Feasibility Evaluation of Compact Flow Features for Real-time DDoS Attacks Classifications

Abstract

According to the research trend, training the distributed denial of services (DDoS) attacks classifier using network flow features will yield higher classification performances and efficiency than the per-packet-based approach. Nonetheless, the existing flow-based classifier uses bloated features and offline flow extraction that is not suitable for real-time DDoS protection. This study investigates the feasibility of compact flow features that can be directly extracted using a programmable switch for real-time DDoS attack classification. The proposed method considers only four flow features: IP protocols, packet counter, total byte counter, and the delta time of a network flow. The evaluation results on the CICDDoS2019 dataset showed a comparable classification performance to the works that use bloated features (24 - 82 features). The best result was achieved by the decision tree and the random forest classifier showing ≥ 89.5% scores in accuracy, precision, recall, and F1 score. The proposed models can classify 10 out of 12 DDoS attacks correctly, failing only to discriminate between SSDP and UDP-based DDoS attacks. In addition, the trained classifier shows a better generalization ability by retaining similar performances on unseen 42.8 millions flow data while trained on ≤ 200 thousand flow data. At last, the proposed method is suitable for real-time application since it supports quick classification performance of up to 9.6 millions of flow inferring per second on the Decision Tree classifier.