C GaoldquoDynamic Fully Homomorphic encryption-based Merkle Treefor lightweight streaming authenticated data structuresrdquo Jour-nal of Network and Computer Applications vol 107 pp 113ndash1242018
[42] X Zhang Y Tan C Liang Y Li and J Li ldquoA Covert ChannelOver VoLTE via Adjusting Silence Periodsrdquo IEEE Access vol 6pp 9292ndash9302 2018
[43] Q Lin H Yan Z Huang W Chen J Shen and Y TangldquoAn ID-based linearly homomorphic signature scheme and itsapplication in blockchainrdquo IEEE Access vol 6 no 1 pp 20632ndash20640 2018
[44] Q Lin J Li Z Huang W Chen and J Shen ldquoA short linearlyhomomorphic proxy signature schemerdquo IEEE Access vol 6 pp12966ndash12972 2018
[45] J Cheng X Tang and J Yin ldquoA change-point DDoS attackdetection method based on half interaction anomaly degreerdquoInternational Journal of Autonomous and Adaptive Communi-cations Systems vol 10 no 1 pp 38ndash54 2017
[46] J R Cheng J Yin Y Liu Z Cai and C Wu ldquoDDoS AttackDetectionUsing IP Address Feature Interactionrdquo in Proceedingsof the 2009 International Conference on Intelligent Networkingand Collaborative Systems (INCOS rsquo09) pp 113ndash118 2009
[47] J Cheng B Zhang J Yin et al ldquoDDoS Attack Detection UsingThree-State Partition Based on Flow Interactionrdquo Communica-tions in Computer amp Information Science vol 29 no 4 pp 176ndash184 2009
Security and Communication Networks 19
[48] J. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, “Detecting Distributed Denial of Service Attack Based on Multi-feature Fusion,” in Security Technology, vol. 58, pp. 132–139, 2009.
[49] J. R. Cheng, X. Tang, X. Zhu, and J. Yin, “Distributed denial of service attack detection based on IP Flow Interaction,” in Proceedings of the 2011 International Conference on E-Business and E-Government (ICEE ’11), pp. 1–4, 2011.
[50] J. Cheng, J. Yin, and L. Yun, “Detecting Distributed Denial of Service Attack Based on Address Correlation Value,” Journal of Computer Research & Development, vol. 46, no. 8, pp. 1334–1340, 2009.
[51] J. Cheng, J. Zhou, X. Tang, and J. Shi, “A distributed denial of service attack detection method based on time series prediction model,” Network Security Technology and Application, vol. 10, pp. 71–89, 2016.
[52] A. Rakotomamonjy, F. R. Bach, S. Canu, and Y. Grandvalet, “Simple MKL,” Journal of Machine Learning Research, vol. 9, no. 3, pp. 2491–2521, 2008.
[53] The Cooperative Association for Internet Data Analysis, The Caida Ucsd DDoS Attack 2007, http://www.caida.org/data/passive/ddos-20070804_dataset.xml.
Figure 1: Flow chart of multiple-kernel learning training process based on ensemble learning. [Flow chart: starting from the multidimensional data with initial weights, two branches are trained. M-SMKL branch: increase M to update the weights of the different dimensions with gradient ascent; multiply the updated weights with the training dataset, then update and improve the core parameters of M-SMKL; if the constraint conditions of M-SMKL are not met (No), repeat; if they are met (Yes), end M-SMKL training. S-SMKL branch: decrease S to update the weights of the different dimensions with gradient descent; multiply the updated weights with the training dataset, then update and decrease the core parameters of S-SMKL; if the constraint conditions of S-SMKL are not met (No), repeat; if they are met (Yes), end S-SMKL training.]
the training sample. According to the gradients in (33) and (34), the weight of each dimension is updated as follows:

$$
\begin{aligned}
w_1 &= w_1 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_1} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_1} \\
w_2 &= w_2 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_2} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_2} \\
w_3 &= w_3 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_3} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_3} \\
w_4 &= w_4 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_4} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_4} \\
w_5 &= w_5 + 2 \ast lr_1 \ast \frac{\partial M}{\partial w_5} - 2 \ast lr_2 \ast \frac{\partial S}{\partial w_5}
\end{aligned}
\tag{35}
$$
where $lr_1$ is the learning rate of gradient ascent and $lr_2$ is the learning rate of gradient descent; $lr_1$ has the same function as $\alpha$, and $lr_2$ has the same function as $\beta$. Each updated weight is multiplied by the corresponding original feature, and the next round of iteration is carried out.
4.3. Framework of Multiple-Kernel Learning Detection Based on Ensemble Learning. We input the multidimensional data with weights and set the learning rate. Then two different classifiers are trained: M-SMKL is trained mainly by increasing the M value and secondarily by reducing the S value, and S-SMKL is trained mainly by reducing the S value and secondarily by increasing the M value. During the training process, the M value and the S value are constantly updated by gradient ascent and descent until the constraint conditions are met. The flowchart is provided in Figure 1.
The detection process is as follows. First, the test data is multiplied by the two different weight vectors that were trained earlier. Second, the calculated data are input to the corresponding M-SMKL and S-SMKL models. Finally, we use the sliding window mechanism to coordinate the two kinds of models. The sliding window mechanism is described as follows. First, a sliding window with a size of $n$ is created. Second, the trained M-SMKL classifies the test data and obtains the first classification results, and the trained S-SMKL classifies the test data and obtains the second classification results. Finally, four cases are used to treat the first and the second classification results cooperatively: (1) if M-SMKL and S-SMKL both identify the current data category as normal, the current data category is judged to be normal; (2) if M-SMKL and S-SMKL both identify the current data category as attack, the current data category is judged to be attack; (3) if M-SMKL identifies the current data category as normal but S-SMKL identifies it as attack, the current data category is judged to be attack; (4) if M-SMKL identifies the current data category as attack but S-SMKL identifies it as normal, then proceed as follows. Step 1: Move the starting point of the sliding window to the current position of the test data in the first classification results, and map the end point of the sliding window to the n-1 position of the first classification results. Step 2: If the results in the sliding window are all attack, the current data category is judged to be attack; otherwise, the current data category is judged to be normal. The flow chart is provided in Figure 2.
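The four coordination cases and the sliding window of case (4), written out as an added Python example that is not code from the paper. It assumes labels 0 = normal and 1 = attack, reads the window as the n consecutive M-SMKL results starting at the current sample, and adds a hypothetical `require_full_window` switch for the end of the stream, which the paper does not specify; the two result series are constructed.

```python
from typing import List, Optional, Sequence, Tuple

NORMAL, ATTACK = 0, 1  # assumed label encoding, not taken from the paper


def decide(m_results: Sequence[int], s_results: Sequence[int], i: int,
           n: int, require_full_window: bool = False) -> Tuple[int, int]:
    """Return (final label, case number 1-4) for sample i.

    m_results are the "first classification results" (M-SMKL) and
    s_results the "second classification results" (S-SMKL).
    """
    m, s = m_results[i], s_results[i]
    if m == NORMAL and s == NORMAL:
        return NORMAL, 1
    if m == ATTACK and s == ATTACK:
        return ATTACK, 2
    if m == NORMAL and s == ATTACK:
        return ATTACK, 3
    # Case 4: M-SMKL says attack, S-SMKL says normal.
    # Window = M-SMKL results at positions i .. i+n-1 (assumed reading of Steps 1-2).
    window = m_results[i:i + n]
    if require_full_window and len(window) < n:
        # Hypothetical policy: too few results left to confirm the alarm.
        return NORMAL, 4
    confirmed = all(r == ATTACK for r in window)
    return (ATTACK if confirmed else NORMAL), 4


def coordinate(m_results: Sequence[int], s_results: Sequence[int], n: int = 8,
               require_full_window: bool = False) -> List[int]:
    """Combine both classifiers' label sequences into the final prediction."""
    if len(m_results) != len(s_results):
        raise ValueError("both classifiers must label the same samples")
    if n < 1:
        raise ValueError("window size n must be at least 1")
    for r in list(m_results) + list(s_results):
        if r not in (NORMAL, ATTACK):
            raise ValueError("labels must be 0 (normal) or 1 (attack)")
    return [decide(m_results, s_results, i, n, require_full_window)[0]
            for i in range(len(m_results))]


def first_alarm(labels: Sequence[int]) -> Optional[int]:
    """Index of the first sample labelled attack, or None if there is none."""
    return next((i for i, r in enumerate(labels) if r == ATTACK), None)


def demo() -> Tuple[List[int], List[int], List[int]]:
    # Constructed series, one label per 1 s sample. The attack starts at index 6.
    # M-SMKL reacts at once but also raises one isolated false alarm at index 1;
    # S-SMKL raises no false alarm but only reacts at index 12.
    m = [0, 1, 0, 0, 0, 0] + [1] * 14
    s = [0] * 12 + [1] * 8
    return m, s, coordinate(m, s, n=8)  # n = 8 is the window size used in the paper


if __name__ == "__main__":
    m, s, final = demo()
    print("M-SMKL first alarm:", first_alarm(m))        # isolated false alarm
    print("S-SMKL first alarm:", first_alarm(s))        # late detection
    print("coordinated first alarm:", first_alarm(final))
    print("final labels:", final)
```

Because case (4) looks ahead over n results, a verdict for sample i is only available once sample i+n-1 has been classified, so the window size is also the worst-case confirmation delay in samples.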
The reason for training two kinds of SMKL is that S-SMKL focuses on reducing the difference between the data of each dimension and can assemble the two types of samples in their respective central positions. However,
Figure 2: Flow chart of multiple-kernel learning detection process based on ensemble learning. [Flow chart: the initial data are multiplied by the new weight of S-SMKL and by the new weight of M-SMKL; the test set is classified with S-SMKL and with M-SMKL, giving Classify Result 1 and Classify Result 2; both results go through the sliding window process, which produces the final predicted result.]
S-SMKL does not consider the location of the two sample-center points. Although a better classification feature can be maintained on the whole, it is impossible to identify DDoS attacks earlier, because the center distance between the normal flow and the attack flow is small. M-SMKL focuses on the difference between the centers of the two types of data and maximizes the distance between the two sample centers, making the two types of samples as separate as possible. M-SMKL can expand the distance between different classes so that the attack flow can be identified earlier, but it makes intraclass data dispersed, causing default results. Therefore, the sliding window mechanism is adopted to coordinate the two models to detect early DDoS attacks accurately.
5. Experimental Analysis

5.1. Experimental Data Sets and Evaluation Standards. The data set used for this experiment is the CAIDA “DDoS Attack 2007” data set [53]. This data set contains anonymized traffic of a Distributed Denial of Service (DDoS) attack lasting approximately one hour on August 4, 2007. The total size of the data set is 21 GB, which accounts for approximately one hour (20:50:08 UTC–21:56:16 UTC). Attacks began around 21:13, causing the network load to grow rapidly (in minutes) from approximately 200 kbits/s to 80 megabits/s. The one hour of attack traffic is divided into 5-minute files and stored in PCAP format. The contents of this data set are TCP network traffic packets. Each TCP packet contains the source address, destination address, source port, destination port, packet size, and protocol type. The duration of the normal flow data used in this paper is 2 minutes in total, and the duration of the attack data is 5 minutes in total.

The hardware adopted is a computer with 8 GB of memory, an Intel Core i7 processor, and a Windows 10 64-bit system; the development environment is MATLAB 2014a and Codeblocks 10.05. The evaluation criteria used in this paper consist of the detection rate (DR), the false alarm rate (FR), and the total error rate (ER).

Assume that TP indicates the number of normal test samples that are properly marked, FP indicates the number of normal test samples that have been incorrectly marked, TN indicates the number of attack test samples that are correctly marked, and FN indicates the number of attack test samples that have been incorrectly marked.
$$
DR = \frac{TN}{TN + FN}, \qquad
FR = \frac{FP}{TP + FP}, \qquad
ER = \frac{FN + FP}{TP + FP + TN + FN}
\tag{36}
$$
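The definitions above attach TP/FP to normal samples and TN/FN to attack samples, the reverse of the usual "attack = positive" naming, so counts from a standard confusion matrix must be remapped before (36) is applied. The following added Python example (not code from the paper) tallies the counts in the paper's convention and computes DR, FR and ER; the label encoding and the helper `from_attack_positive` are assumptions, and the label vectors are constructed using the paper's sample sizes of 211 normal and 280 attack feature values.

```python
from typing import Dict, Optional, Sequence

NORMAL, ATTACK = 0, 1  # assumed label encoding


def paper_counts(truth: Sequence[int], predicted: Sequence[int]) -> Dict[str, int]:
    """Tally TP/FP/TN/FN with the paper's naming (TP/FP = normal, TN/FN = attack)."""
    if len(truth) != len(predicted):
        raise ValueError("truth and predicted must have the same length")
    c = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for t, p in zip(truth, predicted):
        if t == NORMAL:
            c["TP" if p == NORMAL else "FP"] += 1   # normal kept / normal flagged
        else:
            c["TN" if p == ATTACK else "FN"] += 1   # attack flagged / attack missed
    return c


def from_attack_positive(tp: int, fp: int, tn: int, fn: int) -> Dict[str, int]:
    """Remap counts that use the common 'attack = positive' naming.

    common TP (attack flagged) -> paper TN
    common TN (normal passed)  -> paper TP
    FP (normal flagged) and FN (attack missed) keep their names.
    """
    return {"TP": tn, "FP": fp, "TN": tp, "FN": fn}


def _ratio(num: int, den: int) -> Optional[float]:
    # A rate is undefined when its class has no samples in the test set.
    return num / den if den else None


def rates(c: Dict[str, int]) -> Dict[str, Optional[float]]:
    """DR, FR and ER exactly as written in (36)."""
    total = c["TP"] + c["FP"] + c["TN"] + c["FN"]
    return {
        "DR": _ratio(c["TN"], c["TN"] + c["FN"]),
        "FR": _ratio(c["FP"], c["TP"] + c["FP"]),
        "ER": _ratio(c["FN"] + c["FP"], total),
    }


def demo() -> Dict[str, Optional[float]]:
    # Constructed outcome: 1 of 211 normal samples flagged, 221 of 280 attacks flagged.
    truth = [NORMAL] * 211 + [ATTACK] * 280
    predicted = [ATTACK] * 1 + [NORMAL] * 210 + [ATTACK] * 221 + [NORMAL] * 59
    return rates(paper_counts(truth, predicted))


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name} = {100 * value:.2f}%")
    # Feeding attack-positive counts into (36) without remapping gives a different DR:
    print(rates({"TP": 221, "FP": 1, "TN": 210, "FN": 59})["DR"])
```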
We used the above five feature extraction algorithms to extract features from the data set. The extracted feature values are normalized and used as a training set. The data in the training set can be regarded as the regularity of the change in network traffic. Network traffic has an abrupt and volatile nature. Therefore, although the collected network data have similarities with the conventional ones, they still have a certain degree of difference. To simulate this phenomenon and verify the effectiveness of the presented method, three types of data are generated as follows: (1) normal flow feature values and attack flow feature values are multiplied by a random number; (2) only the attack flow feature values are multiplied by a random number; and (3) only the normal flow feature values are multiplied by a random number.
Figure 3: The ACD feature graph of DDoS attack flow and normal flow. [Plot: the ACD feature value versus time (s), 0–300 s; series: the DDoS attack feature value and the normal feature value.]

Figure 4: The IBF feature graph of DDoS attack flow and normal flow. [Plot: the IBF feature value versus time (s), 0–300 s; series: the DDoS attack feature value and the normal feature value.]
5.2. Experimental Results and Analysis. Five features are used to extract feature data from the attack data and the normal data, and positive as well as negative sample sets are obtained. The sampling time is set to 1 s, and the remaining parameters of the five feature extraction methods are set as follows: $\theta_1 = 0.5$, $\theta_2 = 0.5$, $\theta_3 = 3$, $\theta_4 = 3$, $\theta_5 = 3$, $\theta_6 = 3$, $\theta_7 = 3$, $\theta_8 = 3$, and $\theta_9 = 3$. The total number of normal feature values is 211, and the total number of attack feature values is 280. Figures 3–9 illustrate the feature values extracted by the five algorithms.
As illustrated in Figure 3, the early attack feature values of the DDoS attack are close to the normal feature values. This is because there are a large number of bidirectional flows in the early stage of the DDoS attack, and these bidirectional flows gradually decrease with the increase of the attack degree.
Figure 5: The FFV feature graph of DDoS attack flow and normal flow. [Plot: the FFV feature value versus time (s), 0–300 s; series: the DDoS attack feature value and the normal feature value.]

Figure 6: The ACD feature graph of DDoS attack flow and normal flow in the first 10 seconds. [Plot: the ACD feature value versus time (s), 0–10 s; series: the DDoS attack feature value and the normal feature value.]
Therefore, using the ACD as a feature after 70 seconds can significantly reflect the difference between the attack flow and the normal flow. ACD can reflect the difference between normal flow and attack flow the earliest.
As illustrated in Figure 4, compared with ACD, although IBF does not recognize the attack flow earlier, the distribution range of its feature values is more uniform and presents a certain degree of volatility. This makes the feature less susceptible to individual outliers.
As illustrated in Figure 5, the FFV feature is very similar to the ACD, but as illustrated in Figures 6 and 7, in the initial stage the FFV is more capable of reflecting the difference between the attack flow and the normal flow than the ACD is.
Figure 7: The FFV feature graph of DDoS attack flow and normal flow in the first 10 seconds. [Plot: the FFV feature value versus time (s), 0–10 s; series: the DDoS attack feature value and the normal feature value.]

Figure 8: The MFF feature graph of DDoS attack flow and normal flow. [Plot: the MFF feature value versus time (s), 0–300 s; series: the DDoS attack feature value and the normal feature value.]
As illustrated in Figure 8, although the MFF feature cannot distinguish the attack flow from the normal flow as early as possible, it can make the feature values of the attack stage more stable, so that it can avoid the outliers of attack flows.
As illustrated in Figure 9, it can be seen from the values on the ordinate that the HIAD best reflects the difference between the normal flow and the attack flow while having better stability in the latter half of the attack flow. After the early data, this feature can greatly distinguish between normal flow and abnormal flow, influence the classifier more, and make better decisions.
In summary, all five features have their own unique characteristics. To make full use of the characteristics of each feature, the feature values extracted by these five algorithms
Figure 9: The HIAD feature graph of DDoS attack flow and normal flow. [Plot: the HIAD feature value (×10^4) versus time (s), 0–300 s; series: the DDoS attack feature value and the normal feature value.]
are each used as a five-dimensional-feature data set. Using these five feature values as training sets, two multiple-kernel learning models dominated by gradient ascent and gradient descent are trained, and the corresponding five-dimensional feature weight vectors are obtained. Finally, according to the framework of Figure 2, the classification results of the test set are obtained and are used to verify the effectiveness of the method. The parameters of M-SMKL are set as follows: $lr_1 = 2 \ast 10^{-5}$, $lr_2 = 2 \ast 10^{-3}$, $t_1 = 1002$, $t_2 = 10065$, $t_3 = 1007$, $p_1 = 0.000084$, and $p_2 = 0.000001$. The parameters of S-SMKL are set as follows: $lr_1 = 2 \ast 10^{-5}$, $lr_2 = 2 \ast 10^{-2}$, $t_4 = 73425$, $t_5 = 78340$, $t_6 = 78350$, $p_3 = 0.000775$, and $p_4 = 0.000680$. The size of the sliding window is 8. The parameters for multiple-kernel learning are all default values, and the kernel function includes two Gaussian functions and two polynomial functions. The SVM parameters are all default values, and the kernel function is a linear function. The experimental results are illustrated in Figures 10–18.
As shown in Figures 10–18, under the three types of experiments and according to the three evaluation criteria, the overall performance of the algorithms from the highest to the lowest is the ADADM, the SVM method, the SMKL method, and Nezhad et al.’s method [16].
This is because, although the method described by Nezhad et al. [16] is visibly superior to the other methods in terms of DR indicators, it is far worse than the other methods with respect to the other indicators. The reason is that the Nezhad et al. [16] method relies excessively on the first reference point. When the first reference point fluctuates, this method easily recognizes some normal samples as attack samples.
Although the classification accuracy of the attack samples is high, a large number of normal samples are misjudged, so this method is superior in terms of DR and its other indicators are inferior to those of the other methods. This is
Figure 10: The DR contrast diagram of four algorithms for scaling attack flow and normal flow. [Plot: the value of DR versus the value of multiplier; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]

Figure 11: The ER contrast diagram of four algorithms for scaling attack flow and normal flow. [Plot: the value of ER versus the value of multiplier; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]
why, in this case, the Nezhad et al. [16] method performs the worst. The effect of SVM is generally better than that of the SMKL method because, although the SMKL method coordinates multiple kernel functions to map the sample to a high-dimensional Hilbert space, the linear kernel function is obviously more suitable for the sample. Using the linear kernel, SVM can establish a better hyperplane than the SMKL method to identify the data containing early DDoS attacks. However, although the multiple-kernel learning method does not use a linear kernel function that is more suitable for the
Figure 12: The FR contrast diagram of four algorithms for scaling attack flow and normal flow. [Plot: the value of FR versus the value of multiplier; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]

Figure 13: The DR contrast diagram of four algorithms for narrowing the attack flow. [Plot: the value of DR versus the value of multiplier; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]
sample space, it can still maintain high accuracy, indicating that multiple-kernel learning has a lower dependence on the selection of kernel functions than the single-kernel SVM.
We compared the ADADM to the SVM method. The ADADM method uses the same kernel function as the SMKL method. Because the multikernel learning method is flexible and adaptable, it is possible to continuously optimize the hyperplane by adjusting the weights of the feature of each dimension to recognize the DDoS as early as possible. Attack
Figure 14: The ER contrast diagram of four algorithms for narrowing the attack flow. [Plot: the value of ER versus the value of multiplier; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]

Figure 15: The FR contrast diagram of four algorithms for narrowing the attack flow. [Plot: the value of FR versus the value of multiplier; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]
flow data and normal flow data are located on both sides of the hyperplane.
In addition, using the idea of ensemble learning to train two different classifiers and using the sliding window mechanism to further synthesize the advantages of each classifier improves the algorithm’s performance in the three types of experiments. The method we propose outperforms not only the SVM method but also other methods of DDoS attack
Figure 16: The DR contrast diagram of four algorithms for amplifying the normal flow. [Plot: the value of DR versus the value of multiplier; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]

Figure 17: The ER contrast diagram of four algorithms for amplifying the normal flow. [Plot: the value of ER versus the value of multiplier; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]
detection. The experimental data are presented in Tables 1, 2, and 3.

6. Conclusion

In this paper, five-dimensional features are defined for describing the burstiness of DDoS attack flows, the distribution of IP source addresses, and the interactivity of DDoS attack flows. Based on the five-dimensional
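Table 1: Comparison results of four algorithms for scaling attack flow and normal flow.

| Method | Metric | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.1 | 1.0–1.5 | 1.5–2.0 | 2.0–3.0 | 3.0–4.0 | 4.0–5.0 |
| ADADM method | DR (%) | 78.57 | 78.57 | 78.57 | 78.57 | 78.21 | 78.21 | 78.21 | 78.21 | 78.57 |
| ADADM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| ADADM method | ER (%) | 12.22 | 12.22 | 12.22 | 12.22 | 12.42 | 12.42 | 12.42 | 12.42 | 12.22 |
| SimpleMKL method | DR (%) | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| SimpleMKL method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SimpleMKL method | ER (%) | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 77.50 | 77.50 | 77.86 | 77.86 | 76.79 | 77.50 | 77.86 | 76.79 | 77.86 |
| SVM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SVM method | ER (%) | 12.83 | 12.83 | 12.63 | 12.63 | 13.24 | 12.83 | 12.63 | 13.24 | 12.63 |
| Nezhad et al.’s [16] method | DR (%) | 98.21 | 97.85 | 98.21 | 97.85 | 98.21 | 98.21 | 98.21 | 97.85 | 98.21 |
| Nezhad et al.’s [16] method | FR (%) | 74.29 | 74.76 | 74.29 | 74.76 | 75.71 | 74.29 | 74.29 | 74.29 | 72.38 |
| Nezhad et al.’s [16] method | ER (%) | 32.92 | 33.33 | 32.92 | 33.33 | 33.54 | 32.92 | 32.92 | 33.13 | 32.11 |

(Column headings give the value of the random multiplier.)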
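Table 2: Comparison results of four algorithms for narrowing the attack flow.

| Method | Metric | 0.1–0.2 | 0.2–0.3 | 0.3–0.4 | 0.4–0.5 | 0.5–0.6 | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.0 |
| ADADM method | DR (%) | 78.21 | 78.21 | 78.21 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 |
| ADADM method | FR (%) | 10.99 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| ADADM method | ER (%) | 17.15 | 13.04 | 12.42 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 |
| SimpleMKL method | DR (%) | 75.71 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| SimpleMKL method | FR (%) | 22.75 | 4.74 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SimpleMKL method | ER (%) | 23.63 | 15.48 | 14.05 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 76.07 | 77.14 | 77.50 | 77.86 | 77.50 | 77.86 | 77.86 | 77.50 | 77.86 |
| SVM method | FR (%) | 22.75 | 4.74 | 1.42 | 0.47 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SVM method | ER (%) | 23.42 | 15.07 | 13.44 | 12.83 | 12.83 | 12.63 | 12.63 | 12.83 | 12.63 |
| Nezhad et al.’s [16] method | DR (%) | 97.13 | 97.85 | 98.57 | 98.21 | 98.57 | 98.57 | 98.21 | 98.21 | 97.85 |
| Nezhad et al.’s [16] method | FR (%) | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 |
| Nezhad et al.’s [16] method | ER (%) | 33.54 | 33.13 | 32.72 | 32.92 | 32.72 | 32.72 | 32.92 | 32.92 | 33.13 |

(Column headings give the value of the random multiplier.)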
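Table 3: Comparison results of four algorithms for amplifying the normal flow.

| Method | Metric | 1.0–1.5 | 1.5–2.0 | 2.0–2.5 | 2.5–3.0 | 3.0–3.5 | 3.5–4.0 | 4.0–4.5 | 4.5–5.0 | 5.0–5.5 |
| ADADM method | DR (%) | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 |
| ADADM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.47 | 1.42 | 1.90 | 4.74 | 6.64 | 10.43 |
| ADADM method | ER (%) | 12.02 | 12.02 | 12.02 | 12.22 | 12.63 | 12.83 | 14.05 | 14.87 | 16.50 |
| SimpleMKL method | DR (%) | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 |
| SimpleMKL method | FR (%) | 0.01 | 0.01 | 0.47 | 1.42 | 4.27 | 6.64 | 10.90 | 17.06 | 21.80 |
| SimpleMKL method | ER (%) | 13.04 | 13.04 | 13.24 | 13.65 | 14.87 | 15.89 | 17.72 | 20.37 | 22.40 |
| SVM method | DR (%) | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 |
| SVM method | FR (%) | 0.01 | 0.01 | 0.95 | 1.42 | 3.79 | 8.06 | 11.85 | 18.01 | 22.75 |
| SVM method | ER (%) | 12.63 | 12.63 | 13.04 | 13.24 | 14.26 | 16.09 | 17.72 | 20.37 | 22.40 |
| Nezhad et al.’s [16] method | DR (%) | 97.49 | 97.13 | 97.13 | 97.13 | 96.77 | 96.77 | 96.77 | 96.77 | 96.77 |
| Nezhad et al.’s [16] method | FR (%) | 65.24 | 65.24 | 66.19 | 66.67 | 66.67 | 66.67 | 67.14 | 67.14 | 67.62 |
| Nezhad et al.’s [16] method | ER (%) | 29.47 | 29.67 | 30.08 | 30.28 | 30.49 | 30.49 | 30.69 | 30.69 | 30.90 |

(Column headings give the value of the random multiplier.)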
Figure 18: The FR contrast diagram of four algorithms for amplifying the normal flow. [Plot: the value of FR versus the value of multiplier; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]
features and the ensemble learning framework, adaptive feature weights are obtained, and the M-SMKL and S-SMKL multiple-kernel learning models are trained to detect DDoS attacks. To identify early attacks effectively, the sliding window mechanism is used to coordinate the S-SMKL and the M-SMKL in dealing with the detection results. Experimental results show that, compared with similar methods, our method can produce more accurate results for detecting early DDoS attacks.
In the follow-up work, we will further study how to transform the multidimensional weight adaptive problem based on multiple-kernel learning into a convex optimization problem and improve the detection rate and convergence speed of the method.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
There are no conflicts of interest in this paper
Acknowledgments
This work was supported by the Hainan Provincial Natural Science Foundation of China [2018CXTD333, 617048], the National Natural Science Foundation of China [61762033, 61702539], Hainan University Doctor Start Fund Project [kyqd1328], and Hainan University Youth Fund Project [qnjj1444].
References
[1] Z. Cai, Z. Wang, K. Zheng, and J. Cao, “A Distributed TCAM coprocessor architecture for integrated longest prefix matching, policy filtering, and content filtering,” IEEE Transactions on Computers, vol. 62, no. 3, pp. 417–427, 2013.
[2] J. H. Cui, Y. Y. Zhang, Z. P. Cai, et al., “Securing display path for security-sensitive applications on mobile devices,” Computer Materials & Continua, vol. 55, no. 1, pp. 17–35, 2018.
[3] S. Liu, Z. Cai, H. Xu, and M. Xu, “Towards security-aware virtual network embedding,” Computer Networks, vol. 91, pp. 151–163, 2015.
[4] A. S. Pimpalkar and A. R. Bhagat Patil, “Detection and defense mechanisms against DDoS attacks,” in Proceedings of the International Conference on Innovations in Information, Embedded and Communication Systems, pp. 1–6, IEEE, 2015.
[5] J. R. Cheng, R. M. Xu, and X. Y. Tang, “An Abnormal Network Flow Feature Sequence Prediction Approach for DDoS Attacks Detection in Big Data Environment,” Computers, Materials & Continua, vol. 55, no. 1, pp. 95–119, 2018.
[6] N. Hoque, D. K. Bhattacharyya, and J. K. Kalita, “Botnet in DDoS attacks: trends and challenges,” IEEE Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2242–2270, 2015.
[7] K. Zeb, O. Baig, and M. K. Asif, “DDoS attacks and countermeasures in cyberspace,” in Proceedings of the 2015 2nd World Symposium on Web Applications and Networking, WSWAN ’15, pp. 1–6, IEEE, 2015.
[8] J. Shen, Z. Gui, S. Ji, J. Shen, H. Tan, and Y. Tang, “Cloud-aided lightweight certificateless authentication protocol with anonymity for wireless body area networks,” Journal of Network and Computer Applications, vol. 106, pp. 117–123, 2018.
[9] D. Kreutz, F. M. V. Ramos, P. E. Verissimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, “Software-defined networking: a comprehensive survey,” Proceedings of the IEEE, vol. 103, no. 1, pp. 14–76, 2015.
[10] Z. Zhou, M. Dong, K. Ota, G. Wang, and L. T. Yang, “Energy-efficient resource allocation for d2d communications underlaying cloud-ran-based lte-a networks,” IEEE Internet of Things Journal, vol. 3, no. 3, pp. 428–438, 2016.
[11] W. Lin, S. Xu, L. He, and J. Li, “Multi-resource scheduling and power simulation for cloud computing,” Information Sciences, vol. 397-398, pp. 168–186, 2017.
[12] W. Jiang, G. Wang, M. Z. A. Bhuiyan, and J. Wu, “Understanding graph-based trust evaluation in online social networks: Methodologies and challenges,” ACM Computing Surveys, vol. 49, no. 1, 2016.
[13] E. Luo, Q. Liu, and G. Wang, “Hierarchical Multi-Authority and Attribute-Based Encryption Friend Discovery Scheme in Mobile Social Networks,” IEEE Communications Letters, vol. 20, no. 9, pp. 1772–1775, 2016.
[14] S. Peng, A. Yang, L. Cao, S. Yu, and D. Xie, “Social influence modeling using information theory in mobile social networks,” Information Sciences, vol. 379, pp. 146–159, 2017.
[15] T. Peng, Q. Liu, D. Meng, and G. Wang, “Collaborative trajectory privacy preserving scheme in location-based services,” Information Sciences, vol. 387, pp. 165–179, 2017.
[16] S. M. T. Nezhad, M. Nazari, and E. A. Gharavol, “A Novel DoS and DDoS Attacks Detection Algorithm Using ARIMA Time Series Model and Chaotic System in Computer Networks,” IEEE Communications Letters, vol. 20, no. 4, pp. 700–703, 2016.
18 Security and Communication Networks
[17] R H Meng S G Rice and J Wang ldquoA Fusion SteganographicAlgorithm Based on Faster R-CNNrdquo Computers Materials ampContinua vol 55 no 1 pp 1ndash16 2018
[18] L Sun Z LiQYanW Srisa-an andY Pan ldquoSigPID significantpermission identification for android malware detectionrdquo inProceedings of the 2016 11th International Conference on Mali-cious and Unwanted Software (MALWARE rsquo16) pp 1ndash8 FajardoPuerto Rico USA October 2016
[19] C Yuan X Li Q M J Wu et al ldquoFingerprint Liveness Detec-tion from Different Fingerprint Materials Using ConvolutionalNeural Network and Principal Component Analysisrdquo CMCComputers Materials amp Continua vol 53 no 3 pp 357ndash3712017
[20] M I Jordan and T M Mitchell ldquoMachine learning trendsperspectives and prospectsrdquo Science vol 349 no 6245 pp 255ndash260 2015
[21] Y Li G Wang L Nie Q Wang and W Tan ldquoDistancemetric optimization driven convolutional neural network forage invariant face recognitionrdquo Pattern Recognition vol 75 pp51ndash62 2018
[22] P Li J Li Z Huang et al ldquoMulti-key privacy-preserving deeplearning in cloud computingrdquo Future Generation ComputerSystems vol 74 pp 76ndash85 2017
[23] T Li J Li Z Liu P Li and C Jia ldquoDifferentially private NaiveBayes learning overmultiple data sourcesrdquo Information Sciencesvol 444 pp 89ndash104 2018
[24] Z Huang S Liu X Mao K Chen and J Li ldquoInsight of theprotection for data security under selective opening attacksrdquoInformation Sciences vol 412-413 pp 223ndash241 2017
[25] CGaoQ Cheng PHeW Susilo and J Li ldquoPrivacy-preservingNaive Bayes classifiers secure against the substitution-then-comparison attackrdquo Information Sciences vol 444 pp 72ndash882018
[26] A Saied R E Overill andT Radzik ldquoArtificial neural networksin the detection of known and unknown DDoS attacks proof-of-conceptrdquo in Proceedings of PAAMS 2014 International Work-shops (PAAMS rsquo14) Salamanca Spain 2014
[27] M H Bhuyan D K Bhattacharyya and J K Kalita ldquoAnempirical evaluation of information metrics for low-rate andhigh-rate DDoS attack detectionrdquo Pattern Recognition Lettersvol 51 pp 1ndash7 2015
[28] Z Y Tan A Jamdagni X He P Nanda and R P Liu ldquoA systemfor denial-of-service attackdetection based onmultivariate cor-relation analysisrdquo IEEE Transactions on Parallel and DistributedSystems vol 25 no 2 pp 447ndash456 2014
[29] S Yu W Zhou W Jia S Guo Y Xiang and F TangldquoDiscriminating DDoS attacks from flash crowds using flowcorrelation coefficientrdquo IEEE Transactions on Parallel and Dis-tributed Systems vol 23 no 6 pp 1073ndash1080 2012
[30] A Wang A Mohaisen W Chang and S Chen ldquoDelving intoInternet DDoS Attacks by Botnets Characterization and Anal-ysisrdquo in Proceedings of the 45th Annual IEEEIFIP InternationalConference on Dependable Systems and Networks DSN rsquo15 pp379ndash390 2015
[31] G D Kumar C V G Rao M K Singh and F Ahmad ldquoUsingJpcap API to monitor analyze and report network traffic forDDoS attacksrdquo in Proceedings of the 14th International Confer-ence on Computational Science and Its Applications ICCSA rsquo14vol 39 p 35 2014
[32] K J Singh KThongam and T De ldquoEntropy-based applicationlayer DDoS attack detection using artificial neural networksrdquoEntropy vol 18 no 10 2016
[33] A Rukavitsyn K Borisenko and A Shorov ldquoSelf-learningmethod for DDoS detection model in cloud computingrdquo inProceedings of the 2017 IEEE Russia Section Young Researchers inElectrical and Electronic Engineering Conference ElConRus rsquo17pp 544ndash547 2017
[34] H Zhang Z Cai Q Liu et al ldquoA Survey on Security-AwareMeasurement in SDNrdquo Security and Communication Networksvol 2018 Article ID 2459154 14 pages 2018
[35] J Ashraf and S Latif ldquoHandling intrusion and DDoS attacksin Software Defined Networks using machine learning tech-niquesrdquo inProceedings of the 2014National Software EngineeringConference NSEC rsquo14 pp 55ndash60 Karachi Pakistan 2014
[36] I Mihai-Gabriel and P Victor-Valeriu ldquoAchieving DDoSresiliency in a software defined network by intelligent riskassessment based on neural networks and danger theoryrdquoin Proceedings of the 15th IEEE International Symposium onComputational Intelligence and Informatics CINTI rsquo14 pp 319ndash324 Hungary 2014
[37] Q Yan Q Gong and F R Yu ldquoEffective software-definednetworking controller scheduling method to mitigate DDoSattacksrdquo IEEE Electronics Letters vol 53 no 7 pp 469ndash471 2017
[38] T Chin X Mountrouidou X Li and K Xiong ldquoSelectivepacket inspection to detectDoS flooding using software definednetworking (SDN)rdquo in Proceedings of the 2015 35th IEEEInternational Conference on Distributed Computing SystemsWorkshops ICDCSW rsquo15 pp 95ndash99 2015
[39] NDayal and S Srivastava ldquoAnalyzing behavior ofDDoS attacksto identify DDoS detection features in SDNrdquo in Proceedings ofthe 9th International Conference onCommunication Systems andNetworks COMSNETS rsquo17 pp 274ndash281 2017
[40] J Ye X Cheng J Zhu L Feng and L Song ldquoA DDoSAttack Detection Method Based on SVM in Software DefinedNetworkrdquo Security and Communication Networks vol 2018Article ID 9804061 8 pages 2018
[41] J Xu L Wei Y Zhang A Wang F Zhou and C GaoldquoDynamic Fully Homomorphic encryption-based Merkle Treefor lightweight streaming authenticated data structuresrdquo Jour-nal of Network and Computer Applications vol 107 pp 113ndash1242018
[42] X Zhang Y Tan C Liang Y Li and J Li ldquoA Covert ChannelOver VoLTE via Adjusting Silence Periodsrdquo IEEE Access vol 6pp 9292ndash9302 2018
[43] Q Lin H Yan Z Huang W Chen J Shen and Y TangldquoAn ID-based linearly homomorphic signature scheme and itsapplication in blockchainrdquo IEEE Access vol 6 no 1 pp 20632ndash20640 2018
[44] Q Lin J Li Z Huang W Chen and J Shen ldquoA short linearlyhomomorphic proxy signature schemerdquo IEEE Access vol 6 pp12966ndash12972 2018
[45] J Cheng X Tang and J Yin ldquoA change-point DDoS attackdetection method based on half interaction anomaly degreerdquoInternational Journal of Autonomous and Adaptive Communi-cations Systems vol 10 no 1 pp 38ndash54 2017
[46] J R Cheng J Yin Y Liu Z Cai and C Wu ldquoDDoS AttackDetectionUsing IP Address Feature Interactionrdquo in Proceedingsof the 2009 International Conference on Intelligent Networkingand Collaborative Systems (INCOS rsquo09) pp 113ndash118 2009
[47] J Cheng B Zhang J Yin et al ldquoDDoS Attack Detection UsingThree-State Partition Based on Flow Interactionrdquo Communica-tions in Computer amp Information Science vol 29 no 4 pp 176ndash184 2009
Security and Communication Networks 19
[48] J Cheng J Yin Y Liu Z Cai and C Wu ldquoDetectingDistributed Denial of Service Attack Based on Multi-featureFusionrdquo in Security Technology vol 58 pp 132ndash139 2009
[49] J R Cheng X Tang X Zhu and J Yin ldquoDistributed denialof service attack detection based on IP Flow Interactionrdquo inProceedings of the 2011 International Conference on E-Businessand E-Government (ICEE rsquo11) pp 1ndash4 2011
[50] J Cheng J Yin and L Yun ldquoDetecting Distributed Denial ofService Attack Based on Address Correlation Valuerdquo Journal ofComputer ResearchampDevelopment vol 46 no 8 pp 1334ndash13402009
[51] J Cheng J Zhou X Tang and J Shi ldquoA distributed denial ofservice attack detectionmethod based on time series predictionmodelrdquo Network Security Technology and Application vol 10pp 71ndash89 2016
[52] A Rakotomamonjy F R Bach S Canu and Y GrandvaletldquoSimple MKLrdquo Journal of Machine Learning Research vol 9 no3 pp 2491ndash2521 2008
[53] The Cooperative Association for Internet Data Analysis TheCaida Ucsd DDoS Attack 2007 httpwwwcaidaorgdatapassiveddos-20070804 datasetxml
Figure 2: Flow chart of multiple-kernel learning detection process based on ensemble learning. [Flow chart: the initial data are multiplied by the new weights of S-SMKL and of M-SMKL; the test set is classified with S-SMKL (Classify Result 1) and with M-SMKL (Classify Result 2); both results pass through the slide window process to give the final predict result.]
S-SMKL does not consider the location of the two sample center points. Although it maintains a better classification feature on the whole, it cannot identify DDoS attacks earlier because the distance between the centers of the normal flow and the attack flow is small. M-SMKL focuses on the difference between the centers of the two types of data and maximizes the distance between the two sample centers, making the two types of samples as separate as possible. M-SMKL can expand the distance between different classes so that the attack flow can be identified earlier, but it disperses the intraclass data, causing default results. Therefore, the sliding window mechanism is adopted to coordinate the two models to detect early DDoS attacks accurately.
5. Experimental Analysis

5.1. Experimental Data Sets and Evaluation Standards. The data set used for this experiment is the CAIDA “DDoS Attack 2007” data set [53]. This data set contains approximately one hour of anonymized traffic from a Distributed Denial of Service (DDoS) attack on August 4, 2007. The total size of the data set is 21 GB, which accounts for approximately one hour (20:50:08 UTC–21:56:16 UTC). Attacks began around 21:13, causing the network load to grow rapidly (in minutes) from approximately 200 kbits/s to 80 megabits/s. The one hour of attack traffic is divided into 5-minute files and stored in PCAP format. The contents of this data set are TCP network traffic packets. Each TCP packet contains the source address, destination address, source port, destination port, packet size, and protocol type. The duration of the normal flow data used in this paper is 2 minutes in total, and the duration of the attack data is 5 minutes in total.

The hardware used is a computer with 8 GB of memory, an Intel Core i7 processor, and a 64-bit Windows 10 system; the development environment is MATLAB 2014a and Codeblocks 10.05. The evaluation criteria used in this paper consist of the detection rate (DR), the false alarm rate (FR), and the total error rate (ER).

Assume that TP indicates the number of normal test samples that are correctly marked, FP indicates the number of normal test samples that have been incorrectly marked, TN indicates the number of attack test samples that are correctly marked, and FN indicates the number of attack test samples that have been incorrectly marked. Then

$$DR = \frac{TN}{TN + FN}, \qquad FR = \frac{FP}{TP + FP}, \qquad ER = \frac{FN + FP}{TP + FP + TN + FN}. \tag{36}$$

We used the above five feature extraction algorithms to extract features from the data set. The extracted feature values are normalized and used as a training set. The data in the training set can be regarded as the regularity of the change in network traffic. Network traffic has an abrupt and volatile nature. Therefore, although the collected network data have similarities with the conventional ones, they still differ to a certain degree. To simulate this phenomenon and verify the effectiveness of the presented method, three types of data are generated as follows: (1) normal flow feature values and attack flow feature values are multiplied by a random number; (2) only the attack flow feature values are multiplied by a random number; and (3) only the normal flow feature values are multiplied by a random number.
Figure 3: The ACD feature graph of DDoS attack flow and normal flow. [Plot: x-axis time (s); y-axis the ACD feature value; series: the DDoS attack feature value and the normal feature value.]

Figure 4: The IBF feature graph of DDoS attack flow and normal flow. [Plot: x-axis time (s); y-axis the IBF feature value; series: the DDoS attack feature value and the normal feature value.]
5.2. Experimental Results and Analysis. Five features are used to extract feature data from the attack data and the normal data, and positive as well as negative sample sets are obtained. The sampling time is set to 1 s, and the remaining parameters of the five feature extraction methods are set as follows: $\theta_1 = 0.5$, $\theta_2 = 0.5$, $\theta_3 = 3$, $\theta_4 = 3$, $\theta_5 = 3$, $\theta_6 = 3$, $\theta_7 = 3$, $\theta_8 = 3$, and $\theta_9 = 3$. The total number of normal feature values is 211, and the total number of attack feature values is 280. Figures 3–9 illustrate the feature values extracted by the five algorithms.

As illustrated in Figure 3, the early attack feature values of the DDoS attack are close to the normal feature values. This is because there are a large number of bidirectional flows in the early stage of the DDoS attack, and these bidirectional flows gradually decrease as the attack degree increases. Therefore, using the ACD as a feature after 70 seconds can significantly reflect the difference between the attack flow and the normal flow. ACD can reflect the difference between normal flow and attack flow the earliest.

Figure 5: The FFV feature graph of DDoS attack flow and normal flow. [Plot: x-axis time (s); y-axis the FFV feature value; series: the DDoS attack feature value and the normal feature value.]

Figure 6: The ACD feature graph of DDoS attack flow and normal flow in the first 10 seconds. [Plot: x-axis time (s); y-axis the ACD feature value; series: the DDoS attack feature value and the normal feature value.]

As illustrated in Figure 4, compared with ACD, although IBF does not recognize the attack flow earlier, the distribution range of its feature values is more uniform and presents a certain degree of volatility. This makes the feature less susceptible to individual outliers.

As illustrated in Figure 5, the FFV feature is very similar to the ACD, but, as illustrated in Figures 6 and 7, in the initial stage the FFV is more capable of reflecting the difference between the attack flow and the normal flow than the ACD is.
Figure 7: The FFV feature graph of DDoS attack flow and normal flow in the first 10 seconds. [Plot: x-axis time (s); y-axis the FFV feature value; series: the DDoS attack feature value and the normal feature value.]

Figure 8: The MFF feature graph of DDoS attack flow and normal flow. [Plot: x-axis time (s); y-axis the MFF feature value; series: the DDoS attack feature value and the normal feature value.]
As illustrated in Figure 8, although the MFF feature cannot separate the attack flow from the normal flow as early as possible, it makes the feature values of the attack stage more stable, so that it can avoid the outliers of attack flows.

As illustrated in Figure 9, it can be seen from the value of the ordinate that the HIAD best reflects the difference between the normal flow and the attack flow, while having better stability in the latter half of the attack flow. After the early data, this feature can greatly distinguish between normal flow and abnormal flow, influence the classifier more, and make better decisions.

Figure 9: The HIAD feature graph of DDoS attack flow and normal flow. [Plot: x-axis time (s); y-axis the HIAD feature value (×10^4); series: the DDoS attack feature value and the normal feature value.]

In summary, all five features have their own unique characteristics. To make full use of the characteristics of each feature, the feature values extracted by these five algorithms are used together as a five-dimensional feature data set. Using these five feature values as training sets, two multiple-kernel learning models dominated by gradient ascent and gradient descent are trained, and the corresponding five-dimensional feature weight vectors are obtained. Finally, according to the framework of Figure 2, the classification results of the test set are obtained and are used to verify the effectiveness of the method. The parameters of M-SMKL are set as follows: $lr_1 = 2 \times 10^{-5}$, $lr_2 = 2 \times 10^{-3}$, $t_1 = 1002$, $t_2 = 10065$, $t_3 = 1007$, $p_1 = 0.000084$, and $p_2 = 0.000001$. The parameters of S-SMKL are set as follows: $lr_1 = 2 \times 10^{-5}$, $lr_2 = 2 \times 10^{-2}$, $t_4 = 73425$, $t_5 = 78340$, $t_6 = 78350$, $p_3 = 0.000775$, and $p_4 = 0.000680$. The size of the sliding window is 8. The parameters for multiple-kernel learning are all default values, and the kernel functions include two Gaussian functions and two polynomial functions. The SVM parameters are all default values, and the kernel function is the linear function. The experimental results are illustrated in Figures 10–18.

As shown in Figures 10–18, under the three types of experiments and according to the three evaluation criteria, the overall performance of the algorithms from the highest to the lowest is the ADADM, the SVM method, the SMKL method, and Nezhad et al.’s method [16].

This is because, although the method described by Nezhad et al. [16] is visibly superior to the other methods in terms of the DR indicator, it is far worse than the other methods with respect to the other indicators. The reason is that the Nezhad et al. [16] method relies excessively on the first reference point. When the first reference point fluctuates, this method easily recognizes some normal samples as attack samples.
Although the classification accuracy of the attack samples is high, a large number of normal samples are misjudged, so this method is superior in terms of DR and its other indicators are inferior to those of the other methods. This is why, in this case, the Nezhad et al. [16] method performs the worst. The effect of SVM is generally better than that of the SMKL method because, although the SMKL method coordinates multiple kernel functions to map the sample to a high-dimensional Hilbert space, the linear kernel function is obviously more suitable for the sample. Using the linear kernel, SVM can establish a better hyperplane than the SMKL method to identify the data containing early DDoS attacks. However, although the multiple-kernel learning method does not use a linear kernel function that is more suitable for the sample space, it can still maintain high accuracy, indicating that multiple-kernel learning has a lower dependence on the selection of kernel functions than the single-kernel SVM.

Figure 10: The DR contrast diagram of four algorithms for scaling attack flow and normal flow. [Plot: x-axis the value of multiplier; y-axis the value of DR; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]

Figure 11: The ER contrast diagram of four algorithms for scaling attack flow and normal flow. [Plot: x-axis the value of multiplier; y-axis the value of ER; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]

Figure 12: The FR contrast diagram of four algorithms for scaling attack flow and normal flow. [Plot: x-axis the value of multiplier; y-axis the value of FR; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]

Figure 13: The DR contrast diagram of four algorithms for narrowing the attack flow. [Plot: x-axis the value of multiplier; y-axis the value of DR; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]
We compared the ADADM to the SVM method. The ADADM method uses the same kernel functions as the SMKL method. Because the multikernel learning method is flexible and adaptable, it is possible to continuously optimize the hyperplane by adjusting the weights of the feature of each dimension to recognize the DDoS attack as early as possible. Attack flow data and normal flow data are located on both sides of the hyperplane.

Figure 14: The ER contrast diagram of four algorithms for narrowing the attack flow. [Plot: x-axis the value of multiplier; y-axis the value of ER; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]

Figure 15: The FR contrast diagram of four algorithms for narrowing the attack flow. [Plot: x-axis the value of multiplier; y-axis the value of FR; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]
In addition, using the idea of ensemble learning to train two different classifiers and using the sliding window mechanism to further synthesize the advantages of each classifier improves the algorithm’s performance in the three types of experiments. The method we propose outperforms not only the SVM method but also the other methods of DDoS attack detection. The experimental data are presented in Tables 1, 2, and 3.

Figure 16: The DR contrast diagram of four algorithms for amplifying the normal flow. [Plot: x-axis the value of multiplier; y-axis the value of DR; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]

Figure 17: The ER contrast diagram of four algorithms for amplifying the normal flow. [Plot: x-axis the value of multiplier; y-axis the value of ER; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]
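The DR, FR, and ER definitions of equation (36) let a reader cross-check reported table cells: a DR and FR pair fixes integer confusion counts, and those counts must reproduce the reported ER. The following is an added example, not code from the paper; it assumes the 211 normal and 280 attack feature values of Section 5.2 are the scored samples, and it uses rows as read from Table 3 (all function and variable names are hypothetical).

```python
"""Consistency audit of reported DR/FR/ER percentages (added example)."""
from dataclasses import dataclass

# Assumption: the 211 normal and 280 attack feature values reported in
# Section 5.2 are the samples that were scored.
N_NORMAL = 211
N_ATTACK = 280


@dataclass(frozen=True)
class Confusion:
    """Counts in the paper's convention: 'positive' means normal traffic."""
    tp: int  # normal samples marked correctly
    fp: int  # normal samples marked incorrectly (false alarms)
    tn: int  # attack samples marked correctly (detections)
    fn: int  # attack samples marked incorrectly (misses)

    def dr(self) -> float:
        return self.tn / (self.tn + self.fn)

    def fr(self) -> float:
        return self.fp / (self.tp + self.fp)

    def er(self) -> float:
        return (self.fn + self.fp) / (self.tp + self.fp + self.tn + self.fn)


def recover(dr_pct, fr_pct, n_normal=N_NORMAL, n_attack=N_ATTACK):
    """Nearest integer confusion counts that explain a reported DR and FR."""
    tn = round(dr_pct / 100 * n_attack)
    fp = round(fr_pct / 100 * n_normal)
    return Confusion(tp=n_normal - fp, fp=fp, tn=tn, fn=n_attack - tn)


def audit(dr_pct, fr_pct, er_pct, tol=0.011):
    """Return (counts, derived percentages, consistent?) for one table cell.

    tol covers two-decimal rounding plus an FR printed as 0.01 where the
    nearest count is zero.
    """
    counts = recover(dr_pct, fr_pct)
    derived = {"DR": 100 * counts.dr(),
               "FR": 100 * counts.fr(),
               "ER": 100 * counts.er()}
    reported = {"DR": dr_pct, "FR": fr_pct, "ER": er_pct}
    ok = all(abs(derived[k] - reported[k]) <= tol for k in reported)
    return counts, derived, ok


# Rows as read from Table 3 (normal flow amplified):
# (multiplier range, DR %, FR %, ER %)
ADADM_TABLE3 = [
    ("1.0-1.5", 78.93, 0.01, 12.02),
    ("2.5-3.0", 78.93, 0.47, 12.22),
    ("3.0-3.5", 78.93, 1.42, 12.63),
    ("3.5-4.0", 78.93, 1.90, 12.83),
    ("4.0-4.5", 78.93, 4.74, 14.05),
    ("4.5-5.0", 78.93, 6.64, 14.87),
    ("5.0-5.5", 78.93, 10.43, 16.50),
]
# First cell of the Nezhad et al. [16] rows of the same table. It does not
# reconcile under the assumed 211/280 totals, so those totals do not
# explain that row.
NEZHAD_TABLE3_FIRST = ("1.0-1.5", 97.49, 65.24, 29.47)


def audit_rows(rows):
    """Audit every (label, DR, FR, ER) row; returns (label, counts, ok)."""
    out = []
    for label, dr_pct, fr_pct, er_pct in rows:
        counts, _, ok = audit(dr_pct, fr_pct, er_pct)
        out.append((label, counts, ok))
    return out


if __name__ == "__main__":
    for label, counts, ok in audit_rows(ADADM_TABLE3 + [NEZHAD_TABLE3_FIRST]):
        status = "consistent" if ok else "NOT consistent"
        print(f"{label}: FP={counts.fp:3d} FN={counts.fn:3d} -> {status}")
```

Because the paper counts normal traffic as the positive class, DR is computed from TN and FN; feeding these functions counts in the more common attack-positive convention silently swaps DR and FR.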
Table 1: Comparison results of four algorithms for scaling attack flow and normal flow.

| Method | Metric | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.1 | 1.0–1.5 | 1.5–2.0 | 2.0–3.0 | 3.0–4.0 | 4.0–5.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.57 | 78.57 | 78.57 | 78.57 | 78.21 | 78.21 | 78.21 | 78.21 | 78.57 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 12.22 | 12.22 | 12.22 | 12.22 | 12.42 | 12.42 | 12.42 | 12.42 | 12.22 |
| SimpleMKL method | DR (%) | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 77.50 | 77.50 | 77.86 | 77.86 | 76.79 | 77.50 | 77.86 | 76.79 | 77.86 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 12.83 | 12.83 | 12.63 | 12.63 | 13.24 | 12.83 | 12.63 | 13.24 | 12.63 |
| Nezhad et al.’s [16] method | DR (%) | 98.21 | 97.85 | 98.21 | 97.85 | 98.21 | 98.21 | 98.21 | 97.85 | 98.21 |
| | FR (%) | 74.29 | 74.76 | 74.29 | 74.76 | 75.71 | 74.29 | 74.29 | 74.29 | 72.38 |
| | ER (%) | 32.92 | 33.33 | 32.92 | 33.33 | 33.54 | 32.92 | 32.92 | 33.13 | 32.11 |

Column headings give the value of the random multiplier.

Table 2: Comparison results of four algorithms for narrowing the attack flow.

| Method | Metric | 0.1–0.2 | 0.2–0.3 | 0.3–0.4 | 0.4–0.5 | 0.5–0.6 | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.21 | 78.21 | 78.21 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 |
| | FR (%) | 10.99 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 17.15 | 13.04 | 12.42 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 |
| SimpleMKL method | DR (%) | 75.71 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| | FR (%) | 22.75 | 4.74 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 23.63 | 15.48 | 14.05 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 76.07 | 77.14 | 77.50 | 77.86 | 77.50 | 77.86 | 77.86 | 77.50 | 77.86 |
| | FR (%) | 22.75 | 4.74 | 1.42 | 0.47 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 23.42 | 15.07 | 13.44 | 12.83 | 12.83 | 12.63 | 12.63 | 12.83 | 12.63 |
| Nezhad et al.’s [16] method | DR (%) | 97.13 | 97.85 | 98.57 | 98.21 | 98.57 | 98.57 | 98.21 | 98.21 | 97.85 |
| | FR (%) | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 |
| | ER (%) | 33.54 | 33.13 | 32.72 | 32.92 | 32.72 | 32.72 | 32.92 | 32.92 | 33.13 |

Column headings give the value of the random multiplier.

Table 3: Comparison results of four algorithms for amplifying the normal flow.

| Method | Metric | 1.0–1.5 | 1.5–2.0 | 2.0–2.5 | 2.5–3.0 | 3.0–3.5 | 3.5–4.0 | 4.0–4.5 | 4.5–5.0 | 5.0–5.5 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.47 | 1.42 | 1.90 | 4.74 | 6.64 | 10.43 |
| | ER (%) | 12.02 | 12.02 | 12.02 | 12.22 | 12.63 | 12.83 | 14.05 | 14.87 | 16.50 |
| SimpleMKL method | DR (%) | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 |
| | FR (%) | 0.01 | 0.01 | 0.47 | 1.42 | 4.27 | 6.64 | 10.90 | 17.06 | 21.80 |
| | ER (%) | 13.04 | 13.04 | 13.24 | 13.65 | 14.87 | 15.89 | 17.72 | 20.37 | 22.40 |
| SVM method | DR (%) | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 |
| | FR (%) | 0.01 | 0.01 | 0.95 | 1.42 | 3.79 | 8.06 | 11.85 | 18.01 | 22.75 |
| | ER (%) | 12.63 | 12.63 | 13.04 | 13.24 | 14.26 | 16.09 | 17.72 | 20.37 | 22.40 |
| Nezhad et al.’s [16] method | DR (%) | 97.49 | 97.13 | 97.13 | 97.13 | 96.77 | 96.77 | 96.77 | 96.77 | 96.77 |
| | FR (%) | 65.24 | 65.24 | 66.19 | 66.67 | 66.67 | 66.67 | 67.14 | 67.14 | 67.62 |
| | ER (%) | 29.47 | 29.67 | 30.08 | 30.28 | 30.49 | 30.49 | 30.69 | 30.69 | 30.90 |

Column headings give the value of the random multiplier.

Figure 18: The FR contrast diagram of four algorithms for amplifying the normal flow. [Plot: x-axis the value of multiplier; y-axis the value of FR; series: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]

6. Conclusion

In this paper, five-dimensional features are defined for describing the burstiness of DDoS attack flows, the distribution of IP source addresses, and the interactivity of DDoS attack flows. Based on the five-dimensional features and the ensemble learning framework, adaptive feature weights are obtained, and the M-SMKL and S-SMKL multiple-kernel learning models are trained to detect DDoS attacks. To identify early attacks effectively, the sliding window mechanism is used to coordinate the S-SMKL and the M-SMKL in dealing with the detection results. Experimental results show that, compared with similar methods, our method can produce more accurate results for detecting early DDoS attacks.

In follow-up work, we will further study how to transform the multidimensional weight adaptive problem based on multiple-kernel learning into a convex optimization problem and improve the detection rate and convergence speed of the method.
Data Availability
The data used to support the findings of this study areavailable from the corresponding author upon request
Conflicts of Interest
There are no conflicts of interest in this paper
Acknowledgments
This work was supported by the Hainan Provincial Natural Science Foundation of China [2018CXTD333, 617048], the National Natural Science Foundation of China [61762033, 61702539], Hainan University Doctor Start Fund Project [kyqd1328], and Hainan University Youth Fund Project [qnjj1444].
References
[1] Z. Cai, Z. Wang, K. Zheng, and J. Cao, “A Distributed TCAM coprocessor architecture for integrated longest prefix matching, policy filtering, and content filtering,” IEEE Transactions on Computers, vol. 62, no. 3, pp. 417–427, 2013.
[2] J. H. Cui, Y. Y. Zhang, Z. P. Cai et al., “Securing display path for security-sensitive applications on mobile devices,” Computer Materials & Continua, vol. 55, no. 1, pp. 17–35, 2018.
[3] S. Liu, Z. Cai, H. Xu, and M. Xu, “Towards security-aware virtual network embedding,” Computer Networks, vol. 91, pp. 151–163, 2015.
[4] A. S. Pimpalkar and A. R. Bhagat Patil, “Detection and defense mechanisms against DDoS attacks,” in Proceedings of the International Conference on Innovations in Information, Embedded and Communication Systems, pp. 1–6, IEEE, 2015.
[5] J. R. Cheng, R. M. Xu, and X. Y. Tang, “An Abnormal Network Flow Feature Sequence Prediction Approach for DDoS Attacks Detection in Big Data Environment,” Computers, Materials & Continua, vol. 55, no. 1, pp. 95–119, 2018.
[6] N. Hoque, D. K. Bhattacharyya, and J. K. Kalita, “Botnet in DDoS attacks: trends and challenges,” IEEE Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2242–2270, 2015.
[7] K. Zeb, O. Baig, and M. K. Asif, “DDoS attacks and countermeasures in cyberspace,” in Proceedings of the 2015 2nd World Symposium on Web Applications and Networking, WSWAN ’15, pp. 1–6, IEEE, 2015.
[8] J. Shen, Z. Gui, S. Ji, J. Shen, H. Tan, and Y. Tang, “Cloud-aided lightweight certificateless authentication protocol with anonymity for wireless body area networks,” Journal of Network and Computer Applications, vol. 106, pp. 117–123, 2018.
[9] D. Kreutz, F. M. V. Ramos, P. E. Verissimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, “Software-defined networking: a comprehensive survey,” Proceedings of the IEEE, vol. 103, no. 1, pp. 14–76, 2015.
[10] Z. Zhou, M. Dong, K. Ota, G. Wang, and L. T. Yang, “Energy-efficient resource allocation for d2d communications underlaying cloud-ran-based lte-a networks,” IEEE Internet of Things Journal, vol. 3, no. 3, pp. 428–438, 2016.
[11] W. Lin, S. Xu, L. He, and J. Li, “Multi-resource scheduling and power simulation for cloud computing,” Information Sciences, vol. 397-398, pp. 168–186, 2017.
[12] W. Jiang, G. Wang, M. Z. A. Bhuiyan, and J. Wu, “Understanding graph-based trust evaluation in online social networks: Methodologies and challenges,” ACM Computing Surveys, vol. 49, no. 1, 2016.
[13] E. Luo, Q. Liu, and G. Wang, “Hierarchical Multi-Authority and Attribute-Based Encryption Friend Discovery Scheme in Mobile Social Networks,” IEEE Communications Letters, vol. 20, no. 9, pp. 1772–1775, 2016.
[14] S. Peng, A. Yang, L. Cao, S. Yu, and D. Xie, “Social influence modeling using information theory in mobile social networks,” Information Sciences, vol. 379, pp. 146–159, 2017.
[15] T. Peng, Q. Liu, D. Meng, and G. Wang, “Collaborative trajectory privacy preserving scheme in location-based services,” Information Sciences, vol. 387, pp. 165–179, 2017.
[16] S. M. T. Nezhad, M. Nazari, and E. A. Gharavol, “A Novel DoS and DDoS Attacks Detection Algorithm Using ARIMA Time Series Model and Chaotic System in Computer Networks,” IEEE Communications Letters, vol. 20, no. 4, pp. 700–703, 2016.
[17] R. H. Meng, S. G. Rice, and J. Wang, “A Fusion Steganographic Algorithm Based on Faster R-CNN,” Computers, Materials & Continua, vol. 55, no. 1, pp. 1–16, 2018.
[18] L. Sun, Z. Li, Q. Yan, W. Srisa-an, and Y. Pan, “SigPID: significant permission identification for android malware detection,” in Proceedings of the 2016 11th International Conference on Malicious and Unwanted Software (MALWARE ’16), pp. 1–8, Fajardo, Puerto Rico, USA, October 2016.
[19] C. Yuan, X. Li, Q. M. J. Wu et al., “Fingerprint Liveness Detection from Different Fingerprint Materials Using Convolutional Neural Network and Principal Component Analysis,” CMC: Computers, Materials & Continua, vol. 53, no. 3, pp. 357–371, 2017.
[20] M. I. Jordan and T. M. Mitchell, “Machine learning: trends, perspectives, and prospects,” Science, vol. 349, no. 6245, pp. 255–260, 2015.
[21] Y. Li, G. Wang, L. Nie, Q. Wang, and W. Tan, “Distance metric optimization driven convolutional neural network for age invariant face recognition,” Pattern Recognition, vol. 75, pp. 51–62, 2018.
[22] P. Li, J. Li, Z. Huang et al., “Multi-key privacy-preserving deep learning in cloud computing,” Future Generation Computer Systems, vol. 74, pp. 76–85, 2017.
[23] T. Li, J. Li, Z. Liu, P. Li, and C. Jia, “Differentially private Naive Bayes learning over multiple data sources,” Information Sciences, vol. 444, pp. 89–104, 2018.
[24] Z. Huang, S. Liu, X. Mao, K. Chen, and J. Li, “Insight of the protection for data security under selective opening attacks,” Information Sciences, vol. 412-413, pp. 223–241, 2017.
[25] C. Gao, Q. Cheng, P. He, W. Susilo, and J. Li, “Privacy-preserving Naive Bayes classifiers secure against the substitution-then-comparison attack,” Information Sciences, vol. 444, pp. 72–88, 2018.
[26] A. Saied, R. E. Overill, and T. Radzik, “Artificial neural networks in the detection of known and unknown DDoS attacks: proof-of-concept,” in Proceedings of PAAMS 2014 International Workshops (PAAMS ’14), Salamanca, Spain, 2014.
[27] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, “An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection,” Pattern Recognition Letters, vol. 51, pp. 1–7, 2015.
[28] Z. Y. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, “A system for denial-of-service attack detection based on multivariate correlation analysis,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 447–456, 2014.
[29] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, “Discriminating DDoS attacks from flash crowds using flow correlation coefficient,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 6, pp. 1073–1080, 2012.
[30] A. Wang, A. Mohaisen, W. Chang, and S. Chen, “Delving into Internet DDoS Attacks by Botnets: Characterization and Analysis,” in Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN ’15, pp. 379–390, 2015.
[31] G. D. Kumar, C. V. G. Rao, M. K. Singh, and F. Ahmad, “Using Jpcap API to monitor, analyze, and report network traffic for DDoS attacks,” in Proceedings of the 14th International Conference on Computational Science and Its Applications, ICCSA ’14, vol. 39, p. 35, 2014.
[32] K J Singh KThongam and T De ldquoEntropy-based applicationlayer DDoS attack detection using artificial neural networksrdquoEntropy vol 18 no 10 2016
[33] A Rukavitsyn K Borisenko and A Shorov ldquoSelf-learningmethod for DDoS detection model in cloud computingrdquo inProceedings of the 2017 IEEE Russia Section Young Researchers inElectrical and Electronic Engineering Conference ElConRus rsquo17pp 544ndash547 2017
[34] H Zhang Z Cai Q Liu et al ldquoA Survey on Security-AwareMeasurement in SDNrdquo Security and Communication Networksvol 2018 Article ID 2459154 14 pages 2018
[35] J Ashraf and S Latif ldquoHandling intrusion and DDoS attacksin Software Defined Networks using machine learning tech-niquesrdquo inProceedings of the 2014National Software EngineeringConference NSEC rsquo14 pp 55ndash60 Karachi Pakistan 2014
[36] I Mihai-Gabriel and P Victor-Valeriu ldquoAchieving DDoSresiliency in a software defined network by intelligent riskassessment based on neural networks and danger theoryrdquoin Proceedings of the 15th IEEE International Symposium onComputational Intelligence and Informatics CINTI rsquo14 pp 319ndash324 Hungary 2014
[37] Q Yan Q Gong and F R Yu ldquoEffective software-definednetworking controller scheduling method to mitigate DDoSattacksrdquo IEEE Electronics Letters vol 53 no 7 pp 469ndash471 2017
[38] T Chin X Mountrouidou X Li and K Xiong ldquoSelectivepacket inspection to detectDoS flooding using software definednetworking (SDN)rdquo in Proceedings of the 2015 35th IEEEInternational Conference on Distributed Computing SystemsWorkshops ICDCSW rsquo15 pp 95ndash99 2015
[39] NDayal and S Srivastava ldquoAnalyzing behavior ofDDoS attacksto identify DDoS detection features in SDNrdquo in Proceedings ofthe 9th International Conference onCommunication Systems andNetworks COMSNETS rsquo17 pp 274ndash281 2017
[40] J Ye X Cheng J Zhu L Feng and L Song ldquoA DDoSAttack Detection Method Based on SVM in Software DefinedNetworkrdquo Security and Communication Networks vol 2018Article ID 9804061 8 pages 2018
[41] J Xu L Wei Y Zhang A Wang F Zhou and C GaoldquoDynamic Fully Homomorphic encryption-based Merkle Treefor lightweight streaming authenticated data structuresrdquo Jour-nal of Network and Computer Applications vol 107 pp 113ndash1242018
[42] X Zhang Y Tan C Liang Y Li and J Li ldquoA Covert ChannelOver VoLTE via Adjusting Silence Periodsrdquo IEEE Access vol 6pp 9292ndash9302 2018
[43] Q Lin H Yan Z Huang W Chen J Shen and Y TangldquoAn ID-based linearly homomorphic signature scheme and itsapplication in blockchainrdquo IEEE Access vol 6 no 1 pp 20632ndash20640 2018
[44] Q Lin J Li Z Huang W Chen and J Shen ldquoA short linearlyhomomorphic proxy signature schemerdquo IEEE Access vol 6 pp12966ndash12972 2018
[45] J Cheng X Tang and J Yin ldquoA change-point DDoS attackdetection method based on half interaction anomaly degreerdquoInternational Journal of Autonomous and Adaptive Communi-cations Systems vol 10 no 1 pp 38ndash54 2017
[46] J R Cheng J Yin Y Liu Z Cai and C Wu ldquoDDoS AttackDetectionUsing IP Address Feature Interactionrdquo in Proceedingsof the 2009 International Conference on Intelligent Networkingand Collaborative Systems (INCOS rsquo09) pp 113ndash118 2009
[47] J Cheng B Zhang J Yin et al ldquoDDoS Attack Detection UsingThree-State Partition Based on Flow Interactionrdquo Communica-tions in Computer amp Information Science vol 29 no 4 pp 176ndash184 2009
Security and Communication Networks 19
[48] J Cheng J Yin Y Liu Z Cai and C Wu ldquoDetectingDistributed Denial of Service Attack Based on Multi-featureFusionrdquo in Security Technology vol 58 pp 132ndash139 2009
[49] J R Cheng X Tang X Zhu and J Yin ldquoDistributed denialof service attack detection based on IP Flow Interactionrdquo inProceedings of the 2011 International Conference on E-Businessand E-Government (ICEE rsquo11) pp 1ndash4 2011
[50] J Cheng J Yin and L Yun ldquoDetecting Distributed Denial ofService Attack Based on Address Correlation Valuerdquo Journal ofComputer ResearchampDevelopment vol 46 no 8 pp 1334ndash13402009
[51] J Cheng J Zhou X Tang and J Shi ldquoA distributed denial ofservice attack detectionmethod based on time series predictionmodelrdquo Network Security Technology and Application vol 10pp 71ndash89 2016
[52] A Rakotomamonjy F R Bach S Canu and Y GrandvaletldquoSimple MKLrdquo Journal of Machine Learning Research vol 9 no3 pp 2491ndash2521 2008
[53] The Cooperative Association for Internet Data Analysis TheCaida Ucsd DDoS Attack 2007 httpwwwcaidaorgdatapassiveddos-20070804 datasetxml
Figure 3: The ACD feature graph of DDoS attack flow and normal flow. (Plot: the ACD feature value versus time (s); curves: the DDoS attack feature value and the normal feature value.)

Figure 4: The IBF feature graph of DDoS attack flow and normal flow. (Plot: the IBF feature value versus time (s); curves: the DDoS attack feature value and the normal feature value.)
5.2. Experimental Results and Analysis. Five features are used to extract feature data from the attack data and the normal data, and positive as well as negative sample sets are obtained. The sampling time is set to 1 s, and the remaining parameters of the five feature extraction methods are set as follows: θ1 = 0.5, θ2 = 0.5, θ3 = 3, θ4 = 3, θ5 = 3, θ6 = 3, θ7 = 3, θ8 = 3, and θ9 = 3. The total number of normal feature values is 211, and the total number of attack feature values is 280. Figures 3–9 illustrate the feature values extracted by the five algorithms.

As illustrated in Figure 3, the early attack feature values of the DDoS attack are close to the normal feature values. This is because there are a large number of bidirectional flows in the early stage of the DDoS attack, and these bidirectional flows gradually decrease as the attack degree increases. Therefore, after 70 seconds the ACD feature significantly reflects the difference between the attack flow and the normal flow. ACD can reflect the difference between normal flow and attack flow the earliest.

As illustrated in Figure 4, compared with ACD, although IBF does not recognize the attack flow earlier, the distribution range of its feature values is more uniform and presents a certain degree of volatility. This makes the feature less susceptible to individual outliers.

As illustrated in Figure 5, the FFV feature is very similar to the ACD, but, as illustrated in Figures 6 and 7, in the initial stage the FFV is more capable of reflecting the difference between the attack flow and the normal flow than the ACD is.

Figure 5: The FFV feature graph of DDoS attack flow and normal flow. (Plot: the FFV feature value versus time (s); curves: the DDoS attack feature value and the normal feature value.)

Figure 6: The ACD feature graph of DDoS attack flow and normal flow in the first 10 seconds. (Plot: the ACD feature value versus time (s); curves: the DDoS attack feature value and the normal feature value.)
Figure 7: The FFV feature graph of DDoS attack flow and normal flow in the first 10 seconds. (Plot: the FFV feature value versus time (s); curves: the DDoS attack feature value and the normal feature value.)

Figure 8: The MFF feature graph of DDoS attack flow and normal flow. (Plot: the MFF feature value versus time (s); curves: the DDoS attack feature value and the normal feature value.)
As illustrated in Figure 8, although the MFF feature cannot distinguish the attack flow from the normal flow as early as possible, it makes the feature values of the attack stage more stable, so that it can avoid the outliers of attack flows.

As illustrated in Figure 9, it can be seen from the value of the ordinate that the HIAD best reflects the difference between the normal flow and the attack flow while having better stability in the latter half of the attack flow. After the early data, this feature can greatly distinguish between normal flow and abnormal flow, influence the classifier more, and make better decisions.
Figure 9: The HIAD feature graph of DDoS attack flow and normal flow. (Plot: the HIAD feature value, axis scaled ×10^4, versus time (s); curves: the DDoS attack feature value and the normal feature value.)

In summary, all five features have their own unique characteristics. To make full use of the characteristics of each feature, the feature values extracted by these five algorithms are each used as one dimension of a five-dimensional feature data set. Using these five feature values as training sets, two multiple-kernel learning models, dominated by gradient ascent and gradient descent respectively, are trained, and the corresponding five-dimensional feature weight vectors are obtained. Finally, according to the framework of Figure 2, the classification results of the test set are obtained and are used to verify the effectiveness of the method. The parameters of M-SMKL are set as follows: lr1 = 2 × 10^-5, lr2 = 2 × 10^-3, t1 = 1002, t2 = 10065, t3 = 1007, p1 = 0.000084, and p2 = 0.000001. The parameters of S-SMKL are set as follows: lr1 = 2 × 10^-5, lr2 = 2 × 10^-2, t4 = 73425, t5 = 78340, t6 = 78350, p3 = 0.000775, and p4 = 0.000680. The size of the sliding window is 8. The parameters for multiple-kernel learning are all default values, and the kernel function includes two Gaussian functions and two polynomial functions. The SVM parameters are all default values, and the kernel function is a linear function. The experimental results are illustrated in Figures 10–18.
As shown in Figures 10–18, under the three types of experiments and according to the three evaluation criteria, the overall performance of the algorithms from the highest to the lowest is the ADADM, the SVM method, the SMKL method, and Nezhad et al.’s method [16].

This is because, although the method described by Nezhad et al. [16] is visibly superior to other methods in terms of DR indicators, it is far worse than other methods with respect to other indicators. The reason is that the Nezhad et al. [16] method relies excessively on the first reference point. When the first reference point fluctuates, this method easily recognizes some normal samples as attack samples.
Although the classification accuracy of the attack samples is high, a large number of normal samples are misjudged, so this method is superior in terms of DR and its other indicators are inferior to those of other methods. This is why in this case the Nezhad et al. [16] method performs the worst. The effect of SVM is generally better than that of the SMKL method because, although the SMKL method coordinates multiple kernel functions to map the sample to a high-dimensional Hilbert space, the linear kernel function is obviously more suitable for the sample. Using the linear kernel, SVM can establish a better hyperplane than the SMKL method to identify the data containing early DDoS attacks. However, although the multiple-kernel learning method does not use a linear kernel function that is more suitable for the sample space, it can still maintain high accuracy, indicating that multiple-kernel learning has a lower dependence on the selection of kernel functions than the single-kernel SVM.

Figure 10: The DR contrast diagram of four algorithms for scaling attack flow and normal flow. (Plot: the value of DR versus the value of multiplier; curves: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)

Figure 11: The ER contrast diagram of four algorithms for scaling attack flow and normal flow. (Plot: the value of ER versus the value of multiplier; curves: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)

Figure 12: The FR contrast diagram of four algorithms for scaling attack flow and normal flow. (Plot: the value of FR versus the value of multiplier; curves: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)

Figure 13: The DR contrast diagram of four algorithms for narrowing the attack flow. (Plot: the value of DR versus the value of multiplier; curves: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)
We compared the ADADM to the SVM method. The ADADM method uses the same kernel function as the SMKL method. Because the multikernel learning method is flexible and adaptable, it is possible to continuously optimize the hyperplane by adjusting the weights of the feature of each dimension to recognize the DDoS as early as possible. Attack flow data and normal flow data are located on opposite sides of the hyperplane.

Figure 14: The ER contrast diagram of four algorithms for narrowing the attack flow. (Plot: the value of ER versus the value of multiplier; curves: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)

Figure 15: The FR contrast diagram of four algorithms for narrowing the attack flow. (Plot: the value of FR versus the value of multiplier; curves: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)
Figure 16: The DR contrast diagram of four algorithms for amplifying the normal flow. (Plot: the value of DR versus the value of multiplier; curves: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)

Figure 17: The ER contrast diagram of four algorithms for amplifying the normal flow. (Plot: the value of ER versus the value of multiplier; curves: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)

In addition, using the idea of ensemble learning to train two different classifiers and using the sliding window mechanism to further synthesize the advantage of each classifier improves the algorithm’s performance in the three types of experiments. The method we propose outperforms not only the SVM method but also other methods of DDoS attack detection. The experimental data are presented in Tables 1, 2, and 3.
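The trade-off discussed above, where a very high DR can hide a very high FR, can be checked against the reported numbers. The following Python sketch is an added example, not code from the article: it assumes DR is the share of attack samples detected, FR the share of normal samples flagged as attacks, and ER the share of all samples misclassified, and it takes the sample counts (211 normal, 280 attack) from Section 5.2 and the values of the 0.1–0.2 column of Table 2. All function names are illustrative.

```python
"""Audit reported DR / FR / ER percentages against the stated sample counts."""
from collections import namedtuple

# Sample counts stated in Section 5.2 of the article.
N_NORMAL = 211
N_ATTACK = 280

# One table row: detection rate, false alarm rate, reported error rate (all in %).
Row = namedtuple("Row", "method dr fr er")

# Values copied from Table 2, multiplier column 0.1-0.2.
TABLE2_FIRST_COLUMN = [
    Row("ADADM", 78.21, 10.99, 17.15),
    Row("SimpleMKL", 75.71, 22.75, 23.63),
    Row("SVM", 76.07, 22.75, 23.42),
    Row("Nezhad et al. [16]", 97.13, 74.29, 33.54),
]


def rates(detected, missed, false_alarms, passed):
    """Turn confusion counts into (DR, FR, ER) in percent.

    Assumed definitions (not restated in this part of the article):
      DR = detected attacks / all attack samples
      FR = normal samples flagged as attack / all normal samples
      ER = all misclassified samples / all samples
    """
    n_attack = detected + missed
    n_normal = false_alarms + passed
    if n_attack == 0 or n_normal == 0:
        raise ValueError("both classes must be present")
    dr = 100.0 * detected / n_attack
    fr = 100.0 * false_alarms / n_normal
    er = 100.0 * (missed + false_alarms) / (n_attack + n_normal)
    return dr, fr, er


def error_counts(row, n_attack=N_ATTACK, n_normal=N_NORMAL):
    """Approximate (missed attacks, false alarms) behind a row of percentages."""
    missed = (1.0 - row.dr / 100.0) * n_attack
    false_alarms = row.fr / 100.0 * n_normal
    return missed, false_alarms


def implied_er(row, n_attack=N_ATTACK, n_normal=N_NORMAL):
    """Error rate (%) that follows from the row's DR and FR and the class sizes."""
    missed, false_alarms = error_counts(row, n_attack, n_normal)
    return 100.0 * (missed + false_alarms) / (n_attack + n_normal)


def audit(rows, tolerance=0.05):
    """Return (method, reported ER, implied ER, consistent?) for each row.

    The tolerance, in percentage points, absorbs the rounding of the
    published two-decimal percentages.
    """
    report = []
    for row in rows:
        er = implied_er(row)
        report.append((row.method, row.er, round(er, 2), abs(er - row.er) <= tolerance))
    return report


def ranking(rows, metric):
    """Method names from best to worst: high DR is good, low FR and ER are good."""
    higher_is_better = metric == "dr"
    ordered = sorted(rows, key=lambda r: getattr(r, metric), reverse=higher_is_better)
    return [r.method for r in ordered]


if __name__ == "__main__":
    for method, reported, implied, ok in audit(TABLE2_FIRST_COLUMN):
        print(f"{method:20s} reported ER {reported:5.2f}  implied ER {implied:5.2f}  ok={ok}")
    for row in TABLE2_FIRST_COLUMN:
        missed, false_alarms = error_counts(row)
        print(f"{row.method:20s} missed attacks ~{missed:.0f}, false alarms ~{false_alarms:.0f}")
    print("best to worst by DR:", ranking(TABLE2_FIRST_COLUMN, "dr"))
    print("best to worst by ER:", ranking(TABLE2_FIRST_COLUMN, "er"))
```

Under these assumptions the reported ER values follow from DR and FR to within rounding, and ranking by ER rather than DR reproduces the ordering stated in the text.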
Table 1: Comparison results of four algorithms for scaling attack flow and normal flow. Columns give the value of the random multiplier.

| Method | Metric | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.1 | 1.0–1.5 | 1.5–2.0 | 2.0–3.0 | 3.0–4.0 | 4.0–5.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.57 | 78.57 | 78.57 | 78.57 | 78.21 | 78.21 | 78.21 | 78.21 | 78.57 |
| ADADM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| ADADM method | ER (%) | 12.22 | 12.22 | 12.22 | 12.22 | 12.42 | 12.42 | 12.42 | 12.42 | 12.22 |
| SimpleMKL method | DR (%) | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| SimpleMKL method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SimpleMKL method | ER (%) | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 77.50 | 77.50 | 77.86 | 77.86 | 76.79 | 77.50 | 77.86 | 76.79 | 77.86 |
| SVM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SVM method | ER (%) | 12.83 | 12.83 | 12.63 | 12.63 | 13.24 | 12.83 | 12.63 | 13.24 | 12.63 |
| Nezhad et al.’s [16] method | DR (%) | 98.21 | 97.85 | 98.21 | 97.85 | 98.21 | 98.21 | 98.21 | 97.85 | 98.21 |
| Nezhad et al.’s [16] method | FR (%) | 74.29 | 74.76 | 74.29 | 74.76 | 75.71 | 74.29 | 74.29 | 74.29 | 72.38 |
| Nezhad et al.’s [16] method | ER (%) | 32.92 | 33.33 | 32.92 | 33.33 | 33.54 | 32.92 | 32.92 | 33.13 | 32.11 |

Table 2: Comparison results of four algorithms for narrowing the attack flow. Columns give the value of the random multiplier.

| Method | Metric | 0.1–0.2 | 0.2–0.3 | 0.3–0.4 | 0.4–0.5 | 0.5–0.6 | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.21 | 78.21 | 78.21 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 |
| ADADM method | FR (%) | 10.99 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| ADADM method | ER (%) | 17.15 | 13.04 | 12.42 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 |
| SimpleMKL method | DR (%) | 75.71 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| SimpleMKL method | FR (%) | 22.75 | 4.74 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SimpleMKL method | ER (%) | 23.63 | 15.48 | 14.05 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 76.07 | 77.14 | 77.50 | 77.86 | 77.50 | 77.86 | 77.86 | 77.50 | 77.86 |
| SVM method | FR (%) | 22.75 | 4.74 | 1.42 | 0.47 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SVM method | ER (%) | 23.42 | 15.07 | 13.44 | 12.83 | 12.83 | 12.63 | 12.63 | 12.83 | 12.63 |
| Nezhad et al.’s [16] method | DR (%) | 97.13 | 97.85 | 98.57 | 98.21 | 98.57 | 98.57 | 98.21 | 98.21 | 97.85 |
| Nezhad et al.’s [16] method | FR (%) | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 |
| Nezhad et al.’s [16] method | ER (%) | 33.54 | 33.13 | 32.72 | 32.92 | 32.72 | 32.72 | 32.92 | 32.92 | 33.13 |

Table 3: Comparison results of four algorithms for amplifying the normal flow. Columns give the value of the random multiplier.

| Method | Metric | 1.0–1.5 | 1.5–2.0 | 2.0–2.5 | 2.5–3.0 | 3.0–3.5 | 3.5–4.0 | 4.0–4.5 | 4.5–5.0 | 5.0–5.5 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 |
| ADADM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.47 | 1.42 | 1.90 | 4.74 | 6.64 | 10.43 |
| ADADM method | ER (%) | 12.02 | 12.02 | 12.02 | 12.22 | 12.63 | 12.83 | 14.05 | 14.87 | 16.50 |
| SimpleMKL method | DR (%) | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 |
| SimpleMKL method | FR (%) | 0.01 | 0.01 | 0.47 | 1.42 | 4.27 | 6.64 | 10.90 | 17.06 | 21.80 |
| SimpleMKL method | ER (%) | 13.04 | 13.04 | 13.24 | 13.65 | 14.87 | 15.89 | 17.72 | 20.37 | 22.40 |
| SVM method | DR (%) | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 |
| SVM method | FR (%) | 0.01 | 0.01 | 0.95 | 1.42 | 3.79 | 8.06 | 11.85 | 18.01 | 22.75 |
| SVM method | ER (%) | 12.63 | 12.63 | 13.04 | 13.24 | 14.26 | 16.09 | 17.72 | 20.37 | 22.40 |
| Nezhad et al.’s [16] method | DR (%) | 97.49 | 97.13 | 97.13 | 97.13 | 96.77 | 96.77 | 96.77 | 96.77 | 96.77 |
| Nezhad et al.’s [16] method | FR (%) | 65.24 | 65.24 | 66.19 | 66.67 | 66.67 | 66.67 | 67.14 | 67.14 | 67.62 |
| Nezhad et al.’s [16] method | ER (%) | 29.47 | 29.67 | 30.08 | 30.28 | 30.49 | 30.49 | 30.69 | 30.69 | 30.90 |

Figure 18: The FR contrast diagram of four algorithms for amplifying the normal flow. (Plot: the value of FR versus the value of multiplier; curves: ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)

6. Conclusion

In this paper, five-dimensional features are defined for describing the burstiness of DDoS attack flows, the distribution of IP source addresses, and the interactivity of DDoS attack flows. Based on the five-dimensional features and the ensemble learning framework, adaptive feature weights are obtained, and the M-SMKL and S-SMKL multiple-kernel learning models are trained to detect DDoS attacks. To identify early attacks effectively, the sliding window mechanism is used to coordinate the S-SMKL and the M-SMKL to deal with the detection results. Experimental results show that, compared with similar methods, our method can produce more accurate results for detecting early DDoS attacks.
In follow-up work, we will further study how to transform the multidimensional weight adaptive problem based on multiple-kernel learning into a convex optimization problem and improve the detection rate and convergence speed of the method.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

There are no conflicts of interest in this paper.

Acknowledgments

This work was supported by the Hainan Provincial Natural Science Foundation of China [2018CXTD333, 617048], the National Natural Science Foundation of China [61762033, 61702539], Hainan University Doctor Start Fund Project [kyqd1328], and Hainan University Youth Fund Project [qnjj1444].
References
[1] Z. Cai, Z. Wang, K. Zheng, and J. Cao, “A Distributed TCAM coprocessor architecture for integrated longest prefix matching, policy filtering, and content filtering,” IEEE Transactions on Computers, vol. 62, no. 3, pp. 417–427, 2013.
[2] J. H. Cui, Y. Y. Zhang, Z. P. Cai et al., “Securing display path for security-sensitive applications on mobile devices,” Computer, Materials & Continua, vol. 55, no. 1, pp. 17–35, 2018.
[3] S. Liu, Z. Cai, H. Xu, and M. Xu, “Towards security-aware virtual network embedding,” Computer Networks, vol. 91, pp. 151–163, 2015.
[4] A. S. Pimpalkar and A. R. Bhagat Patil, “Detection and defense mechanisms against DDoS attacks,” in Proceedings of the International Conference on Innovations in Information, Embedded and Communication Systems, pp. 1–6, IEEE, 2015.
[5] J. R. Cheng, R. M. Xu, and X. Y. Tang, “An Abnormal Network Flow Feature Sequence Prediction Approach for DDoS Attacks Detection in Big Data Environment,” Computers, Materials & Continua, vol. 55, no. 1, pp. 95–119, 2018.
[6] N. Hoque, D. K. Bhattacharyya, and J. K. Kalita, “Botnet in DDoS attacks: trends and challenges,” IEEE Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2242–2270, 2015.
[7] K. Zeb, O. Baig, and M. K. Asif, “DDoS attacks and countermeasures in cyberspace,” in Proceedings of the 2015 2nd World Symposium on Web Applications and Networking, WSWAN ’15, pp. 1–6, IEEE, 2015.
[8] J. Shen, Z. Gui, S. Ji, J. Shen, H. Tan, and Y. Tang, “Cloud-aided lightweight certificateless authentication protocol with anonymity for wireless body area networks,” Journal of Network and Computer Applications, vol. 106, pp. 117–123, 2018.
[9] D. Kreutz, F. M. V. Ramos, P. E. Verissimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, “Software-defined networking: a comprehensive survey,” Proceedings of the IEEE, vol. 103, no. 1, pp. 14–76, 2015.
[10] Z. Zhou, M. Dong, K. Ota, G. Wang, and L. T. Yang, “Energy-efficient resource allocation for d2d communications underlaying cloud-ran-based lte-a networks,” IEEE Internet of Things Journal, vol. 3, no. 3, pp. 428–438, 2016.
[11] W. Lin, S. Xu, L. He, and J. Li, “Multi-resource scheduling and power simulation for cloud computing,” Information Sciences, vol. 397-398, pp. 168–186, 2017.
[12] W. Jiang, G. Wang, M. Z. A. Bhuiyan, and J. Wu, “Understanding graph-based trust evaluation in online social networks: Methodologies and challenges,” ACM Computing Surveys, vol. 49, no. 1, 2016.
[13] E. Luo, Q. Liu, and G. Wang, “Hierarchical Multi-Authority and Attribute-Based Encryption Friend Discovery Scheme in Mobile Social Networks,” IEEE Communications Letters, vol. 20, no. 9, pp. 1772–1775, 2016.
[14] S. Peng, A. Yang, L. Cao, S. Yu, and D. Xie, “Social influence modeling using information theory in mobile social networks,” Information Sciences, vol. 379, pp. 146–159, 2017.
[15] T. Peng, Q. Liu, D. Meng, and G. Wang, “Collaborative trajectory privacy preserving scheme in location-based services,” Information Sciences, vol. 387, pp. 165–179, 2017.
[16] S. M. T. Nezhad, M. Nazari, and E. A. Gharavol, “A Novel DoS and DDoS Attacks Detection Algorithm Using ARIMA Time Series Model and Chaotic System in Computer Networks,” IEEE Communications Letters, vol. 20, no. 4, pp. 700–703, 2016.
[17] R. H. Meng, S. G. Rice, and J. Wang, “A Fusion Steganographic Algorithm Based on Faster R-CNN,” Computers, Materials & Continua, vol. 55, no. 1, pp. 1–16, 2018.
[18] L. Sun, Z. Li, Q. Yan, W. Srisa-an, and Y. Pan, “SigPID: significant permission identification for android malware detection,” in Proceedings of the 2016 11th International Conference on Malicious and Unwanted Software (MALWARE ’16), pp. 1–8, Fajardo, Puerto Rico, USA, October 2016.
[19] C. Yuan, X. Li, Q. M. J. Wu et al., “Fingerprint Liveness Detection from Different Fingerprint Materials Using Convolutional Neural Network and Principal Component Analysis,” CMC: Computers, Materials & Continua, vol. 53, no. 3, pp. 357–371, 2017.
[20] M. I. Jordan and T. M. Mitchell, “Machine learning: trends, perspectives, and prospects,” Science, vol. 349, no. 6245, pp. 255–260, 2015.
[21] Y. Li, G. Wang, L. Nie, Q. Wang, and W. Tan, “Distance metric optimization driven convolutional neural network for age invariant face recognition,” Pattern Recognition, vol. 75, pp. 51–62, 2018.
[22] P. Li, J. Li, Z. Huang et al., “Multi-key privacy-preserving deep learning in cloud computing,” Future Generation Computer Systems, vol. 74, pp. 76–85, 2017.
[23] T. Li, J. Li, Z. Liu, P. Li, and C. Jia, “Differentially private Naive Bayes learning over multiple data sources,” Information Sciences, vol. 444, pp. 89–104, 2018.
[24] Z. Huang, S. Liu, X. Mao, K. Chen, and J. Li, “Insight of the protection for data security under selective opening attacks,” Information Sciences, vol. 412-413, pp. 223–241, 2017.
[25] C. Gao, Q. Cheng, P. He, W. Susilo, and J. Li, “Privacy-preserving Naive Bayes classifiers secure against the substitution-then-comparison attack,” Information Sciences, vol. 444, pp. 72–88, 2018.
[26] A. Saied, R. E. Overill, and T. Radzik, “Artificial neural networks in the detection of known and unknown DDoS attacks: proof-of-concept,” in Proceedings of PAAMS 2014 International Workshops (PAAMS ’14), Salamanca, Spain, 2014.
[27] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, “An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection,” Pattern Recognition Letters, vol. 51, pp. 1–7, 2015.
[28] Z. Y. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, “A system for denial-of-service attack detection based on multivariate correlation analysis,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 447–456, 2014.
[29] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, “Discriminating DDoS attacks from flash crowds using flow correlation coefficient,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 6, pp. 1073–1080, 2012.
[30] A. Wang, A. Mohaisen, W. Chang, and S. Chen, “Delving into Internet DDoS Attacks by Botnets: Characterization and Analysis,” in Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN ’15, pp. 379–390, 2015.
[31] G. D. Kumar, C. V. G. Rao, M. K. Singh, and F. Ahmad, “Using Jpcap API to monitor, analyze, and report network traffic for DDoS attacks,” in Proceedings of the 14th International Conference on Computational Science and Its Applications, ICCSA ’14, vol. 39, p. 35, 2014.
[32] K. J. Singh, K. Thongam, and T. De, “Entropy-based application layer DDoS attack detection using artificial neural networks,” Entropy, vol. 18, no. 10, 2016.
[33] A. Rukavitsyn, K. Borisenko, and A. Shorov, “Self-learning method for DDoS detection model in cloud computing,” in Proceedings of the 2017 IEEE Russia Section Young Researchers in Electrical and Electronic Engineering Conference, ElConRus ’17, pp. 544–547, 2017.
[34] H. Zhang, Z. Cai, Q. Liu et al., “A Survey on Security-Aware Measurement in SDN,” Security and Communication Networks, vol. 2018, Article ID 2459154, 14 pages, 2018.
[35] J. Ashraf and S. Latif, “Handling intrusion and DDoS attacks in Software Defined Networks using machine learning techniques,” in Proceedings of the 2014 National Software Engineering Conference, NSEC ’14, pp. 55–60, Karachi, Pakistan, 2014.
[36] I. Mihai-Gabriel and P. Victor-Valeriu, “Achieving DDoS resiliency in a software defined network by intelligent risk assessment based on neural networks and danger theory,” in Proceedings of the 15th IEEE International Symposium on Computational Intelligence and Informatics, CINTI ’14, pp. 319–324, Hungary, 2014.
[37] Q. Yan, Q. Gong, and F. R. Yu, “Effective software-defined networking controller scheduling method to mitigate DDoS attacks,” IEEE Electronics Letters, vol. 53, no. 7, pp. 469–471, 2017.
[38] T. Chin, X. Mountrouidou, X. Li, and K. Xiong, “Selective packet inspection to detect DoS flooding using software defined networking (SDN),” in Proceedings of the 2015 35th IEEE International Conference on Distributed Computing Systems Workshops, ICDCSW ’15, pp. 95–99, 2015.
[39] N. Dayal and S. Srivastava, “Analyzing behavior of DDoS attacks to identify DDoS detection features in SDN,” in Proceedings of the 9th International Conference on Communication Systems and Networks, COMSNETS ’17, pp. 274–281, 2017.
[40] J. Ye, X. Cheng, J. Zhu, L. Feng, and L. Song, “A DDoS Attack Detection Method Based on SVM in Software Defined Network,” Security and Communication Networks, vol. 2018, Article ID 9804061, 8 pages, 2018.
[41] J. Xu, L. Wei, Y. Zhang, A. Wang, F. Zhou, and C. Gao, “Dynamic Fully Homomorphic encryption-based Merkle Tree for lightweight streaming authenticated data structures,” Journal of Network and Computer Applications, vol. 107, pp. 113–124, 2018.
[42] X. Zhang, Y. Tan, C. Liang, Y. Li, and J. Li, “A Covert Channel Over VoLTE via Adjusting Silence Periods,” IEEE Access, vol. 6, pp. 9292–9302, 2018.
[43] Q. Lin, H. Yan, Z. Huang, W. Chen, J. Shen, and Y. Tang, “An ID-based linearly homomorphic signature scheme and its application in blockchain,” IEEE Access, vol. 6, no. 1, pp. 20632–20640, 2018.
[44] Q. Lin, J. Li, Z. Huang, W. Chen, and J. Shen, “A short linearly homomorphic proxy signature scheme,” IEEE Access, vol. 6, pp. 12966–12972, 2018.
[45] J. Cheng, X. Tang, and J. Yin, “A change-point DDoS attack detection method based on half interaction anomaly degree,” International Journal of Autonomous and Adaptive Communications Systems, vol. 10, no. 1, pp. 38–54, 2017.
[46] J. R. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, “DDoS Attack Detection Using IP Address Feature Interaction,” in Proceedings of the 2009 International Conference on Intelligent Networking and Collaborative Systems (INCOS ’09), pp. 113–118, 2009.
[47] J. Cheng, B. Zhang, J. Yin et al., “DDoS Attack Detection Using Three-State Partition Based on Flow Interaction,” Communications in Computer & Information Science, vol. 29, no. 4, pp. 176–184, 2009.
Security and Communication Networks 19
[48] J Cheng J Yin Y Liu Z Cai and C Wu ldquoDetectingDistributed Denial of Service Attack Based on Multi-featureFusionrdquo in Security Technology vol 58 pp 132ndash139 2009
[49] J R Cheng X Tang X Zhu and J Yin ldquoDistributed denialof service attack detection based on IP Flow Interactionrdquo inProceedings of the 2011 International Conference on E-Businessand E-Government (ICEE rsquo11) pp 1ndash4 2011
[50] J Cheng J Yin and L Yun ldquoDetecting Distributed Denial ofService Attack Based on Address Correlation Valuerdquo Journal ofComputer ResearchampDevelopment vol 46 no 8 pp 1334ndash13402009
[51] J Cheng J Zhou X Tang and J Shi ldquoA distributed denial ofservice attack detectionmethod based on time series predictionmodelrdquo Network Security Technology and Application vol 10pp 71ndash89 2016
[52] A Rakotomamonjy F R Bach S Canu and Y GrandvaletldquoSimple MKLrdquo Journal of Machine Learning Research vol 9 no3 pp 2491ndash2521 2008
[53] The Cooperative Association for Internet Data Analysis TheCaida Ucsd DDoS Attack 2007 httpwwwcaidaorgdatapassiveddos-20070804 datasetxml
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Security and Communication Networks 11
Figure 7: The FFV feature graph of DDoS attack flow and normal flow in the first 10 seconds. (Plot of the FFV feature value against time (s) for the DDoS attack feature value and the normal feature value.)
Figure 8: The MFF feature graph of DDoS attack flow and normal flow. (Plot of the MFF feature value against time (s) for the DDoS attack feature value and the normal feature value.)
As illustrated in Figure 8, although the MFF feature cannot distinguish the attack flow from the normal flow as early as possible, it makes the feature values of the attack stage more stable, so that outliers in the attack flows are avoided.
As illustrated in Figure 9, the values on the ordinate show that the HIAD best reflects the difference between the normal flow and the attack flow, while having better stability in the latter half of the attack flow. After the early data, this feature can distinguish strongly between normal flow and abnormal flow, influence the classifier more, and lead to better decisions.
Figure 9: The HIAD feature graph of DDoS attack flow and normal flow. (Plot of the HIAD feature value against time (s) for the DDoS attack feature value and the normal feature value.)
In summary, all five features have their own unique characteristics. To make full use of the characteristics of each feature, the feature values extracted by these five algorithms are used together as a five-dimensional-feature data set. Using these five feature values as training sets, two multiple-kernel learning models dominated by gradient ascent and gradient descent are trained, and the corresponding five-dimensional feature weight vectors are obtained. Finally, according to the framework of Figure 2, the classification results of the test set are obtained and are used to verify the effectiveness of the method. The parameters of M-SMKL are set as follows: $lr_1 = 2 \times 10^{-5}$, $lr_2 = 2 \times 10^{-3}$, $t_1 = 1002$, $t_2 = 10065$, $t_3 = 1007$, $p_1 = 0.000084$, and $p_2 = 0.000001$. The parameters of S-SMKL are set as follows: $lr_1 = 2 \times 10^{-5}$, $lr_2 = 2 \times 10^{-2}$, $t_4 = 73425$, $t_5 = 78340$, $t_6 = 78350$, $p_3 = 0.000775$, and $p_4 = 0.000680$. The size of the sliding window is 8. The parameters for multiple-kernel learning are all default values, and the kernel function includes two Gaussian functions and two polynomial functions. The SVM parameters are all default values, and the kernel function is a linear function. The experimental results are illustrated in Figures 10–18.
Figure 10: The DR contrast diagram of four algorithms for scaling attack flow and normal flow. (Plot of the DR value against the value of the multiplier for ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)
Figure 11: The ER contrast diagram of four algorithms for scaling attack flow and normal flow. (Plot of the ER value against the value of the multiplier for ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)
Figure 12: The FR contrast diagram of four algorithms for scaling attack flow and normal flow. (Plot of the FR value against the value of the multiplier for ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)
Figure 13: The DR contrast diagram of four algorithms for narrowing the attack flow. (Plot of the DR value against the value of the multiplier for ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)
As shown in Figures 10–18, under the three types of experiments and according to the three evaluation criteria, the overall performance of the algorithms, from the highest to the lowest, is the ADADM, the SVM method, the SMKL method, and Nezhad et al.’s method [16].
This is because, although the method described by Nezhad et al. [16] is visibly superior to the other methods in terms of the DR indicator, it is far worse than the other methods with respect to the other indicators. The reason is that the Nezhad et al. [16] method relies excessively on the first reference point. When the first reference point fluctuates, this method easily recognizes some normal samples as attack samples. Although the classification accuracy of the attack samples is high, a large number of normal samples are misjudged, so this method is superior in terms of DR while its other indicators are inferior to those of the other methods. This is why, in this case, the Nezhad et al. [16] method performs the worst.
The effect of SVM is generally better than that of the SMKL method because, although the SMKL method coordinates multiple kernel functions to map the sample to a high-dimensional Hilbert space, the linear kernel function is obviously more suitable for the sample. Using the linear kernel, SVM can establish a better hyperplane than the SMKL method to identify the data containing early DDoS attacks. However, although the multiple-kernel learning method does not use a linear kernel function that is more suitable for the sample space, it can still maintain high accuracy, indicating that multiple-kernel learning has a lower dependence on the selection of kernel functions than the single-kernel SVM.
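The failure mode described above for a detector that leans on its first reference point can be reproduced on a toy series. This is an added example, not code from the paper or from Nezhad et al. [16]: the two threshold detectors, the sample values, and the DR/FR/ER definitions (fraction of attack samples detected, fraction of normal samples flagged, fraction of all samples misclassified) are assumptions made for illustration.

```python
"""Added illustration (not code from the paper): why a detector anchored on
its first reference point can keep a high DR and still have poor FR and ER."""
from statistics import median

# Constructed per-interval feature values, not taken from the paper's data set.
NORMAL = [10, 11, 9, 10, 12, 10, 11, 9, 10, 11, 10, 12]
ATTACK = [40, 55, 60, 58, 62, 61, 59, 63]
LABELS = [False] * len(NORMAL) + [True] * len(ATTACK)  # True = attack sample


def rates(labels, flags):
    """Return (DR, FR, ER) as fractions.

    Assumed definitions: DR = detected attack samples / attack samples,
    FR = normal samples flagged as attack / normal samples,
    ER = misclassified samples / all samples.
    """
    pairs = list(zip(labels, flags))
    hits = sum(1 for y, f in pairs if y and f)
    false_alarms = sum(1 for y, f in pairs if not y and f)
    misses = sum(1 for y, f in pairs if y and not f)
    n_attack = sum(1 for y in labels if y)
    n_normal = len(labels) - n_attack
    if n_attack == 0 or n_normal == 0:
        raise ValueError("need at least one attack and one normal sample")
    return (hits / n_attack,
            false_alarms / n_normal,
            (false_alarms + misses) / len(labels))


def first_point_detector(series, ratio=1.5):
    """Hypothetical stand-in: flag every sample above ratio * series[0]."""
    threshold = ratio * series[0]
    return [x > threshold for x in series]


def median_baseline_detector(series, ratio=1.5, warmup=5):
    """Hypothetical contrast: threshold from the median of the first
    `warmup` samples, so one odd reference value cannot move it far."""
    if len(series) < warmup:
        raise ValueError("series shorter than the warm-up period")
    threshold = ratio * median(series[:warmup])
    return [x > threshold for x in series]


def evaluate(first_value):
    """Replace only the first reference sample, then score both detectors."""
    series = [first_value] + NORMAL[1:] + ATTACK
    return {
        "first_point": rates(LABELS, first_point_detector(series)),
        "median_baseline": rates(LABELS, median_baseline_detector(series)),
    }


if __name__ == "__main__":
    for first in (10, 5):  # steady reference point vs. one that dips
        for name, (dr, fr, er) in evaluate(first).items():
            print(f"first={first:>2} {name:<16} "
                  f"DR={dr:.2%} FR={fr:.2%} ER={er:.2%}")
```

With the dipped first sample the first-point detector still catches every attack sample, but it flags 11 of the 12 normal samples, so FR and ER rise while DR stays at its maximum.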
Figure 14: The ER contrast diagram of four algorithms for narrowing the attack flow. (Plot of the ER value against the value of the multiplier for ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)
Figure 15: The FR contrast diagram of four algorithms for narrowing the attack flow. (Plot of the FR value against the value of the multiplier for ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)
Figure 16: The DR contrast diagram of four algorithms for amplifying the normal flow. (Plot of the DR value against the value of the multiplier for ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)
Figure 17: The ER contrast diagram of four algorithms for amplifying the normal flow. (Plot of the ER value against the value of the multiplier for ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)
We compared the ADADM to the SVM method. The ADADM method uses the same kernel function as the SMKL method. Because the multikernel learning method is flexible and adaptable, it is possible to continuously optimize the hyperplane by adjusting the weights of the feature of each dimension to recognize the DDoS attack as early as possible. Attack flow data and normal flow data are located on both sides of the hyperplane.
In addition, using the idea of ensemble learning to train two different classifiers and using the sliding window mechanism to further synthesize the advantages of each classifier improves the algorithm’s performance in the three types of experiments. The method we propose outperforms not only the SVM method but also other methods of DDoS attack detection. The experimental data are presented in Tables 1, 2, and 3.
Figure 18: The FR contrast diagram of four algorithms for amplifying the normal flow. (Plot of the FR value against the value of the multiplier for ADADM, SimpleMKL, SVM, and Nezhad et al. [16].)

Table 1: Comparison results of four algorithms for scaling attack flow and normal flow. Column headings give the value of the random multiplier.

| Method | Metric | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.1 | 1.0–1.5 | 1.5–2.0 | 2.0–3.0 | 3.0–4.0 | 4.0–5.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.57 | 78.57 | 78.57 | 78.57 | 78.21 | 78.21 | 78.21 | 78.21 | 78.57 |
| ADADM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| ADADM method | ER (%) | 12.22 | 12.22 | 12.22 | 12.22 | 12.42 | 12.42 | 12.42 | 12.42 | 12.22 |
| SimpleMKL method | DR (%) | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| SimpleMKL method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SimpleMKL method | ER (%) | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 77.50 | 77.50 | 77.86 | 77.86 | 76.79 | 77.50 | 77.86 | 76.79 | 77.86 |
| SVM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SVM method | ER (%) | 12.83 | 12.83 | 12.63 | 12.63 | 13.24 | 12.83 | 12.63 | 13.24 | 12.63 |
| Nezhad et al.’s [16] method | DR (%) | 98.21 | 97.85 | 98.21 | 97.85 | 98.21 | 98.21 | 98.21 | 97.85 | 98.21 |
| Nezhad et al.’s [16] method | FR (%) | 74.29 | 74.76 | 74.29 | 74.76 | 75.71 | 74.29 | 74.29 | 74.29 | 72.38 |
| Nezhad et al.’s [16] method | ER (%) | 32.92 | 33.33 | 32.92 | 33.33 | 33.54 | 32.92 | 32.92 | 33.13 | 32.11 |

Table 2: Comparison results of four algorithms for narrowing the attack flow. Column headings give the value of the random multiplier.

| Method | Metric | 0.1–0.2 | 0.2–0.3 | 0.3–0.4 | 0.4–0.5 | 0.5–0.6 | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.21 | 78.21 | 78.21 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 |
| ADADM method | FR (%) | 10.99 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| ADADM method | ER (%) | 17.15 | 13.04 | 12.42 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 |
| SimpleMKL method | DR (%) | 75.71 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| SimpleMKL method | FR (%) | 22.75 | 4.74 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SimpleMKL method | ER (%) | 23.63 | 15.48 | 14.05 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 76.07 | 77.14 | 77.50 | 77.86 | 77.50 | 77.86 | 77.86 | 77.50 | 77.86 |
| SVM method | FR (%) | 22.75 | 4.74 | 1.42 | 0.47 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SVM method | ER (%) | 23.42 | 15.07 | 13.44 | 12.83 | 12.83 | 12.63 | 12.63 | 12.83 | 12.63 |
| Nezhad et al.’s [16] method | DR (%) | 97.13 | 97.85 | 98.57 | 98.21 | 98.57 | 98.57 | 98.21 | 98.21 | 97.85 |
| Nezhad et al.’s [16] method | FR (%) | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 |
| Nezhad et al.’s [16] method | ER (%) | 33.54 | 33.13 | 32.72 | 32.92 | 32.72 | 32.72 | 32.92 | 32.92 | 33.13 |

Table 3: Comparison results of four algorithms for amplifying the normal flow. Column headings give the value of the random multiplier.

| Method | Metric | 1.0–1.5 | 1.5–2.0 | 2.0–2.5 | 2.5–3.0 | 3.0–3.5 | 3.5–4.0 | 4.0–4.5 | 4.5–5.0 | 5.0–5.5 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 |
| ADADM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.47 | 1.42 | 1.90 | 4.74 | 6.64 | 10.43 |
| ADADM method | ER (%) | 12.02 | 12.02 | 12.02 | 12.22 | 12.63 | 12.83 | 14.05 | 14.87 | 16.50 |
| SimpleMKL method | DR (%) | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 |
| SimpleMKL method | FR (%) | 0.01 | 0.01 | 0.47 | 1.42 | 4.27 | 6.64 | 10.90 | 17.06 | 21.80 |
| SimpleMKL method | ER (%) | 13.04 | 13.04 | 13.24 | 13.65 | 14.87 | 15.89 | 17.72 | 20.37 | 22.40 |
| SVM method | DR (%) | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 |
| SVM method | FR (%) | 0.01 | 0.01 | 0.95 | 1.42 | 3.79 | 8.06 | 11.85 | 18.01 | 22.75 |
| SVM method | ER (%) | 12.63 | 12.63 | 13.04 | 13.24 | 14.26 | 16.09 | 17.72 | 20.37 | 22.40 |
| Nezhad et al.’s [16] method | DR (%) | 97.49 | 97.13 | 97.13 | 97.13 | 96.77 | 96.77 | 96.77 | 96.77 | 96.77 |
| Nezhad et al.’s [16] method | FR (%) | 65.24 | 65.24 | 66.19 | 66.67 | 66.67 | 66.67 | 67.14 | 67.14 | 67.62 |
| Nezhad et al.’s [16] method | ER (%) | 29.47 | 29.67 | 30.08 | 30.28 | 30.49 | 30.49 | 30.69 | 30.69 | 30.90 |

6. Conclusion
In this paper, five-dimensional features are defined for describing the burstiness of DDoS attack flows, the distribution of IP source addresses, and the interactivity of DDoS attack flows. Based on the five-dimensional features and the ensemble learning framework, adaptive feature weights are obtained, and the M-SMKL and S-SMKL multiple-kernel learning models are trained to detect DDoS attacks. To identify early attacks effectively, the sliding window mechanism is used to coordinate the S-SMKL and the M-SMKL in dealing with the detection results. Experimental results show that, compared with similar methods, our method can produce more accurate results for detecting early DDoS attacks.
In the follow-up work, we will further study how to transform the multidimensional weight adaptive problem based on multiple-kernel learning into a convex optimization problem and improve the detection rate and convergence speed of the method.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
There are no conflicts of interest in this paper
Acknowledgments
This work was supported by the Hainan Provincial Natural Science Foundation of China [2018CXTD333, 617048], the National Natural Science Foundation of China [61762033, 61702539], Hainan University Doctor Start Fund Project [kyqd1328], and Hainan University Youth Fund Project [qnjj1444].
References
[1] Z. Cai, Z. Wang, K. Zheng, and J. Cao, “A Distributed TCAM coprocessor architecture for integrated longest prefix matching, policy filtering, and content filtering,” IEEE Transactions on Computers, vol. 62, no. 3, pp. 417–427, 2013.
[2] J. H. Cui, Y. Y. Zhang, Z. P. Cai et al., “Securing display path for security-sensitive applications on mobile devices,” Computer, Materials & Continua, vol. 55, no. 1, pp. 17–35, 2018.
[3] S. Liu, Z. Cai, H. Xu, and M. Xu, “Towards security-aware virtual network embedding,” Computer Networks, vol. 91, pp. 151–163, 2015.
[4] A. S. Pimpalkar and A. R. Bhagat Patil, “Detection and defense mechanisms against DDoS attacks,” in Proceedings of the International Conference on Innovations in Information, Embedded and Communication Systems, pp. 1–6, IEEE, 2015.
[5] J. R. Cheng, R. M. Xu, and X. Y. Tang, “An Abnormal Network Flow Feature Sequence Prediction Approach for DDoS Attacks Detection in Big Data Environment,” Computers, Materials & Continua, vol. 55, no. 1, pp. 95–119, 2018.
[6] N. Hoque, D. K. Bhattacharyya, and J. K. Kalita, “Botnet in DDoS attacks: trends and challenges,” IEEE Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2242–2270, 2015.
[7] K. Zeb, O. Baig, and M. K. Asif, “DDoS attacks and countermeasures in cyberspace,” in Proceedings of the 2015 2nd World Symposium on Web Applications and Networking, WSWAN ’15, pp. 1–6, IEEE, 2015.
[8] J. Shen, Z. Gui, S. Ji, J. Shen, H. Tan, and Y. Tang, “Cloud-aided lightweight certificateless authentication protocol with anonymity for wireless body area networks,” Journal of Network and Computer Applications, vol. 106, pp. 117–123, 2018.
[9] D. Kreutz, F. M. V. Ramos, P. E. Verissimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, “Software-defined networking: a comprehensive survey,” Proceedings of the IEEE, vol. 103, no. 1, pp. 14–76, 2015.
[10] Z. Zhou, M. Dong, K. Ota, G. Wang, and L. T. Yang, “Energy-efficient resource allocation for d2d communications underlaying cloud-ran-based lte-a networks,” IEEE Internet of Things Journal, vol. 3, no. 3, pp. 428–438, 2016.
[11] W. Lin, S. Xu, L. He, and J. Li, “Multi-resource scheduling and power simulation for cloud computing,” Information Sciences, vol. 397-398, pp. 168–186, 2017.
[12] W. Jiang, G. Wang, M. Z. A. Bhuiyan, and J. Wu, “Understanding graph-based trust evaluation in online social networks: Methodologies and challenges,” ACM Computing Surveys, vol. 49, no. 1, 2016.
[13] E. Luo, Q. Liu, and G. Wang, “Hierarchical Multi-Authority and Attribute-Based Encryption Friend Discovery Scheme in Mobile Social Networks,” IEEE Communications Letters, vol. 20, no. 9, pp. 1772–1775, 2016.
[14] S. Peng, A. Yang, L. Cao, S. Yu, and D. Xie, “Social influence modeling using information theory in mobile social networks,” Information Sciences, vol. 379, pp. 146–159, 2017.
[15] T. Peng, Q. Liu, D. Meng, and G. Wang, “Collaborative trajectory privacy preserving scheme in location-based services,” Information Sciences, vol. 387, pp. 165–179, 2017.
[16] S. M. T. Nezhad, M. Nazari, and E. A. Gharavol, “A Novel DoS and DDoS Attacks Detection Algorithm Using ARIMA Time Series Model and Chaotic System in Computer Networks,” IEEE Communications Letters, vol. 20, no. 4, pp. 700–703, 2016.
[17] R. H. Meng, S. G. Rice, and J. Wang, “A Fusion Steganographic Algorithm Based on Faster R-CNN,” Computers, Materials & Continua, vol. 55, no. 1, pp. 1–16, 2018.
[18] L. Sun, Z. Li, Q. Yan, W. Srisa-an, and Y. Pan, “SigPID: significant permission identification for android malware detection,” in Proceedings of the 2016 11th International Conference on Malicious and Unwanted Software (MALWARE ’16), pp. 1–8, Fajardo, Puerto Rico, USA, October 2016.
[19] C. Yuan, X. Li, Q. M. J. Wu et al., “Fingerprint Liveness Detection from Different Fingerprint Materials Using Convolutional Neural Network and Principal Component Analysis,” CMC: Computers, Materials & Continua, vol. 53, no. 3, pp. 357–371, 2017.
[20] M. I. Jordan and T. M. Mitchell, “Machine learning: trends, perspectives, and prospects,” Science, vol. 349, no. 6245, pp. 255–260, 2015.
[21] Y. Li, G. Wang, L. Nie, Q. Wang, and W. Tan, “Distance metric optimization driven convolutional neural network for age invariant face recognition,” Pattern Recognition, vol. 75, pp. 51–62, 2018.
[22] P. Li, J. Li, Z. Huang et al., “Multi-key privacy-preserving deep learning in cloud computing,” Future Generation Computer Systems, vol. 74, pp. 76–85, 2017.
[23] T. Li, J. Li, Z. Liu, P. Li, and C. Jia, “Differentially private Naive Bayes learning over multiple data sources,” Information Sciences, vol. 444, pp. 89–104, 2018.
[24] Z. Huang, S. Liu, X. Mao, K. Chen, and J. Li, “Insight of the protection for data security under selective opening attacks,” Information Sciences, vol. 412-413, pp. 223–241, 2017.
[25] C. Gao, Q. Cheng, P. He, W. Susilo, and J. Li, “Privacy-preserving Naive Bayes classifiers secure against the substitution-then-comparison attack,” Information Sciences, vol. 444, pp. 72–88, 2018.
[26] A. Saied, R. E. Overill, and T. Radzik, “Artificial neural networks in the detection of known and unknown DDoS attacks: proof-of-concept,” in Proceedings of PAAMS 2014 International Workshops (PAAMS ’14), Salamanca, Spain, 2014.
[27] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, “An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection,” Pattern Recognition Letters, vol. 51, pp. 1–7, 2015.
[28] Z. Y. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, “A system for denial-of-service attack detection based on multivariate correlation analysis,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 447–456, 2014.
[29] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, “Discriminating DDoS attacks from flash crowds using flow correlation coefficient,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 6, pp. 1073–1080, 2012.
[30] A. Wang, A. Mohaisen, W. Chang, and S. Chen, “Delving into Internet DDoS Attacks by Botnets: Characterization and Analysis,” in Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN ’15, pp. 379–390, 2015.
[31] G. D. Kumar, C. V. G. Rao, M. K. Singh, and F. Ahmad, “Using Jpcap API to monitor, analyze, and report network traffic for DDoS attacks,” in Proceedings of the 14th International Conference on Computational Science and Its Applications, ICCSA ’14, vol. 39, p. 35, 2014.
[32] K. J. Singh, K. Thongam, and T. De, “Entropy-based application layer DDoS attack detection using artificial neural networks,” Entropy, vol. 18, no. 10, 2016.
[33] A. Rukavitsyn, K. Borisenko, and A. Shorov, “Self-learning method for DDoS detection model in cloud computing,” in Proceedings of the 2017 IEEE Russia Section Young Researchers in Electrical and Electronic Engineering Conference, ElConRus ’17, pp. 544–547, 2017.
[34] H. Zhang, Z. Cai, Q. Liu et al., “A Survey on Security-Aware Measurement in SDN,” Security and Communication Networks, vol. 2018, Article ID 2459154, 14 pages, 2018.
[35] J. Ashraf and S. Latif, “Handling intrusion and DDoS attacks in Software Defined Networks using machine learning techniques,” in Proceedings of the 2014 National Software Engineering Conference, NSEC ’14, pp. 55–60, Karachi, Pakistan, 2014.
[36] I. Mihai-Gabriel and P. Victor-Valeriu, “Achieving DDoS resiliency in a software defined network by intelligent risk assessment based on neural networks and danger theory,” in Proceedings of the 15th IEEE International Symposium on Computational Intelligence and Informatics, CINTI ’14, pp. 319–324, Hungary, 2014.
[37] Q. Yan, Q. Gong, and F. R. Yu, “Effective software-defined networking controller scheduling method to mitigate DDoS attacks,” IEEE Electronics Letters, vol. 53, no. 7, pp. 469–471, 2017.
[38] T. Chin, X. Mountrouidou, X. Li, and K. Xiong, “Selective packet inspection to detect DoS flooding using software defined networking (SDN),” in Proceedings of the 2015 35th IEEE International Conference on Distributed Computing Systems Workshops, ICDCSW ’15, pp. 95–99, 2015.
[39] N. Dayal and S. Srivastava, “Analyzing behavior of DDoS attacks to identify DDoS detection features in SDN,” in Proceedings of the 9th International Conference on Communication Systems and Networks, COMSNETS ’17, pp. 274–281, 2017.
[40] J. Ye, X. Cheng, J. Zhu, L. Feng, and L. Song, “A DDoS Attack Detection Method Based on SVM in Software Defined Network,” Security and Communication Networks, vol. 2018, Article ID 9804061, 8 pages, 2018.
[41] J. Xu, L. Wei, Y. Zhang, A. Wang, F. Zhou, and C. Gao, “Dynamic Fully Homomorphic encryption-based Merkle Tree for lightweight streaming authenticated data structures,” Journal of Network and Computer Applications, vol. 107, pp. 113–124, 2018.
[42] X. Zhang, Y. Tan, C. Liang, Y. Li, and J. Li, “A Covert Channel Over VoLTE via Adjusting Silence Periods,” IEEE Access, vol. 6, pp. 9292–9302, 2018.
[43] Q. Lin, H. Yan, Z. Huang, W. Chen, J. Shen, and Y. Tang, “An ID-based linearly homomorphic signature scheme and its application in blockchain,” IEEE Access, vol. 6, no. 1, pp. 20632–20640, 2018.
[44] Q. Lin, J. Li, Z. Huang, W. Chen, and J. Shen, “A short linearly homomorphic proxy signature scheme,” IEEE Access, vol. 6, pp. 12966–12972, 2018.
[45] J. Cheng, X. Tang, and J. Yin, “A change-point DDoS attack detection method based on half interaction anomaly degree,” International Journal of Autonomous and Adaptive Communications Systems, vol. 10, no. 1, pp. 38–54, 2017.
[46] J. R. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, “DDoS Attack Detection Using IP Address Feature Interaction,” in Proceedings of the 2009 International Conference on Intelligent Networking and Collaborative Systems (INCOS ’09), pp. 113–118, 2009.
[47] J. Cheng, B. Zhang, J. Yin et al., “DDoS Attack Detection Using Three-State Partition Based on Flow Interaction,” Communications in Computer & Information Science, vol. 29, no. 4, pp. 176–184, 2009.
[48] J. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, “Detecting Distributed Denial of Service Attack Based on Multi-feature Fusion,” in Security Technology, vol. 58, pp. 132–139, 2009.
[49] J. R. Cheng, X. Tang, X. Zhu, and J. Yin, “Distributed denial of service attack detection based on IP Flow Interaction,” in Proceedings of the 2011 International Conference on E-Business and E-Government (ICEE ’11), pp. 1–4, 2011.
[50] J. Cheng, J. Yin, and L. Yun, “Detecting Distributed Denial of Service Attack Based on Address Correlation Value,” Journal of Computer Research & Development, vol. 46, no. 8, pp. 1334–1340, 2009.
[51] J. Cheng, J. Zhou, X. Tang, and J. Shi, “A distributed denial of service attack detection method based on time series prediction model,” Network Security Technology and Application, vol. 10, pp. 71–89, 2016.
[52] A. Rakotomamonjy, F. R. Bach, S. Canu, and Y. Grandvalet, “Simple MKL,” Journal of Machine Learning Research, vol. 9, no. 3, pp. 2491–2521, 2008.
[53] The Cooperative Association for Internet Data Analysis, The Caida Ucsd DDoS Attack 2007, http://www.caida.org/data/passive/ddos-20070804_dataset.xml.
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
12 Security and Communication Networks
06-07 40-5030-4020-3015-2010-1509-1108-0907-08
The value of multiplier
075
08
085
09
095
1
The v
alue
of D
R
The DR value of ADADMThe DR value of SimpleMKLThe DR value of SVMThe DR value of Nezhad et al [16]
Figure 10 The DR contrast diagram of four algorithms for scalingattack flow and normal flow
06-07 40-5030-4020-3015-2010-1509-1108-0907-08
The value of multiplier
01
015
02
025
03
035
The v
alue
of E
R
The ER value of ADADMThe ER value of SimpleMKLThe ER value of SVMThe ER value of Nezhad et al [16]
Figure 11 The ER contrast diagram of four algorithms for scalingattack flow and normal flow
why in this case the Nezhad et al [16] method performsthe worst The effect of SVM is generally better than thatof the SMKL method because although the SMKL methodcoordinates multiple-kernel functions to map the sample toa high-dimensional Hilbert space the linear kernel functionis obviously more suitable for the sample Using the linearkernel SVM can establish a better hyperplane than the SMKLmethod to identify the data containing early DDoS attacksHowever although themultiple-kernel learning method doesnot use a linear kernel function that is more suitable for the
06-07 40-5030-4020-3015-2010-1509-1108-0907-08
The value of multiplier
0
01
02
03
04
05
06
07
08
The v
alue
of F
R
The FR value of ADADMThe FR value of SimpleMKLThe FR value of SVMThe FR value of Nezhad et al [16]
Figure 12 The FR contrast diagram of four algorithms for scalingattack flow and normal flow
075
08
085
09
095
1
The v
alue
of D
R
The DR value of ADADMThe DR value of SimpleMKLThe DR value of SVMThe DR value of Nezhad et al [16]
The value of multiplier01-02 09-1008-0907-0806-0705-0604-0503-0402-03
Figure 13 The DR contrast diagram of four algorithms for narrow-ing the attack flow
sample space it can still maintain high accuracy indicatingthat multiple-kernel learning has a lower dependence onthe selection of kernel functions than the single-kernelSVM
We compared the ADADM to the SVM method TheADADM method uses the same kernel function as SMKLmethod Because the multikernel learning method is flexibleand adaptable it is possible to continuously optimize thehyperplane by adjusting the weights of the feature of eachdimension to recognize the DDoS as early as possible Attack
Security and Communication Networks 13
The value of multiplier01-02 09-1008-0907-0806-0705-0604-0503-0402-03
01
015
02
025
03
035
The v
alue
of E
R
The ER value of ADADMThe ER value of SimpleMKLThe ER value of SVMThe ER value of Nezhad et al [16]
Figure 14 The ER contrast diagram of four algorithms for narrow-ing the attack flow
0
01
02
03
04
05
06
07
08
The v
alue
of F
R
The FR value of ADADMThe FR value of SimpleMKLThe FR value of SVMThe FR value of Nezhad et al [16]
The value of multiplier01-02 09-1008-0907-0806-0705-0604-0503-0402-03
Figure 15 The FR contrast diagram of four algorithms for narrow-ing the attack flow
flow data and normal flow data are located on both sides ofthe hyperplane
In addition using the idea of ensemble learning to traintwo different classifiers and using the sliding window mech-anism to further synthesize the advantage of each classifierimproves the algorithmrsquos performance in the three types ofexperiments This method we propose outperforms not onlythe SVM method but also other methods of DDoS attack
075
08
085
09
095
1
The v
alue
of D
R
The DR value of ADADMThe DR value of SimpleMKLThe DR value of SVMThe DR value of Nezhad et al [16]
10-15 50-5545-5040-4535-4030-3525-3020-2515-20
The value of multiplier
Figure 16TheDR contrast diagram of four algorithms for amplify-ing the normal flow
012
014
016
018
02
022
024
026
028
03
032
The v
alue
of E
R
The value of multiplier
The ER value of ADADMThe ER value of SimpleMKLThe ER value of SVMThe ER value of Nezhad et al [16]
10-15 50-5545-5040-4535-4030-3525-3020-2515-20
Figure 17 The ER contrast diagram of four algorithms for amplify-ing the normal flow
detection The experimental data are presented in Tables 12 and 3
Table 1: Comparison results of four algorithms for scaling attack flow and normal flow. Columns give the value of the random multiplier.

| Method | Metric | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.1 | 1.0–1.5 | 1.5–2.0 | 2.0–3.0 | 3.0–4.0 | 4.0–5.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.57 | 78.57 | 78.57 | 78.57 | 78.21 | 78.21 | 78.21 | 78.21 | 78.57 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 12.22 | 12.22 | 12.22 | 12.22 | 12.42 | 12.42 | 12.42 | 12.42 | 12.22 |
| SimpleMKL method | DR (%) | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 77.50 | 77.50 | 77.86 | 77.86 | 76.79 | 77.50 | 77.86 | 76.79 | 77.86 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 12.83 | 12.83 | 12.63 | 12.63 | 13.24 | 12.83 | 12.63 | 13.24 | 12.63 |
| Nezhad et al.'s [16] method | DR (%) | 98.21 | 97.85 | 98.21 | 97.85 | 98.21 | 98.21 | 98.21 | 97.85 | 98.21 |
| | FR (%) | 74.29 | 74.76 | 74.29 | 74.76 | 75.71 | 74.29 | 74.29 | 74.29 | 72.38 |
| | ER (%) | 32.92 | 33.33 | 32.92 | 33.33 | 33.54 | 32.92 | 32.92 | 33.13 | 32.11 |

Table 2: Comparison results of four algorithms for narrowing the attack flow. Columns give the value of the random multiplier.

| Method | Metric | 0.1–0.2 | 0.2–0.3 | 0.3–0.4 | 0.4–0.5 | 0.5–0.6 | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.21 | 78.21 | 78.21 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 |
| | FR (%) | 10.99 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 17.15 | 13.04 | 12.42 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 |
| SimpleMKL method | DR (%) | 75.71 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| | FR (%) | 22.75 | 4.74 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 23.63 | 15.48 | 14.05 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 76.07 | 77.14 | 77.50 | 77.86 | 77.50 | 77.86 | 77.86 | 77.50 | 77.86 |
| | FR (%) | 22.75 | 4.74 | 1.42 | 0.47 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| | ER (%) | 23.42 | 15.07 | 13.44 | 12.83 | 12.83 | 12.63 | 12.63 | 12.83 | 12.63 |
| Nezhad et al.'s [16] method | DR (%) | 97.13 | 97.85 | 98.57 | 98.21 | 98.57 | 98.57 | 98.21 | 98.21 | 97.85 |
| | FR (%) | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 |
| | ER (%) | 33.54 | 33.13 | 32.72 | 32.92 | 32.72 | 32.72 | 32.92 | 32.92 | 33.13 |

Table 3: Comparison results of four algorithms for amplifying the normal flow. Columns give the value of the random multiplier.

| Method | Metric | 1.0–1.5 | 1.5–2.0 | 2.0–2.5 | 2.5–3.0 | 3.0–3.5 | 3.5–4.0 | 4.0–4.5 | 4.5–5.0 | 5.0–5.5 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 |
| | FR (%) | 0.01 | 0.01 | 0.01 | 0.47 | 1.42 | 1.90 | 4.74 | 6.64 | 10.43 |
| | ER (%) | 12.02 | 12.02 | 12.02 | 12.22 | 12.63 | 12.83 | 14.05 | 14.87 | 16.50 |
| SimpleMKL method | DR (%) | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 |
| | FR (%) | 0.01 | 0.01 | 0.47 | 1.42 | 4.27 | 6.64 | 10.90 | 17.06 | 21.80 |
| | ER (%) | 13.04 | 13.04 | 13.24 | 13.65 | 14.87 | 15.89 | 17.72 | 20.37 | 22.40 |
| SVM method | DR (%) | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 |
| | FR (%) | 0.01 | 0.01 | 0.95 | 1.42 | 3.79 | 8.06 | 11.85 | 18.01 | 22.75 |
| | ER (%) | 12.63 | 12.63 | 13.04 | 13.24 | 14.26 | 16.09 | 17.72 | 20.37 | 22.40 |
| Nezhad et al.'s [16] method | DR (%) | 97.49 | 97.13 | 97.13 | 97.13 | 96.77 | 96.77 | 96.77 | 96.77 | 96.77 |
| | FR (%) | 65.24 | 65.24 | 66.19 | 66.67 | 66.67 | 66.67 | 67.14 | 67.14 | 67.62 |
| | ER (%) | 29.47 | 29.67 | 30.08 | 30.28 | 30.49 | 30.49 | 30.69 | 30.69 | 30.90 |

Figure 18: The FR contrast diagram of four algorithms for amplifying the normal flow (the value of FR against the value of multiplier for ADADM, SimpleMKL, SVM, and Nezhad et al. [16]).

6. Conclusion

In this paper, five-dimensional features are defined for describing the burstiness of DDoS attack flows, the distribution of IP source addresses, and the interactivity of DDoS attack flows. Based on the five-dimensional features and the ensemble learning framework, adaptive feature weights are obtained, and the M-SMKL and S-SMKL multiple-kernel learning models are trained to detect DDoS attacks. To identify early attacks effectively, the sliding window mechanism is used to coordinate the S-SMKL and the M-SMKL to deal with the detection results. Experimental results show that, compared with similar methods, our method can produce more accurate results for detecting early DDoS attacks.
In the follow-up work, we will further study how to transform the multidimensional weight adaptive problem based on multiple-kernel learning into a convex optimization problem and improve the detection rate and convergence speed of the method.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
There are no conflicts of interest in this paper.
Acknowledgments
This work was supported by the Hainan Provincial Natural Science Foundation of China [2018CXTD333, 617048], the National Natural Science Foundation of China [61762033, 61702539], Hainan University Doctor Start Fund Project [kyqd1328], and Hainan University Youth Fund Project [qnjj1444].
References
[1] Z. Cai, Z. Wang, K. Zheng, and J. Cao, “A Distributed TCAM coprocessor architecture for integrated longest prefix matching, policy filtering, and content filtering,” IEEE Transactions on Computers, vol. 62, no. 3, pp. 417–427, 2013.
[2] J. H. Cui, Y. Y. Zhang, Z. P. Cai et al., “Securing display path for security-sensitive applications on mobile devices,” Computer Materials & Continua, vol. 55, no. 1, pp. 17–35, 2018.
[3] S. Liu, Z. Cai, H. Xu, and M. Xu, “Towards security-aware virtual network embedding,” Computer Networks, vol. 91, pp. 151–163, 2015.
[4] A. S. Pimpalkar and A. R. Bhagat Patil, “Detection and defense mechanisms against DDoS attacks,” in Proceedings of the International Conference on Innovations in Information, Embedded and Communication Systems, pp. 1–6, IEEE, 2015.
[5] J. R. Cheng, R. M. Xu, and X. Y. Tang, “An Abnormal Network Flow Feature Sequence Prediction Approach for DDoS Attacks Detection in Big Data Environment,” Computers, Materials & Continua, vol. 55, no. 1, pp. 95–119, 2018.
[6] N. Hoque, D. K. Bhattacharyya, and J. K. Kalita, “Botnet in DDoS attacks: trends and challenges,” IEEE Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2242–2270, 2015.
[7] K. Zeb, O. Baig, and M. K. Asif, “DDoS attacks and countermeasures in cyberspace,” in Proceedings of the 2015 2nd World Symposium on Web Applications and Networking, WSWAN ’15, pp. 1–6, IEEE, 2015.
[8] J. Shen, Z. Gui, S. Ji, J. Shen, H. Tan, and Y. Tang, “Cloud-aided lightweight certificateless authentication protocol with anonymity for wireless body area networks,” Journal of Network and Computer Applications, vol. 106, pp. 117–123, 2018.
[9] D. Kreutz, F. M. V. Ramos, P. E. Verissimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, “Software-defined networking: a comprehensive survey,” Proceedings of the IEEE, vol. 103, no. 1, pp. 14–76, 2015.
[10] Z. Zhou, M. Dong, K. Ota, G. Wang, and L. T. Yang, “Energy-efficient resource allocation for d2d communications underlaying cloud-ran-based lte-a networks,” IEEE Internet of Things Journal, vol. 3, no. 3, pp. 428–438, 2016.
[11] W. Lin, S. Xu, L. He, and J. Li, “Multi-resource scheduling and power simulation for cloud computing,” Information Sciences, vol. 397-398, pp. 168–186, 2017.
[12] W. Jiang, G. Wang, M. Z. A. Bhuiyan, and J. Wu, “Understanding graph-based trust evaluation in online social networks: Methodologies and challenges,” ACM Computing Surveys, vol. 49, no. 1, 2016.
[13] E. Luo, Q. Liu, and G. Wang, “Hierarchical Multi-Authority and Attribute-Based Encryption Friend Discovery Scheme in Mobile Social Networks,” IEEE Communications Letters, vol. 20, no. 9, pp. 1772–1775, 2016.
[14] S. Peng, A. Yang, L. Cao, S. Yu, and D. Xie, “Social influence modeling using information theory in mobile social networks,” Information Sciences, vol. 379, pp. 146–159, 2017.
[15] T. Peng, Q. Liu, D. Meng, and G. Wang, “Collaborative trajectory privacy preserving scheme in location-based services,” Information Sciences, vol. 387, pp. 165–179, 2017.
[16] S. M. T. Nezhad, M. Nazari, and E. A. Gharavol, “A Novel DoS and DDoS Attacks Detection Algorithm Using ARIMA Time Series Model and Chaotic System in Computer Networks,” IEEE Communications Letters, vol. 20, no. 4, pp. 700–703, 2016.
[17] R. H. Meng, S. G. Rice, and J. Wang, “A Fusion Steganographic Algorithm Based on Faster R-CNN,” Computers, Materials & Continua, vol. 55, no. 1, pp. 1–16, 2018.
[18] L. Sun, Z. Li, Q. Yan, W. Srisa-an, and Y. Pan, “SigPID: significant permission identification for android malware detection,” in Proceedings of the 2016 11th International Conference on Malicious and Unwanted Software (MALWARE ’16), pp. 1–8, Fajardo, Puerto Rico, USA, October 2016.
[19] C. Yuan, X. Li, Q. M. J. Wu et al., “Fingerprint Liveness Detection from Different Fingerprint Materials Using Convolutional Neural Network and Principal Component Analysis,” CMC: Computers, Materials & Continua, vol. 53, no. 3, pp. 357–371, 2017.
[20] M. I. Jordan and T. M. Mitchell, “Machine learning: trends, perspectives, and prospects,” Science, vol. 349, no. 6245, pp. 255–260, 2015.
[21] Y. Li, G. Wang, L. Nie, Q. Wang, and W. Tan, “Distance metric optimization driven convolutional neural network for age invariant face recognition,” Pattern Recognition, vol. 75, pp. 51–62, 2018.
[22] P. Li, J. Li, Z. Huang et al., “Multi-key privacy-preserving deep learning in cloud computing,” Future Generation Computer Systems, vol. 74, pp. 76–85, 2017.
[23] T. Li, J. Li, Z. Liu, P. Li, and C. Jia, “Differentially private Naive Bayes learning over multiple data sources,” Information Sciences, vol. 444, pp. 89–104, 2018.
[24] Z. Huang, S. Liu, X. Mao, K. Chen, and J. Li, “Insight of the protection for data security under selective opening attacks,” Information Sciences, vol. 412-413, pp. 223–241, 2017.
[25] C. Gao, Q. Cheng, P. He, W. Susilo, and J. Li, “Privacy-preserving Naive Bayes classifiers secure against the substitution-then-comparison attack,” Information Sciences, vol. 444, pp. 72–88, 2018.
[26] A. Saied, R. E. Overill, and T. Radzik, “Artificial neural networks in the detection of known and unknown DDoS attacks: proof-of-concept,” in Proceedings of PAAMS 2014 International Workshops (PAAMS ’14), Salamanca, Spain, 2014.
[27] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, “An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection,” Pattern Recognition Letters, vol. 51, pp. 1–7, 2015.
[28] Z. Y. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, “A system for denial-of-service attack detection based on multivariate correlation analysis,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 447–456, 2014.
[29] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, “Discriminating DDoS attacks from flash crowds using flow correlation coefficient,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 6, pp. 1073–1080, 2012.
[30] A. Wang, A. Mohaisen, W. Chang, and S. Chen, “Delving into Internet DDoS Attacks by Botnets: Characterization and Analysis,” in Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN ’15, pp. 379–390, 2015.
[31] G. D. Kumar, C. V. G. Rao, M. K. Singh, and F. Ahmad, “Using Jpcap API to monitor, analyze, and report network traffic for DDoS attacks,” in Proceedings of the 14th International Conference on Computational Science and Its Applications, ICCSA ’14, vol. 39, p. 35, 2014.
[32] K. J. Singh, K. Thongam, and T. De, “Entropy-based application layer DDoS attack detection using artificial neural networks,” Entropy, vol. 18, no. 10, 2016.
[33] A. Rukavitsyn, K. Borisenko, and A. Shorov, “Self-learning method for DDoS detection model in cloud computing,” in Proceedings of the 2017 IEEE Russia Section Young Researchers in Electrical and Electronic Engineering Conference, ElConRus ’17, pp. 544–547, 2017.
[34] H. Zhang, Z. Cai, Q. Liu et al., “A Survey on Security-Aware Measurement in SDN,” Security and Communication Networks, vol. 2018, Article ID 2459154, 14 pages, 2018.
[35] J. Ashraf and S. Latif, “Handling intrusion and DDoS attacks in Software Defined Networks using machine learning techniques,” in Proceedings of the 2014 National Software Engineering Conference, NSEC ’14, pp. 55–60, Karachi, Pakistan, 2014.
[36] I. Mihai-Gabriel and P. Victor-Valeriu, “Achieving DDoS resiliency in a software defined network by intelligent risk assessment based on neural networks and danger theory,” in Proceedings of the 15th IEEE International Symposium on Computational Intelligence and Informatics, CINTI ’14, pp. 319–324, Hungary, 2014.
[37] Q. Yan, Q. Gong, and F. R. Yu, “Effective software-defined networking controller scheduling method to mitigate DDoS attacks,” IEEE Electronics Letters, vol. 53, no. 7, pp. 469–471, 2017.
[38] T. Chin, X. Mountrouidou, X. Li, and K. Xiong, “Selective packet inspection to detect DoS flooding using software defined networking (SDN),” in Proceedings of the 2015 35th IEEE International Conference on Distributed Computing Systems Workshops, ICDCSW ’15, pp. 95–99, 2015.
[39] N. Dayal and S. Srivastava, “Analyzing behavior of DDoS attacks to identify DDoS detection features in SDN,” in Proceedings of the 9th International Conference on Communication Systems and Networks, COMSNETS ’17, pp. 274–281, 2017.
[40] J. Ye, X. Cheng, J. Zhu, L. Feng, and L. Song, “A DDoS Attack Detection Method Based on SVM in Software Defined Network,” Security and Communication Networks, vol. 2018, Article ID 9804061, 8 pages, 2018.
[41] J. Xu, L. Wei, Y. Zhang, A. Wang, F. Zhou, and C. Gao, “Dynamic Fully Homomorphic encryption-based Merkle Tree for lightweight streaming authenticated data structures,” Journal of Network and Computer Applications, vol. 107, pp. 113–124, 2018.
[42] X. Zhang, Y. Tan, C. Liang, Y. Li, and J. Li, “A Covert Channel Over VoLTE via Adjusting Silence Periods,” IEEE Access, vol. 6, pp. 9292–9302, 2018.
[43] Q. Lin, H. Yan, Z. Huang, W. Chen, J. Shen, and Y. Tang, “An ID-based linearly homomorphic signature scheme and its application in blockchain,” IEEE Access, vol. 6, no. 1, pp. 20632–20640, 2018.
[44] Q. Lin, J. Li, Z. Huang, W. Chen, and J. Shen, “A short linearly homomorphic proxy signature scheme,” IEEE Access, vol. 6, pp. 12966–12972, 2018.
[45] J. Cheng, X. Tang, and J. Yin, “A change-point DDoS attack detection method based on half interaction anomaly degree,” International Journal of Autonomous and Adaptive Communications Systems, vol. 10, no. 1, pp. 38–54, 2017.
[46] J. R. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, “DDoS Attack Detection Using IP Address Feature Interaction,” in Proceedings of the 2009 International Conference on Intelligent Networking and Collaborative Systems (INCOS ’09), pp. 113–118, 2009.
[47] J. Cheng, B. Zhang, J. Yin et al., “DDoS Attack Detection Using Three-State Partition Based on Flow Interaction,” Communications in Computer & Information Science, vol. 29, no. 4, pp. 176–184, 2009.
[48] J. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, “Detecting Distributed Denial of Service Attack Based on Multi-feature Fusion,” in Security Technology, vol. 58, pp. 132–139, 2009.
[49] J. R. Cheng, X. Tang, X. Zhu, and J. Yin, “Distributed denial of service attack detection based on IP Flow Interaction,” in Proceedings of the 2011 International Conference on E-Business and E-Government (ICEE ’11), pp. 1–4, 2011.
[50] J. Cheng, J. Yin, and L. Yun, “Detecting Distributed Denial of Service Attack Based on Address Correlation Value,” Journal of Computer Research & Development, vol. 46, no. 8, pp. 1334–1340, 2009.
[51] J. Cheng, J. Zhou, X. Tang, and J. Shi, “A distributed denial of service attack detection method based on time series prediction model,” Network Security Technology and Application, vol. 10, pp. 71–89, 2016.
[52] A. Rakotomamonjy, F. R. Bach, S. Canu, and Y. Grandvalet, “Simple MKL,” Journal of Machine Learning Research, vol. 9, no. 3, pp. 2491–2521, 2008.
[53] The Cooperative Association for Internet Data Analysis, The Caida Ucsd DDoS Attack 2007, http://www.caida.org/data/passive/ddos-20070804_dataset.xml.
Figure 14: The ER contrast diagram of four algorithms for narrowing the attack flow (the value of ER against the value of multiplier for ADADM, SimpleMKL, SVM, and Nezhad et al. [16]).

Figure 15: The FR contrast diagram of four algorithms for narrowing the attack flow (the value of FR against the value of multiplier for ADADM, SimpleMKL, SVM, and Nezhad et al. [16]).
flow data and normal flow data are located on both sides of the hyperplane.
In addition using the idea of ensemble learning to traintwo different classifiers and using the sliding window mech-anism to further synthesize the advantage of each classifierimproves the algorithmrsquos performance in the three types ofexperiments This method we propose outperforms not onlythe SVM method but also other methods of DDoS attack
075
08
085
09
095
1
The v
alue
of D
R
The DR value of ADADMThe DR value of SimpleMKLThe DR value of SVMThe DR value of Nezhad et al [16]
10-15 50-5545-5040-4535-4030-3525-3020-2515-20
The value of multiplier
Figure 16TheDR contrast diagram of four algorithms for amplify-ing the normal flow
012
014
016
018
02
022
024
026
028
03
032
The v
alue
of E
R
The value of multiplier
The ER value of ADADMThe ER value of SimpleMKLThe ER value of SVMThe ER value of Nezhad et al [16]
10-15 50-5545-5040-4535-4030-3525-3020-2515-20
Figure 17 The ER contrast diagram of four algorithms for amplify-ing the normal flow
detection The experimental data are presented in Tables 12 and 3
6 Conclusion
In this paper five-dimensional features are defined fordescribing the burstiness of DDoS attack flows thedistribution of IP source addresses and the interactivityof DDoS attack flows Based on the five-dimensional
14 Security and Communication Networks
Table1Com
paris
onresults
offour
algorithm
sfor
scalingattack
flowandno
rmalflo
w
Thev
alue
ofther
ando
mmultip
lier
06ndash
07
07ndash08
08ndash09
09ndash
1110
ndash15
15ndash20
20ndash
30
30ndash
40
40ndash
50
ADADM
metho
dDR(
)7857
7857
7857
7857
7821
7821
7821
7821
7857
FR(
)001
001
001
001
001
001
001
001
001
ER(
)1222
1222
1222
1222
1242
1242
1242
1242
1222
SimpleM
KLmetho
dDR(
)7643
7643
7643
7643
7643
7643
7643
7643
7643
FR(
)001
001
001
001
001
001
001
001
001
ER(
)1344
1344
1344
1344
1344
1344
1344
1344
1344
SVM
metho
dDR(
)7750
7750
7786
7786
7679
7750
7786
7679
7786
FR(
)001
001
001
001
001
001
001
001
001
ER(
)1283
1283
1263
1263
1324
1283
1263
1324
1263
Nezhadetalrsquos[16]
metho
dDR(
)9821
9785
9821
9785
9821
9821
9821
9785
9821
FR(
)7429
7476
7429
7476
7571
7429
7429
7429
7238
ER(
)3292
3333
3292
3333
3354
3292
3292
3313
3211
Security and Communication Networks 15
Table2Com
paris
onresults
offour
algorithm
sfor
narrow
ingthea
ttack
flow
Thev
alue
ofther
ando
mmultip
lier
01ndash02
02ndash03
03ndash04
04ndash
05
05ndash06
06ndash
07
07ndash08
08ndash
09
09ndash
10
ADADM
metho
dDR(
)7821
7821
7821
7857
7857
7857
7857
7857
7857
FR(
)1099
142
001
001
001
001
001
001
001
ER(
)1715
1304
1242
1222
1222
1222
1222
1222
1222
SimpleM
KLmetho
dDR(
)7571
7643
7643
7643
7643
7643
7643
7643
7643
FR(
)2275
474
142
001
001
001
001
001
001
ER(
)2363
1548
1405
1344
1344
1344
1344
1344
1344
SVM
metho
dDR(
)7607
7714
7750
7786
7750
7786
7786
7750
7786
FR(
)2275
474
142
047
001
001
001
001
001
ER(
)2342
1507
1344
1283
1283
1263
1263
1283
1263
Nezhadetalrsquos[16]
metho
dDR()
9713
9785
9857
9821
9857
9857
9821
9821
9785
FR(
)7429
7429
7429
7429
7429
7429
7429
7429
7429
ER(
)3354
3313
3272
3292
3272
3272
3292
3292
3313
16 Security and Communication Networks
Table3Com
paris
onresults
offour
algorithm
sfor
amplify
ingthen
ormalflo
w
Thev
alue
ofrand
ommultip
lier
10ndash15
15ndash20
20ndash
25
25ndash30
30ndash
35
35ndash40
40ndash
45
45ndash50
50ndash
55
ADADM
metho
dDR(
)7893
7893
7893
7893
7893
7893
7893
7893
7893
FR(
)001
001
001
047
142
190
474
664
1043
ER(
)1202
1202
1202
1222
1263
1283
1405
1487
1650
SimpleM
KLmetho
dDR(
)7714
7714
7714
7714
7714
7714
7714
7714
7714
FR(
)001
001
047
142
427
664
1090
1706
2180
ER(
)1304
1304
1324
1365
1487
1589
1772
2037
2240
SVM
metho
dDR(
)7786
7786
7786
7786
7786
7786
7786
7786
7786
FR(
)001
001
095
142
379
806
1185
1801
2275
ER(
)1263
1263
1304
1324
1426
1609
1772
2037
2240
Nezhadetalrsquos[16]
metho
dDR(
)9749
9713
9713
9713
9677
9677
9677
9677
9677
FR(
)6524
6524
6619
6667
6667
6667
6714
6714
6762
ER(
)2947
2967
3008
3028
3049
3049
3069
3069
3090
Security and Communication Networks 17
0
01
02
03
04
05
06
07
The v
alue
of F
R
The FR value of ADADMThe FR value of SimpleMKLThe FR value of SVMThe FR value of Nezhad et al [16]
The value of multiplier10-15 50-5545-5040-4535-4030-3525-3020-2515-20
Figure 18 The FR contrast diagram of four algorithms for amplify-ing the normal flow
features and the ensemble learning framework adaptivefeature weights are obtained and the M-SMKL and S-SMKLmultiple-kernel learning models are trained to detect DDoSattack For identifying early attacks effectively the slidingwindow mechanism is used to coordinate the S-SMKL andtheM-SMKL to deal with the detection results Experimentalresults show that compared with similar methods ourmethod can produce more accurate results for detectingearly DDoS attack
In the follow-up work we will further study how totransform the multidimensional weight adaptive problembased onmultiple-kernel learning into a convex optimizationproblem and improve the detection rate and convergencespeed of the method
Data Availability
The data used to support the findings of this study areavailable from the corresponding author upon request
Conflicts of Interest
There are no conflicts of interest in this paper
Acknowledgments
This work was supported by the Hainan Provincial NaturalScience Foundation of China [2018CXTD333 617048] theNational Natural Science Foundation of China [6176203361702539] Hainan University Doctor Start Fund Project[kyqd1328] and Hainan University Youth Fund Project[qnjj1444]
References
[1] Z Cai Z Wang K Zheng and J Cao ldquoA Distributed TCAMcoprocessor architecture for integrated longest prefixmatchingpolicy filtering and content filteringrdquo IEEE Transactions onComputers vol 62 no 3 pp 417ndash427 2013
[2] J H Cui Y Y Zhang Z P Cai et al ldquoSecuring display path forsecurity-sensitive applications on mobile devicesrdquo ComputerMaterials amp Continua vol 55 no 1 pp 17ndash35 2018
[3] S Liu ZCaiHXu andMXu ldquoTowards security-aware virtualnetwork embeddingrdquo Computer Networks vol 91 pp 151ndash1632015
[4] A S Pimpalkar and A R Bhagat Patil ldquoDetection and defensemechanisms against DDoS attacksrdquo in Proceedings of the Inter-national Conference on Innovations in Information Embeddedand Communication Systems pp 1ndash6 IEEE 2015
[5] J R Cheng R M Xu and X Y Tang ldquoAn Abnormal NetworkFlow Feature Sequence Prediction Approach for DDoS AttacksDetection in Big Data Environmentrdquo Computers Materials ampContinua vol 55 no 1 pp 95ndash119 2018
[6] N Hoque D K Bhattacharyya and J K Kalita ldquoBotnet inDDoS attacks trends and challengesrdquo IEEE CommunicationsSurveys amp Tutorials vol 17 no 4 pp 2242ndash2270 2015
[7] K Zeb O Baig and M K Asif ldquoDDoS attacks and counter-measures in cyberspacerdquo in Proceedings of the 2015 2nd WorldSymposium on Web Applications and Networking WSWAN rsquo15pp 1ndash6 IEEE 2015
[8] J Shen Z Gui S Ji J Shen H Tan and Y Tang ldquoCloud-aided lightweight certificateless authentication protocol withanonymity for wireless body area networksrdquo Journal of Networkand Computer Applications vol 106 pp 117ndash123 2018
[9] D Kreutz F M V Ramos P E Verissimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networking acomprehensive surveyrdquo Proceedings of the IEEE vol 103 no 1pp 14ndash76 2015
[10] Z Zhou M Dong K Ota G Wang and L T Yang ldquoEnergy-efficient resource allocation for d2d communications under-laying cloud-ran-based lte-a networksrdquo IEEE Internet of ThingsJournal vol 3 no 3 pp 428ndash438 2016
[11] W Lin S Xu L He and J Li ldquoMulti-resource scheduling andpower simulation for cloud computingrdquo Information Sciencesvol 397-398 pp 168ndash186 2017
[12] W Jiang G Wang M Z A Bhuiyan and J Wu ldquoUnderstand-ing graph-based trust evaluation in online social networksMethodologies and challengesrdquo ACM Computing Surveys vol49 no 1 2016
[13] E Luo Q Liu and G Wang ldquoHierarchical Multi-Authorityand Attribute-Based Encryption Friend Discovery Scheme inMobile Social Networksrdquo IEEE Communications Letters vol 20no 9 pp 1772ndash1775 2016
[14] S Peng A Yang L Cao S Yu and D Xie ldquoSocial influencemodeling using information theory in mobile social networksrdquoInformation Sciences vol 379 pp 146ndash159 2017
[15] T Peng Q Liu D Meng and G Wang ldquoCollaborative tra-jectory privacy preserving scheme in location-based servicesrdquoInformation Sciences vol 387 pp 165ndash179 2017
[16] S M T Nezhad M Nazari and E A Gharavol ldquoA Novel DoSand DDoS Attacks Detection Algorithm Using ARIMA TimeSeriesModel andChaotic System inComputerNetworksrdquo IEEECommunications Letters vol 20 no 4 pp 700ndash703 2016
18 Security and Communication Networks
[17] R H Meng S G Rice and J Wang ldquoA Fusion SteganographicAlgorithm Based on Faster R-CNNrdquo Computers Materials ampContinua vol 55 no 1 pp 1ndash16 2018
[18] L Sun Z LiQYanW Srisa-an andY Pan ldquoSigPID significantpermission identification for android malware detectionrdquo inProceedings of the 2016 11th International Conference on Mali-cious and Unwanted Software (MALWARE rsquo16) pp 1ndash8 FajardoPuerto Rico USA October 2016
[19] C Yuan X Li Q M J Wu et al ldquoFingerprint Liveness Detec-tion from Different Fingerprint Materials Using ConvolutionalNeural Network and Principal Component Analysisrdquo CMCComputers Materials amp Continua vol 53 no 3 pp 357ndash3712017
[20] M I Jordan and T M Mitchell ldquoMachine learning trendsperspectives and prospectsrdquo Science vol 349 no 6245 pp 255ndash260 2015
[21] Y Li G Wang L Nie Q Wang and W Tan ldquoDistancemetric optimization driven convolutional neural network forage invariant face recognitionrdquo Pattern Recognition vol 75 pp51ndash62 2018
[22] P Li J Li Z Huang et al ldquoMulti-key privacy-preserving deeplearning in cloud computingrdquo Future Generation ComputerSystems vol 74 pp 76ndash85 2017
[23] T Li J Li Z Liu P Li and C Jia ldquoDifferentially private NaiveBayes learning overmultiple data sourcesrdquo Information Sciencesvol 444 pp 89ndash104 2018
[24] Z Huang S Liu X Mao K Chen and J Li ldquoInsight of theprotection for data security under selective opening attacksrdquoInformation Sciences vol 412-413 pp 223ndash241 2017
[25] CGaoQ Cheng PHeW Susilo and J Li ldquoPrivacy-preservingNaive Bayes classifiers secure against the substitution-then-comparison attackrdquo Information Sciences vol 444 pp 72ndash882018
[26] A Saied R E Overill andT Radzik ldquoArtificial neural networksin the detection of known and unknown DDoS attacks proof-of-conceptrdquo in Proceedings of PAAMS 2014 International Work-shops (PAAMS rsquo14) Salamanca Spain 2014
[27] M H Bhuyan D K Bhattacharyya and J K Kalita ldquoAnempirical evaluation of information metrics for low-rate andhigh-rate DDoS attack detectionrdquo Pattern Recognition Lettersvol 51 pp 1ndash7 2015
[28] Z Y Tan A Jamdagni X He P Nanda and R P Liu ldquoA systemfor denial-of-service attackdetection based onmultivariate cor-relation analysisrdquo IEEE Transactions on Parallel and DistributedSystems vol 25 no 2 pp 447ndash456 2014
[29] S Yu W Zhou W Jia S Guo Y Xiang and F TangldquoDiscriminating DDoS attacks from flash crowds using flowcorrelation coefficientrdquo IEEE Transactions on Parallel and Dis-tributed Systems vol 23 no 6 pp 1073ndash1080 2012
[30] A Wang A Mohaisen W Chang and S Chen ldquoDelving intoInternet DDoS Attacks by Botnets Characterization and Anal-ysisrdquo in Proceedings of the 45th Annual IEEEIFIP InternationalConference on Dependable Systems and Networks DSN rsquo15 pp379ndash390 2015
[31] G D Kumar C V G Rao M K Singh and F Ahmad ldquoUsingJpcap API to monitor analyze and report network traffic forDDoS attacksrdquo in Proceedings of the 14th International Confer-ence on Computational Science and Its Applications ICCSA rsquo14vol 39 p 35 2014
[32] K J Singh KThongam and T De ldquoEntropy-based applicationlayer DDoS attack detection using artificial neural networksrdquoEntropy vol 18 no 10 2016
[33] A Rukavitsyn K Borisenko and A Shorov ldquoSelf-learningmethod for DDoS detection model in cloud computingrdquo inProceedings of the 2017 IEEE Russia Section Young Researchers inElectrical and Electronic Engineering Conference ElConRus rsquo17pp 544ndash547 2017
[34] H Zhang Z Cai Q Liu et al ldquoA Survey on Security-AwareMeasurement in SDNrdquo Security and Communication Networksvol 2018 Article ID 2459154 14 pages 2018
[35] J Ashraf and S Latif ldquoHandling intrusion and DDoS attacksin Software Defined Networks using machine learning tech-niquesrdquo inProceedings of the 2014National Software EngineeringConference NSEC rsquo14 pp 55ndash60 Karachi Pakistan 2014
[36] I Mihai-Gabriel and P Victor-Valeriu ldquoAchieving DDoSresiliency in a software defined network by intelligent riskassessment based on neural networks and danger theoryrdquoin Proceedings of the 15th IEEE International Symposium onComputational Intelligence and Informatics CINTI rsquo14 pp 319ndash324 Hungary 2014
[37] Q Yan Q Gong and F R Yu ldquoEffective software-definednetworking controller scheduling method to mitigate DDoSattacksrdquo IEEE Electronics Letters vol 53 no 7 pp 469ndash471 2017
[38] T Chin X Mountrouidou X Li and K Xiong ldquoSelectivepacket inspection to detectDoS flooding using software definednetworking (SDN)rdquo in Proceedings of the 2015 35th IEEEInternational Conference on Distributed Computing SystemsWorkshops ICDCSW rsquo15 pp 95ndash99 2015
[39] NDayal and S Srivastava ldquoAnalyzing behavior ofDDoS attacksto identify DDoS detection features in SDNrdquo in Proceedings ofthe 9th International Conference onCommunication Systems andNetworks COMSNETS rsquo17 pp 274ndash281 2017
[40] J Ye X Cheng J Zhu L Feng and L Song ldquoA DDoSAttack Detection Method Based on SVM in Software DefinedNetworkrdquo Security and Communication Networks vol 2018Article ID 9804061 8 pages 2018
14 Security and Communication Networks
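Table 1: Comparison results of four algorithms for scaling attack flow and normal flow. Column headings give the value of the random multiplier.

| Method | Metric | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.1 | 1.0–1.5 | 1.5–2.0 | 2.0–3.0 | 3.0–4.0 | 4.0–5.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.57 | 78.57 | 78.57 | 78.57 | 78.21 | 78.21 | 78.21 | 78.21 | 78.57 |
| ADADM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| ADADM method | ER (%) | 12.22 | 12.22 | 12.22 | 12.22 | 12.42 | 12.42 | 12.42 | 12.42 | 12.22 |
| SimpleMKL method | DR (%) | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| SimpleMKL method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SimpleMKL method | ER (%) | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 77.50 | 77.50 | 77.86 | 77.86 | 76.79 | 77.50 | 77.86 | 76.79 | 77.86 |
| SVM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SVM method | ER (%) | 12.83 | 12.83 | 12.63 | 12.63 | 13.24 | 12.83 | 12.63 | 13.24 | 12.63 |
| Nezhad et al.’s [16] method | DR (%) | 98.21 | 97.85 | 98.21 | 97.85 | 98.21 | 98.21 | 98.21 | 97.85 | 98.21 |
| Nezhad et al.’s [16] method | FR (%) | 74.29 | 74.76 | 74.29 | 74.76 | 75.71 | 74.29 | 74.29 | 74.29 | 72.38 |
| Nezhad et al.’s [16] method | ER (%) | 32.92 | 33.33 | 32.92 | 33.33 | 33.54 | 32.92 | 32.92 | 33.13 | 32.11 |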
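Table 2: Comparison results of four algorithms for narrowing the attack flow. Column headings give the value of the random multiplier.

| Method | Metric | 0.1–0.2 | 0.2–0.3 | 0.3–0.4 | 0.4–0.5 | 0.5–0.6 | 0.6–0.7 | 0.7–0.8 | 0.8–0.9 | 0.9–1.0 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.21 | 78.21 | 78.21 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 | 78.57 |
| ADADM method | FR (%) | 10.99 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| ADADM method | ER (%) | 17.15 | 13.04 | 12.42 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 | 12.22 |
| SimpleMKL method | DR (%) | 75.71 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 | 76.43 |
| SimpleMKL method | FR (%) | 22.75 | 4.74 | 1.42 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SimpleMKL method | ER (%) | 23.63 | 15.48 | 14.05 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 | 13.44 |
| SVM method | DR (%) | 76.07 | 77.14 | 77.50 | 77.86 | 77.50 | 77.86 | 77.86 | 77.50 | 77.86 |
| SVM method | FR (%) | 22.75 | 4.74 | 1.42 | 0.47 | 0.01 | 0.01 | 0.01 | 0.01 | 0.01 |
| SVM method | ER (%) | 23.42 | 15.07 | 13.44 | 12.83 | 12.83 | 12.63 | 12.63 | 12.83 | 12.63 |
| Nezhad et al.’s [16] method | DR (%) | 97.13 | 97.85 | 98.57 | 98.21 | 98.57 | 98.57 | 98.21 | 98.21 | 97.85 |
| Nezhad et al.’s [16] method | FR (%) | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 | 74.29 |
| Nezhad et al.’s [16] method | ER (%) | 33.54 | 33.13 | 32.72 | 32.92 | 32.72 | 32.72 | 32.92 | 32.92 | 33.13 |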
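Table 3: Comparison results of four algorithms for amplifying the normal flow. Column headings give the value of random multiplier.

| Method | Metric | 1.0–1.5 | 1.5–2.0 | 2.0–2.5 | 2.5–3.0 | 3.0–3.5 | 3.5–4.0 | 4.0–4.5 | 4.5–5.0 | 5.0–5.5 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 |
| ADADM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.47 | 1.42 | 1.90 | 4.74 | 6.64 | 10.43 |
| ADADM method | ER (%) | 12.02 | 12.02 | 12.02 | 12.22 | 12.63 | 12.83 | 14.05 | 14.87 | 16.50 |
| SimpleMKL method | DR (%) | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 |
| SimpleMKL method | FR (%) | 0.01 | 0.01 | 0.47 | 1.42 | 4.27 | 6.64 | 10.90 | 17.06 | 21.80 |
| SimpleMKL method | ER (%) | 13.04 | 13.04 | 13.24 | 13.65 | 14.87 | 15.89 | 17.72 | 20.37 | 22.40 |
| SVM method | DR (%) | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 |
| SVM method | FR (%) | 0.01 | 0.01 | 0.95 | 1.42 | 3.79 | 8.06 | 11.85 | 18.01 | 22.75 |
| SVM method | ER (%) | 12.63 | 12.63 | 13.04 | 13.24 | 14.26 | 16.09 | 17.72 | 20.37 | 22.40 |
| Nezhad et al.’s [16] method | DR (%) | 97.49 | 97.13 | 97.13 | 97.13 | 96.77 | 96.77 | 96.77 | 96.77 | 96.77 |
| Nezhad et al.’s [16] method | FR (%) | 65.24 | 65.24 | 66.19 | 66.67 | 66.67 | 66.67 | 67.14 | 67.14 | 67.62 |
| Nezhad et al.’s [16] method | ER (%) | 29.47 | 29.67 | 30.08 | 30.28 | 30.49 | 30.49 | 30.69 | 30.69 | 30.90 |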
[Figure 18 plot. Y-axis: the value of FR (0 to 0.7). X-axis: the value of multiplier (1.0-1.5 through 5.0-5.5). Series: the FR value of ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]
Figure 18: The FR contrast diagram of four algorithms for amplifying the normal flow.
features and the ensemble learning framework, adaptive feature weights are obtained, and the M-SMKL and S-SMKL multiple-kernel learning models are trained to detect DDoS attacks. To identify early attacks effectively, the sliding window mechanism is used to coordinate the S-SMKL and the M-SMKL in handling the detection results. Experimental results show that, compared with similar methods, our method can produce more accurate results for detecting early DDoS attacks.
In follow-up work, we will further study how to transform the multidimensional weight adaptive problem based on multiple-kernel learning into a convex optimization problem and improve the detection rate and convergence speed of the method.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
There are no conflicts of interest in this paper.
Acknowledgments
This work was supported by the Hainan Provincial Natural Science Foundation of China [2018CXTD333, 617048], the National Natural Science Foundation of China [61762033, 61702539], Hainan University Doctor Start Fund Project [kyqd1328], and Hainan University Youth Fund Project [qnjj1444].
References
[1] Z. Cai, Z. Wang, K. Zheng, and J. Cao, “A Distributed TCAM coprocessor architecture for integrated longest prefix matching, policy filtering, and content filtering,” IEEE Transactions on Computers, vol. 62, no. 3, pp. 417–427, 2013.
[2] J. H. Cui, Y. Y. Zhang, Z. P. Cai et al., “Securing display path for security-sensitive applications on mobile devices,” Computers, Materials & Continua, vol. 55, no. 1, pp. 17–35, 2018.
[3] S. Liu, Z. Cai, H. Xu, and M. Xu, “Towards security-aware virtual network embedding,” Computer Networks, vol. 91, pp. 151–163, 2015.
[4] A. S. Pimpalkar and A. R. Bhagat Patil, “Detection and defense mechanisms against DDoS attacks,” in Proceedings of the International Conference on Innovations in Information, Embedded and Communication Systems, pp. 1–6, IEEE, 2015.
[5] J. R. Cheng, R. M. Xu, and X. Y. Tang, “An Abnormal Network Flow Feature Sequence Prediction Approach for DDoS Attacks Detection in Big Data Environment,” Computers, Materials & Continua, vol. 55, no. 1, pp. 95–119, 2018.
[6] N. Hoque, D. K. Bhattacharyya, and J. K. Kalita, “Botnet in DDoS attacks: trends and challenges,” IEEE Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2242–2270, 2015.
[7] K. Zeb, O. Baig, and M. K. Asif, “DDoS attacks and countermeasures in cyberspace,” in Proceedings of the 2015 2nd World Symposium on Web Applications and Networking, WSWAN ’15, pp. 1–6, IEEE, 2015.
[8] J. Shen, Z. Gui, S. Ji, J. Shen, H. Tan, and Y. Tang, “Cloud-aided lightweight certificateless authentication protocol with anonymity for wireless body area networks,” Journal of Network and Computer Applications, vol. 106, pp. 117–123, 2018.
[9] D. Kreutz, F. M. V. Ramos, P. E. Verissimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, “Software-defined networking: a comprehensive survey,” Proceedings of the IEEE, vol. 103, no. 1, pp. 14–76, 2015.
[10] Z. Zhou, M. Dong, K. Ota, G. Wang, and L. T. Yang, “Energy-efficient resource allocation for d2d communications underlaying cloud-ran-based lte-a networks,” IEEE Internet of Things Journal, vol. 3, no. 3, pp. 428–438, 2016.
[11] W. Lin, S. Xu, L. He, and J. Li, “Multi-resource scheduling and power simulation for cloud computing,” Information Sciences, vol. 397-398, pp. 168–186, 2017.
[12] W. Jiang, G. Wang, M. Z. A. Bhuiyan, and J. Wu, “Understanding graph-based trust evaluation in online social networks: Methodologies and challenges,” ACM Computing Surveys, vol. 49, no. 1, 2016.
[13] E. Luo, Q. Liu, and G. Wang, “Hierarchical Multi-Authority and Attribute-Based Encryption Friend Discovery Scheme in Mobile Social Networks,” IEEE Communications Letters, vol. 20, no. 9, pp. 1772–1775, 2016.
[14] S. Peng, A. Yang, L. Cao, S. Yu, and D. Xie, “Social influence modeling using information theory in mobile social networks,” Information Sciences, vol. 379, pp. 146–159, 2017.
[15] T. Peng, Q. Liu, D. Meng, and G. Wang, “Collaborative trajectory privacy preserving scheme in location-based services,” Information Sciences, vol. 387, pp. 165–179, 2017.
[16] S. M. T. Nezhad, M. Nazari, and E. A. Gharavol, “A Novel DoS and DDoS Attacks Detection Algorithm Using ARIMA Time Series Model and Chaotic System in Computer Networks,” IEEE Communications Letters, vol. 20, no. 4, pp. 700–703, 2016.
[17] R. H. Meng, S. G. Rice, and J. Wang, “A Fusion Steganographic Algorithm Based on Faster R-CNN,” Computers, Materials & Continua, vol. 55, no. 1, pp. 1–16, 2018.
[18] L. Sun, Z. Li, Q. Yan, W. Srisa-an, and Y. Pan, “SigPID: significant permission identification for android malware detection,” in Proceedings of the 2016 11th International Conference on Malicious and Unwanted Software (MALWARE ’16), pp. 1–8, Fajardo, Puerto Rico, USA, October 2016.
[19] C. Yuan, X. Li, Q. M. J. Wu et al., “Fingerprint Liveness Detection from Different Fingerprint Materials Using Convolutional Neural Network and Principal Component Analysis,” CMC: Computers, Materials & Continua, vol. 53, no. 3, pp. 357–371, 2017.
[20] M. I. Jordan and T. M. Mitchell, “Machine learning: trends, perspectives, and prospects,” Science, vol. 349, no. 6245, pp. 255–260, 2015.
[21] Y. Li, G. Wang, L. Nie, Q. Wang, and W. Tan, “Distance metric optimization driven convolutional neural network for age invariant face recognition,” Pattern Recognition, vol. 75, pp. 51–62, 2018.
[22] P. Li, J. Li, Z. Huang et al., “Multi-key privacy-preserving deep learning in cloud computing,” Future Generation Computer Systems, vol. 74, pp. 76–85, 2017.
[23] T. Li, J. Li, Z. Liu, P. Li, and C. Jia, “Differentially private Naive Bayes learning over multiple data sources,” Information Sciences, vol. 444, pp. 89–104, 2018.
[24] Z. Huang, S. Liu, X. Mao, K. Chen, and J. Li, “Insight of the protection for data security under selective opening attacks,” Information Sciences, vol. 412-413, pp. 223–241, 2017.
[25] C. Gao, Q. Cheng, P. He, W. Susilo, and J. Li, “Privacy-preserving Naive Bayes classifiers secure against the substitution-then-comparison attack,” Information Sciences, vol. 444, pp. 72–88, 2018.
[26] A. Saied, R. E. Overill, and T. Radzik, “Artificial neural networks in the detection of known and unknown DDoS attacks: proof-of-concept,” in Proceedings of PAAMS 2014 International Workshops (PAAMS ’14), Salamanca, Spain, 2014.
[27] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, “An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection,” Pattern Recognition Letters, vol. 51, pp. 1–7, 2015.
[28] Z. Y. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, “A system for denial-of-service attack detection based on multivariate correlation analysis,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 447–456, 2014.
[29] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, “Discriminating DDoS attacks from flash crowds using flow correlation coefficient,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 6, pp. 1073–1080, 2012.
[30] A. Wang, A. Mohaisen, W. Chang, and S. Chen, “Delving into Internet DDoS Attacks by Botnets: Characterization and Analysis,” in Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN ’15, pp. 379–390, 2015.
[31] G. D. Kumar, C. V. G. Rao, M. K. Singh, and F. Ahmad, “Using Jpcap API to monitor, analyze, and report network traffic for DDoS attacks,” in Proceedings of the 14th International Conference on Computational Science and Its Applications, ICCSA ’14, vol. 39, p. 35, 2014.
[32] K. J. Singh, K. Thongam, and T. De, “Entropy-based application layer DDoS attack detection using artificial neural networks,” Entropy, vol. 18, no. 10, 2016.
[33] A. Rukavitsyn, K. Borisenko, and A. Shorov, “Self-learning method for DDoS detection model in cloud computing,” in Proceedings of the 2017 IEEE Russia Section Young Researchers in Electrical and Electronic Engineering Conference, ElConRus ’17, pp. 544–547, 2017.
[34] H. Zhang, Z. Cai, Q. Liu et al., “A Survey on Security-Aware Measurement in SDN,” Security and Communication Networks, vol. 2018, Article ID 2459154, 14 pages, 2018.
[35] J. Ashraf and S. Latif, “Handling intrusion and DDoS attacks in Software Defined Networks using machine learning techniques,” in Proceedings of the 2014 National Software Engineering Conference, NSEC ’14, pp. 55–60, Karachi, Pakistan, 2014.
[36] I. Mihai-Gabriel and P. Victor-Valeriu, “Achieving DDoS resiliency in a software defined network by intelligent risk assessment based on neural networks and danger theory,” in Proceedings of the 15th IEEE International Symposium on Computational Intelligence and Informatics, CINTI ’14, pp. 319–324, Hungary, 2014.
[37] Q. Yan, Q. Gong, and F. R. Yu, “Effective software-defined networking controller scheduling method to mitigate DDoS attacks,” IEEE Electronics Letters, vol. 53, no. 7, pp. 469–471, 2017.
[38] T. Chin, X. Mountrouidou, X. Li, and K. Xiong, “Selective packet inspection to detect DoS flooding using software defined networking (SDN),” in Proceedings of the 2015 35th IEEE International Conference on Distributed Computing Systems Workshops, ICDCSW ’15, pp. 95–99, 2015.
[39] N. Dayal and S. Srivastava, “Analyzing behavior of DDoS attacks to identify DDoS detection features in SDN,” in Proceedings of the 9th International Conference on Communication Systems and Networks, COMSNETS ’17, pp. 274–281, 2017.
[40] J. Ye, X. Cheng, J. Zhu, L. Feng, and L. Song, “A DDoS Attack Detection Method Based on SVM in Software Defined Network,” Security and Communication Networks, vol. 2018, Article ID 9804061, 8 pages, 2018.
[41] J. Xu, L. Wei, Y. Zhang, A. Wang, F. Zhou, and C. Gao, “Dynamic Fully Homomorphic encryption-based Merkle Tree for lightweight streaming authenticated data structures,” Journal of Network and Computer Applications, vol. 107, pp. 113–124, 2018.
[42] X. Zhang, Y. Tan, C. Liang, Y. Li, and J. Li, “A Covert Channel Over VoLTE via Adjusting Silence Periods,” IEEE Access, vol. 6, pp. 9292–9302, 2018.
[43] Q. Lin, H. Yan, Z. Huang, W. Chen, J. Shen, and Y. Tang, “An ID-based linearly homomorphic signature scheme and its application in blockchain,” IEEE Access, vol. 6, no. 1, pp. 20632–20640, 2018.
[44] Q. Lin, J. Li, Z. Huang, W. Chen, and J. Shen, “A short linearly homomorphic proxy signature scheme,” IEEE Access, vol. 6, pp. 12966–12972, 2018.
[45] J. Cheng, X. Tang, and J. Yin, “A change-point DDoS attack detection method based on half interaction anomaly degree,” International Journal of Autonomous and Adaptive Communications Systems, vol. 10, no. 1, pp. 38–54, 2017.
[46] J. R. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, “DDoS Attack Detection Using IP Address Feature Interaction,” in Proceedings of the 2009 International Conference on Intelligent Networking and Collaborative Systems (INCOS ’09), pp. 113–118, 2009.
[47] J. Cheng, B. Zhang, J. Yin et al., “DDoS Attack Detection Using Three-State Partition Based on Flow Interaction,” Communications in Computer & Information Science, vol. 29, no. 4, pp. 176–184, 2009.
[48] J. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, “Detecting Distributed Denial of Service Attack Based on Multi-feature Fusion,” in Security Technology, vol. 58, pp. 132–139, 2009.
[49] J. R. Cheng, X. Tang, X. Zhu, and J. Yin, “Distributed denial of service attack detection based on IP Flow Interaction,” in Proceedings of the 2011 International Conference on E-Business and E-Government (ICEE ’11), pp. 1–4, 2011.
[50] J. Cheng, J. Yin, and L. Yun, “Detecting Distributed Denial of Service Attack Based on Address Correlation Value,” Journal of Computer Research & Development, vol. 46, no. 8, pp. 1334–1340, 2009.
[51] J. Cheng, J. Zhou, X. Tang, and J. Shi, “A distributed denial of service attack detection method based on time series prediction model,” Network Security Technology and Application, vol. 10, pp. 71–89, 2016.
[52] A. Rakotomamonjy, F. R. Bach, S. Canu, and Y. Grandvalet, “Simple MKL,” Journal of Machine Learning Research, vol. 9, no. 3, pp. 2491–2521, 2008.
[53] The Cooperative Association for Internet Data Analysis, The Caida Ucsd DDoS Attack 2007, http://www.caida.org/data/passive/ddos-20070804_dataset.xml.
Security and Communication Networks 15
Table2Com
paris
onresults
offour
algorithm
sfor
narrow
ingthea
ttack
flow
Thev
alue
ofther
ando
mmultip
lier
01ndash02
02ndash03
03ndash04
04ndash
05
05ndash06
06ndash
07
07ndash08
08ndash
09
09ndash
10
ADADM
metho
dDR(
)7821
7821
7821
7857
7857
7857
7857
7857
7857
FR(
)1099
142
001
001
001
001
001
001
001
ER(
)1715
1304
1242
1222
1222
1222
1222
1222
1222
SimpleM
KLmetho
dDR(
)7571
7643
7643
7643
7643
7643
7643
7643
7643
FR(
)2275
474
142
001
001
001
001
001
001
ER(
)2363
1548
1405
1344
1344
1344
1344
1344
1344
SVM
metho
dDR(
)7607
7714
7750
7786
7750
7786
7786
7750
7786
FR(
)2275
474
142
047
001
001
001
001
001
ER(
)2342
1507
1344
1283
1283
1263
1263
1283
1263
Nezhadetalrsquos[16]
metho
dDR()
9713
9785
9857
9821
9857
9857
9821
9821
9785
FR(
)7429
7429
7429
7429
7429
7429
7429
7429
7429
ER(
)3354
3313
3272
3292
3272
3272
3292
3292
3313
16 Security and Communication Networks
Table3Com
paris
onresults
offour
algorithm
sfor
amplify
ingthen
ormalflo
w
Thev
alue
ofrand
ommultip
lier
10ndash15
15ndash20
20ndash
25
25ndash30
30ndash
35
35ndash40
40ndash
45
45ndash50
50ndash
55
ADADM
metho
dDR(
)7893
7893
7893
7893
7893
7893
7893
7893
7893
FR(
)001
001
001
047
142
190
474
664
1043
ER(
)1202
1202
1202
1222
1263
1283
1405
1487
1650
SimpleM
KLmetho
dDR(
)7714
7714
7714
7714
7714
7714
7714
7714
7714
FR(
)001
001
047
142
427
664
1090
1706
2180
ER(
)1304
1304
1324
1365
1487
1589
1772
2037
2240
SVM
metho
dDR(
)7786
7786
7786
7786
7786
7786
7786
7786
7786
FR(
)001
001
095
142
379
806
1185
1801
2275
ER(
)1263
1263
1304
1324
1426
1609
1772
2037
2240
Nezhadetalrsquos[16]
metho
dDR(
)9749
9713
9713
9713
9677
9677
9677
9677
9677
FR(
)6524
6524
6619
6667
6667
6667
6714
6714
6762
ER(
)2947
2967
3008
3028
3049
3049
3069
3069
3090
Security and Communication Networks 17
0
01
02
03
04
05
06
07
The v
alue
of F
R
The FR value of ADADMThe FR value of SimpleMKLThe FR value of SVMThe FR value of Nezhad et al [16]
The value of multiplier10-15 50-5545-5040-4535-4030-3525-3020-2515-20
Figure 18 The FR contrast diagram of four algorithms for amplify-ing the normal flow
features and the ensemble learning framework adaptivefeature weights are obtained and the M-SMKL and S-SMKLmultiple-kernel learning models are trained to detect DDoSattack For identifying early attacks effectively the slidingwindow mechanism is used to coordinate the S-SMKL andtheM-SMKL to deal with the detection results Experimentalresults show that compared with similar methods ourmethod can produce more accurate results for detectingearly DDoS attack
In the follow-up work we will further study how totransform the multidimensional weight adaptive problembased onmultiple-kernel learning into a convex optimizationproblem and improve the detection rate and convergencespeed of the method
Data Availability
The data used to support the findings of this study areavailable from the corresponding author upon request
Conflicts of Interest
There are no conflicts of interest in this paper
Acknowledgments
This work was supported by the Hainan Provincial NaturalScience Foundation of China [2018CXTD333 617048] theNational Natural Science Foundation of China [6176203361702539] Hainan University Doctor Start Fund Project[kyqd1328] and Hainan University Youth Fund Project[qnjj1444]
References
[1] Z Cai Z Wang K Zheng and J Cao ldquoA Distributed TCAMcoprocessor architecture for integrated longest prefixmatchingpolicy filtering and content filteringrdquo IEEE Transactions onComputers vol 62 no 3 pp 417ndash427 2013
[2] J H Cui Y Y Zhang Z P Cai et al ldquoSecuring display path forsecurity-sensitive applications on mobile devicesrdquo ComputerMaterials amp Continua vol 55 no 1 pp 17ndash35 2018
[3] S Liu ZCaiHXu andMXu ldquoTowards security-aware virtualnetwork embeddingrdquo Computer Networks vol 91 pp 151ndash1632015
[4] A S Pimpalkar and A R Bhagat Patil ldquoDetection and defensemechanisms against DDoS attacksrdquo in Proceedings of the Inter-national Conference on Innovations in Information Embeddedand Communication Systems pp 1ndash6 IEEE 2015
[5] J R Cheng R M Xu and X Y Tang ldquoAn Abnormal NetworkFlow Feature Sequence Prediction Approach for DDoS AttacksDetection in Big Data Environmentrdquo Computers Materials ampContinua vol 55 no 1 pp 95ndash119 2018
[6] N Hoque D K Bhattacharyya and J K Kalita ldquoBotnet inDDoS attacks trends and challengesrdquo IEEE CommunicationsSurveys amp Tutorials vol 17 no 4 pp 2242ndash2270 2015
[7] K Zeb O Baig and M K Asif ldquoDDoS attacks and counter-measures in cyberspacerdquo in Proceedings of the 2015 2nd WorldSymposium on Web Applications and Networking WSWAN rsquo15pp 1ndash6 IEEE 2015
[8] J Shen Z Gui S Ji J Shen H Tan and Y Tang ldquoCloud-aided lightweight certificateless authentication protocol withanonymity for wireless body area networksrdquo Journal of Networkand Computer Applications vol 106 pp 117ndash123 2018
[9] D Kreutz F M V Ramos P E Verissimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networking acomprehensive surveyrdquo Proceedings of the IEEE vol 103 no 1pp 14ndash76 2015
[10] Z Zhou M Dong K Ota G Wang and L T Yang ldquoEnergy-efficient resource allocation for d2d communications under-laying cloud-ran-based lte-a networksrdquo IEEE Internet of ThingsJournal vol 3 no 3 pp 428ndash438 2016
[11] W Lin S Xu L He and J Li ldquoMulti-resource scheduling andpower simulation for cloud computingrdquo Information Sciencesvol 397-398 pp 168ndash186 2017
[12] W Jiang G Wang M Z A Bhuiyan and J Wu ldquoUnderstand-ing graph-based trust evaluation in online social networksMethodologies and challengesrdquo ACM Computing Surveys vol49 no 1 2016
[13] E Luo Q Liu and G Wang ldquoHierarchical Multi-Authorityand Attribute-Based Encryption Friend Discovery Scheme inMobile Social Networksrdquo IEEE Communications Letters vol 20no 9 pp 1772ndash1775 2016
[14] S Peng A Yang L Cao S Yu and D Xie ldquoSocial influencemodeling using information theory in mobile social networksrdquoInformation Sciences vol 379 pp 146ndash159 2017
[15] T Peng Q Liu D Meng and G Wang ldquoCollaborative tra-jectory privacy preserving scheme in location-based servicesrdquoInformation Sciences vol 387 pp 165ndash179 2017
[16] S M T Nezhad M Nazari and E A Gharavol ldquoA Novel DoSand DDoS Attacks Detection Algorithm Using ARIMA TimeSeriesModel andChaotic System inComputerNetworksrdquo IEEECommunications Letters vol 20 no 4 pp 700ndash703 2016
18 Security and Communication Networks
[17] R H Meng S G Rice and J Wang ldquoA Fusion SteganographicAlgorithm Based on Faster R-CNNrdquo Computers Materials ampContinua vol 55 no 1 pp 1ndash16 2018
[18] L Sun Z LiQYanW Srisa-an andY Pan ldquoSigPID significantpermission identification for android malware detectionrdquo inProceedings of the 2016 11th International Conference on Mali-cious and Unwanted Software (MALWARE rsquo16) pp 1ndash8 FajardoPuerto Rico USA October 2016
[19] C Yuan X Li Q M J Wu et al ldquoFingerprint Liveness Detec-tion from Different Fingerprint Materials Using ConvolutionalNeural Network and Principal Component Analysisrdquo CMCComputers Materials amp Continua vol 53 no 3 pp 357ndash3712017
[20] M I Jordan and T M Mitchell ldquoMachine learning trendsperspectives and prospectsrdquo Science vol 349 no 6245 pp 255ndash260 2015
[21] Y Li G Wang L Nie Q Wang and W Tan ldquoDistancemetric optimization driven convolutional neural network forage invariant face recognitionrdquo Pattern Recognition vol 75 pp51ndash62 2018
[22] P Li J Li Z Huang et al ldquoMulti-key privacy-preserving deeplearning in cloud computingrdquo Future Generation ComputerSystems vol 74 pp 76ndash85 2017
[23] T Li J Li Z Liu P Li and C Jia ldquoDifferentially private NaiveBayes learning overmultiple data sourcesrdquo Information Sciencesvol 444 pp 89ndash104 2018
[24] Z Huang S Liu X Mao K Chen and J Li ldquoInsight of theprotection for data security under selective opening attacksrdquoInformation Sciences vol 412-413 pp 223ndash241 2017
[25] CGaoQ Cheng PHeW Susilo and J Li ldquoPrivacy-preservingNaive Bayes classifiers secure against the substitution-then-comparison attackrdquo Information Sciences vol 444 pp 72ndash882018
[26] A Saied R E Overill andT Radzik ldquoArtificial neural networksin the detection of known and unknown DDoS attacks proof-of-conceptrdquo in Proceedings of PAAMS 2014 International Work-shops (PAAMS rsquo14) Salamanca Spain 2014
[27] M H Bhuyan D K Bhattacharyya and J K Kalita ldquoAnempirical evaluation of information metrics for low-rate andhigh-rate DDoS attack detectionrdquo Pattern Recognition Lettersvol 51 pp 1ndash7 2015
[28] Z Y Tan A Jamdagni X He P Nanda and R P Liu ldquoA systemfor denial-of-service attackdetection based onmultivariate cor-relation analysisrdquo IEEE Transactions on Parallel and DistributedSystems vol 25 no 2 pp 447ndash456 2014
[29] S Yu W Zhou W Jia S Guo Y Xiang and F TangldquoDiscriminating DDoS attacks from flash crowds using flowcorrelation coefficientrdquo IEEE Transactions on Parallel and Dis-tributed Systems vol 23 no 6 pp 1073ndash1080 2012
[30] A Wang A Mohaisen W Chang and S Chen ldquoDelving intoInternet DDoS Attacks by Botnets Characterization and Anal-ysisrdquo in Proceedings of the 45th Annual IEEEIFIP InternationalConference on Dependable Systems and Networks DSN rsquo15 pp379ndash390 2015
[31] G D Kumar C V G Rao M K Singh and F Ahmad ldquoUsingJpcap API to monitor analyze and report network traffic forDDoS attacksrdquo in Proceedings of the 14th International Confer-ence on Computational Science and Its Applications ICCSA rsquo14vol 39 p 35 2014
[32] K J Singh KThongam and T De ldquoEntropy-based applicationlayer DDoS attack detection using artificial neural networksrdquoEntropy vol 18 no 10 2016
[33] A Rukavitsyn K Borisenko and A Shorov ldquoSelf-learningmethod for DDoS detection model in cloud computingrdquo inProceedings of the 2017 IEEE Russia Section Young Researchers inElectrical and Electronic Engineering Conference ElConRus rsquo17pp 544ndash547 2017
[34] H Zhang Z Cai Q Liu et al ldquoA Survey on Security-AwareMeasurement in SDNrdquo Security and Communication Networksvol 2018 Article ID 2459154 14 pages 2018
[35] J Ashraf and S Latif ldquoHandling intrusion and DDoS attacksin Software Defined Networks using machine learning tech-niquesrdquo inProceedings of the 2014National Software EngineeringConference NSEC rsquo14 pp 55ndash60 Karachi Pakistan 2014
[36] I Mihai-Gabriel and P Victor-Valeriu ldquoAchieving DDoSresiliency in a software defined network by intelligent riskassessment based on neural networks and danger theoryrdquoin Proceedings of the 15th IEEE International Symposium onComputational Intelligence and Informatics CINTI rsquo14 pp 319ndash324 Hungary 2014
[37] Q Yan Q Gong and F R Yu ldquoEffective software-definednetworking controller scheduling method to mitigate DDoSattacksrdquo IEEE Electronics Letters vol 53 no 7 pp 469ndash471 2017
[38] T Chin X Mountrouidou X Li and K Xiong ldquoSelectivepacket inspection to detectDoS flooding using software definednetworking (SDN)rdquo in Proceedings of the 2015 35th IEEEInternational Conference on Distributed Computing SystemsWorkshops ICDCSW rsquo15 pp 95ndash99 2015
[39] NDayal and S Srivastava ldquoAnalyzing behavior ofDDoS attacksto identify DDoS detection features in SDNrdquo in Proceedings ofthe 9th International Conference onCommunication Systems andNetworks COMSNETS rsquo17 pp 274ndash281 2017
[40] J Ye X Cheng J Zhu L Feng and L Song ldquoA DDoSAttack Detection Method Based on SVM in Software DefinedNetworkrdquo Security and Communication Networks vol 2018Article ID 9804061 8 pages 2018
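Table 3: Comparison results of four algorithms for amplifying the normal flow. Columns give the value of the random multiplier.

| Method | Metric | 10–15 | 15–20 | 20–25 | 25–30 | 30–35 | 35–40 | 40–45 | 45–50 | 50–55 |
|---|---|---|---|---|---|---|---|---|---|---|
| ADADM method | DR (%) | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 | 78.93 |
| ADADM method | FR (%) | 0.01 | 0.01 | 0.01 | 0.47 | 1.42 | 1.90 | 4.74 | 6.64 | 10.43 |
| ADADM method | ER (%) | 12.02 | 12.02 | 12.02 | 12.22 | 12.63 | 12.83 | 14.05 | 14.87 | 16.50 |
| SimpleMKL method | DR (%) | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 | 77.14 |
| SimpleMKL method | FR (%) | 0.01 | 0.01 | 0.47 | 1.42 | 4.27 | 6.64 | 10.90 | 17.06 | 21.80 |
| SimpleMKL method | ER (%) | 13.04 | 13.04 | 13.24 | 13.65 | 14.87 | 15.89 | 17.72 | 20.37 | 22.40 |
| SVM method | DR (%) | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 | 77.86 |
| SVM method | FR (%) | 0.01 | 0.01 | 0.95 | 1.42 | 3.79 | 8.06 | 11.85 | 18.01 | 22.75 |
| SVM method | ER (%) | 12.63 | 12.63 | 13.04 | 13.24 | 14.26 | 16.09 | 17.72 | 20.37 | 22.40 |
| Nezhad et al.’s [16] method | DR (%) | 97.49 | 97.13 | 97.13 | 97.13 | 96.77 | 96.77 | 96.77 | 96.77 | 96.77 |
| Nezhad et al.’s [16] method | FR (%) | 65.24 | 65.24 | 66.19 | 66.67 | 66.67 | 66.67 | 67.14 | 67.14 | 67.62 |
| Nezhad et al.’s [16] method | ER (%) | 29.47 | 29.67 | 30.08 | 30.28 | 30.49 | 30.49 | 30.69 | 30.69 | 30.90 |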
Figure 18: The FR contrast diagram of four algorithms for amplifying the normal flow. [Plot not reproduced. x-axis: the value of multiplier (10–15 to 50–55); y-axis: the value of FR (0 to 0.7); series: the FR values of ADADM, SimpleMKL, SVM, and Nezhad et al. [16].]
features and the ensemble learning framework, adaptive feature weights are obtained, and the M-SMKL and S-SMKL multiple-kernel learning models are trained to detect DDoS attacks. To identify early attacks effectively, the sliding window mechanism is used to coordinate the S-SMKL and the M-SMKL in processing the detection results. Experimental results show that, compared with similar methods, our method produces more accurate results for detecting early DDoS attacks.
In follow-up work, we will further study how to transform the multidimensional weight adaptive problem based on multiple-kernel learning into a convex optimization problem, and how to improve the detection rate and convergence speed of the method.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
There are no conflicts of interest in this paper.
Acknowledgments
This work was supported by the Hainan Provincial Natural Science Foundation of China [2018CXTD333, 617048], the National Natural Science Foundation of China [61762033, 61702539], Hainan University Doctor Start Fund Project [kyqd1328], and Hainan University Youth Fund Project [qnjj1444].
References
[1] Z. Cai, Z. Wang, K. Zheng, and J. Cao, “A Distributed TCAM coprocessor architecture for integrated longest prefix matching, policy filtering, and content filtering,” IEEE Transactions on Computers, vol. 62, no. 3, pp. 417–427, 2013.
[2] J. H. Cui, Y. Y. Zhang, Z. P. Cai et al., “Securing display path for security-sensitive applications on mobile devices,” Computer, Materials & Continua, vol. 55, no. 1, pp. 17–35, 2018.
[3] S. Liu, Z. Cai, H. Xu, and M. Xu, “Towards security-aware virtual network embedding,” Computer Networks, vol. 91, pp. 151–163, 2015.
[4] A. S. Pimpalkar and A. R. Bhagat Patil, “Detection and defense mechanisms against DDoS attacks,” in Proceedings of the International Conference on Innovations in Information, Embedded and Communication Systems, pp. 1–6, IEEE, 2015.
[5] J. R. Cheng, R. M. Xu, and X. Y. Tang, “An Abnormal Network Flow Feature Sequence Prediction Approach for DDoS Attacks Detection in Big Data Environment,” Computers, Materials & Continua, vol. 55, no. 1, pp. 95–119, 2018.
[6] N. Hoque, D. K. Bhattacharyya, and J. K. Kalita, “Botnet in DDoS attacks: trends and challenges,” IEEE Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2242–2270, 2015.
[7] K. Zeb, O. Baig, and M. K. Asif, “DDoS attacks and countermeasures in cyberspace,” in Proceedings of the 2015 2nd World Symposium on Web Applications and Networking, WSWAN ’15, pp. 1–6, IEEE, 2015.
[8] J. Shen, Z. Gui, S. Ji, J. Shen, H. Tan, and Y. Tang, “Cloud-aided lightweight certificateless authentication protocol with anonymity for wireless body area networks,” Journal of Network and Computer Applications, vol. 106, pp. 117–123, 2018.
[9] D. Kreutz, F. M. V. Ramos, P. E. Verissimo, C. E. Rothenberg, S. Azodolmolky, and S. Uhlig, “Software-defined networking: a comprehensive survey,” Proceedings of the IEEE, vol. 103, no. 1, pp. 14–76, 2015.
[10] Z. Zhou, M. Dong, K. Ota, G. Wang, and L. T. Yang, “Energy-efficient resource allocation for d2d communications underlaying cloud-ran-based lte-a networks,” IEEE Internet of Things Journal, vol. 3, no. 3, pp. 428–438, 2016.
[11] W. Lin, S. Xu, L. He, and J. Li, “Multi-resource scheduling and power simulation for cloud computing,” Information Sciences, vol. 397-398, pp. 168–186, 2017.
[12] W. Jiang, G. Wang, M. Z. A. Bhuiyan, and J. Wu, “Understanding graph-based trust evaluation in online social networks: Methodologies and challenges,” ACM Computing Surveys, vol. 49, no. 1, 2016.
[13] E. Luo, Q. Liu, and G. Wang, “Hierarchical Multi-Authority and Attribute-Based Encryption Friend Discovery Scheme in Mobile Social Networks,” IEEE Communications Letters, vol. 20, no. 9, pp. 1772–1775, 2016.
[14] S. Peng, A. Yang, L. Cao, S. Yu, and D. Xie, “Social influence modeling using information theory in mobile social networks,” Information Sciences, vol. 379, pp. 146–159, 2017.
[15] T. Peng, Q. Liu, D. Meng, and G. Wang, “Collaborative trajectory privacy preserving scheme in location-based services,” Information Sciences, vol. 387, pp. 165–179, 2017.
[16] S. M. T. Nezhad, M. Nazari, and E. A. Gharavol, “A Novel DoS and DDoS Attacks Detection Algorithm Using ARIMA Time Series Model and Chaotic System in Computer Networks,” IEEE Communications Letters, vol. 20, no. 4, pp. 700–703, 2016.
[17] R. H. Meng, S. G. Rice, and J. Wang, “A Fusion Steganographic Algorithm Based on Faster R-CNN,” Computers, Materials & Continua, vol. 55, no. 1, pp. 1–16, 2018.
[18] L. Sun, Z. Li, Q. Yan, W. Srisa-an, and Y. Pan, “SigPID: significant permission identification for android malware detection,” in Proceedings of the 2016 11th International Conference on Malicious and Unwanted Software (MALWARE ’16), pp. 1–8, Fajardo, Puerto Rico, USA, October 2016.
[19] C. Yuan, X. Li, Q. M. J. Wu et al., “Fingerprint Liveness Detection from Different Fingerprint Materials Using Convolutional Neural Network and Principal Component Analysis,” CMC: Computers, Materials & Continua, vol. 53, no. 3, pp. 357–371, 2017.
[20] M. I. Jordan and T. M. Mitchell, “Machine learning: trends, perspectives, and prospects,” Science, vol. 349, no. 6245, pp. 255–260, 2015.
[21] Y. Li, G. Wang, L. Nie, Q. Wang, and W. Tan, “Distance metric optimization driven convolutional neural network for age invariant face recognition,” Pattern Recognition, vol. 75, pp. 51–62, 2018.
[22] P. Li, J. Li, Z. Huang et al., “Multi-key privacy-preserving deep learning in cloud computing,” Future Generation Computer Systems, vol. 74, pp. 76–85, 2017.
[23] T. Li, J. Li, Z. Liu, P. Li, and C. Jia, “Differentially private Naive Bayes learning over multiple data sources,” Information Sciences, vol. 444, pp. 89–104, 2018.
[24] Z. Huang, S. Liu, X. Mao, K. Chen, and J. Li, “Insight of the protection for data security under selective opening attacks,” Information Sciences, vol. 412-413, pp. 223–241, 2017.
[25] C. Gao, Q. Cheng, P. He, W. Susilo, and J. Li, “Privacy-preserving Naive Bayes classifiers secure against the substitution-then-comparison attack,” Information Sciences, vol. 444, pp. 72–88, 2018.
[26] A. Saied, R. E. Overill, and T. Radzik, “Artificial neural networks in the detection of known and unknown DDoS attacks: proof-of-concept,” in Proceedings of PAAMS 2014 International Workshops (PAAMS ’14), Salamanca, Spain, 2014.
[27] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, “An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection,” Pattern Recognition Letters, vol. 51, pp. 1–7, 2015.
[28] Z. Y. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, “A system for denial-of-service attack detection based on multivariate correlation analysis,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 447–456, 2014.
[29] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, “Discriminating DDoS attacks from flash crowds using flow correlation coefficient,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 6, pp. 1073–1080, 2012.
[30] A. Wang, A. Mohaisen, W. Chang, and S. Chen, “Delving into Internet DDoS Attacks by Botnets: Characterization and Analysis,” in Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN ’15, pp. 379–390, 2015.
[31] G. D. Kumar, C. V. G. Rao, M. K. Singh, and F. Ahmad, “Using Jpcap API to monitor, analyze, and report network traffic for DDoS attacks,” in Proceedings of the 14th International Conference on Computational Science and Its Applications, ICCSA ’14, vol. 39, p. 35, 2014.
[32] K. J. Singh, K. Thongam, and T. De, “Entropy-based application layer DDoS attack detection using artificial neural networks,” Entropy, vol. 18, no. 10, 2016.
[33] A. Rukavitsyn, K. Borisenko, and A. Shorov, “Self-learning method for DDoS detection model in cloud computing,” in Proceedings of the 2017 IEEE Russia Section Young Researchers in Electrical and Electronic Engineering Conference, ElConRus ’17, pp. 544–547, 2017.
[34] H. Zhang, Z. Cai, Q. Liu et al., “A Survey on Security-Aware Measurement in SDN,” Security and Communication Networks, vol. 2018, Article ID 2459154, 14 pages, 2018.
[35] J. Ashraf and S. Latif, “Handling intrusion and DDoS attacks in Software Defined Networks using machine learning techniques,” in Proceedings of the 2014 National Software Engineering Conference, NSEC ’14, pp. 55–60, Karachi, Pakistan, 2014.
[36] I. Mihai-Gabriel and P. Victor-Valeriu, “Achieving DDoS resiliency in a software defined network by intelligent risk assessment based on neural networks and danger theory,” in Proceedings of the 15th IEEE International Symposium on Computational Intelligence and Informatics, CINTI ’14, pp. 319–324, Hungary, 2014.
[37] Q. Yan, Q. Gong, and F. R. Yu, “Effective software-defined networking controller scheduling method to mitigate DDoS attacks,” IEEE Electronics Letters, vol. 53, no. 7, pp. 469–471, 2017.
[38] T. Chin, X. Mountrouidou, X. Li, and K. Xiong, “Selective packet inspection to detect DoS flooding using software defined networking (SDN),” in Proceedings of the 2015 35th IEEE International Conference on Distributed Computing Systems Workshops, ICDCSW ’15, pp. 95–99, 2015.
[39] N. Dayal and S. Srivastava, “Analyzing behavior of DDoS attacks to identify DDoS detection features in SDN,” in Proceedings of the 9th International Conference on Communication Systems and Networks, COMSNETS ’17, pp. 274–281, 2017.
[40] J. Ye, X. Cheng, J. Zhu, L. Feng, and L. Song, “A DDoS Attack Detection Method Based on SVM in Software Defined Network,” Security and Communication Networks, vol. 2018, Article ID 9804061, 8 pages, 2018.
[41] J. Xu, L. Wei, Y. Zhang, A. Wang, F. Zhou, and C. Gao, “Dynamic Fully Homomorphic encryption-based Merkle Tree for lightweight streaming authenticated data structures,” Journal of Network and Computer Applications, vol. 107, pp. 113–124, 2018.
[42] X. Zhang, Y. Tan, C. Liang, Y. Li, and J. Li, “A Covert Channel Over VoLTE via Adjusting Silence Periods,” IEEE Access, vol. 6, pp. 9292–9302, 2018.
[43] Q. Lin, H. Yan, Z. Huang, W. Chen, J. Shen, and Y. Tang, “An ID-based linearly homomorphic signature scheme and its application in blockchain,” IEEE Access, vol. 6, no. 1, pp. 20632–20640, 2018.
[44] Q. Lin, J. Li, Z. Huang, W. Chen, and J. Shen, “A short linearly homomorphic proxy signature scheme,” IEEE Access, vol. 6, pp. 12966–12972, 2018.
[45] J. Cheng, X. Tang, and J. Yin, “A change-point DDoS attack detection method based on half interaction anomaly degree,” International Journal of Autonomous and Adaptive Communications Systems, vol. 10, no. 1, pp. 38–54, 2017.
[46] J. R. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, “DDoS Attack Detection Using IP Address Feature Interaction,” in Proceedings of the 2009 International Conference on Intelligent Networking and Collaborative Systems (INCOS ’09), pp. 113–118, 2009.
[47] J. Cheng, B. Zhang, J. Yin et al., “DDoS Attack Detection Using Three-State Partition Based on Flow Interaction,” Communications in Computer & Information Science, vol. 29, no. 4, pp. 176–184, 2009.
[48] J. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, “Detecting Distributed Denial of Service Attack Based on Multi-feature Fusion,” in Security Technology, vol. 58, pp. 132–139, 2009.
[49] J. R. Cheng, X. Tang, X. Zhu, and J. Yin, “Distributed denial of service attack detection based on IP Flow Interaction,” in Proceedings of the 2011 International Conference on E-Business and E-Government (ICEE ’11), pp. 1–4, 2011.
[50] J. Cheng, J. Yin, and L. Yun, “Detecting Distributed Denial of Service Attack Based on Address Correlation Value,” Journal of Computer Research & Development, vol. 46, no. 8, pp. 1334–1340, 2009.
[51] J. Cheng, J. Zhou, X. Tang, and J. Shi, “A distributed denial of service attack detection method based on time series prediction model,” Network Security Technology and Application, vol. 10, pp. 71–89, 2016.
[52] A. Rakotomamonjy, F. R. Bach, S. Canu, and Y. Grandvalet, “Simple MKL,” Journal of Machine Learning Research, vol. 9, no. 3, pp. 2491–2521, 2008.
[53] The Cooperative Association for Internet Data Analysis, The Caida Ucsd DDoS Attack 2007, http://www.caida.org/data/passive/ddos-20070804_dataset.xml.
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
Security and Communication Networks 17
0
01
02
03
04
05
06
07
The v
alue
of F
R
The FR value of ADADMThe FR value of SimpleMKLThe FR value of SVMThe FR value of Nezhad et al [16]
The value of multiplier10-15 50-5545-5040-4535-4030-3525-3020-2515-20
Figure 18 The FR contrast diagram of four algorithms for amplify-ing the normal flow
features and the ensemble learning framework adaptivefeature weights are obtained and the M-SMKL and S-SMKLmultiple-kernel learning models are trained to detect DDoSattack For identifying early attacks effectively the slidingwindow mechanism is used to coordinate the S-SMKL andtheM-SMKL to deal with the detection results Experimentalresults show that compared with similar methods ourmethod can produce more accurate results for detectingearly DDoS attack
In the follow-up work we will further study how totransform the multidimensional weight adaptive problembased onmultiple-kernel learning into a convex optimizationproblem and improve the detection rate and convergencespeed of the method
Data Availability
The data used to support the findings of this study areavailable from the corresponding author upon request
Conflicts of Interest
There are no conflicts of interest in this paper
Acknowledgments
This work was supported by the Hainan Provincial NaturalScience Foundation of China [2018CXTD333 617048] theNational Natural Science Foundation of China [6176203361702539] Hainan University Doctor Start Fund Project[kyqd1328] and Hainan University Youth Fund Project[qnjj1444]
References
[1] Z Cai Z Wang K Zheng and J Cao ldquoA Distributed TCAMcoprocessor architecture for integrated longest prefixmatchingpolicy filtering and content filteringrdquo IEEE Transactions onComputers vol 62 no 3 pp 417ndash427 2013
[2] J H Cui Y Y Zhang Z P Cai et al ldquoSecuring display path forsecurity-sensitive applications on mobile devicesrdquo ComputerMaterials amp Continua vol 55 no 1 pp 17ndash35 2018
[3] S Liu ZCaiHXu andMXu ldquoTowards security-aware virtualnetwork embeddingrdquo Computer Networks vol 91 pp 151ndash1632015
[4] A S Pimpalkar and A R Bhagat Patil ldquoDetection and defensemechanisms against DDoS attacksrdquo in Proceedings of the Inter-national Conference on Innovations in Information Embeddedand Communication Systems pp 1ndash6 IEEE 2015
[5] J R Cheng R M Xu and X Y Tang ldquoAn Abnormal NetworkFlow Feature Sequence Prediction Approach for DDoS AttacksDetection in Big Data Environmentrdquo Computers Materials ampContinua vol 55 no 1 pp 95ndash119 2018
[6] N Hoque D K Bhattacharyya and J K Kalita ldquoBotnet inDDoS attacks trends and challengesrdquo IEEE CommunicationsSurveys amp Tutorials vol 17 no 4 pp 2242ndash2270 2015
[7] K Zeb O Baig and M K Asif ldquoDDoS attacks and counter-measures in cyberspacerdquo in Proceedings of the 2015 2nd WorldSymposium on Web Applications and Networking WSWAN rsquo15pp 1ndash6 IEEE 2015
[8] J Shen Z Gui S Ji J Shen H Tan and Y Tang ldquoCloud-aided lightweight certificateless authentication protocol withanonymity for wireless body area networksrdquo Journal of Networkand Computer Applications vol 106 pp 117ndash123 2018
[9] D Kreutz F M V Ramos P E Verissimo C E RothenbergS Azodolmolky and S Uhlig ldquoSoftware-defined networking acomprehensive surveyrdquo Proceedings of the IEEE vol 103 no 1pp 14ndash76 2015
[10] Z Zhou M Dong K Ota G Wang and L T Yang ldquoEnergy-efficient resource allocation for d2d communications under-laying cloud-ran-based lte-a networksrdquo IEEE Internet of ThingsJournal vol 3 no 3 pp 428ndash438 2016
[11] W Lin S Xu L He and J Li ldquoMulti-resource scheduling andpower simulation for cloud computingrdquo Information Sciencesvol 397-398 pp 168ndash186 2017
[12] W Jiang G Wang M Z A Bhuiyan and J Wu ldquoUnderstand-ing graph-based trust evaluation in online social networksMethodologies and challengesrdquo ACM Computing Surveys vol49 no 1 2016
[13] E Luo Q Liu and G Wang ldquoHierarchical Multi-Authorityand Attribute-Based Encryption Friend Discovery Scheme inMobile Social Networksrdquo IEEE Communications Letters vol 20no 9 pp 1772ndash1775 2016
[14] S Peng A Yang L Cao S Yu and D Xie ldquoSocial influencemodeling using information theory in mobile social networksrdquoInformation Sciences vol 379 pp 146ndash159 2017
[15] T Peng Q Liu D Meng and G Wang ldquoCollaborative tra-jectory privacy preserving scheme in location-based servicesrdquoInformation Sciences vol 387 pp 165ndash179 2017
[16] S M T Nezhad M Nazari and E A Gharavol ldquoA Novel DoSand DDoS Attacks Detection Algorithm Using ARIMA TimeSeriesModel andChaotic System inComputerNetworksrdquo IEEECommunications Letters vol 20 no 4 pp 700ndash703 2016
18 Security and Communication Networks
[17] R H Meng S G Rice and J Wang ldquoA Fusion SteganographicAlgorithm Based on Faster R-CNNrdquo Computers Materials ampContinua vol 55 no 1 pp 1ndash16 2018
[18] L Sun Z LiQYanW Srisa-an andY Pan ldquoSigPID significantpermission identification for android malware detectionrdquo inProceedings of the 2016 11th International Conference on Mali-cious and Unwanted Software (MALWARE rsquo16) pp 1ndash8 FajardoPuerto Rico USA October 2016
[19] C Yuan X Li Q M J Wu et al ldquoFingerprint Liveness Detec-tion from Different Fingerprint Materials Using ConvolutionalNeural Network and Principal Component Analysisrdquo CMCComputers Materials amp Continua vol 53 no 3 pp 357ndash3712017
[20] M I Jordan and T M Mitchell ldquoMachine learning trendsperspectives and prospectsrdquo Science vol 349 no 6245 pp 255ndash260 2015
[21] Y Li G Wang L Nie Q Wang and W Tan ldquoDistancemetric optimization driven convolutional neural network forage invariant face recognitionrdquo Pattern Recognition vol 75 pp51ndash62 2018
[22] P Li J Li Z Huang et al ldquoMulti-key privacy-preserving deeplearning in cloud computingrdquo Future Generation ComputerSystems vol 74 pp 76ndash85 2017
[23] T Li J Li Z Liu P Li and C Jia ldquoDifferentially private NaiveBayes learning overmultiple data sourcesrdquo Information Sciencesvol 444 pp 89ndash104 2018
[24] Z Huang S Liu X Mao K Chen and J Li ldquoInsight of theprotection for data security under selective opening attacksrdquoInformation Sciences vol 412-413 pp 223ndash241 2017
[25] CGaoQ Cheng PHeW Susilo and J Li ldquoPrivacy-preservingNaive Bayes classifiers secure against the substitution-then-comparison attackrdquo Information Sciences vol 444 pp 72ndash882018
[26] A Saied R E Overill andT Radzik ldquoArtificial neural networksin the detection of known and unknown DDoS attacks proof-of-conceptrdquo in Proceedings of PAAMS 2014 International Work-shops (PAAMS rsquo14) Salamanca Spain 2014
[27] M H Bhuyan D K Bhattacharyya and J K Kalita ldquoAnempirical evaluation of information metrics for low-rate andhigh-rate DDoS attack detectionrdquo Pattern Recognition Lettersvol 51 pp 1ndash7 2015
[28] Z Y Tan A Jamdagni X He P Nanda and R P Liu ldquoA systemfor denial-of-service attackdetection based onmultivariate cor-relation analysisrdquo IEEE Transactions on Parallel and DistributedSystems vol 25 no 2 pp 447ndash456 2014
[29] S Yu W Zhou W Jia S Guo Y Xiang and F TangldquoDiscriminating DDoS attacks from flash crowds using flowcorrelation coefficientrdquo IEEE Transactions on Parallel and Dis-tributed Systems vol 23 no 6 pp 1073ndash1080 2012
[30] A Wang A Mohaisen W Chang and S Chen ldquoDelving intoInternet DDoS Attacks by Botnets Characterization and Anal-ysisrdquo in Proceedings of the 45th Annual IEEEIFIP InternationalConference on Dependable Systems and Networks DSN rsquo15 pp379ndash390 2015
[31] G D Kumar C V G Rao M K Singh and F Ahmad ldquoUsingJpcap API to monitor analyze and report network traffic forDDoS attacksrdquo in Proceedings of the 14th International Confer-ence on Computational Science and Its Applications ICCSA rsquo14vol 39 p 35 2014
[32] K J Singh KThongam and T De ldquoEntropy-based applicationlayer DDoS attack detection using artificial neural networksrdquoEntropy vol 18 no 10 2016
[33] A Rukavitsyn K Borisenko and A Shorov ldquoSelf-learningmethod for DDoS detection model in cloud computingrdquo inProceedings of the 2017 IEEE Russia Section Young Researchers inElectrical and Electronic Engineering Conference ElConRus rsquo17pp 544ndash547 2017
[34] H Zhang Z Cai Q Liu et al ldquoA Survey on Security-AwareMeasurement in SDNrdquo Security and Communication Networksvol 2018 Article ID 2459154 14 pages 2018
[35] J Ashraf and S Latif ldquoHandling intrusion and DDoS attacksin Software Defined Networks using machine learning tech-niquesrdquo inProceedings of the 2014National Software EngineeringConference NSEC rsquo14 pp 55ndash60 Karachi Pakistan 2014
[36] I Mihai-Gabriel and P Victor-Valeriu ldquoAchieving DDoSresiliency in a software defined network by intelligent riskassessment based on neural networks and danger theoryrdquoin Proceedings of the 15th IEEE International Symposium onComputational Intelligence and Informatics CINTI rsquo14 pp 319ndash324 Hungary 2014
[37] Q Yan Q Gong and F R Yu ldquoEffective software-definednetworking controller scheduling method to mitigate DDoSattacksrdquo IEEE Electronics Letters vol 53 no 7 pp 469ndash471 2017
[38] T Chin X Mountrouidou X Li and K Xiong ldquoSelectivepacket inspection to detectDoS flooding using software definednetworking (SDN)rdquo in Proceedings of the 2015 35th IEEEInternational Conference on Distributed Computing SystemsWorkshops ICDCSW rsquo15 pp 95ndash99 2015
[39] NDayal and S Srivastava ldquoAnalyzing behavior ofDDoS attacksto identify DDoS detection features in SDNrdquo in Proceedings ofthe 9th International Conference onCommunication Systems andNetworks COMSNETS rsquo17 pp 274ndash281 2017
[40] J Ye X Cheng J Zhu L Feng and L Song ldquoA DDoSAttack Detection Method Based on SVM in Software DefinedNetworkrdquo Security and Communication Networks vol 2018Article ID 9804061 8 pages 2018
[41] J Xu L Wei Y Zhang A Wang F Zhou and C GaoldquoDynamic Fully Homomorphic encryption-based Merkle Treefor lightweight streaming authenticated data structuresrdquo Jour-nal of Network and Computer Applications vol 107 pp 113ndash1242018
[42] X Zhang Y Tan C Liang Y Li and J Li ldquoA Covert ChannelOver VoLTE via Adjusting Silence Periodsrdquo IEEE Access vol 6pp 9292ndash9302 2018
[43] Q Lin H Yan Z Huang W Chen J Shen and Y TangldquoAn ID-based linearly homomorphic signature scheme and itsapplication in blockchainrdquo IEEE Access vol 6 no 1 pp 20632ndash20640 2018
[44] Q Lin J Li Z Huang W Chen and J Shen ldquoA short linearlyhomomorphic proxy signature schemerdquo IEEE Access vol 6 pp12966ndash12972 2018
[45] J Cheng X Tang and J Yin ldquoA change-point DDoS attackdetection method based on half interaction anomaly degreerdquoInternational Journal of Autonomous and Adaptive Communi-cations Systems vol 10 no 1 pp 38ndash54 2017
[46] J R Cheng J Yin Y Liu Z Cai and C Wu ldquoDDoS AttackDetectionUsing IP Address Feature Interactionrdquo in Proceedingsof the 2009 International Conference on Intelligent Networkingand Collaborative Systems (INCOS rsquo09) pp 113ndash118 2009
[47] J Cheng B Zhang J Yin et al ldquoDDoS Attack Detection UsingThree-State Partition Based on Flow Interactionrdquo Communica-tions in Computer amp Information Science vol 29 no 4 pp 176ndash184 2009
Security and Communication Networks 19
[48] J Cheng J Yin Y Liu Z Cai and C Wu ldquoDetectingDistributed Denial of Service Attack Based on Multi-featureFusionrdquo in Security Technology vol 58 pp 132ndash139 2009
[49] J R Cheng X Tang X Zhu and J Yin ldquoDistributed denialof service attack detection based on IP Flow Interactionrdquo inProceedings of the 2011 International Conference on E-Businessand E-Government (ICEE rsquo11) pp 1ndash4 2011
[50] J Cheng J Yin and L Yun ldquoDetecting Distributed Denial ofService Attack Based on Address Correlation Valuerdquo Journal ofComputer ResearchampDevelopment vol 46 no 8 pp 1334ndash13402009
[51] J Cheng J Zhou X Tang and J Shi ldquoA distributed denial ofservice attack detectionmethod based on time series predictionmodelrdquo Network Security Technology and Application vol 10pp 71ndash89 2016
[52] A Rakotomamonjy F R Bach S Canu and Y GrandvaletldquoSimple MKLrdquo Journal of Machine Learning Research vol 9 no3 pp 2491ndash2521 2008
[53] The Cooperative Association for Internet Data Analysis TheCaida Ucsd DDoS Attack 2007 httpwwwcaidaorgdatapassiveddos-20070804 datasetxml
International Journal of
AerospaceEngineeringHindawiwwwhindawicom Volume 2018
RoboticsJournal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Active and Passive Electronic Components
VLSI Design
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Shock and Vibration
Hindawiwwwhindawicom Volume 2018
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawiwwwhindawicom
Volume 2018
Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom
The Scientific World Journal
Volume 2018
Control Scienceand Engineering
Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom
Journal ofEngineeringVolume 2018
SensorsJournal of
Hindawiwwwhindawicom Volume 2018
International Journal of
RotatingMachinery
Hindawiwwwhindawicom Volume 2018
Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawiwwwhindawicom Volume 2018
Hindawiwwwhindawicom Volume 2018
Navigation and Observation
International Journal of
Hindawi
wwwhindawicom Volume 2018
Advances in
Multimedia
Submit your manuscripts atwwwhindawicom
18 Security and Communication Networks
[17] R. H. Meng, S. G. Rice, and J. Wang, "A Fusion Steganographic Algorithm Based on Faster R-CNN," Computers, Materials & Continua, vol. 55, no. 1, pp. 1–16, 2018.
[18] L. Sun, Z. Li, Q. Yan, W. Srisa-an, and Y. Pan, "SigPID: significant permission identification for android malware detection," in Proceedings of the 2016 11th International Conference on Malicious and Unwanted Software (MALWARE ’16), pp. 1–8, Fajardo, Puerto Rico, USA, October 2016.
[19] C. Yuan, X. Li, Q. M. J. Wu, et al., "Fingerprint Liveness Detection from Different Fingerprint Materials Using Convolutional Neural Network and Principal Component Analysis," CMC: Computers, Materials & Continua, vol. 53, no. 3, pp. 357–371, 2017.
[20] M. I. Jordan and T. M. Mitchell, "Machine learning: trends, perspectives, and prospects," Science, vol. 349, no. 6245, pp. 255–260, 2015.
[21] Y. Li, G. Wang, L. Nie, Q. Wang, and W. Tan, "Distance metric optimization driven convolutional neural network for age invariant face recognition," Pattern Recognition, vol. 75, pp. 51–62, 2018.
[22] P. Li, J. Li, Z. Huang, et al., "Multi-key privacy-preserving deep learning in cloud computing," Future Generation Computer Systems, vol. 74, pp. 76–85, 2017.
[23] T. Li, J. Li, Z. Liu, P. Li, and C. Jia, "Differentially private Naive Bayes learning over multiple data sources," Information Sciences, vol. 444, pp. 89–104, 2018.
[24] Z. Huang, S. Liu, X. Mao, K. Chen, and J. Li, "Insight of the protection for data security under selective opening attacks," Information Sciences, vol. 412-413, pp. 223–241, 2017.
[25] C. Gao, Q. Cheng, P. He, W. Susilo, and J. Li, "Privacy-preserving Naive Bayes classifiers secure against the substitution-then-comparison attack," Information Sciences, vol. 444, pp. 72–88, 2018.
[26] A. Saied, R. E. Overill, and T. Radzik, "Artificial neural networks in the detection of known and unknown DDoS attacks: proof-of-concept," in Proceedings of PAAMS 2014 International Workshops (PAAMS ’14), Salamanca, Spain, 2014.
[27] M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, "An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection," Pattern Recognition Letters, vol. 51, pp. 1–7, 2015.
[28] Z. Y. Tan, A. Jamdagni, X. He, P. Nanda, and R. P. Liu, "A system for denial-of-service attack detection based on multivariate correlation analysis," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 447–456, 2014.
[29] S. Yu, W. Zhou, W. Jia, S. Guo, Y. Xiang, and F. Tang, "Discriminating DDoS attacks from flash crowds using flow correlation coefficient," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 6, pp. 1073–1080, 2012.
[30] A. Wang, A. Mohaisen, W. Chang, and S. Chen, "Delving into Internet DDoS Attacks by Botnets: Characterization and Analysis," in Proceedings of the 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN ’15, pp. 379–390, 2015.
[31] G. D. Kumar, C. V. G. Rao, M. K. Singh, and F. Ahmad, "Using Jpcap API to monitor, analyze, and report network traffic for DDoS attacks," in Proceedings of the 14th International Conference on Computational Science and Its Applications, ICCSA ’14, vol. 39, p. 35, 2014.
[32] K. J. Singh, K. Thongam, and T. De, "Entropy-based application layer DDoS attack detection using artificial neural networks," Entropy, vol. 18, no. 10, 2016.
[33] A. Rukavitsyn, K. Borisenko, and A. Shorov, "Self-learning method for DDoS detection model in cloud computing," in Proceedings of the 2017 IEEE Russia Section Young Researchers in Electrical and Electronic Engineering Conference, ElConRus ’17, pp. 544–547, 2017.
[34] H. Zhang, Z. Cai, Q. Liu, et al., "A Survey on Security-Aware Measurement in SDN," Security and Communication Networks, vol. 2018, Article ID 2459154, 14 pages, 2018.
[35] J. Ashraf and S. Latif, "Handling intrusion and DDoS attacks in Software Defined Networks using machine learning techniques," in Proceedings of the 2014 National Software Engineering Conference, NSEC ’14, pp. 55–60, Karachi, Pakistan, 2014.
[36] I. Mihai-Gabriel and P. Victor-Valeriu, "Achieving DDoS resiliency in a software defined network by intelligent risk assessment based on neural networks and danger theory," in Proceedings of the 15th IEEE International Symposium on Computational Intelligence and Informatics, CINTI ’14, pp. 319–324, Hungary, 2014.
[37] Q. Yan, Q. Gong, and F. R. Yu, "Effective software-defined networking controller scheduling method to mitigate DDoS attacks," IEEE Electronics Letters, vol. 53, no. 7, pp. 469–471, 2017.
[38] T. Chin, X. Mountrouidou, X. Li, and K. Xiong, "Selective packet inspection to detect DoS flooding using software defined networking (SDN)," in Proceedings of the 2015 35th IEEE International Conference on Distributed Computing Systems Workshops, ICDCSW ’15, pp. 95–99, 2015.
[39] N. Dayal and S. Srivastava, "Analyzing behavior of DDoS attacks to identify DDoS detection features in SDN," in Proceedings of the 9th International Conference on Communication Systems and Networks, COMSNETS ’17, pp. 274–281, 2017.
[40] J. Ye, X. Cheng, J. Zhu, L. Feng, and L. Song, "A DDoS Attack Detection Method Based on SVM in Software Defined Network," Security and Communication Networks, vol. 2018, Article ID 9804061, 8 pages, 2018.
[41] J. Xu, L. Wei, Y. Zhang, A. Wang, F. Zhou, and C. Gao, "Dynamic Fully Homomorphic encryption-based Merkle Tree for lightweight streaming authenticated data structures," Journal of Network and Computer Applications, vol. 107, pp. 113–124, 2018.
[42] X. Zhang, Y. Tan, C. Liang, Y. Li, and J. Li, "A Covert Channel Over VoLTE via Adjusting Silence Periods," IEEE Access, vol. 6, pp. 9292–9302, 2018.
[43] Q. Lin, H. Yan, Z. Huang, W. Chen, J. Shen, and Y. Tang, "An ID-based linearly homomorphic signature scheme and its application in blockchain," IEEE Access, vol. 6, no. 1, pp. 20632–20640, 2018.
[44] Q. Lin, J. Li, Z. Huang, W. Chen, and J. Shen, "A short linearly homomorphic proxy signature scheme," IEEE Access, vol. 6, pp. 12966–12972, 2018.
[45] J. Cheng, X. Tang, and J. Yin, "A change-point DDoS attack detection method based on half interaction anomaly degree," International Journal of Autonomous and Adaptive Communications Systems, vol. 10, no. 1, pp. 38–54, 2017.
[46] J. R. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, "DDoS Attack Detection Using IP Address Feature Interaction," in Proceedings of the 2009 International Conference on Intelligent Networking and Collaborative Systems (INCOS ’09), pp. 113–118, 2009.
[47] J. Cheng, B. Zhang, J. Yin, et al., "DDoS Attack Detection Using Three-State Partition Based on Flow Interaction," Communications in Computer & Information Science, vol. 29, no. 4, pp. 176–184, 2009.
[48] J. Cheng, J. Yin, Y. Liu, Z. Cai, and C. Wu, "Detecting Distributed Denial of Service Attack Based on Multi-feature Fusion," in Security Technology, vol. 58, pp. 132–139, 2009.
[49] J. R. Cheng, X. Tang, X. Zhu, and J. Yin, "Distributed denial of service attack detection based on IP Flow Interaction," in Proceedings of the 2011 International Conference on E-Business and E-Government (ICEE ’11), pp. 1–4, 2011.
[50] J. Cheng, J. Yin, and L. Yun, "Detecting Distributed Denial of Service Attack Based on Address Correlation Value," Journal of Computer Research & Development, vol. 46, no. 8, pp. 1334–1340, 2009.
[51] J. Cheng, J. Zhou, X. Tang, and J. Shi, "A distributed denial of service attack detection method based on time series prediction model," Network Security Technology and Application, vol. 10, pp. 71–89, 2016.
[52] A. Rakotomamonjy, F. R. Bach, S. Canu, and Y. Grandvalet, "Simple MKL," Journal of Machine Learning Research, vol. 9, no. 3, pp. 2491–2521, 2008.
[53] The Cooperative Association for Internet Data Analysis, The Caida Ucsd DDoS Attack 2007, http://www.caida.org/data/passive/ddos-20070804_dataset.xml.