Please use this identifier to cite or link to this item: http://bura.brunel.ac.uk/handle/2438/22521
Title: Developing an intrusion detection model for distributed denial of service attacks in cloud computing
Authors: Ahmadi, Roja
Advisors: Macredie, R; Tucker, A
Keywords: Cyber security; ML; AI; Artificial intelligence; Machine learning
Issue Date: 2019
Publisher: Brunel University London
Abstract: Distributed Denial of Service (DDoS) attacks are one of the most significant threats to the availability of resources offered using the cloud computing model. One way to counter such attacks is by employing Intrusion Detection Systems which seek to identify attacks so that countermeasures can be deployed. However, owing to changes in the characteristics of the attacks, Intrusion Detection Systems can sometimes fail to accurately detect DDoS attacks. In seeking to improve Intrusion Detection Systems, the scarcity of publicly-available cloud intrusion detection datasets hinders the development of more precise detection models. Moreover, existing public cloud intrusion datasets have several notable issues, including differences in their formats, limited traffic features, and not including all types of DDoS attack. Additionally, research in this area often has a lack of transparency in terms of the structure and processing of the datasets and the resulting models, making it difficult to undertake comparative work. To address the identified issues, the initial stage of this research developed a detection model using a well-established non-cloud dataset, applying a transfer learning approach to assess the performance of the model using one of the limited number of public cloud datasets by remapping the DDoS attack types between the two datasets. The accuracy of the model was high on the non-cloud dataset; but, when it was applied to the cloud dataset, its accuracy fell significantly owing to the different structures of the two datasets and the limited common feature set. To address the identified issues, the obtained result of the first stage motivated this research to develop an emulated cloud intrusion detection dataset, with a broad range of features and the same structure as the existing cloud dataset. 
Using different classifiers, two detection models were created, and the generated cloud dataset was used to analyse their performance in a novel way by using different time intervals, or ‘slices’. The results showed a general increase in the accuracy of the detection models as the time interval increased. To further explore the relationships between features over time, cross-correlation analysis was used to identify when the most significant correlations occurred between feature pairs at different time lags. The analysis showed that the highest frequencies of the ‘most significant correlation values’ occurred at the 0-1 and 7-9 second time periods, but it did not show a correlation between these frequencies and the accuracy of the models over time. The research reported in this thesis has led to four contributions to the field. The first contribution lies in the novel application of transfer learning to build a detection model. The second contribution is a practical contribution to the creation of a new cloud-based dataset. The third contribution centres on the use of a novel approach to the analysis of the generated dataset using different time intervals as the unit of analysis and comparisons of the accuracy of the model when applied to them. The fourth contribution is in the provision of a clear and transparent process for generating an emulated cloud-based dataset and undertaking systematic analysis of it.
Description: This thesis was submitted for the award of Doctor of Philosophy and was awarded by Brunel University London
URI: http://bura.brunel.ac.uk/handle/2438/22521
Appears in Collections: Computer Science; Dept of Computer Science Theses

Files in This Item:
File | Description | Size | Format
FulltextThesis.pdf | Embargoed until 23/03/2023 | 10.92 MB | Adobe PDF

