Ddos Detection ANN

This document discusses using artificial neural networks to detect known and unknown distributed denial of service (DDoS) attacks in real time. The authors aim to train a neural network model to detect DDoS attacks based on characteristic traffic patterns, identify genuine traffic, and prevent attacking packets from reaching victims while allowing genuine packets through. They also seek to evaluate this approach using different aged datasets to test its ability to detect new, unknown attack patterns.

Neurocomputing (2015)

Contents lists available at ScienceDirect

Neurocomputing
journal homepage: www.elsevier.com/locate/neucom

Detection of known and unknown DDoS attacks using Artificial Neural Networks

Alan Saied, Richard E. Overill, Tomasz Radzik
Department of Informatics, King's College London, Strand, WC2R 2LS, UK
E-mail addresses: alan.saied@kcl.ac.uk (A. Saied), richard.overill@kcl.ac.uk (R.E. Overill), tomasz.radzik@kcl.ac.uk (T. Radzik).

Article history: Received 13 September 2014; Received in revised form 2 April 2015; Accepted 11 April 2015.

Keywords: DDoS attacks; DDoS detectors; Genuine and DDoS patterns.

Abstract

The key objective of a Distributed Denial of Service (DDoS) attack is to compile multiple systems across the Internet with infected zombies/agents and form botnets of networks. Such zombies are designed to attack a particular target or network with different types of packets. The infected systems are remotely controlled either by an attacker or by self-installed Trojans (e.g. roj/Flood-IM) that are programmed to launch packet floods. Within this context, the purpose of this paper is to detect and mitigate known and unknown DDoS attacks in real time environments. We have chosen an Artificial Neural Network (ANN) algorithm to detect DDoS attacks based on specific characteristic features (patterns) that separate DDoS attack traffic from genuine traffic.

© 2015 Elsevier B.V. All rights reserved.
http://dx.doi.org/10.1016/j.neucom.2015.04.101
0925-2312/© 2015 Elsevier B.V. All rights reserved.

Please cite this article as: A. Saied, et al., Detection of known and unknown DDoS attacks using Artificial Neural Networks, Neurocomputing (2015), http://dx.doi.org/10.1016/j.neucom.2015.04.101

1. Introduction and background

The key objective of a Distributed Denial of Service (DDoS) attack is to compile multiple systems across the Internet with infected zombies/agents [1] and form networks of botnets. Such zombies are designed to attack a particular target or network with different types of packets. The infected systems are remotely controlled either by an attacker or by self-installed Trojans (e.g. roj/Flood-IM) [2] that are programmed to launch packet floods. The authors of [3] have explained different DDoS architectural structures used by DDoS engineers (i.e. hackers) to launch successful attacks. DDoS attacks are serious security issues that cost organisations and individuals a great deal of time, money and reputation, yet they do not usually result in the compromise of either credentials or data loss. They can damage one or a group of devices and their resources. A DDoS attack slows or halts communications between devices as well as the victim machine itself. It introduces loss of Internet services like email, online applications or programme performance.

Within this context, the purpose of this study is to detect and mitigate known and unknown DDoS attacks in real time environments. In our context, DDoS attacks that are not detected by existing available detection solutions are called unknown (zero-day) attacks. We have chosen an Artificial Neural Network (ANN) algorithm [4] to detect DDoS attacks based on specific characteristic features (patterns) that separate DDoS attack traffic from genuine traffic. We have intensively trained the algorithm with real life cases and DDoS attacking scenarios (patterns) that are produced using the existing popular DDoS tools. We observed that the more we trained the algorithm with up-to-date patterns (latest known DDoS attacks), the further we increased the chances of detecting known and unknown DDoS attacks, while ensuring that over-training and repetitive patterns are avoided. This is because the ANN algorithm learns from scenarios and detects zero-day patterns that are similar to what it was trained with. In its yearly reports (2010–2014), Prolexic, the world's largest DDoS mitigation service, has stated that TCP, UDP and ICMP are the most used protocols to launch DDoS attacks [5].

Our primary aim is to combine detection of known and unknown DDoS attacks with a defence mechanism that prevents forged packets from reaching the victim but allows genuine packets to pass through. Furthermore, we aim to observe the ANN's behaviour towards unknown DDoS detection when trained with old and up-to-date datasets¹. The objectives of our work can be summarised by the following points:

• Detect known and unknown DDoS attacks (high and low rates) in real time, as opposed to only detecting known attacks.
• Identify a high volume of genuine traffic as genuine without dropping it.
• Prevent DDoS attacking (forged) packets from reaching the target while allowing genuine packets to get through.

¹ Old datasets are datasets with old known DDoS attack patterns, while up-to-date datasets are datasets with the latest known DDoS attack patterns.
• Train, deploy and test the solution in a physical environment as opposed to simulators.
• Reduce the strength of the attack before it reaches the victim, as opposed to nearby detection systems.
• Evaluate our approach against related work using both old and up-to-date datasets, based on accuracy, sensitivity, specificity and precision.

This paper is organised as follows: Section 2 critically reviews approaches related to this work. Section 3 explains the theoretical framework and architectural design of our approach. Section 4 explains the testing process. Section 5 evaluates our solution in comparison with other related work. In Section 6 we identify the limitations and further research questions related to our approach, and in the final Section 7 we present our summary and conclusions.

2. Related work

Various methodologies and techniques for reducing the effects of DDoS attacks in different network environments have been proposed and evaluated. Jie-Hao and Ming [27] have used ANN to detect DDoS attacks, where they compared the detection outcome with decision tree, ANN, entropy and Bayesian methods. The authors identified users' requests or demands to a specific resource and their communicative data. Then samples of such requests are sent to the detection systems to be judged for abnormalities. Also, Liu and Gu have used Learning Vector Quantisation (LVQ) neural networks to detect attacks [6]. This is a supervised version of quantisation, which can be used for pattern recognition, multi-class classification and data compression tasks. The datasets used in the experiments were converted into numerical form and given as inputs to the neural network. Akilandeswari and Shalinie [7] have introduced a Probabilistic Neural Network Based Attack Traffic Classification to detect different DDoS attacks. However, the authors focus on separating Flash Crowd Events from Denial of Service Attacks. As part of their research, they have used the Bayes decision rule for Bayes inferences coupled with a Radial Basis Function Neural Network (RBFNN) for classifying DDoS attack traffic and normal traffic. Siaterlis and Maglaris [8] have experimented with single sets of network characteristics to detect attacks. They use a Multi-Layer Perceptron (MLP) as a data fusion algorithm where the inputs are metrics coming from different passive measurements that are available in a network, and then coupled this with traffic that was generated by the researchers themselves. Gupta, Joshi and Misra [9] have used a neural network to detect the number of zombies that have been involved in DDoS attacks. The objective of their work is to identify the relationship between the zombies and the sample entropy. The process workload is based on prediction using a feed-forward neural network.

Another line of research is to use infrastructure for detecting and mitigating DDoS attacks. Badishi, Keidar and Yachin [10] have used authentication and cryptographic approaches to protect network services from DDoS attacks. A similar approach has been introduced by Shi, Stoica and Anderson [11], but a puzzle mechanism is used instead to detect DDoS attacks before they reach the target. Hwang and Ku [12] have developed a distributed mechanism to combat DDoS. Their architecture, called Distributed Change-point Detection (DCD), is designed to reduce DDoS attacks. They adopt the non-parametric CUSUM (Cumulative Sum) algorithm to describe any changes in the network traffic.

Some previous research has focused on the source of the attack for the purpose of detection. The authors of [13–15] have used packet-marking mechanisms and entropy to identify the source of the packet, considering that each packet is marked on each router that it passes through.

Some of these approaches use ANN or infrastructure to detect known DDoS attacks while others focus on the source of the attack (traceability). However, these researchers have not covered unknown (zero-day) high and/or low rate DDoS attack detection in their approaches. Detecting unknown DDoS attacks is one of the vital objectives that distinguish our work from theirs.

3. Theoretical framework and architectural design

The strength of the attack can be minimised if multiple effective DDoS detectors are deployed across the network. These detectors analyse the network for abnormalities and prevent them from reaching the victim when detected. It is important to allow genuine traffic flows to pass through the detectors and reach their destinations. Thus, it is vital for the detection process to be accurate and tested against all possible existing use-cases and patterns. Due to the ease of implementation, practicality and online documentation of the TCP, UDP and ICMP protocols [16], most DDoS designers manipulate such protocols to launch their attacks, as explained in the Prolexic yearly reports [5]. Our detection mechanism is based on a supervised ANN (Feed-forward, Error Back-Propagation with a Sigmoid activation function [4]) whose accuracy primarily relies on how well the algorithm is trained with relevant datasets.

The patterns used for training purposes are instances of packet headers, which include source addresses, ID and sequence numbers coupled with source and destination port numbers. Based on our experiments and analysis, most installed zombies use their built-in libraries as opposed to operating system libraries to generate packets. This is to assist the attacker in manipulating and forging the packets during the attack and to increase effectiveness. Therefore, one can study the characteristic features of genuine packets that are generated by genuine applications, compare them with forged packets that are generated by the DDoS attacking tools, and present them as input variables to train the ANN. Selecting the patterns to be our inputs began by building new network infrastructures in corporate and isolated environments with different types of DDoS attacks launched at different levels (high and low rates). The results were carefully studied, compared and cross-matched with genuine traffic to verify the characteristic patterns that separate genuine from attack traffic. This part of the process required an intensive understanding of how different protocols exchange and communicate with each other. The datasets are organised and structured to accommodate genuine and attack patterns in a qualified format that the Java Neural Network Simulator (JNNS) [17] accepts. A total of 80% of each dataset is used to train the algorithm and 20% to validate the learning process. In our work we did not use other online datasets to train our approach, as we wanted to learn about the behaviour of the DDoS and the genuine traffic. Furthermore, offline datasets cannot provide such real time DDoS behaviour. However, one can train our approach using other available online datasets and compare the outcome with our outcome to identify strengths and weaknesses. Before training the algorithm using JNNS, the input values are normalised to maximise the performance in sensitive applications like ours where accurate detection is vital. If the input values are not normalised and are applied directly, then large values may suppress the influence of smaller values [18]. Jayalakshmi, Santhakumaran, Zhang and Sun have also explained the positive effect of normalisation on ANN performance and the training process [19,20].

A typical ANN consists of input, hidden and output layers, where the patterns are fed to the learning algorithm via the input nodes. The input values represent the characteristic patterns (variables) that separate attacks from genuine traffic. We selected
Fig. 1. ANN TCP topological structure.

Fig. 2. ANN ICMP topological structure.

Fig. 3. ANN UDP topological structure.

three topological ANN structures, each with three layers (input, hidden and output layers). The number of nodes in each topological structure is different – for example, the ANN ICMP topological structure consists of three input and four hidden nodes, the ANN TCP topological structure consists of five input and four hidden nodes, and the ANN UDP topological structure consists of four input and three hidden nodes. Hidden nodes deal with the computation process with respect to the input and output nodes. The output layer consists of one node to represent 1 (attack) or 0 (genuine traffic). Figs. 1, 2 and 3 respectively represent the TCP, ICMP and UDP ANN topological structures. Choosing a relevant learning algorithm, the number of hidden nodes and the activation function was based on initial experiments where the Sigmoid activation function and Back-Propagation learning provided the most accurate results. The comparison was made between QuickProp, Back-Propagation, Backprop Weight Decay and Backprop through Time, while Sigmoid, Elliott, SoftMax and BAM were used as activation functions [4,18,19]. Our experiments showed that Back-Propagation learning coupled with a Sigmoid activation function and the chosen topological structures in Figs. 1–3 can produce a 98% detection accuracy. This is by far the highest detection accuracy in comparison with other related learning algorithms and activation functions. The detection accuracy is calculated as

Accuracy = (True Positives + True Negatives) / (True Positives + True Negatives + False Positives + False Negatives) × 100

In Fig. 1, the input layer of the TCP topological structure consists of five nodes that accommodate the TCP sequence, TCP flags, TCP source and destination port numbers and source IP addresses. Fig. 2 represents an ICMP topological design where the input nodes are source IP addresses, ICMP sequence number and ICMP-ID. Fig. 3 shows the UDP topological structure where the input values are source IP addresses, packet length, and UDP source and destination port. The numbers between the nodes represent the weights that are used by Back-Propagation to adjust and learn by example (patterns). The more new examples are provided, the better it would be at identifying unknown attacks, considering that repetitive patterns are avoided as they produce biased or inaccurate results. The algorithm does this by changing the network weights between the layers until the closest desired output is obtained (0 or 1). The nodes between the layers are connected via Feed-Forward links.

When forged packets are detected by our solution, its defence mechanism is activated to drop the forged packets while allowing genuine packets to pass through. Blocked packets are unblocked as soon as the system flags the traffic as normal. However, genuine traffic flowing to the target machine will not be disturbed as it is flagged as genuine by our proposed solution. Furthermore, the detectors communicate with each other via encrypted messages to provide assistance when required. Such exchange of information between the detectors helps security officers identify abnormal behaviour and further deploy countermeasures if required.

Our solution is designed to continuously monitor the network for abnormal behaviour by retrieving packets from the network and analysing their header information using the trained ANN. However, retrieving a large number of packets in a busy network requires high processing rates and is expensive. Therefore, we have introduced individual packet thresholds for each protocol. If the number of packets in a given network is greater than a specific threshold per protocol, the retrieved packets are subjected to investigation. Choosing the right threshold per protocol was based on real time experiments calculating the number of packets per unit time (using IPTraf [21]) in different network environments, where the threshold values are configurable. Once the packets are separated and prepared for examination, our proposed solution pipes the patterns (variables) into the ANN code to decide upon the legitimacy of the retrieved traffic (packets). Our design is illustrated in Fig. 4, where each network is installed with one DDoS detector that communicates with the others via encrypted messages. Fig. 4 can be summarised as follows:

1. DDoS detectors are installed on different networks.
2. Each detector registers the IP address of all neighbouring DDoS detectors to inform them and send encrypted messages when DDoS attacks are detected.
3. Detectors continuously monitor their networks for abnormalities.
4. Abnormalities are flagged when the number of passing packets is greater than a predefined threshold for each protocol.
5. If the number of packets is greater than the threshold, then:
   a. The organiser sorts the packets accordingly.
   b. The IP identifier identifies the victim's IP addresses.
   c. The ANN calculator calculates retrieved patterns and prepares them for the ANN engine.
   d. The trained ANN engine takes the patterns as inputs and produces one output (1 = attack or 0 = normal).
   e. Before activating the defence system, the steps under point 5 above are repeated twice more, producing a total of 3 outputs.
6. The defence system receives the outputs from the detection component and:
   a. If the outputs are (0,0,0), then no action is required by the defence system, as the traffic is clean.
   b. If the outputs are (1,1,1), (1,1,0), (1,0,1) or (0,1,1), it activates the defence and stops the attack while allowing genuine traffic to pass through.
   c. If the outputs are (1,0,0), (0,1,0) or (0,0,1), the solution repeats point 5. If the outputs for the newly retrieved traffic are:
      I. (1,1,1), (1,1,0), (1,0,1) or (0,1,1), activate the defence system.
      II. (1,0,0), (0,1,0) or (0,0,1), deploy mitigation as this is considered to be a low rate attack.
      III. (0,0,0), no actions are required.
   d. However, if the output is none of the above, then the system generates the value 2. This means the traffic is unidentified (not used in training) by the ANN. At this point, the solution checks its local record to learn if the same traffic has been received and detected by neighbouring DDoS detectors. If the verdict received from the neighbouring detectors is 1 or 0, then the algorithm is out-dated, since its detection was 2 while other detectors identified the traffic as 1 or 0. This means the algorithm on the local DDoS detector needs to be retrained (off-line) with both existing and new patterns. Otherwise no action is taken.
7. The knowledge sharing component sends encrypted messages containing the type of the attack, destination IP address and protocol involved to all registered neighbouring DDoS detectors. Such information is also composed by the email element and sent to the security officers to take countermeasures if required, or for the purpose of logistics or forensics.

The output of the detection process is 2 when the algorithm is trained only with old datasets and thus lacks new patterns. The ANN has the ability to detect unknown patterns if the attack is similar to what the algorithm was trained with. However, our experiments show that the algorithm fails to detect unknown patterns if trained with old datasets only. We identified that the ANN trained with up-to-date
Fig. 4. Detection, defence and cooperative mechanism.

patterns can detect all known and most unknown attacks, while the ANN trained with old patterns fails to do so. At this point the ANN of the DDoS detector that was previously trained with old datasets and fails to detect some known DDoS attacks must be retrained. The training process must be done offline as this is a supervised process, and new patterns must be introduced in addition to the existing ones. Therefore, sharing knowledge between the detectors can provide extra assistance to make further decisions when the ANN is not up-to-date.

Meanwhile, each detector sends a composed email to the security officer with a complete report of all detected DDoS attacks. One may compare this approach with having one common central server to collect all the attacks and send them all as one email. However, if the central point is down, then information cannot be sent to the security officer. Consequently no extra countermeasures are deployed when required. Each DDoS detector is designed to function as a standalone component or as a distributed detector that sends encrypted messages to many registered detectors located in different networks. The solution is not restricted to a limited number of detectors to send or receive encrypted messages. Therefore, if one DDoS detector is not functional, other detectors still receive and send messages, making the overall solution resilient and immune to individual DDoS detector or system failure.

The aims, design and implementation processes of our work can be summarised as follows:

1. The purpose of this study is to detect and mitigate known and unknown DDoS attacks before they reach the victim.
2. We selected DDoS attacks due to the deficiencies in existing approaches, in comparison with other security domains, in detecting known and unknown DDoS attacks, and the ability of DDoS attackers to crash or overload a destination.
3. We only selected TCP, UDP and ICMP DDoS attacks due to their popularity among DDoS attackers, but other types of DDoS attacks also warrant research.
4. To define an approach that detects known and unknown DDoS attacks we:
   a. Studied and learned how DDoS attackers built their approaches through testing available DDoS attack methodologies.
   b. Reviewed related academic and industrial DDoS detection mechanisms where applicable.
5. We learned about the existing approaches and analysed them according to environments, algorithms, methodologies, and detection accuracy.
6. We built physical environments to test and analyse forged packets generated by the DDoS methodologies and genuine packets that are generated from genuine applications.
7. From point 6, we learned that DDoS designers use their own custom code as opposed to operating system resources to generate packets. This allows DDoS attackers to have better control over the packet type, which makes the attack more effective.
8. To extend our knowledge, we began by learning and investigating background information and fundamental concepts of all related technologies that are involved in DDoS attacks.
9. From points 7 and 8, we identified that DDoS attackers change specific protocol header patterns to confuse the detection system or indeed the destination. Such an approach helps DDoS attacks to look genuine and, hence, bypass detection systems. Therefore, we focused on protocol headers to detect DDoS attacks.
10. From points 6 to 9, we selected specific patterns that separate genuine traffic from DDoS attacks.
11. We employed an ANN to detect known and unknown DDoS attacks based on the patterns identified in point 10. ANN was selected due to its ability to detect known and unknown patterns that are similar to those it was trained with.
12. Most traditional approaches use volume limitation and signature based detection systems to control their traffic. In signature based detection systems, an administrator is required to include rules and signatures (database) to detect old and known attacks. Our approach uses the ANN algorithm to detect known and unknown DDoS attacks. Therefore, no administration is required, and any unknown (zero-day) attacks that are similar to the DDoS attacks used to train the ANN are detected. A volume limitation approach is used when the volume is higher than a certain threshold. This normally results in both genuine and DDoS traffic volumes being dropped. Our approach drops DDoS attacks based on the detection component's output.
13. The ANN needs to be trained with different datasets that represent the patterns mentioned in point 10.
14. To train the ANN, one can either use existing old datasets or generate an up-to-date database that contains the most recent patterns. We selected up-to-date datasets that cover old and
Fig. 5. Representations of three DDoS detector instances.

new patterns. However, we also trained the ANN with old patterns just to identify the ANN's response when detecting known and unknown DDoS attacks.
15. To generate datasets, we built realistic corporate safe environments where we launched different TCP, UDP and ICMP DDoS attacks coupled with genuine traffic that was generated by genuine applications.
16. The datasets were prepared in the format that JNNS accepts to train our ANN algorithm (off-line). We selected 80% of the datasets to train the learning algorithm and 20% to verify the training process.
17. The process of design and implementation of our solution can be summarised in the following points:
   a. Retrieve packets from the network based on thresholds.
   b. Organise and calculate the packets for the ANN engine to verify the legitimacy of the retrieved packets.
   c. The output is either 1 = attack, 0 = normal or 2 = unidentified traffic.
   d. If the output is 1, the defence component activates and drops the forged packets, but if the output is 0, then no action is required. However, if the output is 2, the defence component relies on the output that it receives from other DDoS detectors.
   e. The destination and type of the attack are distributed to all other DDoS detectors for the purpose of awareness.
   f. The proposed system loops back and retrieves packets from the network for further monitoring. The defence component removes restrictions if the traffic to the same destination is verified as genuine by the ANN engine. In all cases, genuine traffic is untouched and unobstructed.
18. To rigorously and realistically test our solution, we used physical corporate environments to evaluate our approach against known and unknown DDoS attacks. We used detection accuracy, sensitivity and specificity to evaluate our approach vis-à-vis other approaches.
19. To implement our solution mechanism, we developed our detection system as plugins and integrated it with Snort-AI [22]. Snort-AI is based on the Snort signature Intrusion Detection System project [23] – one of the present authors (AS) is an active contributor to Snort-AI – by providing plugins and other integration processes. The output of the detection system is coupled with the destination IP address to instruct iptables [24] to mitigate forged packets while allowing genuine traffic to pass through. We also used the RSA public key encryption mechanism to encrypt the messages over the TCP connections between the detectors, where each detector acts as both a sender and a receiver.

The solution needs to remain functional when parts of its code are subject to technical issues or maintenance. For example, if the TCP detection code requires an update, the ICMP and UDP detection codes should be able to function without any downtime. In addition, our solution must be organised in terms of logging traffic for the purpose of debugging if required. One can either embed all three TCP, UDP and ICMP detection, mitigation and knowledge sharing codes in one application or separate them as instances. Programming has shown that embedding all three source codes into one requires more time to implement and more testing, while separating and creating instances of TCP, UDP and ICMP yields the following benefits:

• Turn off any instance when needed without affecting other instances.
• Separate the detection mechanisms according to protocols (better control).
• A crashed instance due to technical issues will not affect the other instances.
• Easily debug to identify technical issues/problems.
• Avoid a single point of failure (protocol based).
• Separate crashes according to protocols (if applicable).
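The training pipeline described in Section 3 and summarised in points 13–18 (min-max normalisation of the header fields, a three-layer feed-forward network with a Sigmoid activation trained by error Back-Propagation, an 80/20 split and the accuracy formula with its companion metrics) can be exercised end to end with the following added example. It is not the authors' JNNS set-up or the Snort-AI plugin: the 3-4-1 topology mirrors the ICMP structure of Fig. 2, but the packet "patterns" are a constructed, separable toy data set on deliberately mismatched scales (two 16-bit-like fields and one 8-bit-like field), and the functions `make_samples`, `fit_minmax`, `normalise`, `ThreeLayerNet`, `metrics` and `run_experiment` are this example's own names.

```python
"""Added example (not the paper's code): a 3-4-1 feed-forward network trained
by error back-propagation with a sigmoid activation, fed min-max normalised
header-like features, evaluated on an 80/20 split with the paper's metrics.
The data set is constructed here and is a stand-in for the authors' patterns."""
import math
import random


def make_samples(n_per_class=20, seed=7):
    """Constructed (features, label) pairs: three raw fields per packet on very
    different scales, an ICMP-ID-like value (0-65535), an ICMP-sequence-like
    value (0-65535) and a small source-address index (0-255). Genuine (0) and
    forged (1) packets sit in separable bands of the first two fields; the
    third is noise. Toy data, NOT the authors' data set."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n_per_class):
        samples.append(([rng.uniform(0.0, 0.4) * 65535, rng.uniform(0.0, 0.4) * 65535,
                         rng.uniform(0.0, 1.0) * 255], 0))
        samples.append(([rng.uniform(0.6, 1.0) * 65535, rng.uniform(0.6, 1.0) * 65535,
                         rng.uniform(0.0, 1.0) * 255], 1))
    rng.shuffle(samples)
    return samples


def split_80_20(samples):
    """80% of the data set trains the network, 20% validates it (Section 3)."""
    cut = int(len(samples) * 0.8)
    return samples[:cut], samples[cut:]


def fit_minmax(train):
    """Per-feature minimum and maximum, fitted on the training split only."""
    n = len(train[0][0])
    lo = [min(x[i] for x, _ in train) for i in range(n)]
    hi = [max(x[i] for x, _ in train) for i in range(n)]
    return lo, hi


def normalise(x, lo, hi):
    """Min-max scaling so that a 16-bit field cannot drown an 8-bit one."""
    return [(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(x, lo, hi)]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


class ThreeLayerNet:
    """Input -> hidden -> single output node (1 = attack, 0 = genuine)."""

    def __init__(self, n_in, n_hidden, seed=1):
        rng = random.Random(seed)
        # the extra weight on every node is its bias, fed a constant 1.0
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hidden)]
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)]

    def forward(self, x):
        xb = list(x) + [1.0]
        hb = [sigmoid(sum(w * v for w, v in zip(row, xb))) for row in self.w1] + [1.0]
        out = sigmoid(sum(w * v for w, v in zip(self.w2, hb)))
        return xb, hb, out

    def train(self, data, epochs=1000, lr=0.5):
        """On-line error back-propagation on the squared output error."""
        for _ in range(epochs):
            for x, y in data:
                xb, hb, out = self.forward(x)
                d_out = (out - y) * out * (1.0 - out)
                d_hid = [d_out * self.w2[j] * hb[j] * (1.0 - hb[j]) for j in range(len(self.w1))]
                for j in range(len(self.w2)):
                    self.w2[j] -= lr * d_out * hb[j]
                for j, row in enumerate(self.w1):
                    for i in range(len(row)):
                        row[i] -= lr * d_hid[j] * xb[i]

    def predict(self, x):
        return 1 if self.forward(x)[2] >= 0.5 else 0


def metrics(pred_truth_pairs):
    """Accuracy, sensitivity, specificity and precision as percentages;
    accuracy follows the paper's (TP + TN) / (TP + TN + FP + FN) x 100."""
    tp = tn = fp = fn = 0
    for pred, truth in pred_truth_pairs:
        if pred == 1 and truth == 1:
            tp += 1
        elif pred == 0 and truth == 0:
            tn += 1
        elif pred == 1 and truth == 0:
            fp += 1
        else:
            fn += 1

    def pct(num, den):
        return 100.0 * num / den if den else 0.0

    return {"accuracy": pct(tp + tn, tp + tn + fp + fn),
            "sensitivity": pct(tp, tp + fn),
            "specificity": pct(tn, tn + fp),
            "precision": pct(tp, tp + fp)}


def run_experiment():
    """Train on the 80% split, report the metrics on the held-out 20%."""
    train, test = split_80_20(make_samples())
    lo, hi = fit_minmax(train)
    net = ThreeLayerNet(n_in=3, n_hidden=4)
    net.train([(normalise(x, lo, hi), y) for x, y in train])
    return metrics([(net.predict(normalise(x, lo, hi)), y) for x, y in test])


if __name__ == "__main__":
    print(run_experiment())
```

Two design points carry over to a real deployment: the normalisation bounds are fitted on the training split only and then reused unchanged for validation and in production, otherwise the attack traffic being evaluated silently redefines the scale; and the four metrics are computed from one confusion matrix so that a detector which passes on accuracy alone cannot hide a poor sensitivity (missed attacks) or specificity (dropped genuine traffic).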

Please cite this article as: A. Saied, et al., Detection of known and unknown DDoS attacks using Artificial Neural Networks,
Neurocomputing (2015), http://dx.doi.org/10.1016/j.neucom.2015.04.101i
A. Saied et al. / Neurocomputing ∎ (∎∎∎∎) ∎∎∎–∎∎∎ 7

Table 1
Test results that reflect the requirements and the objectives. Each requirement is followed by its tests in the form: Testing approach | Expected results | Results | Comments. Where a detector output is given, the codes are 0 – Normal, 1 – Attack, 2 – Unidentified.

Requirement: Unknown (zero-day) and known detection when high and low rate DDoS attacks are launched.
  Integration | All modules of the detection component are integrated together. All modules are integrated to detect DDoS attacks. | Passed | The integrated modules are the organiser, victim IP-identifier, calculator and ANN engine.
  Functional | Detect normal traffic and known/unknown DDoS attacks. | Passed (0 – Normal, 1 – Attack, 2 – Unidentified) | Attacks are launched at low and high rates.
  System | Our DDoS detector is capable of detecting ALL DDoS attacks. | Failed | Not ALL DDoS attacks are detected. See conclusion.

Requirement: Detect and separate genuine traffic that looks like attack traffic (e.g. a high load of genuine traffic towards a particular website).
  Functional | Detect genuine traffic that looks like a DDoS attack. | Passed (0 – Normal) | N/A
  System | Our DDoS detector is capable of detecting ALL genuine traffic. | Passed (0 – Normal) | N/A
  Load | Detect high and low load genuine traffic. | Passed (0 – Normal) | N/A

Requirement: Ability to detect, cope with and defend against DDoS attacks if the DDoS detectors themselves are under DDoS attack (avoid crashing).
  Load/system | Detect DDoS attacks while our DDoS detector itself is under attack. | Passed (1 – Attack, 0 – Normal, 2 – Unidentified) | Detects the attack while both our DDoS detector system and other destinations are under DDoS attack.

Requirement: Mitigate against DDoS attacks when detected and allow genuine traffic to pass through.
  Integration | All modules of the defence component are integrated together with the detection component. | Passed | Detection and defence components are integrated together.
  Functional-1 | Regardless of the type or strength of the attack, the victim must be defended from DDoS attacks. | Passed | N/A
  Functional-2 | The output of the detection component determines the activation of the defence component against any type of DDoS attack. | Passed | 0 – No action is required by the defence. 1 – Take action. 2 – Use the information from other DDoS detectors to take action.
  System | A DDoS detector detects and mitigates DDoS attacks. | Passed | N/A

Requirement: Communication between the DDoS detectors on different networks via encrypted connections. Also send an email to the Security Officer for extra countermeasures if required.
  Integration | All components and elements are integrated. | Passed | N/A
  Functional-1 | Send encrypted messages to other DDoS detectors. | Passed | N/A
  Functional-2 | Send an email to the Security Officer. | Passed | N/A
  System | Each DDoS detector detects and mitigates DDoS attacks and shares the information with other DDoS detectors. | Passed | All modules and components of a DDoS detector are involved in this test.

Requirement: Minimise the strength of DDoS attacks before they reach their destination.
  System | Strength of the attack is minimised after mitigation. | Passed | N/A

Requirement: Detect high and low rate DDoS attacks.
  Functional-1 | Detect high rate DDoS attacks. | Passed | N/A
  Functional-2 | Detect low rate DDoS attacks. | Passed | N/A

Based on the above points, our approach provides scalability, resilience and avoids single points of failure (see Fig. 5). Although the approach shown in Fig. 5 is scalable, controllable and avoids a single point of failure, it requires more physical resources to operate. We prioritise avoiding a single point of failure over saving physical resources, since the resource cost can be met by upgrading the hardware specification of the machine (CPU and RAM).

4. Testing process

In order to verify whether the implemented solution meets the functional, performance, design and implementation requirements, we have conducted different tests which reflect the objectives and the requirements of this work. For this purpose, we have used Integration, Functional, System and Load tests, as shown in Table 1.

5. Quantitative evaluation and contribution

We have evaluated our solution based on accuracy, precision, sensitivity (ability to identify positive results) and specificity (ability to identify negative results). The tests were conducted in a controlled, isolated network environment where genuine and DDoS attack flows (high and low rates) were deployed. During the experiments, known and unknown DDoS attacks were launched, each with 20–120 zombies, forming a total of 1160 known and unknown DDoS attacks. The zombies were installed on, and attacked from, virtual platforms on VMware boxes, where the boxes were connected to physical devices (the victim) via virtual routers. The DDoS detectors and Snort instances were then deployed between the virtual routers and the victim, where they analysed the traffic for abnormalities. The results are presented in Table 2 and compared with a signature-based solution (Snort) and four other approaches [6,7,25,26] for which quantitative evaluations are reported.

Afterwards, we trained our solution with old and up-to-date datasets and deployed different DDoS attacks (known/unknown). The results of the experiment are recorded in Table 3.

Table 2
Comparison between our approach and other work (NA: not reported).

Approach            | Accuracy (%)     | Sensitivity (%) | Specificity (%) | Precision (%)
Our approach        | 98               | 96              | 100             | 100
Snort               | 93               | 90              | 97              | 96
PNN [7]             | 92 (P1); 97 (P2) | NA              | NA              | NA
BP [6]              | 90 (BP)          | NA              | NA              | NA
Chi-square [25]     | 94               | 92              | NA              | NA
K-PCA-PSO-SVM [26]  | NA               | 96              | NA              | NA

Table 3
Our approach with respect to old and new datasets.

Our approach  | Accuracy (%) | Sensitivity (%) | Specificity (%) | Precision (%)
Old datasets  | 92           | 88              | 96              | 96
New datasets  | 98           | 96              | 100             | 100

As a result, the following can be identified as our main contributions:

• Based on our test experiments, on average our approach provides a significantly higher rate of detection, accuracy, sensitivity and specificity compared to the alternative approaches, as shown in Table 2.
• As shown in Table 3, our approach responded less well when trained with old datasets (92% detection accuracy), but when trained with up-to-date datasets the solution produced 98% detection accuracy. This means that the more up-to-date the attack patterns used to train the ANN, the better the solution performs in detecting DDoS attacks.
• To further analyse our contribution, we launched 580 known and 580 unknown DDoS attacks. On average our approach detected 95% of unknown DDoS attacks (552 attacks detected) and 100% of known DDoS attacks. This means that our solution failed to detect approximately 5% of unknown DDoS attacks. This is to be expected because, as explained earlier, the ANN only detects attacks that are similar to those it was trained with, and 5% of the attacks were completely different.

We extended our testing and evaluation process by mixing genuine and forged patterns when we launched the DDoS attacks. We then added extra patterns that the ANN had not been trained with. At this point our solution still detected the DDoS attacks, because detection is based on the trained patterns, and additional new patterns do not change the nature of the detection process as long as the DDoS attack contains one or more patterns that the ANN was trained with. Furthermore, in none of our experiments did our solution flag genuine traffic as a DDoS attack, so the False Positive Rate measured in this controlled environment is zero.

6. Limitations and suggestions for further research

Regarding our approach, the following points provide suggestions for further research.

Unexpected DDoS attack: Our solution has problems detecting DDoS attacks when the protocol headers are encrypted with any encryption algorithm. This is because our solution is not designed to analyse encrypted packets. However, an encrypted DDoS attack is not a common approach, since the attack is slow and introduces high latency.

Updating the datasets and re-training: The DDoS attack tools used to generate the old datasets date back to the early years between 2000 and 2003, and they are no longer effective. The DDoS tools used to generate the up-to-date datasets span the period between 2000 and early 2013. With the old datasets (attacks that go back to 2000–2003) the detection accuracy was 92%, while with the up-to-date datasets (attacks between 2000 and 2013) the detection accuracy was 98%. This means the ANN requires retraining every 5–6 years. The solution here may be the introduction of an online interactive engine that continuously searches the Internet for new DDoS attack information. The engine would retrieve the patterns from the Internet and prepare them as datasets to continuously and automatically retrain the ANN whenever required.

Our approach using other datasets: One can train our approach using other available online datasets and compare the outcome with our outcome to identify its strengths and weaknesses.

Our approach in a simulated environment: Our approach has not been tried or tested in a simulated environment. One could reproduce our work in such an environment to verify and compare the detection accuracy of our DDoS detectors in real and simulated environments.

The above points serve as suggestions for future research, to further improve our detection solution and to detect encrypted DDoS attacks using online-trainable datasets.

7. Summary and conclusions

We have used a trained Artificial Neural Network algorithm to detect TCP, UDP and ICMP DDoS attacks based on characteristic patterns that separate genuine traffic from DDoS attacks. The ANN learning process was started by reproducing a network environment that is a mirror image of a real-life environment. Different DDoS attacks were then launched while normal traffic was flowing through the network. The datasets were collected, pre-processed and prepared to train the algorithm using JNNS. The detection mechanism was then integrated with Snort-AI, where it was tested against known and unknown DDoS attacks. We evaluated our solution against a signature-based solution and other related academic research, and our approach produced higher detection accuracy (98%) in comparison with the other approaches shown in Table 2.

We further evaluated our approach by training the algorithm with old and up-to-date datasets (patterns), and it managed to detect known (100%) and unknown (95%) DDoS attacks that are similar to what it was trained with (up-to-date patterns). However, when trained with old data patterns only, our solution did not detect some unknown DDoS attacks. This means that improper training or old patterns can result in poor detection, while a variety of DDoS cases can lead to better DDoS detection. This is due to the fact that the algorithm detects on the basis of scenarios, so more scenarios assist the ANN to understand the nature of DDoS attacks.

As shown in Table 1, we have also tested our solution against different requirements that reflect the objectives shown in Section 1. Our solution yielded such results because:

• We identified the patterns that are most popular among DDoS attackers to launch an attack.
• We focused on up-to-date datasets, which provide higher detection accuracy than old datasets.
• We avoided simulation and used real physical environments in learning about the DDoS architectural structure.

A limitation of our solution is that it cannot handle DDoS attacks that use encrypted packet headers. Detecting encrypted DDoS attacks is an interesting and challenging topic for future research.

References

[1] M. Reed, Denial of Service attacks and mitigation techniques: real time implementation with detailed analysis, SANS Institute InfoSec Reading Room, 2011. Available from: 〈http://www.sans.org/reading-room/whitepapers/detection〉.
[2] Troj/Flood-IM, Backdoor DDoS Trojan, detected by Sophos. Available from: 〈https://secure2.sophos.com〉.
[3] E. Alomari, B.B. Gupta, S. Karuppayah, Botnet-based distributed denial of service (DDoS) attacks on web servers: classification and art, Int. J. Comput. Appl. 49 (7) (2012) 24–32.
[4] T.M. Mitchell, Machine Learning, 1st ed., McGraw-Hill Science/Engineering/Math, New York, 1997, Chapters 3, 4, 6, 7, pp. 52–78, 81–117, 128–145, 157–198.
[5] Prolexic, Global Leader in DDoS Protection and Mitigation, 2003–2014. Available from: 〈http://www.prolexic.com〉.
[6] J. Li, Y. Liu, L. Gu, DDoS attack detection based on neural network, in: Proceedings of the 2nd International Symposium on Aware Computing (ISAC), Tainan, 1–4 Nov. 2010, pp. 196–199.
[7] V. Akilandeswari, S.M. Shalinie, Probabilistic neural network based attack traffic classification, in: Proceedings of the Fourth International Conference on Advanced Computing (ICoAC), Chennai, 13–15 Dec. 2012, pp. 1–8.
[8] C. Siaterlis, V. Maglaris, Detecting incoming and outgoing DDoS attacks at the edge using a single set of network characteristics, in: Proceedings of the 10th IEEE Symposium on Computers and Communications (ISCC), 27–30 June 2005, pp. 469–475.
[9] B.B. Gupta, C. Joshi, M. Misra, ANN based scheme to predict number of zombies in a DDoS attack, Int. J. Netw. Secur. 13 (3) (2011) 216–225.
[10] G. Badishi, I. Keidar, O. Romanov, A. Yachin, Denial of Service? Leave it to Beaver, project supported by the Israeli Ministry of Science, 2006, pp. 3–14.
[11] E. Shi, I. Stoica, D. Andersen, D. Perrig, OverDoSe: A Generic DDoS Protection Service Using an Overlay Network, Technical report CMU-CS-06-114, 2006, pp. 2–12. Available from: 〈www.cs.umd.edu/~elaine/docs/overdose.ps〉.
[12] Y. Chen, K. Hwang, W. Ku, Collaborative detection of DDoS attacks over multiple network domains, IEEE Trans. Parallel Distrib. Syst. 18 (12) (2007) 1649–1662.
[13] B. Al-Duwairi, G. Manimaran, A novel packet marking scheme for IP traceback, in: Proceedings of the Tenth International Conference on Parallel and Distributed Systems (ICPADS), 7–9 July 2004, pp. 195–202.
[14] C. Gong, K. Sarac, A more practical approach for single-packet IP traceback using packet logging and marking, IEEE Trans. Parallel Distrib. Syst. 19 (10) (2008) 1310–1324.
[15] S. Yu, W. Zhou, R. Doss, W. Jia, Traceback of DDoS attacks using entropy variations, IEEE Trans. Parallel Distrib. Syst. 22 (3) (2011) 412–425.
[16] J. Novak, S. Northcutt, Network Intrusion Detection, 3rd ed., SAMS, 2002, pp. 8–30.
[17] Stuttgart Neural Network Simulator (Version 4.1), University of Stuttgart, 1995. Available from: 〈http://www.nada.kth.se/~orre/snns-manual/〉.
[18] M. Pino, A theoretical & practical introduction to self organization using JNNS, University of Applied Sciences, Brandenburg, 2005.
[19] T. Jayalakshmi, A. Santhakumaran, Statistical normalization and back propagation for classification, Int. J. Comput. Theory Eng. 3 (1) (2011) 89–93.
[20] Q. Zhang, S. Sun, Weighted data normalization based on eigenvalues for artificial neural network classification, in: Proceedings of the 16th International Conference on Neural Information Processing (ICONIP), 2009, pp. 349–356.
[21] J. Wallen, IPTraf (Version 3.0), open source project, 2005. Available from: 〈http://iptraf.seul.org〉.
[22] C. Bedón, A. Saied, Snort-AI (Version 2.4.3), open source project, 2009. Available from: 〈http://snort-ai.sourceforge.net/index.php〉.
[23] M. Roesch, Snort (Version 2.9), open source project, 1998. Available from: 〈http://www.snort.org〉.
[24] R. Russell, Iptables (Version 1.4.21), open source project, 1998. Available from: 〈http://ipset.netfilter.org/iptables.man.html〉.
[25] F. Leu, C. Pai, Detecting DoS and DDoS attacks using chi-square, in: Proceedings of the Fifth International Conference on Information Assurance and Security (IAS-09), Xian, 2009, pp. 225–258.
[26] X. Xu, D. Wei, Y. Zhang, Improved detection approach for distributed denial of service attack based on SVM, in: Proceedings of the Third Pacific-Asia Conference on Circuits, Communications and Systems (PACCS), Wuhan, 17–18 July 2011, pp. 1–3.
[27] C. Jie-Hao, C. Feng-Jiao, Zhang, DDoS defense system with test and neural network, in: Proceedings of the IEEE International Conference on Granular Computing (GrC), Hangzhou, China, 11–13 Aug. 2012, pp. 38–43.

Dr. Alan Saied received his first degree in Computer Networks from Middlesex University in London and his M.Sc. in Computing and Internet Systems from King's College London. Alan finished his Ph.D. in 2015 at King's College London, University of London. Alan's technical skills have been many and varied. His expertise covers open source and enterprise technologies, and security coupled with penetration testing. Alan has worked with different enterprise solutions as well as contributing to the open source community.

Dr. Richard E. Overill is a Senior Lecturer in Computer Science at King's College London, a multi-faculty School of the University of London. He has authored or co-authored some 110 publications in academic journals, international conference proceedings and invited book chapters, specialising in computational science, parallel algorithm design and performance measurement, and, since 1996, cyber security and digital forensics.

Prof. Tomasz Radzik received an M.Sc. in Computer Science from Warsaw University in 1985 (M.Sc. thesis: "Communication and Routing in Synchronous Parallel Machines") and a Ph.D. in Computer Science from Stanford University in 1992 (Ph.D. thesis: "Algorithms for Some Linear and Fractional Combinatorial Optimization Problems"). He was a postdoctoral research associate at Cornell University from September 1992 to July 1993 and at King's College London from August to December 1993. He has been Lecturer (1994–2001), Senior Lecturer (2002–2006) and Reader (since 2007) in the Department of Informatics (formerly Department of Computer Science) at King's College London. He is a member of the Algorithms and Bioinformatics research group.