
Team Meta - VIGU Project Proposal


Project Proposal

Solution for SYN Flood DDoS Attacks using Machine Learning


Team members

Name Registration Number Index Number

S. D. N Inuri ICT/17/18/022 4156

H. Vidura Ishan Lakmal ICT/17/18/034 4162

Gaurangi Samaraweera ICT/17/18/056 4180

J. M. A. W. U Jayakodi ICT/17/18/026 4157

Supervised by
Mr. N. M. A. P. B Nilwakka

Faculty of Applied Sciences


Rajarata University of Sri Lanka
2017/2018 Batch

1. Introduction

With the growth of science and technology, the privacy and security of organizations have
become critical concerns, and network security is therefore a central aspect of the
technological world. One way to protect a network is a firewall: a network security system that
monitors and controls incoming and outgoing traffic based on predetermined security rules.
One of the main threats in a networked environment is the DDoS (Distributed Denial of
Service) attack. Distributed denial of service attacks are a sub-class of denial of service
attacks. A DDoS attack deploys a collection of compromised hosts and results in the
unavailability of network resources for the intended users.

In our project we focus mostly on SYN flood DDoS attacks, a common form of DDoS attack. A
SYN flood can target any system that is connected to the Internet and provides TCP services,
e.g. a web server, an e-mail server or a file transfer server. Because the attack exhausts the
server's half-open connection state rather than its bandwidth, a SYN flood can bring down
even high-capacity devices that are capable of maintaining millions of connections. In our
research we present a solution for SYN flood DDoS attacks that combines SNORT with a
firewall, which contributes to mitigating SYN flood attacks against the protected server.

2. Background

Distributed denial of service attacks are a subclass of denial of service attacks. Currently there
are many different methods for carrying out a DDoS attack. The most common method occurs
when an attacker floods a network server with traffic: the attacker sends a large number of
requests to the target server, overloading it. These service requests are illegitimate and carry
fabricated (spoofed) return addresses, which mislead the server when it tries to respond to, or
authenticate, the source. Many kinds of DDoS attacks have appeared over the past few years,
and many researchers have studied firewalls and intrusion detection as a defence against them.
Mohammad Najafmehr, Sajjad Zarifzadeh and Seyedakbar Mostafavi [1] have done research on
a hybrid intrusion detection system for DDoS attacks. They use both anomaly-based and
signature-based detection techniques; the system is designed using multi-dimensional Gaussian
mixture models learned from a training dataset.
In "DDoS Attacks Impact on Network Traffic and its Detection Approach" [2] (2012), Anup
Bhange, Amber Syad and Satyendra Singh Thakur study the flooding of a network server with
fake traffic, which makes it difficult or impossible for the server to receive and process
legitimate traffic, and propose a method to recognise anomalies in network traffic based on a
non-restricted α-stable model and statistical hypothesis testing. This approach has several
advantages: it can sense low-intensity, slow-paced attacks, and it is potentially easier to sustain
than a rule-based approach because no signature database needs to be maintained and updated.
A denial of service attack is characterised by an explicit attempt by attackers to prevent
legitimate users of a service from using that service; a DDoS attack organises many machines
to achieve this goal.
V. Priyadharshini and Dr. K. Kuppusamy proposed the Prevention of DDoS Attacks using a
New Cracking Algorithm [3]. To protect files from DDoS attacks, the concepts of a file
watcher, an IP watcher and a firewall are used. The file watcher is responsible for monitoring
the files stored in the home directory and analysing the modifications made to them, and the
IP address that modifies a file can be detected by the IP watcher. When a client sends a request
to modify the file, the file watcher denies the service to that user and thus protects the file from
attack. The experimental results of this paper were obtained with several attackers and a
website. The browser updates the user's history on each visit, and the history records
information such as MAC address, time and IP address. Based on the IP address, each arrival
of a user at the website is analysed; when a new user keeps entering the site continuously, the
new cracking algorithm determines whether that user is a DDoS attacker.
The Hybrid Technique for DDoS Detection with Supervised Learning Algorithms [4] by
Soodeh Hosseini and Mehrdad Azizi is a hybrid framework based on a data-stream approach
for detecting DDoS attacks with incremental learning. In the first step of the implementation,
the datasets are pre-processed. For NSL-KDD, the DDoS attack records are selected first; then,
for both datasets, the string-typed attributes are converted to integers and the data is
normalised with the min-max algorithm. In the next step the different types of DDoS attack
defined in the dataset are relabelled into two main classes, "DDoS" and "Normal". The
proposed framework is a hybrid machine learning mechanism for detecting and defending
against DDoS attacks. It has two sides, a client side and a proxy side, and because resources
are limited on both, the processing is divided between them. Across both datasets, random
forest gives the best results on repeated evaluation, but in particular situations any of the other
algorithms may work better. The main objective of each surveyed work is attack detection,
with one exception. Each algorithm has its own weaknesses and strengths, so a combination of
algorithms is used to obtain better detection. Another property of this paper is that attack
profiles are stored in a database to avoid over-processing in the divergence test: the features of
the stream data can be compared against the stored profile database using the divergence test.

[5] Memcached: An Experimental Study of DDoS Attacks for the Wellbeing of IoT
Applications by Nivedita Mishra, Sharnil Pandya, Chirag Patel, Nagaraj Cholli, Kirit Modi,
Pooja Shah, Madhuri Chopade, Sudha Patel and Ketan Kotecha. The Internet of Things (IoT)
has achieved a broad reach in almost every sector of life. In the past, the electronic devices that
served various needs were independent, isolated systems. Since systems such as smart homes
are now required to serve the user's needs remotely, they are exposed to cyber-attacks, namely
phishing, man-in-the-middle and DDoS attacks, and the non-standardised growth of the IoT
industry has been a major contributor to DDoS attacks. With the introduction of IoT devices
there has been a race to make everything "smart", be it a city, healthcare, agriculture or
industry, and these devices generate and store data at scales from small to large according to
the demands of the application. The Memcached mechanism was designed to work internally,
but it became exposed as unauthenticated servers on the Internet, enabling its exploitation for
DDoS attacks. The paper shows a case in which IoT botnets can be deployed against
vulnerable Memcached servers to launch attacks. Although patches released after the attack
ensured that, if best practices are followed, no attack can occur again using this vulnerability
alone, it could still be used as an attack vector for botnets. Under normal conditions
Memcached servers behave as originally designed and do not communicate with each other.
The proposed architecture adds a threshold on the number of requests beyond which the
servers communicate, so that in typical scenarios Memcached works as planned. As depicted
in the paper's Figure 7b, the Memcached servers communicate upon suspicion of an attack: the
suspected victim, i.e. the Memcached server whose individual threshold has been crossed,
sends SYN requests to the remaining Memcached servers to determine whether or not an
attack is taking place. Memcached is a useful model for managing large amounts of data; it
runs on several nodes with multiple cores, and its simplicity makes it a popular choice when
working with IoT devices. Memcached does not support encryption and therefore does not
suffer the added overhead and time delays.

[6] The number and variety of cyber-attacks used for malicious purposes keep increasing, and
cyber-attack simulation and modelling techniques are used to develop security techniques
against them. Cyber-security simulations require various simulation models: modelling
methods that include different types of interaction between entities, as well as models
representing cyber-attacks and target assets. To model a cyber-attack, the actions of the
attacker in relation to that particular attack have to be examined. Research has found that the
development of appropriate cyber-attack models has the potential to significantly reduce cost
and time, and some researchers have developed attack models by looking at the warnings of
the intrusion detection system according to the attack stages.
A network simulation tool built with the DEVS approach was used to perform cyber-attacks.
In the parallel and distributed simulation algorithm developed with DEVS modelling,
parallelism is provided by the parallel DEVS atomic and coupled model definition, while
distribution is provided by a client-server architecture; this algorithm is used in the
development of the DEVS-based network simulation tool. Objects represent the devices that
attackers try to exploit in the simulation environment. The devices used in the network can
have many features according to their tasks, and not all of these features need to be modelled.
New tools and methods are constantly being developed against increasing cyber threats, and
scientific research is needed to test existing cyber-security tools and newly developed
methods. To increase the authenticity of test results in a virtual test environment, the
capabilities of the simulation tool should be examined in detail.

[7] At the 2013 2nd National Conference on Information Assurance (NCIA), an effort was
made to gauge Snort in terms of performance (packet handling) and detection accuracy against
a TCP flooding Distributed Denial of Service attack. The evaluation was done using a
sophisticated test bench under different hardware configurations. The paper analysed the major
factors affecting the performance and detection capability of Snort and recommended
techniques to make Snort a better intrusion detection system (IDS).

Evaluation of Snort using rules for the DARPA 1999 dataset by Ayushi Chahal and Dr. Ritu
Nagpal [8]. They created Snort rules to detect signature-based attacks; the rules also classify
attacks into different classtypes according to their characteristics. The DARPA dataset is
regarded as the dataset of interest for intrusion detection researchers, so the DARPA training
dataset was used to create Snort rules for different attacks. The rules are written in a
generalised form, by relaxing some of the conditions on each rule, so that alert detection is
maximised and novel attacks can be detected. The rules were then tested on the DARPA
testing dataset and gave good results when compared with the DARPA Detection Scoring
Truth: the notifications in the alert database are compared with the actual attacks in the
Detection Scoring Truth, and the results are shown as a graph of the number of alerts obtained
through the Snort rules.

LASSP: A Logic Analyzer for Tweaking Snort Security and Performance [9] by Khalid
Hafeez, Muddassar Masood, Owais Malik and Zahid Anwar (Department of Computing, NUST
School of Electrical Engineering and Computer Science). This research proposes a logic
analyser for Snort security and performance which takes Snort rules and Snort configuration
option parameters as inputs and returns the security and performance "knob" level of Snort by
performing a predicate-logic rule-based analysis. As future work, the authors intend to take the
security and performance knob level desired by the user and suggest the Snort configuration
options and the rules that Snort should enable for that level. Many other parameters related to
particular services running in the network (such as HSFD, the server flow depth parameter of
HTTP inspection) were omitted from the analysis for the sake of simplicity and to keep the
number of rules manageable; dynamic programming could be used in future to maximise the
security and performance knob level. While improving the performance of a system, one
important consideration is keeping the level of security acceptable. The developed system
analyses the Snort configuration and rules against the services running in the network (on
certain server ports) and sets the level of the Snort security and performance knobs. Five levels
are defined for the security and performance knobs (a slide bar): very low, low, normal, high
and very high.

[10] Aaliya Tasneem, Abhishek Kumar and Shabnam Sharma propose an Intrusion Detection
and Prevention System using SNORT. The paper provides a critical review of IDS technology,
the issues that occur during its operation, and the challenges and limitations of intrusion
detection systems. It proposes future work while exploring all the topics of IDS, with an
in-depth discussion of the contribution of each piece of research in the field, and it presents
effective solutions to the challenges faced in intrusion detection through techniques such as
machine learning, AI, data mining and alert-processing techniques. Through this review the
authors outline many upcoming research directions. They show the design and working of the
packet-capture technology used in the Snort system and give the corresponding test results. In
future, IDPS will have to cope with an increasing level of automation in attack tools, which
reduces the expertise required to breach security to almost nothing, and the corresponding
increase in the complexity of security is hard on security professionals. These systems still
have a hard time detecting non-instant or zero-day attacks such as Stuxnet. The major
contributions of this paper are the technologies and methodologies associated with IDPS and
how SNORT can be useful in the whole process. The performance of an IDPS depends on its
detection rate and false-positive rate; nonetheless, IDPS continues to evolve to protect against
the newest security threats.

3. Problem Statement

A Distributed Denial of Service (DDoS) attack uses malicious techniques to diminish the
availability of services in computer networks; the most prevalent way is to send massive traffic
toward the target to exhaust either its bandwidth or its resources. Attackers usually use many
computers, called bots or zombies, to transmit the malicious traffic. The bots are often
computers compromised by the attackers while their legitimate owners are unaware. In other
words, a DDoS attack occurs when multiple machines operate together to attack one target.
DDoS attackers often leverage a botnet, a group of hijacked Internet-connected devices, to
carry out large-scale attacks: they take advantage of security vulnerabilities or device
weaknesses to control numerous devices using command-and-control software, and once in
control they can command the botnet to conduct a DDoS attack on a target. In this case the
infected devices are also victims of the attack.
While there is no way to completely avoid becoming the target of a DoS or DDoS attack, there
are proactive steps administrators can take to reduce the effects of an attack on their network:
enrol in a DDoS protection service that detects abnormal traffic flows and redirects traffic
away from the network, so that the DDoS traffic is filtered out and clean traffic is passed on;
create a disaster recovery plan to ensure successful and efficient communication, mitigation
and recovery in the event of an attack; and strengthen the security posture of all
Internet-connected devices to prevent them from being compromised in the first place. This
type of attack is also increasing year by year; DDoS attacks have reached about 4.3 times the
magnitude seen before the pandemic. The problems outlined above could therefore be reduced
gradually.

4. Aim and objectives

4.1 Project Aim

Traditionally, firewalls are designed to monitor the state of network traffic, using stateful
packet inspection (SPI) to make decisions about the risk of incoming traffic and resource
requests. But the stateful nature of firewalls makes them susceptible to state-exhaustion attacks
such as TCP SYN flood attacks. Moreover, they do not provide visibility into DDoS attack
traffic, nor do they communicate well with cloud-based solutions to mitigate such attacks. Our
target is to overcome this situation: to combine a firewall and SNORT in front of a server so
that the network is protected from DDoS attacks, including SYN floods, and to create a
firewall that blocks malicious traffic before it reaches the network.

4.2 Project Objectives

- To create a second-layer firewall

- To connect the firewall and SNORT together

- To create an algorithm for detecting and defending against DDoS attacks

5. Methodology

In our project we consider, in particular, the traffic coming to a server, and we use a number of
strategies there to detect a DDoS attack. Meanwhile, we are creating a special algorithm to
study traffic patterns. Distributed Denial of Service (DDoS) in SDN is one attack that is
becoming a hurdle to its growth; before DDoS attacks can be mitigated, the primary step is to
detect them, and an early DDoS detection tool built with SNORT has previously been
integrated with popular SDN controllers (OpenDaylight and Open Network Operating System).
We intend to use datasets to test the compatibility of our algorithm, and to use machine
learning technology specifically designed to protect a server from DDoS attacks. The
algorithm we hope to create will accurately identify the relevant DDoS attack using packet
filtering on requests coming to the server. We hope to build a transparent bridge firewall with
SNORT as an early DDoS detection tool.
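One concrete form of the traffic-pattern algorithm sketched above is to aggregate packets per destination and per time window, derive features such as SYN count, completed-handshake count and half-open ratio, and flag windows that cross a threshold. The following Python is an added example, not the project's algorithm: the packet records are constructed to mimic what a pcap parser would produce, two seconds of spoofed SYN flood are mixed into normal handshakes, and the thresholds (100 SYNs per second, 80% half-open) are illustrative. The per-window feature vectors it produces are the kind of input a classifier trained on a dataset would consume.

```python
"""Per-window SYN-flood features and a threshold detector over packet records.

Added example for this proposal, not the project's own algorithm. The packet
records are constructed to mimic what a pcap parser (or the DARPA 2000 traces)
would yield: (time, src, sport, dst, dport, flags). Thresholds are illustrative.
"""
from collections import defaultdict

SERVER = ("192.0.2.10", 80)     # constructed address of the protected server


def handshakes(t0, per_second, seconds, clients):
    """Legitimate traffic (constructed): complete SYN / SYN-ACK / ACK exchanges."""
    out = []
    for s in range(seconds):
        for i in range(per_second):
            t = t0 + s + i / per_second
            src, sport = clients[i % len(clients)], 40000 + i
            out.append((t, src, sport, SERVER[0], SERVER[1], "S"))
            out.append((t + 0.001, SERVER[0], SERVER[1], src, sport, "SA"))
            out.append((t + 0.002, src, sport, SERVER[0], SERVER[1], "A"))
    return out


def syn_flood(t0, per_second, seconds):
    """Attack traffic (constructed): SYNs from spoofed sources; the server's
    SYN-ACKs go to hosts that never asked, so no ACK ever comes back."""
    out = []
    for s in range(seconds):
        for i in range(per_second):
            n = s * per_second + i
            t = t0 + s + i / per_second
            src, sport = f"198.51.100.{n % 254 + 1}", 1024 + n % 60000
            out.append((t, src, sport, SERVER[0], SERVER[1], "S"))
            out.append((t + 0.001, SERVER[0], SERVER[1], src, sport, "SA"))
    return out


def window_features(records, window=1.0):
    """Aggregate segments by (server ip, server port, window index).

    SYN and ACK segments are keyed on their destination (the server) and
    SYN-ACK segments on their source, so all three legs of a handshake land
    in the same bucket. In real captures count only the handshake-completing
    ACK (no payload, following a SYN-ACK): data segments carry ACK as well.
    """
    buckets = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0, "srcs": set()})
    for t, src, sport, dst, dport, flags in records:
        server = (src, sport) if flags == "SA" else (dst, dport)
        b = buckets[(server[0], server[1], int(t // window))]
        if flags == "S":
            b["syn"] += 1
            b["srcs"].add(src)
        elif flags == "SA":
            b["synack"] += 1
        elif flags == "A":
            b["ack"] += 1
    feats = {}
    for key, b in buckets.items():
        syn = b["syn"]
        feats[key] = {
            "syn": syn,
            "synack": b["synack"],
            "ack": b["ack"],
            "unique_src": len(b["srcs"]),
            # fraction of SYNs in the window whose handshake never completed
            "half_open_ratio": (syn - b["ack"]) / syn if syn else 0.0,
        }
    return feats


def detect(feats, min_syn=100, min_ratio=0.8):
    """Flag windows with many SYNs of which most never complete the handshake.
    Requiring both conditions avoids alerting on a busy but healthy server."""
    return sorted(key for key, f in feats.items()
                  if f["syn"] >= min_syn and f["half_open_ratio"] >= min_ratio)


def example():
    """Six seconds of normal traffic with a two-second flood starting at t=2."""
    records = handshakes(0.0, 20, 6, ["203.0.113.5", "203.0.113.6"])
    records += syn_flood(2.0, 300, 2)
    records.sort(key=lambda r: r[0])
    feats = window_features(records)
    return feats, detect(feats)


if __name__ == "__main__":
    feats, flagged = example()
    for key in sorted(feats):
        mark = "ATTACK" if key in flagged else "ok"
        print(key[2], feats[key]["syn"], feats[key]["ack"],
              round(feats[key]["half_open_ratio"], 2), mark)
```

The SYN-count half of this rule is what Snort's detection_filter keyword on a flags:S rule expresses (track by_dst, count, seconds); the half-open ratio needs the SYN-ACK/ACK matching shown above, which Snort's thresholding alone does not give, and it is what keeps a merely busy server (many SYNs, all completed) from being flagged.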

6. Data Collection and pre –process

We intend to use publicly available datasets to test and implement our firewall; we expect to
use the DARPA 2000 dataset for our project.

7. Project Time Plan

Figure 1 – Project time plan Gantt Chart

8. Resource requirements and budget

Computer with a 512 GB hard disk, 8 GB RAM and a Linux OS

9. References

[1] Mohammad Najafmehr, Sajjad Zarifzadeh, Seyedakbar Mostafavi – "A hybrid machine learning approach for detecting unprecedented DDoS attacks" – 2021
[2] Anup Bhange, Amber Syad, Satyendra Singh Thakur – "DDoS Attacks Impact on Network Traffic and its Detection Approach" – 2012
[3] V. Priyadharshini, Dr. K. Kuppusamy – "Prevention of DDoS Attacks using New Cracking Algorithm" – 2012
[4] Soodeh Hosseini, Mehrdad Azizi – "The Hybrid Technique for DDoS Detection with Supervised Learning Algorithms" – 2019
[5] Nivedita Mishra, Sharnil Pandya, Chirag Patel, Nagaraj Cholli, Kirit Modi, Pooja Shah, Madhuri Chopade, Sudha Patel, Ketan Kotecha – "Memcached: An Experimental Study of DDoS Attacks for the Wellbeing of IoT Applications" – 2019
[6] Kara, S. Hizal, S. Zengin – "A network simulation tool prepared using the DEVS approach" – 2020
[7] 2nd National Conference on Information Assurance (NCIA) – 2013
[8] Ayushi Chahal, Dr. Ritu Nagpal – "Evaluation of Snort using rules for DARPA 1999 dataset"
[9] Khalid Hafeez, Muddassar Masood, Owais Malik, Zahid Anwar – "LASSP: A Logic Analyzer for Tweaking Snort Security and Performance"
[10] Aaliya Tasneem, Abhishek Kumar, Shabnam Sharma – "Intrusion Detection Prevention System using SNORT"
[11] Xiang Yu, Wenchao Yu, Shudong Li, Xianfei Yang, Ying Chen, Hui Lu – "WEB DDoS Attack Detection Method Based on Semisupervised Learning" – 2021
[12] Daniyal Alghazzawi, Omaimah Bamasag, Hayat Ullah, Muhammad Zubair Asghar – "Efficient Detection of DDoS Attacks Using a Hybrid Deep Learning Model with Improved Feature Selection" – 2021
[13] Manipi Manoj, Keerthi M, Kiran Kumar M, Dakaraju ViswaTeja, Mrs. Sougandhika Narayan – "Detection of DDoS Attacks Using Hybrid Machine Learning Algorithms" – 2020
[14] SH Kok, Azween Abdullah, Mahadevan Supramaniam, Thulasyammal Ramiah Pillai, Ibrahim Abaker Targio Hashem – "A Comparison of Various Machine Learning Algorithms in a Distributed Denial of Service Intrusion" – 2019
[15] Özge Cepheli, Saliha Büyükçorak, Güneş Karabulut Kurt – "Hybrid Intrusion Detection System for DDoS Attacks" – 2016
[17] Muhammad Aqil Haqeemi Azmi, Cik Feresa Mohd Foozy, Khairul Amin Mohamad Sukri, Nurul Azma Abdullah, Isredza Rahmi A. Hamid, Hidra Amnur – "Feature Selection Approach to Detect DDoS Attack Using Machine Learning Algorithms"
[18] Manas Gogoi, Sourav Mishra – "Detecting DDoS Attack Using Snort"
[19] Bhulok Aryal, Robert Abbas, Iain B. Collings – "SDN enabled DDoS Attack Detection and Mitigation for 5G Networks"
[20] Mohamed Amine, Youness Idrissi Khamlichi, El Mostapha Chakir – "A survey and taxonomy of techniques used to handle alerts of Intrusion Detection Systems" – 2019

10. Signature of team members

Name Registration Number Index Number Signature

S. D. N Inuri ICT/17/18/022 4154

H. Vidura Ishan Lakmal ICT/17/18/034 4162

Gaurangi Samaraweera ICT/17/18/056 4180

J. M. A. W. U Jayakodi ICT/17/18/026 4157

Date: 21/07/2022

11. Recommendation of supervisor(s)

Name: Mr. N. M. A. P. B Nilwakka


Department/ Organization: Department of computing
Signature:
