Deep Learning Based Real-Time DNS DDoS Detection System
•
2 likes•1,489 views
[Poster] Deep Learning Based Real-Time DNS DDoS Detection System @ ACSAC 2016 (The 32nd Annual Computer Security Applications Conference 2016), which is one of the most important cyber security conferences in the world and the oldest information security conference held annually
![RESEARCH POSTER PRESENTATION DESIGN © 2015
www.PosterPresentations.com
DDoS(Distributed Denial of Service) exhausts the target server's resources using the
large number of zombie pc, As a result normal users don't access to server. DDoS
attacks steadily increase by many attacker, and almost target of the attack is critical
system such as IT Service Provider, Government Agency, Financial Institution. In this
paper, We will introduce the CNN(Convolutional Neural Network) of deep learning
based real-time detection system for DNS amplification Attack(DNS DDoS Attack). We
use the dataset which is mixed with collected data in the real environment in order to
overcome existing research limits that use only the data collected in the experiment
environment. Also, we build a deep learning model based on Convolutional Neural
Network(CNN) that is used in pattern recognition and Recurrent Neural Network(RNN)
that is used in natural language processing, voice recognition.
Abstract
Contents
Conclusion
References
[1] Santanna, José Jair, et al. "Booters—An analysis of DDoS-as-a-service attacks.“
2015 IFIP/IEEE International Symposium on Integrated Network Management (IM).
IEEE, 2015.
[2] Wu, Jun, et al. "Detecting DDoS attack towards DNS server using a neural network
classifier." International Conference on Artificial Neural Networks. Springer Berlin
Heidelberg, 2010.
[3] Wei, Wei, et al. "A rank correlation based detection against distributed reflection
DoS attacks." IEEE Communications Letters 17.1 (2013): 173-175.
[4] Gao, Yuxuan, et al. "A Machine Learning Based Approach for Detecting DRDoS
Attacks and Its Performance Evaluation." Proc. of the 11th Asia Joint Conference on
Information Security. 2016.
Acknowledgement
[1] This research was supported by the MSIP(Ministry of Science, ICT and Future
Planning), Korea, under the ITRC(Information Technology Research Center)
support program (IITP-2016-R0992-16-1006) supervised by the IITP (Institute for
Information & communications Technology Promotion)
[2] This work was supported by Institute for Information & communications
Technology Promotion(IITP) grant funded by the Korea government(MSIP)
(R0101-16-0195, Development of EAL 4 level military fusion security solution for
protecting against unauthorized accesses and ensuring a trusted execution
environment in mobile devices)
1. Deep Learning Based Real-Time DNS DDoS Detection System
Packet Reshape Agent extracts the useful feature from raw packet data(.pcap) and
transform the data for use in deep learning. It was written in Go language with gopacket
library. It is composed of ① DNS Packet Collection, ② Useful Feature Selection,
③ Restore Packets into Dataset file and ④ Send to Deep Learning Agent.
① DNS Packet Collection : Collects the incoming DNS packets
② Useful Feature Selection : Extracts a useful features from the collected packets
③ Restore Packets into Dataset file : transforms collected packets into the specific
form of datasets
④ Send to Deep Learning Agent : transfer the dataset to Deep Learning Agent
Deep Learning Agent generates model to detect the attack traffic based the received
dataset from Packet Reshape Agent. It was written in Tensorflow of Python It is
composed of ⑤ Receive the Dataset & Data Normalization and ⑥ Training / Validation.
⑤ Receive the Dataset & Data Normalization : Receives the datasets from Packet
Reshape Agent and Standardizes the range of features of datasets
⑥ Training / Validation : trains and validates the deep learning model
2. Datasets
To overcome the limitations of existing related research, we add the real world attack
and normal packet data from the national telecommunication company (Attack.pcap /
Normal.pcap). Also, we compressed the network traffic packets for a period of time to
make datasets because we can not detect an attack with only one packet.
Korea University, CIST(Center for Information Security Technologies)
In Hyuk Seo, Jinhyun Yu, Ki-Taek Lee, Seungjoo Kim
Deep Learning Based Real-Time DNS DDoS Detection System
3. Deep Learning Model for Detection System
(1) CNN(Convolutional Neural Network) Model
(2) RNN(Recurrent Neural Network)-LSTM Model
# of Packet Query Rate/s Type
Booter1.pcap 8,682,985 21,108 Attack
Booter2.pcap 6,759,917 24,571 Attack
Booter3.pcap 4,338,367 15,168 Attack
Booter4.pcap 65,478 2,226 Attack
Booter5.pcap 1,944,062 6,934 Attack
Booter6.pcap 421,904 3,553 Attack
Booter7.pcap[1] 659,191 1,421 Attack
Attack.pcap 3,559,600 1,407 Attack
Normal.pcap 29,116,704 1,560 Normal
In CNN model based detection
system, we used 21x21 form of
Datasets as input layer. We extract
remarkable features through
3 Convolutional Pooling Layer.
We convert datasets into 3x3x128
form and we classified the label
using by Fully Connected Layer.
In RNN model based
detection system, We used
LSTM(Long Short Term Memory)
to reflect the previous results.
We used 21x21 form of datasets
as input layer. Also, We used
21 hidden layer and each layer
has 22 LSTM Memory cell.
Attack Normal
Recall Precision
Detection
AccuracyTP FN TN FP
[2] 45 10 377 0 81.81% 100% 97.68%
[3] NA NA NA NA 97.51% 59.35% 78.43%
[4] NA NA NA NA 95.86% 99.65% 97.76%
Ours (CNN) 11,968 415 17,130 11 96.64% 99.90% 98.55%
Ours (RNN) 11,660 723 17,141 0 94.16% 100.0% 97.55%](https://image.slidesharecdn.com/acsac2016poster30x40-161213162930/85/Deep-Learning-Based-Real-Time-DNS-DDoS-Detection-System-1-320.jpg)
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (12)
Similar to Deep Learning Based Real-Time DNS DDoS Detection System
Similar to Deep Learning Based Real-Time DNS DDoS Detection System (20)
More from Seungjoo Kim
More from Seungjoo Kim (20)
Recently uploaded
Recently uploaded (20)
Deep Learning Based Real-Time DNS DDoS Detection System
- 1. RESEARCH POSTER PRESENTATION DESIGN © 2015 www.PosterPresentations.com DDoS(Distributed Denial of Service) exhausts the target server's resources using the large number of zombie pc, As a result normal users don't access to server. DDoS attacks steadily increase by many attacker, and almost target of the attack is critical system such as IT Service Provider, Government Agency, Financial Institution. In this paper, We will introduce the CNN(Convolutional Neural Network) of deep learning based real-time detection system for DNS amplification Attack(DNS DDoS Attack). We use the dataset which is mixed with collected data in the real environment in order to overcome existing research limits that use only the data collected in the experiment environment. Also, we build a deep learning model based on Convolutional Neural Network(CNN) that is used in pattern recognition and Recurrent Neural Network(RNN) that is used in natural language processing, voice recognition. Abstract Contents Conclusion References [1] Santanna, José Jair, et al. "Booters—An analysis of DDoS-as-a-service attacks.“ 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM). IEEE, 2015. [2] Wu, Jun, et al. "Detecting DDoS attack towards DNS server using a neural network classifier." International Conference on Artificial Neural Networks. Springer Berlin Heidelberg, 2010. [3] Wei, Wei, et al. "A rank correlation based detection against distributed reflection DoS attacks." IEEE Communications Letters 17.1 (2013): 173-175. [4] Gao, Yuxuan, et al. "A Machine Learning Based Approach for Detecting DRDoS Attacks and Its Performance Evaluation." Proc. of the 11th Asia Joint Conference on Information Security. 2016. Acknowledgement [1] This research was supported by the MSIP(Ministry of Science, ICT and Future Planning), Korea, under the ITRC(Information Technology Research Center) support program (IITP-2016-R0992-16-1006) supervised by the IITP (Institute for Information & communications Technology Promotion) [2] This work was supported by Institute for Information & communications Technology Promotion(IITP) grant funded by the Korea government(MSIP) (R0101-16-0195, Development of EAL 4 level military fusion security solution for protecting against unauthorized accesses and ensuring a trusted execution environment in mobile devices) 1. Deep Learning Based Real-Time DNS DDoS Detection System Packet Reshape Agent extracts the useful feature from raw packet data(.pcap) and transform the data for use in deep learning. It was written in Go language with gopacket library. It is composed of ① DNS Packet Collection, ② Useful Feature Selection, ③ Restore Packets into Dataset file and ④ Send to Deep Learning Agent. ① DNS Packet Collection : Collects the incoming DNS packets ② Useful Feature Selection : Extracts a useful features from the collected packets ③ Restore Packets into Dataset file : transforms collected packets into the specific form of datasets ④ Send to Deep Learning Agent : transfer the dataset to Deep Learning Agent Deep Learning Agent generates model to detect the attack traffic based the received dataset from Packet Reshape Agent. It was written in Tensorflow of Python It is composed of ⑤ Receive the Dataset & Data Normalization and ⑥ Training / Validation. ⑤ Receive the Dataset & Data Normalization : Receives the datasets from Packet Reshape Agent and Standardizes the range of features of datasets ⑥ Training / Validation : trains and validates the deep learning model 2. Datasets To overcome the limitations of existing related research, we add the real world attack and normal packet data from the national telecommunication company (Attack.pcap / Normal.pcap). Also, we compressed the network traffic packets for a period of time to make datasets because we can not detect an attack with only one packet. Korea University, CIST(Center for Information Security Technologies) In Hyuk Seo, Jinhyun Yu, Ki-Taek Lee, Seungjoo Kim Deep Learning Based Real-Time DNS DDoS Detection System 3. Deep Learning Model for Detection System (1) CNN(Convolutional Neural Network) Model (2) RNN(Recurrent Neural Network)-LSTM Model # of Packet Query Rate/s Type Booter1.pcap 8,682,985 21,108 Attack Booter2.pcap 6,759,917 24,571 Attack Booter3.pcap 4,338,367 15,168 Attack Booter4.pcap 65,478 2,226 Attack Booter5.pcap 1,944,062 6,934 Attack Booter6.pcap 421,904 3,553 Attack Booter7.pcap[1] 659,191 1,421 Attack Attack.pcap 3,559,600 1,407 Attack Normal.pcap 29,116,704 1,560 Normal In CNN model based detection system, we used 21x21 form of Datasets as input layer. We extract remarkable features through 3 Convolutional Pooling Layer. We convert datasets into 3x3x128 form and we classified the label using by Fully Connected Layer. In RNN model based detection system, We used LSTM(Long Short Term Memory) to reflect the previous results. We used 21x21 form of datasets as input layer. Also, We used 21 hidden layer and each layer has 22 LSTM Memory cell. Attack Normal Recall Precision Detection AccuracyTP FN TN FP [2] 45 10 377 0 81.81% 100% 97.68% [3] NA NA NA NA 97.51% 59.35% 78.43% [4] NA NA NA NA 95.86% 99.65% 97.76% Ours (CNN) 11,968 415 17,130 11 96.64% 99.90% 98.55% Ours (RNN) 11,660 723 17,141 0 94.16% 100.0% 97.55%