Automatic decision tree-based NIDPS ruleset generation for DoS/DDoS attacks
Dentamaro V.; Galantucci S.; Pirlo G.
2024-01-01
Abstract
As Denial of Service and Distributed Denial of Service (DoS/DDoS) attacks become more frequent, the demand for effective defense mechanisms grows. Recognition of such anomalies in a computer network is commonly performed by network-based intrusion detection and prevention systems (NIDPSs). Although NIDPSs can intercept all known attacks, they are not robust to the continual variation over time of DoS/DDoS anomalies. The machine learning (ML) paradigm provides algorithms that can effectively reduce the concept drift caused by the evolution of cyber threat data patterns. These methodologies can be exploited to create effective rules for popular NIDPS engines such as Suricata. This paper proposes a new algorithm called Anomaly2Sign, which automatically produces rules for Suricata through a Decision Tree (DT)-based generation process. The DT is trained on both anomalous and legitimate traffic, allowing the generation process to select anomaly features that can be mapped onto the structure of the generated rules. Additionally, the DT hyperparameters are tuned at execution time to generate a minimal ruleset capable of detecting the largest number of anomalous packets. The proposed algorithm achieves classification metrics in the range of 99.7%–99.9% on the BOUN-DoS and BUET-DDoS datasets, outperforming the compared ML classifiers, i.e., Logistic Regression, Support Vector Machine, and Multi-Layer Perceptron. Furthermore, the DT model requires shorter training and prediction times than these benchmark classifiers. To support the selection of the DT model, an analysis of model complexity is undertaken, including evaluation of the Akaike Information Criterion (AIC) score. In that evaluation the DT model achieved the lowest AIC score among the compared approaches, which denotes its low complexity.
Finally, Anomaly2Sign has been compared with Syrius, an alternative state-of-the-art automatic NIDPS rule generator, and achieves a better detection rate and execution time.
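The abstract describes three steps: train a decision tree on labelled packets, map the feature splits on each anomaly path to Suricata rule options, and tune the tree so the ruleset stays minimal while still covering the anomalous packets. The sketch below is an added illustration of that pipeline, not the paper's Anomaly2Sign code; the two features (`dsize`, `ttl`), the constructed training packets, the SID range and the depth-tuning criterion are all assumptions made here.

```python
from collections import Counter

FEATS = ("dsize", "ttl")   # feature order in each sample; both exist as Suricata rule keywords
BASE_SID = 1000001         # hypothetical local SID range, not from the paper
# Constructed training set: ((dsize, ttl), label) with 1 = flood packet, 0 = legitimate traffic
PACKETS = [((512, 64), 0), ((700, 128), 0), ((15, 64), 0), ((900, 64), 0), ((300, 128), 0),
           ((45, 128), 0), ((0, 255), 1), ((10, 255), 1), ((20, 250), 1), ((1400, 30), 1), ((1400, 28), 1)]

def gini(labels):
    return 1.0 - sum((c / len(labels)) ** 2 for c in Counter(labels).values()) if labels else 0.0
def best_split(rows):
    best = None   # exhaustive CART search: lowest weighted Gini over all (feature, threshold) pairs
    for f in range(len(FEATS)):
        for t in sorted({x[f] for x, _ in rows})[:-1]:
            left, right = [r for r in rows if r[0][f] <= t], [r for r in rows if r[0][f] > t]
            score = (len(left) * gini([y for _, y in left]) + len(right) * gini([y for _, y in right])) / len(rows)
            if best is None or score < best[0]:
                best = (score, f, t, left, right)
    return best
def build(rows, depth):
    """Return a leaf label or a (feature, threshold, left, right) node; left holds x[f] <= threshold."""
    labels = [y for _, y in rows]
    split = best_split(rows) if depth > 0 and gini(labels) > 0 else None
    if split is None:
        return Counter(labels).most_common(1)[0][0]   # leaf: majority class
    _, f, t, left, right = split
    return (f, t, build(left, depth - 1), build(right, depth - 1))
def anomaly_paths(tree, conds=()):
    """Yield the (feature, op, threshold) conditions of every root-to-leaf path ending in an anomaly leaf."""
    if not isinstance(tree, tuple):
        if tree == 1:
            yield conds
        return
    f, t, left, right = tree
    yield from anomaly_paths(left, conds + ((f, "<=", t),))
    yield from anomaly_paths(right, conds + ((f, ">", t),))
def matches(conds, x):
    return all(x[f] <= t if op == "<=" else x[f] > t for f, op, t in conds)
def to_suricata(conds, sid):
    """Map one path to a rule; with integer thresholds 'x <= t' becomes '<t+1' in Suricata syntax."""
    opts = "".join(f"{FEATS[f]}:{'<%d' % (t + 1) if op == '<=' else '>%d' % t}; " for f, op, t in conds)
    return f'alert ip any any -> $HOME_NET any (msg:"DT-generated DoS rule"; {opts}sid:{sid}; rev:1;)'
def generate_rules(packets, max_depth_range=range(1, 6)):
    """Tune max_depth: shallowest tree (fewest rules) whose anomaly leaves cover every anomalous packet."""
    anomalies = [x for x, y in packets if y == 1]
    for depth in max_depth_range:
        paths = list(anomaly_paths(build(packets, depth)))
        if all(any(matches(c, x) for c in paths) for x in anomalies):
            return [to_suricata(c, BASE_SID + i) for i, c in enumerate(paths)]
    return []
```

On the constructed data a depth-1 tree misses the large-payload floods, so the tuner settles on depth 2 and emits two rules: one for `ttl:>128` and one for `ttl:<129; dsize:>900`, with no legitimate training packet matching either.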