International Journal of Electrical and Computer Engineering (IJECE)
Vol. 15, No. 1, February 2025, pp. 817~826
ISSN: 2088-8708, DOI: 10.11591/ijece.v15i1.pp817-826
Journal homepage: http://ijece.iaescore.com

Flooding distributed denial of service detection in software-defined networking using k-means and naïve Bayes

Hicham Yzzogh, Hafssa Benaboud
Intelligent Processing and Security of Systems, Faculty of Sciences, Mohammed V University in Rabat, Rabat, Morocco

Article Info

Article history:
Received May 25, 2024
Revised Sep 6, 2024
Accepted Oct 1, 2024

Keywords:
Flooding distributed denial of service attacks
K-means
Naïve Bayes
SDN datasets
Software-defined networking

ABSTRACT

Software-defined networking (SDN) is a network architecture that enables the separation of the control plane and data plane, facilitating centralized management of the network. While centralized control offers numerous benefits, it also comes with certain drawbacks. Flooding distributed denial of service (DDoS) attacks pose a significant threat in SDN environments. These attacks involve overwhelming a target system with a large volume of packets, aiming to disrupt its functionality. In this paper, we propose a new approach for detecting DDoS attacks based on multiple k-means models and the naïve Bayes algorithm. Our methodology involves training multiple k-means models to cluster each data point within every column of the dataset, where each column represents a feature. This process results in a new dataset with the same shape, containing only clusters, except the column containing the target variable (labels). These clusters are then used as input by naïve Bayes to perform binary classification. We assessed our approach using the InSDN and CIC-DDoS2017 datasets. The results underscore the impressive accuracy of our model, achieving 99.9839% on the InSDN dataset and 99.7030% on the CIC-DDoS2017 dataset. This performance was achieved by optimizing the desired number of clusters.

This is an open access article under the CC BY-SA license.

Corresponding Author:
Hicham Yzzogh
Intelligent Processing and Security of Systems, Faculty of Sciences, Mohammed V University in Rabat
Avenue Ibn Battouta B.P. 1014 RP, Rabat, Morocco
Email: Hicham_yzzogh@um5.ac.ma

1. INTRODUCTION

Software-defined networking (SDN) offers significant advantages for modern network infrastructure, including centralized control and programmability that enhance resource management and optimization. This centralized approach enables dynamic network configuration, simplifying management, boosting scalability, and increasing agility. Additionally, SDN facilitates automation and orchestration, reducing manual tasks such as provisioning and troubleshooting, which leads to improved deployment times and operational efficiency. Its programmable nature fosters innovation, supporting the development of novel network services and applications. Consequently, SDN’s capabilities in centralized control, programmability, automation, and innovation establish it as a powerful paradigm that surpasses traditional network architectures in many aspects.

However, SDN is not immune to cybersecurity threats, with flooding distributed denial of service (DDoS) attacks being among the most critical challenges [1]. In SDN environments, the network architecture typically relies on OpenFlow switches for packet forwarding and management [2]. Attackers exploit vulnerabilities in this architecture to launch flooding DDoS attacks, overwhelming the system with illegitimate traffic [3]. These attacks target the network’s reliance on OpenFlow switches and controllers by sending a high volume of packets that do not match existing flow table entries. As a result, these packets are encapsulated into packet-in messages and forwarded to the controller. This excessive traffic can overwhelm the controller’s bandwidth, memory, and central processing unit (CPU) resources, causing it to become unresponsive and disrupting network operations for legitimate users. Additionally, switches can experience memory exhaustion from the malicious traffic, impairing their ability to process legitimate traffic effectively.

Machine learning (ML) techniques offer a promising solution for enhancing DDoS defenses in SDN environments. Supervised learning methods, such as support vector machines (SVM), naïve Bayes (NB), and neural networks (NNs), leverage labeled datasets to distinguish between normal network behavior and DDoS patterns. These methods analyze features like packet headers and traffic volume to detect deviations from expected norms. Unsupervised learning approaches, such as clustering algorithms, can identify anomalies without pre-labeled data by analyzing deviations in data structures, thereby adapting to evolving attack strategies. Ensemble learning [4] further improves detection accuracy by combining multiple models, enhancing the effectiveness of ML-based DDoS detection systems.

In this paper, we introduce a novel approach that integrates k-means clustering with naïve Bayes classification for DDoS attack detection in SDN environments. By applying clustering at each feature level prior to classification, our method enhances detection accuracy. We first utilize multiple k-means models to cluster network traffic, followed by classification using naïve Bayes. Experimental results with the InSDN dataset [5] demonstrate that our approach outperforms both the naïve Bayes model and existing methods. Further evaluation using the CICIDS2017 dataset [6], [7] confirms its robustness and potential applicability beyond SDN environments.

While various methods have been proposed for DDoS detection in SDN environments, none utilize clustering at each feature level before classification. For instance, the network detection and prevention agent (NDPA) algorithm [8] dynamically regulates traffic flow to mitigate DDoS attacks while maintaining quality of service (QoS) standards. Arivudainambi et al. [9] combine convolutional neural networks (CNNs) with the lion optimization algorithm (LOA), achieving 98.2% accuracy on the NSL-KDD dataset [10]. Another method in [11] introduces a two-tier security framework with a C4.5 decision tree to enhance early DDoS attack detection. Additionally, the proposed method in [12] achieved 95.24% accuracy using SVM by extracting six-tuple characteristic values from switch flow tables. The one proposed in [13] explores an automated DDoS attack detection system integrating P4 programmable capabilities with various machine learning algorithms, including k-nearest neighbors (K-NN), random forest (RF), SVM, and artificial neural networks (ANNs). The study [14] investigates the effectiveness of different machine learning classifiers for transmission control protocol-synchronized (TCP SYN) flood DDoS attacks on SDN controllers, finding all classifiers to be highly effective. Similarly, the study [15] evaluates J48, RF, SVM, and K-NN for internet control message protocol (ICMP) and TCP flood detection, with J48 outperforming the other algorithms. Moreover, Kasim [16] introduces a hybrid deep learning model combining CNN and long short-term memory (LSTM) cells for DNS flood attacks, achieving 99.87% accuracy on the CICIDS2017 dataset. Finally, the study [17] proposes a preemptive security model using logistic regression, decision tree (DT), and K-NN algorithms to detect DDoS attacks before they occur, enhancing detection performance.

Our approach incorporates feature-level clustering, enabling a more detailed and accurate analysis of network traffic. This method provides a more effective solution for managing DDoS threats in SDN environments and enhances detection accuracy.

The paper is structured as follows. In section 2, we present our approach to detecting flooding DDoS attacks and describe the experimental datasets. The results of the proposed model and their discussion are presented in section 3. Finally, we conclude the paper and discuss future work in section 4.

2. EXPERIMENTS AND METHOD

In this section, we present a detailed overview of our experimental setup, which includes descriptions of the datasets used, the features selected, and our proposed approach. Furthermore, we outline the evaluation process and metrics used to assess the model’s performance. The experiments were conducted on a machine equipped with an Intel® Core™ i7-6820HQ CPU running at 2.70 GHz and 32 GB of RAM, using the Windows 10 operating system.

2.1. Experiment datasets

We utilized the InSDN dataset, specifically tailored for SDN attack analysis, to evaluate our model. This dataset stands out as one of the earliest and most comprehensive collections of attack scenarios devised for SDN environments. Employing an SDN-specific dataset is critical for accurately assessing SDN attack detection methods, as generic datasets may not fully capture the distinct architecture and attack vectors inherent to SDN networks. The InSDN dataset encompasses various flooding DDoS attacks, such as TCP-SYN flood, user datagram protocol (UDP) flood, and internet control message protocol (ICMP) flood attacks, executed using the Hping3 tool, widely recognized as one of the most prevalent tools for conducting DDoS attacks.

To form our experimental InSDN dataset, we combined the normal and ovarian vein syndrome (OVS) datasets in CSV format, resulting in a comprehensive collection of network activities. Our experimental InSDN dataset contains seven classes: normal, brute force attacks (BFAs), botnet attacks, denial-of-service (DoS), DDoS, probes, and web attacks. Our objective is to classify the traffic as either DDoS attack or not, so we labeled all classes other than DDoS as ‘Others’. As a result, our experimental dataset will contain only two classes: others and DDoS with the distribution of instances depicted in Figure 1. Furthermore, we excluded ‘Src IP’, ‘Src Port’, ‘Dst IP’, and ‘Dst Port’ to mitigate the risk of overfitting the model, conducting our experimentation using the dataset identified as InSDN_DDoS_Exp [18].

To further evaluate our model, we utilized the CIC-DDoS2017 dataset. This dataset contains “−−−._.”, a CSV file that includes attacks carried out using the low orbit ion cannon (LOIC) tool. This tool enables attackers to flood target servers or networks with high volumes of traffic, rendering them inaccessible to legitimate users. The file “−−−._.” contains a significantly higher number of instances of flooding DDoS attacks compared to BENIGN instances. In real-world scenarios, this distribution may not accurately represent the prevalence of DDoS attacks. Therefore, we removed infinite values from this CSV file, and created our experimental CIC-DDoS2017 dataset, denoted as _2017_ [19], with the distribution depicted in Figure 1.

Figure 1. Class instance distribution

2.2. Features employed in our experiments

This section presents the features utilized in our experiments and details the feature selection process. We employed the SelectKBest method from the scikit-learn library to identify the most relevant features from our dataset. This method iterates over a range of ‘ ’ values, where ‘ ’ represents the number of features to be selected. For each ‘ ’ value, the method computes the chi-squared (chi2) statistic between each feature and the target variable, selecting the top ‘ ’ features with the highest chi2 scores. To determine the optimal ‘ ’ value, we used a cross-validation strategy with a RF classifier. The feature subset that achieved the highest mean cross-validation score across different ‘ ’ values was selected as the final set of features. This systematic approach ensures that the chosen features significantly enhance the classifier’s predictive performance, thereby improving overall model accuracy.

Table 1 shows the selected subset of features from our experimental InSDN and CIC-DDoS2017 datasets. The features are listed according to their importance, using the SelectKBest method, which identifies the top features based on a specified scoring function. This allows us to focus on the most relevant features. Notably, in our analysis of the CIC-DDoS2017 dataset, we excluded the ‘destination port’ feature to avoid overfitting and to prioritize features directly relevant to identifying DDoS attacks.

Table 1. Extracted subset features from our experimental datasets

InSDN dataset

| No | Feature | No. | Feature |
|----|---------|-----|---------|
| 1 | Protocol | 7 | SYN flag Cnt |
| 2 | Flow duration | 8 | PSH flag Cnt |
| 3 | Flow Pkts/s | 9 | ACK flag Cnt |
| 4 | Bwd PSH flags | 10 | Down/up ratio |
| 5 | Bwd Pkts/s | 11 | Init Bwd win byts |
| 6 | FIN flag Cnt | | |

CIC-DDoS2017 dataset

| No | Feature | No. | Feature |
|----|---------|-----|---------|
| 1 | Fwd packet length max | 15 | Max packet length |
| 2 | Fwd packet length min | 16 | Packet length mean |
| 3 | Fwd packet length mean | 17 | Packet length std |
| 4 | Fwd packet length Std | 18 | Packet length variance |
| 5 | Bwd packet length max | 19 | SYN flag count |
| 6 | Bwd packet length min | 20 | PSH flag count |
| 7 | Bwd packet length mean | 21 | URG flag count |
| 8 | Bwd packet length std | 22 | Down/up ratio |
| 9 | Bwd IAT total | 23 | Average packet size |
| 10 | Bwd IAT mean | 24 | Avg Fwd segment size |
| 11 | Bwd IAT Std | 25 | Avg Bwd segment size |
| 12 | Bwd IAT max | 26 | Subflow Fwd bytes |
| 13 | Fwd PSH flags | 27 | Init_Win_bytes_backward |
| 14 | Min packet length | | |

2.3. Proposed approach

As shown in Figure 2, this paper introduces a DDoS detection technique that combines multiple k-means models with a naïve Bayes model. The proposed methodology involves the following general phases:

a. Training multiple k-means models and a naïve Bayes model: We iteratively train k-means models using the training dataset, varying the desired number of clusters (k) within a predefined range. Each iteration corresponds to a different k value, allowing exploration of various clustering configurations. For each value, a separate k-means model is trained for each feature in the dataset, enabling feature-specific clustering. Unlike clustering the entire dataset collectively, this approach operates independently on each column. For each feature, the k-means algorithm organizes the data into a maximum of k cohesive clusters, discerning patterns and groups within each column separately. After training the k-means models, each model is employed to assign a cluster to every data point within its respective column. The assigned clusters for the training set are utilized as input to train a Gaussian naïve Bayes model for binary classification.

Figure 2. Flow diagram of the proposed method

b. Select the best model: During the iteration process, the validation set is utilized to evaluate the performance of each model. Each model consists of multiple trained k-means models and a trained naïve Bayes model. This evaluation involves computing the validation accuracy based on the clustering results obtained from the trained k-means models and the subsequent classification using the trained naïve Bayes model. The model with the highest validation accuracy is selected as the best-performing model.

c. Model evaluation: The performance of the best selected model is assessed using the testing set. Initially, the trained k-means models cluster the testing set. Subsequently, the assigned clusters are used as input for the trained naïve Bayes model to perform binary classification.

Algorithm 1 outlines the key steps of our proposed approach, focusing on how k-means clustering and the naïve Bayes model are integrated into the methodology. By demonstrating the collaboration between k-means and the naïve Bayes classifier, we emphasize their crucial roles in improving the accuracy and effectiveness of our method. This clear representation enables readers to understand the significant contributions of both k-means and naïve Bayes to the overall success of our approach.

Algorithm 1. Proposed DDoS detection approach

Input: Training dataset, validation dataset and testing dataset
Output: Best-performing DDoS detection model
Initialize best_KMeans_models;
Initialize best_NB_model;
Initialize best_accuracy=0;
Define X as the matrix of feature values and y as the vector of target values;
Step 1: Train k-means models KMeans_models_k and naïve Bayes model NB_model_k
for each k in a predefined range do
    for each column in X_train do
        Train k-means model KMeans_model_{k,column} on X_train[column];
        Append KMeans_model_{k,column} to KMeans_models_k;
    end
    Assign clusters to X_train using KMeans_models_k;
    Train naïve Bayes model NB_model_k using cluster assignments;
    Step 2: Evaluate on validation set;
    Evaluate NB_model_k on X_val;
    Compute validation accuracy accuracy_k;
    if accuracy_k > best_accuracy then
        Update best_accuracy to accuracy_k;
        Update best_KMeans_models to KMeans_models_k;
        Update best_NB_model to NB_model_k;
    end
end
Step 3: Evaluate the best model on testing set;
Apply best_KMeans_models to X_test for clustering;
Apply best_NB_model for classification on clustered data;

2.4. Evaluation process and metrics

The evaluation of our approach involves fine-tuning the number of clusters to identify the optimal model. We start by comparing our model’s performance to that of a naïve Bayes model using the InSDN dataset, and subsequently, we assess its performance on the CIC-DDoS2017 dataset. We employed recognized performance metrics such as accuracy, precision, recall, and F1-score to assess the effectiveness of our model. These metrics are computed as (1)-(4):

= + + + + (1)

= + (2)

= + (3)

$$\text{F1-score} = \frac{2 \times \text{Precision} \times \text{Recall}}{\text{Precision} + \text{Recall}} \quad (4)$$

True positives (TP) and true negatives (TN) represent instances that the model has correctly classified. In contrast, false positives (FP) and false negatives (FN) refer to instances that the model has incorrectly classified. These metrics are crucial for evaluating the effectiveness of classification models, providing insights into their accuracy and reliability.
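
The three phases of Algorithm 1 and the metrics of section 2.4 as runnable code. This is an added illustration, not the authors' implementation: it uses only the Python standard library, and the flow records, the variance floor `eps`, the order-statistic initialisation and the candidate k values are assumptions made for the example. Centroids are kept in ascending order, so each cluster index acts as an ordinal bin for the Gaussian naïve Bayes step.

```python
"""Per-feature k-means + Gaussian naive Bayes (added illustration, stdlib only)."""
import math
import random

def make_flows(n, rng):
    """Constructed flow records, not rows from InSDN; label 1 = DDoS."""
    X, y = [], []
    for _ in range(n):
        if rng.random() < 0.4:  # flood-like: fast, short, SYN set, never ACKed
            X.append([rng.uniform(2000, 9000), rng.uniform(0, 0.05), 1, 0])
            y.append(1)
        else:  # benign: mostly slow and long-lived, 15% bulk transfers
            pkts = rng.uniform(3000, 8000) if rng.random() < 0.15 else rng.uniform(1, 400)
            X.append([pkts, rng.uniform(0.2, 30),
                      int(rng.random() < 0.5), int(rng.random() < 0.6)])
            y.append(0)
    return X, y  # columns: Flow Pkts/s, Flow duration, SYN flag Cnt, ACK flag Cnt

def nearest(cents, v):
    """Index of the centroid closest to v."""
    return min(range(len(cents)), key=lambda j: abs(cents[j] - v))

def fit_kmeans_1d(values, k, iters=20):
    """Lloyd's algorithm on one column; returns at most k centroids, ascending."""
    distinct = sorted(set(values))
    k = min(k, len(distinct))
    # Assumption of this sketch: deterministic start at evenly spaced order statistics.
    cents = [distinct[i * (len(distinct) - 1) // max(k - 1, 1)] for i in range(k)]
    for _ in range(iters):
        sums, counts = [0.0] * k, [0] * k
        for v in values:
            j = nearest(cents, v)
            sums[j] += v
            counts[j] += 1
        new = [sums[j] / counts[j] if counts[j] else cents[j] for j in range(k)]
        if new == cents:
            break
        cents = new
    return cents

def to_clusters(kms, X):
    """Replace each value by the index of its nearest centroid in that column."""
    return [[nearest(c, v) for c, v in zip(kms, row)] for row in X]

def fit_gnb(X, y, eps=1e-3):
    """Gaussian naive Bayes; eps is a variance floor chosen for this sketch."""
    model = {}
    for c in sorted(set(y)):
        rows = [r for r, lab in zip(X, y) if lab == c]
        stats = []
        for col in zip(*rows):
            mu = sum(col) / len(col)
            stats.append((mu, sum((v - mu) ** 2 for v in col) / len(col) + eps))
        model[c] = (math.log(len(rows) / len(X)), stats)
    return model

def predict(model, row):
    """Class with the highest log prior plus summed Gaussian log-likelihoods."""
    def log_post(c):
        prior, stats = model[c]
        return prior + sum(-0.5 * math.log(2 * math.pi * var) - (v - mu) ** 2 / (2 * var)
                           for v, (mu, var) in zip(row, stats))
    return max(model, key=log_post)

def evaluate(kms, nb, X, y):
    """Accuracy, precision, recall, F1 with DDoS (label 1) as the positive class."""
    pred = [predict(nb, r) for r in to_clusters(kms, X)]
    tp = sum(p == 1 and t == 1 for p, t in zip(pred, y))
    fp = sum(p == 1 and t == 0 for p, t in zip(pred, y))
    fn = sum(p == 0 and t == 1 for p, t in zip(pred, y))
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    return {"accuracy": sum(p == t for p, t in zip(pred, y)) / len(y),
            "precision": prec, "recall": rec,
            "f1": 2 * prec * rec / (prec + rec) if prec + rec else 0.0}

def select_best(train, val, k_values):
    """Steps 1-2: one k-means per column for each k, keep the best on validation."""
    best, history = None, {}
    for k in k_values:
        kms = [fit_kmeans_1d(list(col), k) for col in zip(*train[0])]
        nb = fit_gnb(to_clusters(kms, train[0]), train[1])
        history[k] = evaluate(kms, nb, *val)["accuracy"]
        if best is None or history[k] > best[0]:
            best = (history[k], k, kms, nb)
    return best, history

def run_demo(seed=7):
    rng = random.Random(seed)
    train, val, test = make_flows(600, rng), make_flows(200, rng), make_flows(200, rng)
    (_, k, kms, nb), history = select_best(train, val, [2, 4, 6, 8])
    return k, history, evaluate(kms, nb, *test)  # step 3: held-out test set

if __name__ == "__main__":
    best_k, per_k, report = run_demo()
    print("validation accuracy per k:", per_k)
    print("selected k:", best_k, "test metrics:", report)
```

Because a column can never yield more clusters than it has distinct values, the two flag columns collapse to two centroids for every k, which is the "maximum of k" behaviour described in phase a.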

3. RESULTS AND DISCUSSION

In this section, we present the results obtained from the experiments conducted using our proposed approach. First, we compare the accuracy achieved by the NB model and our model with different values. Next, we assess the performance of our model that attained the highest accuracy by examining the classification report in detail. The results of our experiments are illustrated in Figures 3 to 6.

3.1. Result on InSDN dataset

As depicted in Figure 3, both models demonstrate excellent accuracy. Our model aligns closely with naïve Bayes, achieving an impressive 99.9742% accuracy across various values of . Notably, with 32 clusters, our model reaches a slightly higher accuracy of 99.9839%, representing a modest improvement of 0.0097% over naïve Bayes. This improvement, though small, highlights that our model performs marginally better while maintaining high accuracy. Additionally, Figure 4 shows that with = 32, our model achieves robust precision, recall, and F1 score values of approximately 99.9455%, 99.9863%, and 99.9659%, respectively, underscoring its effectiveness in accurately identifying positive instances and minimizing misclassifications.

Figure 3. Accuracy across desired number of clusters within our experimental InSDN dataset

Figure 4. Confusion matrix within our experimental InSDN dataset

3.2. Result on CIC-DDoS2017 dataset

As shown in Figure 5, the proposed model initially has lower accuracy compared to the naïve Bayes model. However, as the number of clusters increases, the accuracy of our model gradually improves. By around = 24, our model surpasses the naïve Bayes model and continues to demonstrate superior performance. At = 86, our model achieves an accuracy of 99.7030%, which significantly exceeds the naïve Bayes model’s accuracy of 96.3774%, representing an increase of 3.3256%. This highlights the enhanced predictive capability of our model. Additionally, Figure 6 shows that with = 86, our model achieves a precision of 99.2487%, indicating that 99.2487% of predicted positives are correctly classified, and a recall of 99.5693%, reflecting its ability to identify 99.5693% of actual positives. Consequently, the F1-score, which balances precision and recall, reaches 99.4088%.

Figure 5. Accuracy across desired number of clusters within our experimental CIC-DDoS2017 dataset

Figure 6. Confusion matrix within our experimental CIC-DDoS2017 dataset

3.3. Computational overhead

For each k value, we construct a model that combines multiple k-means models and a naïve Bayes classifier to identify the one with the highest accuracy. This approach significantly impacts CPU usage and memory requirements, leading to longer training time, which includes the combined durations required to train the multiple k-means models and the naïve Bayes classifier. Training multiple k-means models involves iterative clustering operations for each feature in the dataset, which demands substantial CPU power and memory. Each model updates cluster centroids and assigns data points to clusters, leading to increased CPU utilization with more k values and features. Additionally, memory demands rise as each k-means model needs to store data points, cluster centroids, and intermediate results.

As shown in Figures 7 and 8, training time increases with the number of desired clusters for both datasets. For the InSDN dataset, this duration ranges from 3.28 seconds for 5 clusters to 29.59 seconds for 40 clusters. The CIC-DDoS2017 dataset shows an increase in training time from 5.20 seconds for 3 clusters to 124.06 seconds for 93 clusters. To mitigate this computational overhead, using mini-batch k-means can help reduce training time, especially with large datasets. Additionally, parallel processing and utilizing graphics processing units (GPUs) can significantly enhance performance and efficiency.

Figure 7. Training time across desired number of clusters within our experimental InSDN dataset

Figure 8. Training time across desired number of clusters within our experimental CIC-DDoS2017 dataset

3.4. Comparison

Table 2 compares our proposed approach with existing research, highlighting the superior performance of our hybrid model. For instance, Wang et al. [20] achieve 99.64% accuracy with bagging tree (BT), while our model reaches 99.98% on the InSDN dataset. Similarly, Wang and Liu [21] report 98.98% accuracy with CNN, whereas our method attains 99.70% on the CIC-DDoS2017 dataset. Studies such as [22] and [23] report maximum accuracies of 98.7% and 98.3% with CART and K-NN, respectively, which our model exceeds. Additionally, Khamaiseh et al. [24] report 96% precision and 98% recall for known attacks with K-NN, while our method achieves higher precision and recall of 99.95% and 99.99% on the InSDN dataset. Furthermore, Sahoo et al. [25] achieve an accuracy of 98.907% using a combination of kernel principal component analysis (KPCA), SVM, and genetic algorithm (GA) on the NSL-KDD and self-generated datasets. In comparison, our model significantly surpasses this with an accuracy of 99.98% on the InSDN dataset and 99.70% on the CIC-DDoS2017 dataset. Additionally, Meti et al. [26] report 80% accuracy, precision, and recall using SVM on real-time TCP traffic data. Our model demonstrates superior performance with 99.98% accuracy, 99.95% precision, and 99.99% recall on the InSDN dataset. Finally, Tuan et al. [27] show that K-NN achieves an accuracy rate exceeding 99%, while our model achieves a higher accuracy.

Despite the promising results of our approach, addressing the computational overhead introduced by multiple k-means models is essential, as this can pose challenges in large-scale scenarios. However, implementing efficient parallelization strategies and leveraging distributed computing frameworks can mitigate these challenges, making our model suitable for large-scale deployment.

Table 2. Comparison of various DDoS detection models

| Ref. | Dataset | ML techniques | Performance |
|------|---------|---------------|-------------|
| [20] | DARPA, InSDN, and self-generated dataset using simulation | Support vector machines (SVM), generalized linear model (GLM), naïve Bayes (NB), discriminant analysis (DA), feedforward neural network (FNN), decision tree (DT), k-nearest neighbors (K-NN), and bagging tree (BT) | BT achieves the highest accuracy of 99.64% |
| [21] | CICIDS2017 and self-generated dataset | CNN, SVM, deep neural network (DNN), and DT | CNN: 98.98% (4.25% to 8.20% better) |
| [22] | Self-generated dataset | Quadratic discriminant analysis (QDA), Gaussian naïve Bayes (GNB), K-NN, and classification and regression trees (CART) | CART achieved the highest accuracy of 98.7%, with all methods exceeding 95% |
| [23] | Self-generated dataset using hping3 | SVM, K-NN, neural network, and NB | K-NN achieved the highest accuracy rate of 98.3% |
| [24] | Self-generated dataset by simulating different types of DDoS attacks in an SDN testbed | K-NN and ANN | K-NN: 96% precision, 98% recall; ANN: 90% precision, 86% recall |
| [25] | NSL-KDD and self-generated dataset using network simulator NS2 | Combination of KPCA, SVM and GA | The accuracy of the KPCA+SVM+GA model is 98.907% |
| [26] | Dataset collected in real-time from TCP traffic | NB, SVM, and NN | SVM shows 80% accuracy, precision, and recall. SVM is considered the better choice |
| [27] | CAIDA 2007 and self-generated dataset | K-NN, DT and NN | The accuracy is above 98% for all 3 ML techniques. The K-NN achieved an accuracy rate of over 99% with K set to 9 |
| The proposed model | InSDN and CIC-DDoS2017 | Hybrid k-means and naïve Bayes model | In the InSDN dataset: 99.98% accuracy, 99.95% precision, 99.99% recall, and 99.97% F1 score. In the CIC-DDoS2017 dataset: 99.70% accuracy, 99.25% precision, 99.57% recall, and 99.41% F1 score |
4. CONCLUSION AND FUTURE WORK
This paper explores the landscape of flooding DDoS attacks in SDN environments and the role of machine learning in detecting these threats. Flooding DDoS attacks, characterized by high-volume traffic floods, pose significant risks and require robust security measures for effective detection and mitigation. Machine learning techniques, including both supervised and unsupervised methods and ensemble approaches, have proven promising in addressing these challenges by offering adaptive and proactive defenses. Our proposed model integrates k-means clustering with gaussian naïve Bayes classification to enhance the accuracy of flooding DDoS attack detection. Through experimentation with real-world datasets such as InSDN and
CIC-DDoS2017, we have shown that our model achieves exceptional accuracy by optimizing the desired number of clusters. However, this approach introduces substantial computational overhead due to the need to run multiple k-means models. To address this, future research will focus on optimizing the computational efficiency of our approach by exploring advanced parallelization techniques, distributed computing frameworks, and hardware acceleration. This will aim to mitigate the computational challenges and enhance scalability, making our model more practical for deployment in large-scale network environments.
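The pipeline summarized in the conclusion (one k-means model per feature column, cluster ids replacing the raw values, gaussian naïve Bayes on top) is sketched below in pure Python as an added example; it is not the authors' code. The two features, the flow values, k = 2 and the quantile initialisation are constructed assumptions, and the per-column loop in `train` is where the overhead of running multiple k-means models comes from.

```python
import math

def assign(v, cents):
    """Index of the nearest centroid for a single feature value."""
    return min(range(len(cents)), key=lambda j: abs(v - cents[j]))

def kmeans_1d(values, k, iters=50):
    """Lloyd's algorithm on one column; quantile init keeps it deterministic."""
    s = sorted(values)
    cents = [s[(2 * i + 1) * len(s) // (2 * k)] for i in range(k)]
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for v in values:
            groups[assign(v, cents)].append(v)
        new = [sum(g) / len(g) if g else c for g, c in zip(groups, cents)]
        if new == cents:
            break
        cents = new
    return sorted(cents)

def fit_gnb(X, y, eps=1e-3):
    """Gaussian naive Bayes: log-prior and per-feature (mean, variance) per class."""
    model = {}
    for c in sorted(set(y)):
        rows = [x for x, t in zip(X, y) if t == c]
        stats = []
        for col in zip(*rows):
            mu = sum(col) / len(col)
            stats.append((mu, sum((v - mu) ** 2 for v in col) / len(col) + eps))
        model[c] = (math.log(len(rows) / len(X)), stats)
    return model

def train(rows, labels, k=2):
    models = [kmeans_1d(col, k) for col in zip(*rows)]  # one k-means per feature
    clustered = [[assign(v, m) for v, m in zip(r, models)] for r in rows]
    return models, fit_gnb(clustered, labels)

def classify(models, nb, row):
    x = [assign(v, m) for v, m in zip(row, models)]  # same shape, cluster ids only
    def score(c):
        prior, stats = nb[c]
        return prior + sum(-0.5 * math.log(2 * math.pi * var) - (v - mu) ** 2 / (2 * var)
                           for v, (mu, var) in zip(x, stats))
    return max(nb, key=score)

# Constructed flows: (packets per second, mean packet size in bytes); 1 = flood.
TRAIN = [(120, 800), (90, 950), (150, 700), (60, 1100), (200, 640), (8000, 1400),
         (9000, 64), (12000, 60), (7500, 72), (15000, 58), (10000, 66)]
LABELS = [0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1]
MODELS, NB = train(TRAIN, LABELS)
```

The constructed benign row with a high packet rate and large packets shows why the classifier needs both clustered columns: a flow such as `(8000, 900)` lands in the high-rate cluster but is still classified as benign.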
REFERENCES
[1] I. Sumantra and S. Indira Gandhi, “DDoS attack detection and mitigation in software defined networks,” in 2020 International Conference on System, Computation, Automation and Networking (ICSCAN), Jul. 2020, pp. 1–5, doi: 10.1109/ICSCAN49426.2020.9262408.
[2] B. Pfaff et al., “Openflow switch specification, version 1.3.1 (wire protocol 0x04),” Open Networking Foundation, vol. 3, 2012.
[3] J. Cui, J. Zhang, J. He, H. Zhong, and Y. Lu, “DDoS detection and defense mechanism for SDN controllers with k-means,” in 2020 IEEE/ACM 13th International Conference on Utility and Cloud Computing (UCC), Dec. 2020, pp. 394–401, doi: 10.1109/UCC48980.2020.00062.
[4] V. Deepa, K. M. Sudar, and P. Deepalakshmi, “Design of ensemble learning methods for DDoS detection in SDN environment,” in 2019 International Conference on Vision Towards Emerging Trends in Communication and Networking (ViTECoN), Mar. 2019, pp. 1–6, doi: 10.1109/ViTECoN.2019.8899682.
[5] M. S. Elsayed, N.-A. Le-Khac, and A. D. Jurcut, “InSDN: a novel SDN intrusion dataset,” IEEE Access, vol. 8, pp. 165263–165284, 2020, doi: 10.1109/ACCESS.2020.3022633.
[6] I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “Intrusion detection evaluation dataset (CIC-IDS2017),” in Proceedings of the Canadian Institute for Cybersecurity, 2018.
[7] I. Sharafaldin, A. Habibi Lashkari, and A. A. Ghorbani, “Toward generating a new intrusion detection dataset and intrusion traffic characterization,” in Proceedings of the 4th International Conference on Information Systems Security and Privacy, 2018, pp. 108–116, doi: 10.5220/0006639801080116.
[8] R. Abdelhadi, M. H. Alsafasfeh, and B. I. Alqudah, “Encountering distributed denial of service attack utilizing federated software defined network,” International Journal of Electrical and Computer Engineering, vol. 14, no. 1, Feb. 2024, doi: 10.11591/ijece.v14i1.pp574-588.
[9] D. Arivudainambi, V. K. K. A, and S. Sibi Chakkaravarthy, “Lion IDS: a meta-heuristics approach to detect DDoS attacks against software-defined networks,” Neural Computing and Applications, vol. 31, no. 5, pp. 1491–1501, May 2019, doi: 10.1007/s00521-018-3383-7.
[10] M. H. Zaib, “NSL-KDD dataset,” Kaggle, 2018. https://www.kaggle.com/datasets/hassan06/nslkdd (accessed Nov. 10, 2023).
[11] K. Muthamil Sudar and P. Deepalakshmi, “A two level security mechanism to detect a DDoS flooding attack in software-defined networks using entropy-based and C4.5 technique,” Journal of High Speed Networks, vol. 26, no. 1, pp. 55–76, Mar. 2020, doi: 10.3233/JHS-200630.
[12] J. Ye, X. Cheng, J. Zhu, L. Feng, and L. Song, “A DDoS attack detection method based on SVM in software defined network,” Security and Communication Networks, vol. 2018, pp. 1–8, 2018, doi: 10.1155/2018/9804061.
[13] F. Musumeci, A. C. Fidanci, F. Paolucci, F. Cugini, and M. Tornatore, “Machine-learning-enabled DDoS attacks detection in P4 programmable networks,” Journal of Network and Systems Management, vol. 30, no. 1, Jan. 2022, doi: 10.1007/s10922-021-09633-5.
[14] R. Swami, M. Dave, and V. Ranga, “Detection and analysis of TCP-SYN DDoS attack in software-defined networking,” Wireless Personal Communications, vol. 118, no. 4, pp. 2295–2317, Jun. 2021, doi: 10.1007/s11277-021-08127-6.
[15] O. Rahman, M. A. G. Quraishi, and C.-H. Lung, “DDoS attacks detection and mitigation in SDN using machine learning,” in 2019 IEEE World Congress on Services (SERVICES), Jul. 2019, pp. 184–189, doi: 10.1109/SERVICES.2019.00051.
[16] Ö. Kasim, “A robust DNS flood attack detection with a hybrid deeper learning model,” Computers and Electrical Engineering, vol. 100, May 2022, doi: 10.1016/j.compeleceng.2022.107883.
[17] N. M. and Y. B. N., “Preemptive modelling towards classifying vulnerability of DDoS attack in SDN environment,” International Journal of Electrical and Computer Engineering, vol. 10, no. 2, Apr. 2020, doi: 10.11591/ijece.v10i2.pp1599-1611.
[18] H. Yzzogh, “InSDN_DDoS_Exp.rar,” GitHub, 2024. https://github.com/Yzzogh/DDoS/tree/main (accessed Nov. 10, 2023).
[19] H. Yzzogh, “CIC_DDoS2017_Exp.rar,” GitHub, 2024. https://github.com/Yzzogh/DDoS/tree/main (accessed Nov. 10, 2023).
[20] S. Wang et al., “Detecting flooding DDoS attacks in software defined networks using supervised learning techniques,” Engineering Science and Technology, an International Journal, vol. 35, Nov. 2022, doi: 10.1016/j.jestch.2022.101176.
[21] L. Wang and Y. Liu, “A DDoS attack detection method based on information entropy and deep learning in SDN,” in 2020 IEEE 4th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC), Jun. 2020, pp. 1084–1088, doi: 10.1109/ITNEC48623.2020.9085007.
[22] A. O. Sangodoyin, M. O. Akinsolu, P. Pillai, and V. Grout, “Detection and classification of DDoS flooding attacks on software-defined networks: a case study for the application of machine learning,” IEEE Access, vol. 9, pp. 122495–122508, 2021, doi: 10.1109/ACCESS.2021.3109490.
[23] H. Polat, O. Polat, and A. Cetin, “Detecting DDoS attacks in software-defined networks through feature selection methods and machine learning models,” Sustainability, vol. 12, no. 3, Feb. 2020, doi: 10.3390/su12031035.
[24] S. Y. Khamaiseh, A. Al-Alaj, and A. Warner, “Flooddetector: detecting unknown DoS flooding attacks in SDN,” in 2020 International Conference on Internet of Things and Intelligent Applications (ITIA), Nov. 2020, pp. 1–5, doi: 10.1109/ITIA50152.2020.9312310.
[25] K. S. Sahoo et al., “An evolutionary SVM model for DDOS attack detection in software defined networks,” IEEE Access, vol. 8, pp. 132502–132513, 2020, doi: 10.1109/ACCESS.2020.3009733.
[26] N. Meti, D. G. Narayan, and V. P. Baligar, “Detection of distributed denial of service attacks using machine learning algorithms in software defined networks,” in 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI), Sep. 2017, pp. 1366–1371, doi: 10.1109/ICACCI.2017.8126031.
[27] N. N. Tuan, P. H. Hung, N. D. Nghia, N. Van Tho, T. Van Phan, and N. H. Thanh, “A DDoS attack mitigation scheme in ISP networks using machine learning based on SDN,” Electronics, vol. 9, no. 3, Feb. 2020, doi: 10.3390/electronics9030413.
BIOGRAPHIES OF AUTHORS

Hicham Yzzogh received the engineering degree in telecommunications from INPT, Morocco, in 2005. With over 18 years of experience at Nokia, he has worked across diverse core network environments and possesses strong skills in coding and machine learning algorithms. He is certified as an Azure solutions architect expert and is currently pursuing a Ph.D. at Mohammed V University in Rabat, Morocco. His research interests include network security, SDN, natural language processing, and image processing. He can be contacted at hichamyzzogh@um5.ac.ma.

Hafssa Benaboud received her Ph.D. degree in computer sciences from Burgundy University Dijon-France in 2004. In 2005, she joined as an assistant professor at Applied Sciences National School (ENSA) of Tangier, Morocco, and has been working as a full professor since 2011 in the department of computer sciences at Mohammed V University in Rabat, Morocco. She has authored more than 20 articles published in international journals and international conference proceedings. Her research interests include network protocols, network security, internet of things, traffic analysis and quality of services. She can be contacted at hafssa.benaboud@fsr.um5.ac.ma.