DDOS Detection
Using Machine Learning techniques
DoS attack
[Diagram: a single attacker sends fake requests to a weak web service (the victim); the requests are blocked.]
DDoS attack
[Diagram: a botnet army sends Request 1, Request 2, Request 3, Request 4, Request 5, … to the victim alongside a genuine user; the victim cannot tell which one is the attack.]
Discussion
• Detection of known and unknown DDoS attacks using Artificial Neural Networks (Alan Saied, Richard E. Overill, Tomasz Radzik), 2016
Objective (Paper 1)
Use the Artificial Neural Network (ANN) algorithm to detect DDoS attacks based on specific characteristic features (patterns) that separate DDoS attack traffic from genuine traffic.
[Diagram: the ANN is trained on a pattern plus previous mixed requests (normal + attack); each new request is classified as Normal or Attack.]
Background (Paper 1)
• Using an online (live) dataset to detect known and unknown DDoS attacks, which means detection of up-to-date patterns
• A defence mechanism that prevents forged packets from reaching the victim, but allows genuine packets to pass through
Theoretical Framework & Arch. (Paper 1)
• Build an ANN for TCP to detect DDoS attacks
[Diagram: feed-forward / feed-backward ANN with inputs Source Address, TCP flags, TCP Seq., Source Port, Dst. Port]
"Based on our experiments and analysis, most installed zombies use their built-in libraries as opposed to operating system libraries to generate packets."
80% of the dataset is a training set; 20% of the dataset is a testing set.
Theoretical Framework & Arch. (Paper 1)
• Build an ANN for ICMP to detect DDoS attacks
[Diagram: feed-forward / feed-backward ANN with inputs Source IP, ICMP Id, ICMP Seq]
80% of the dataset is a training set; 20% of the dataset is a testing set.
Theoretical Framework & Arch. (Paper 1)
• Build an ANN for UDP to detect DDoS attacks
[Diagram: feed-forward / feed-backward ANN with inputs UDP Src. Port, UDP Dst. Port, Packet length, UDP Src. IP]
80% of the dataset is a training set; 20% of the dataset is a testing set.
Theoretical Framework & Arch. (Paper 1)
A defence mechanism
[Diagram: genuine packets are accepted to pass; forged packets are rejected (suspect).]
Theoretical Framework & Arch. (Paper 1)
• Sigmoid Activation Function
[Diagram: sigmoid activation function whose two output regions are labelled Normal and DDoS.]
Theoretical Framework & Arch. (Paper 1)
Deep defence mechanism
• Sharing the detection information
• Real-time detection ANN updating
[Diagram: several detectors each accept genuine packets to pass and reject suspect packets, and share new information (detections) with each other.]
Warning: this structure will take a lot of time!!
Theoretical Framework & Arch. (Paper 1) – Deep Defence Mech.
• Each detector holds the IPs of neighbouring detectors (e.g. IP1, IP3) to send messages/data over TCP when a DDoS is detected.
• Recording the packets' info.
• Set a threshold for each protocol, representing the max number of packets per protocol: TCP n, ICMP m, UDP k.
• If the number of packets is greater than the threshold (m), prepare it for the ANN calculator.
Theoretical Framework & Arch. (Paper 1) – Deep Defence Mech.
• If the number of packets is greater than m, prepare it for the ANN calculator.
• Calculate ANN: ANN(TCP) outputs 0 or 1. Train 3 times, giving three outputs of 0 or 1.
Case 1: (0,0,0) no action required, traffic is clean
Case 2: (1,1,1), (1,0,1), (1,1,0) or (0,1,1) activate the defence system
Case 3: (0,1,0), (1,0,0) or (0,0,1) repeat ANN calculation/training
Case table (second version on the slide):
Case 1: (0,1,0), (1,0,0) or (0,0,1) ignore / low-rate attack
Case 2: (1,1,1), (1,0,1), (1,1,0) or (0,1,1) activate the defence system
Case 3: (0,0,0) no action required, traffic is clean
Case 4: otherwise the system generates value 2 (unidentified traffic)
Theoretical Framework & Arch. (Paper 1) – Deep Defence Mech.
Case 4: otherwise the system generates value 2 (unidentified traffic, not used in training). Then check the neighbouring detectors.
[Diagram: the detector asks IP1 and IP3 "Do you know this traffic?"; possible answers: "Yes: it's 0", "it's 1", "No, I don't". On receiving (0, 1): "Ohh, I need to update my algo."]
Result
• The ANN algorithm requires retraining every 5–6 years.
• Our approach has not been tried or tested in a simulated environment.
• Our solution has problems detecting DDoS attacks when the protocol headers are encrypted with any encryption algorithm.
Conclusion
• Our solution achieved a higher detection accuracy compared with other related academic research.
• Our solution did not detect some unknown DDoS attacks (an old dataset is used).
• A limitation of our solution is that it cannot handle DDoS attacks that use encrypted packet headers.
Thanks

Detection of known and unknown DDoS attacks using Artificial Neural Networks
