Comparative Study on TCP SYN Flood DDoS Attack Detection: A Machine Learning Algorithm Based Approach
Affiliation:
1. Department of Computer Science & Engineering, University V.O.C College of Engineering, Thoothukudi – 628008, INDIA
2. Department of Engineering Design, Indian Institute of Technology Madras, Chennai – 600036, INDIA
Abstract
A very common attack on the internet is the Distributed Denial of Service (DDoS) attack, which occupies computational resources and bandwidth to deny service to potential clients. The attack works by flooding the target with a massive number of packets. The attack is called a denial of service (DoS) if it originates from a single server, and a distributed denial of service (DDoS) if it originates from multiple servers. Control and mitigation of DDoS attacks have been a research goal for many scholars for over a decade, and they have succeeded in delivering a few major DDoS detection and protection techniques. In the current state of internet use, how quickly and early a DDoS attack can be detected in broadcasting network transactions remains a key research goal. Since the development of machine learning algorithms, many potential methods of DDoS attack detection have been developed. This work presents the results of various experiments carried out using data mining and machine learning algorithms, as well as combinations of these algorithms, on the commonly available CAIDA dataset for TCP SYN flood attack detection. This work also analyzes various performance metrics, such as false positive rate (FPR), precision, recall, F-measure and receiver operating characteristic (ROC), across various machine learning algorithms. One-R (OR) with an ideal FPR value of 0.05 and recall value of 0.95, decision stump (DS) with an ideal precision value of 0.93, and PART with an excellent F-measure value of 0.91 are some of the performance metric values obtained for TCP SYN flood attack detection.
Publisher
World Scientific and Engineering Academy and Society (WSEAS)
Subject
Artificial Intelligence, General Mathematics, Control and Systems Engineering
Cited by
7 articles.