
1. Introduction of cloud computing

Cloud computing is a model in which data center resources are distributed through
virtualization technology, providing elasticity, on-demand network access and instant services
to its users, who are charged according to usage. A cloud model is a specific type of cloud
environment, distinguished by its size, ownership and access method. A private cloud is solely for
one organization. The general public can access a public cloud. A community cloud is used by
organizations with similar requirements that share the cloud resources. A hybrid
cloud is a grouping of public cloud, private cloud and community cloud [1]. Infrastructure as a
Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS) are the delivery
models of cloud computing. SaaS provides the ability to use software or applications without
installing them on our own system. IaaS provides infrastructure by means of virtualization
technology. PaaS delivers a computing platform, giving the facility of deploying apps without the
cost of buying and managing the platform [14].

Figure 1: Schematic Definition of Cloud Computing [1]

2. Security issues in Cloud computing

Some fundamental cloud security issues are security related to data storage, security related to
third-party resources, data transmission security and application security [2]. In the cloud
computing environment, data is located at different places, so data security becomes particularly
serious [13].

2.1 Data storage security: Data storage security depends on the type of cloud deployment
model or access scope. The cloud user is unable to manage the data stored in the data
centers. Data stored in a data center is controlled by the cloud service provider, who can perform
malicious actions on it such as destroying, replicating or modifying it. Cloud computing gives
assurance of only a certain degree of control over the VMs. Eventually, this lack of control over
the data results in security issues.

2.2 Data transmission security: Data transmission security depends on the cloud delivery
model or services. In a cloud computing environment, data is transmitted from source to
destination through several third-party infrastructure resources.

2.3 Application security: Cloud-based services are available to users through the internet to
fulfil their requirements. Consequently, cloud applications automatically inherit the
vulnerabilities of the traditional web application model. Through enterprise-distributed cloud
applications, users can access their information. The availability and security of these
applications depend heavily on the quality and behavior of the cloud services; therefore, this
process should address the availability and integrity of data and software. One solution is to
encrypt the outsourced data to provide confidentiality and security. Furthermore, the security of
these services relies upon application programming interfaces (APIs). Such software
interfaces or APIs provide the security and availability of the cloud offerings.

Figure 2: Cloud environment Security [2].

Figure 3. Taxonomy of attack in cloud (labels recovered from the figure: Insider attacks,
Outsider attacks; Service Hijacking, Shared Technology Vulnerabilities, Privacy, DDoS)

Distributed Denial of Service Attacks (DDoS)

A Distributed Denial of Service (DDoS) attack is a type of Denial of Service (DoS) attack in which
multiple machines that are infected or compromised by malicious code initiate a flooding attack
against the victim. The massive flood of unwanted packets is targeted at a critical
service or server, which eventually shuts down or rejects access to legitimate users. The major
objective of this kind of attack is to disrupt the normal functioning of the cloud server. The
consequences of this attack are manifold, such as data loss, service outage, loss of reputation,
financial loss and so on. DDoS attacks are launched either by compromised distributed hosts acting
as botnets or by distributed attackers, and the machines engaged in the attack can be
network routers, smartphones or computers.

Figure 4. Architecture of cloud computing

A Trojan, which is a small application, enables attackers to gain remote access to
user systems without their knowledge, giving command and control capabilities in an attempt to
attack the intended target servers. These compromised machines are called bots or zombies. These
infected bots or systems in turn infect and compromise others, and the group working together
acts as a botnet [11]. These zombie hosts or slaves are recruited unwittingly from the millions of
vulnerable computers that access the Internet through high-bandwidth connections. With enough
zombie hosts participating in the attack, the volume and the effects of a DDoS attack can be
astonishing. Thus, the higher the impact of a DDoS attack, the higher the chance of the targeted
server being unavailable and the more resources are wasted.

3. DDoS Attack in cloud computing

After the inception of the cloud in 2007, enterprises took a few years to start adopting cloud
infrastructure, and now many organizations have partly or entirely transformed their IT
infrastructure into the cloud. In a cloud computing system, a DDoS attack is considered much
more serious, more difficult and even more complicated, because cloud computing uses
virtualization, distributed servers, shared resources and multi-tenancy, which are some of the
reasons that make DDoS attacks highly destructive in the cloud computing environment
[11]. A cloud computing system has new vulnerabilities, since it consists of new protocols,
components and concepts, and attackers can take advantage of this kind of
vulnerability to perform new DDoS attacks. Moreover, there is a key difference between DDoS
attacks using conventional networks and DDoS attacks that use the federated cloud computing
environment. We can see clearly in Figure 3 that all the zombie hosts participating in a DDoS
attack might be a cloud. For instance, the victim and the botnet themselves might be a cloud,
or the Command and Control servers (C&C servers) might also be a cloud. Thus, even the
attacker might be a cloud, because of its high CPU efficiency. In this case, the attackers will have
more accessible resources with which to proceed with their attacks [3]. Thus, by using clouds,
attackers make DDoS attack prevention, handling and detection more difficult and
more complicated. Generally, when the target of the DDoS attacker is a cloud, flooding the
Internet gateway of the cloud infrastructure is the attacker's first aim; if the
attackers fail to saturate it, they will then try to flood the servers of the cloud [14]. A DDoS
attack will have an extremely large effect on the availability of cloud computing services, which can
lead to a violation of the agreement between the client and the cloud service provider, which is
called the Service Level Agreement (SLA). Now the use of innovative "DDoS as a Service" tools is
making it easier for attackers to launch these effective and developed attacks.

Figure 5: DDOS attack using cloud computing

Figure 6: Taxonomy of DDoS attack (tree recovered from the figure's labels)

DDoS attacks
  Bandwidth depletion
    Flood attack: TCP, UDP, ICMP
    Amplification attack: Smurf, Fraggle
  Resource depletion
    Protocol exploit attack: TCP SYN attack, PUSH+ACK attack
    Malformed packet attack
    Slow DDoS

(The figure marks one branch as "Research focus".)

4. DDoS Attack Defence Mechanism in cloud computing

DDoS Attack Prevention: This is a proactive measure in the cloud, where suspected attackers'
requests are refined or rejected before these requests begin to affect the servers. The 'presence of
attack' state is unavailable to the prevention method but available to the mitigation and
detection techniques.

DDoS Attack Detection: This method is applied in circumstances where attack signs are present
on the server. These attack signs indicate an attack that has just started to take form, or
a condition where the attack has already degraded the performance.

DDoS Attack Mitigation: In the presence of an attack, this technique allows the victim server
to continue serving requests while in the attack state [5].

5. Related Work

P. Shamsolmoali et al. (2014) suggested in their research a cloud confidence DDoS filtering
method having 2 stages. The pre-processing stage takes network traffic as input and provides
output in the form of classified data. In the detection stage, the system extracts the TTL value
field from each incoming packet, and the TTL value is compared with the IP2HC table. If no match
is found, the packet is discarded, and the remaining packets are forwarded to the next level,
that is, anomaly detection. It distinguishes legal and attack traffic by comparing with
already-learned traffic [4].
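The TTL-to-hop-count check of the detection stage described above (the same mechanism as the hop count row of the table in Section 6), as an added example that is not the paper's code: the initial TTL is inferred from the usual OS defaults, a hop count is derived, and it is compared with an IP2HC table learned from calm-period traffic. The addresses, the 32/64/128/255 default set, the one-hop tolerance and the choice to pass never-seen prefixes on to the anomaly stage rather than drop them are all assumptions of this example.

```python
import ipaddress

# Assumption: the common OS initial TTL defaults cover the sources observed.
INITIAL_TTLS = (32, 64, 128, 255)

def hop_count(observed_ttl):
    """Infer hops travelled: the initial TTL is taken as the smallest default
    not below the observed value, so an observed TTL of 54 means 64 - 54 = 10 hops."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError("TTL cannot exceed 255")

class IP2HC:
    """IP-to-hop-count table learned from traffic seen in a calm period."""
    def __init__(self, tolerance=1, prefix_len=24):
        self.table = {}              # IPv4Network -> learned hop count
        self.tolerance = tolerance   # slack, in hops, for minor route changes
        self.prefix_len = prefix_len

    def learn(self, src_ip, ttl):
        net = ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        self.table[net] = hop_count(ttl)

    def classify(self, src_ip, ttl):
        """'legit' if the TTL agrees with the stored hop count, 'spoofed' if it
        does not, 'unknown' if the source prefix was never learned."""
        addr = ipaddress.ip_address(src_ip)
        for net, hops in self.table.items():
            if addr in net:
                ok = abs(hop_count(ttl) - hops) <= self.tolerance
                return "legit" if ok else "spoofed"
        return "unknown"

def filter_packets(table, packets):
    """Detection stage: drop spoofed packets, forward the rest (legit and
    unknown) to the anomaly-detection level. Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for src, ttl in packets:
        verdict = table.classify(src, ttl)
        (dropped if verdict == "spoofed" else forwarded).append((src, ttl, verdict))
    return forwarded, dropped

# Constructed sample: one learned prefix, then a mixed burst of packets.
LEARNED = [("203.0.113.10", 54)]   # 10 hops away
SAMPLE_PACKETS = [
    ("203.0.113.77", 55),   # same /24, 9 hops: within tolerance -> legit
    ("203.0.113.5", 120),   # claims the /24 but TTL implies 8 hops from 128 -> spoofed
    ("198.51.100.9", 60),   # never seen -> unknown, passed on to the anomaly stage
]

def run_demo():
    table = IP2HC()
    for src, ttl in LEARNED:
        table.learn(src, ttl)
    return filter_packets(table, SAMPLE_PACKETS)

if __name__ == "__main__":
    fwd, drop = run_demo()
    print("forwarded:", fwd)
    print("dropped:", drop)
```

The table is the weak point the Section 6 table names: a stale entry after a route change turns legitimate packets into "spoofed", so the tolerance and a periodic re-learning pass matter as much as the comparison itself.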

Osanaiye et al. (2016) show that an ensemble-based multi-filter feature selection method integrates
the results of 4 filter selection methods (Gain ratio, IG, ReliefF and Chi-squared). After combining
the features from the 4 filter selection methods, the combined features are compared with a
predetermined threshold. If a feature is greater than the threshold, the feature is dropped; otherwise
it is accepted. The Information Gain method is used to find the important and related attributes
from a set of features. Gain ratio is used to reduce the bias of Information Gain towards attributes
with a large diversity of values. In feature selection, chi-squared measures the independence of a
feature with respect to the class. The ReliefF feature filter selection method uses continuous
sampling and associates a weight with each feature based on its capability to differentiate the
classes [7]. The performance of the classifier can be improved using a combined feature selection
method.

Salman Iqbal et al. (2016) determine the potential attacks on the cloud computing environment
and their possible impact on cloud services. An attack surface includes all the points in the
software environment through which an adversary or unauthorized users can try to gain access to
a system and cause damage to the environment. In a cloud multi-tenant environment, resource
sharing is one of the most critical issues creating new attack vectors. DDoS is the most prominent
security attack in cloud computing, which can impact the availability of resources because of the
multi-tenant behavior of SaaS. DDoS attacks are malicious attempts to render system or
network resources unavailable to users. Cloud computing infrastructures are shared by millions
of users, making this sort of attack more difficult to resolve, since it has the potential for much
greater impact compared to single-tenant architectures.

Yusof A. R. et al. (2017) proposed a method that integrates two feature selection methods, CSE
(Consistency-based Subset Evaluation) and DCF (DDoS characteristic based features), to pick
relevant features from the entire dataset. On the full feature training dataset, with a total of 41
features, they performed feature selection by applying DDoS characteristic based features (DCF)
and Consistency-based Subset Evaluation (CSE) in parallel. The outputs of these 2 feature
selection methods are combined using the simple majority vote method in order to select the
most appropriate features based on a selected threshold. If a selected feature is beyond the
threshold, the feature is dropped; otherwise the feature is selected [16].
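The multi-filter combination of Osanaiye et al. and the majority vote of Yusof et al., as one added example that is not either paper's code: information gain, gain ratio and chi-squared are computed from scratch on a constructed, already-binned flow dataset (ReliefF and the consistency evaluator are omitted), each filter keeps the features ranked within a top-k threshold, and a feature survives only if a majority of filters kept it. The feature names, the eight records, the top-k of 2 and the vote threshold of 2 are assumptions; the record set is built so that the unique-per-record src_port exposes the bias of information gain that gain ratio corrects.

```python
import math
from collections import Counter, defaultdict

# Constructed, already-binned flow records: (label, features). src_port is
# unique per record on purpose, to expose information gain's bias towards
# attributes with many distinct values.
RECORDS = [
    ("attack", {"pkt_rate": "high", "proto": "tcp", "syn_flag": "set",   "src_port": 40001}),
    ("attack", {"pkt_rate": "high", "proto": "tcp", "syn_flag": "set",   "src_port": 40002}),
    ("attack", {"pkt_rate": "high", "proto": "tcp", "syn_flag": "set",   "src_port": 40003}),
    ("attack", {"pkt_rate": "high", "proto": "tcp", "syn_flag": "clear", "src_port": 40004}),
    ("normal", {"pkt_rate": "low",  "proto": "tcp", "syn_flag": "set",   "src_port": 40005}),
    ("normal", {"pkt_rate": "low",  "proto": "tcp", "syn_flag": "clear", "src_port": 40006}),
    ("normal", {"pkt_rate": "low",  "proto": "udp", "syn_flag": "clear", "src_port": 40007}),
    ("normal", {"pkt_rate": "low",  "proto": "udp", "syn_flag": "clear", "src_port": 40008}),
]
FEATURES = ["pkt_rate", "proto", "syn_flag", "src_port"]

def entropy(values):
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def information_gain(records, feat):
    """H(label) - H(label | feat)."""
    groups = defaultdict(list)
    for label, f in records:
        groups[f[feat]].append(label)
    cond = sum(len(g) / len(records) * entropy(g) for g in groups.values())
    return entropy([label for label, _ in records]) - cond

def gain_ratio(records, feat):
    """Information gain divided by the split information of the feature."""
    split = entropy([f[feat] for _, f in records])
    return information_gain(records, feat) / split if split else 0.0

def chi_squared(records, feat):
    """Sum of (O - E)^2 / E over the feature-value x class contingency table."""
    n = len(records)
    obs = Counter((f[feat], label) for label, f in records)
    fv = Counter(f[feat] for _, f in records)
    cl = Counter(label for label, _ in records)
    return sum((obs[(v, c)] - fv[v] * cl[c] / n) ** 2 / (fv[v] * cl[c] / n)
               for v in fv for c in cl)

FILTERS = {"IG": information_gain, "GR": gain_ratio, "CHI2": chi_squared}

def score_table(records=RECORDS, feats=FEATURES):
    """Per-filter scores, rounded, for inspection."""
    return {name: {f: round(fn(records, f), 4) for f in feats}
            for name, fn in FILTERS.items()}

def rank_select(records, feats, scorer, top_k):
    """Rank by score (ties broken by name); features ranked beyond top_k are dropped."""
    ranked = sorted(feats, key=lambda f: (-scorer(records, f), f))
    return set(ranked[:top_k])

def majority_vote(records=RECORDS, feats=FEATURES, top_k=2, min_votes=2):
    """A feature survives if at least min_votes filters ranked it within top_k."""
    votes = Counter()
    for scorer in FILTERS.values():
        votes.update(rank_select(records, feats, scorer, top_k))
    return sorted(f for f in feats if votes[f] >= min_votes)

if __name__ == "__main__":
    for name, scores in score_table().items():
        print(name, scores)
    print("selected:", majority_vote())
```

On this data gain ratio drops src_port to third place, yet the vote still keeps it because information gain and chi-squared share the cardinality bias, which is why the per-filter rankings deserve a look and not only the combined result.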

Gaurav Somani et al. (2017) provided a comprehensive and detailed survey of the DDoS
attack and defense mechanisms available in the cloud computing environment.

Bin Jia et al. (2017) proposed a DDoS attack detection method based on hybrid heterogeneous
multi-classifier ensemble learning and designed a heuristic detection algorithm based on Singular
Value Decomposition (SVD) to construct their detection system. Experimental results show that
their detection method is excellent in TNR, accuracy and precision; therefore, their algorithm has
good detection performance for DDoS attacks. Through comparisons with Random Forest, k-
Nearest Neighbor (k-NN) and Bagging comprising the component classifiers, when the three
algorithms are used alone with SVD and without SVD, it is shown that their model is superior to the
state-of-the-art attack detection techniques in system generalization ability, detection stability
and overall detection performance.

C. Wang et al. (2019) proposed a 2-level filter selection method that is based on mRMR and
IG. The mRMR algorithm is used to filter out the redundant features while retaining the
maximally relevant features. Mutual information is used by the mRMR filter selection method;
it articulates the relationship and correlation between features. The two-level filter selection
method has four stages: the preparation stage defines the raw dataset; the execution stage selects
features using mRMR; the result of the previous stage is further selected in the selection stage to
reject irrelevant features; and the last stage integrates all the relevant features from both levels
[15]. Selecting relevant features from a dataset does not depend on the classifier.

Omar E. Elejla et al. (2019) evaluated classification algorithms for detecting the dangerous and
popular IPv6 attacks that are ICMPv6-based DDoS attacks. A comparison between five
classification algorithms, namely Decision Tree (DT), Support Vector Machine (SVM), Naïve
Bayes (NB), K-Nearest Neighbors (KNN) and Neural Networks (NN), was conducted using a
publicly available flow-based dataset. The experimental results showed that the classifiers
detected most of the included attacks, with a true positive rate in the range 73%-85%. Moreover,
the KNN classification algorithm was the fastest algorithm (0.12 seconds), with the best detection
accuracy (85.7%) and the fewest false alarms (0.171). However, SVM achieved the lowest detection
accuracy (73%), while NN was the slowest algorithm in training the detection model (323 seconds).

6. Analysis of existing detection techniques

Ref. No | Year | Technique | Advantages | Disadvantages

[19, 20] | 2013 | Signature: involves searching network traffic for a series of bytes or packet
sequences known to be malicious. | Fast processing time and the error is low. | The high response
time during an attack is hard to achieve.

[21] | 2013 | Entropy: employed to provide multilevel detection by allowing legitimate users to
traverse the router. The confirmation algorithm checks the threshold value; if the value is low it is
forwarded to the cloud service provider (CSP). The threshold is obtained with the entropy by
collecting the IP, port and flow information. The CSP notifies the intrusion in the cloud and
blocks the client sending a high rate of packets. | It is efficient against spoofing. | Efficiency
reduces if the attack distribution varies.

[10] | 2014 | Hop count detection: an effective scheme for detecting spoofed sources in the cloud.
The parameters used for detection are the source IP and TTL from the IP packet. If the source IP
and the associated TTL are found in the stored database, then the packet is termed legitimate. The
attack packets are dropped at the gateway router itself, with less computation overhead. |
Efficient system to identify spoofed sources. | Maintenance of the legitimate database is difficult.

[18, 19] | 2019 | Anomaly detection: the technique centres on the concept of a baseline for network
behaviour. This baseline is a description of accepted network behaviour, which is learned or
specified by the network administrators, or both. | The learning algorithm increases the efficiency
of the system. | False positives at a low layer lead to attack misclassification at the higher levels.
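The entropy row of the table, as an added example that is not from the cited paper: source-IP entropy is computed per fixed-size window of a constructed flow log, a window whose normalized entropy falls below a threshold is reported for confirmation, and the sources holding most of that window's packets are returned as the clients to block. The log format, the window size of 8, the 0.5 entropy threshold and the 0.5 packet-share cut-off are assumptions.

```python
import math
from collections import Counter

# Constructed flow log: "timestamp src_ip dst_port". The second window is a
# burst in which one source sends most of the packets.
SAMPLE_LOG = """\
1 203.0.113.11 443
2 203.0.113.12 443
3 203.0.113.13 80
4 203.0.113.14 443
5 203.0.113.15 80
6 203.0.113.16 443
7 203.0.113.17 443
8 203.0.113.18 80
9 203.0.113.66 80
10 203.0.113.66 80
11 203.0.113.66 80
12 203.0.113.19 443
13 203.0.113.66 80
14 203.0.113.66 80
15 203.0.113.20 443
16 203.0.113.66 80
"""

def parse_log(text):
    """Return a list of (src_ip, dst_port) in arrival order."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            _, src, port = line.split()
            rows.append((src, int(port)))
    return rows

def normalized_entropy(values):
    """Shannon entropy of the value distribution divided by log2(n): 1.0 means
    every packet came from a distinct value, 0.0 means a single value."""
    n = len(values)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(values).values())
    return h / math.log2(n)

def analyze_window(packets, threshold=0.5, share=0.5):
    """Confirmation step: a window whose source entropy is below the threshold
    is reported, with the sources holding at least `share` of its packets
    listed as candidates for blocking."""
    srcs = [src for src, _ in packets]
    h = normalized_entropy(srcs)
    result = {"entropy": round(h, 4), "alert": h < threshold, "offenders": []}
    if result["alert"]:
        counts = Counter(srcs)
        result["offenders"] = sorted(s for s, c in counts.items() if c / len(srcs) >= share)
    return result

def scan(text, window=8, threshold=0.5, share=0.5):
    """Walk the log in fixed-size windows and return one result per window."""
    packets = parse_log(text)
    return [analyze_window(packets[i:i + window], threshold, share)
            for i in range(0, len(packets), window)]

if __name__ == "__main__":
    for i, r in enumerate(scan(SAMPLE_LOG)):
        print(f"window {i}: entropy={r['entropy']} alert={r['alert']} offenders={r['offenders']}")
```

The table's disadvantage shows up directly here: a flood that spreads its packets over many spoofed sources raises source entropy rather than lowering it, so a single low-entropy threshold on one field misses it and the port and flow distributions have to be watched as well.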

7. Research Questions

1. How hazardous is a DDoS attack compared to other attacks?
2. What are the current solutions and existing techniques proposed for DDoS detection?
3. Which machine learning techniques and models exist, and are trending in recent times, for
DDoS attack detection?
4. Which datasets are used for DDoS attack detection, and what types of features are used in
those datasets?
5. How to train machine learning models to detect DDoS attacks?

8. Objectives
The proposed research work will have the following objectives:
1. Designing a framework for a DDoS attack detection system based on a machine learning
model using a feature selection method.
2. To generate the confusion matrix.
3. To compute the parameters accuracy, precision, error rate and F1 measure.
4. To compare, analyze and validate the proposed detection techniques and algorithms found in
the literature.
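Objectives 2 and 3, together with the K-fold validation and "accuracy paradox" evaluation boxes of the proposed model, as an added example that is not the proposal's code: a confusion matrix and the derived accuracy, error rate, precision, recall, F1 and false-positive rate, computed for two detectors on a constructed, imbalanced test set, plus a contiguous K-fold splitter. The 5-attack-in-100 test set and the two detector outputs are constructed.

```python
def confusion_matrix(y_true, y_pred, positive=1):
    """Count TP, FP, FN, TN, treating the attack class (positive=1) as positive."""
    cm = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for t, p in zip(y_true, y_pred):
        if p == positive:
            cm["tp" if t == positive else "fp"] += 1
        else:
            cm["fn" if t == positive else "tn"] += 1
    return cm

def metrics(cm):
    """Accuracy, error rate, precision, recall, F1 and false-positive rate."""
    tp, fp, fn, tn = cm["tp"], cm["fp"], cm["fn"], cm["tn"]
    n = tp + fp + fn + tn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {
        "accuracy": (tp + tn) / n,
        "error_rate": (fp + fn) / n,
        "precision": precision,
        "recall": recall,
        "f1": f1,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
    }

def k_fold(n, k):
    """K-fold split of indices 0..n-1 into a list of (train, test) index lists."""
    folds = [list(range(i, n, k)) for i in range(k)]
    return [(sorted(j for f in folds if f is not test for j in f), test) for test in folds]

# Constructed imbalanced test set: 5 attack flows among 100.
Y_TRUE = [1] * 5 + [0] * 95
ALWAYS_NORMAL = [0] * 100                          # a "detector" that never alerts
DETECTOR = [1, 1, 1, 1, 0] + [1, 1, 1] + [0] * 92  # 4 of 5 attacks caught, 3 false alarms

def compare():
    """Metrics for both detectors; the never-alerting one still scores 95% accuracy."""
    return {name: metrics(confusion_matrix(Y_TRUE, pred))
            for name, pred in (("always_normal", ALWAYS_NORMAL), ("detector", DETECTOR))}

if __name__ == "__main__":
    for name, m in compare().items():
        print(name, {k: round(v, 3) for k, v in m.items()})
```

The never-alerting detector reaches 0.95 accuracy with zero recall, which is the accuracy paradox the model's evaluation box warns about; precision, recall, F1 and the false-positive rate are the figures to report for a class this rare.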

9. Proposed model

Figure 7: Proposed model for DDoS attack detection (pipeline recovered from the figure's labels)

Distributed Denial of Services (DDoS) dataset
-> Feature adjustment
   Feature elimination: domain knowledge, duplication, multicollinearity
   Label encoding for ordinal features; one-hot encoding and removal of dummy variables for
   categorical features
-> Feature selection: backward elimination, forward selection, statistical scores
-> Feature normalization: continuous features by standard scaling or min-max scaling
-> Machine learning: KNN, NB, SVM, RF, ANN
-> Optimization: number of neighbors, kernel trick, decision trees, ANN layers
-> Validation: K-fold cross validation
-> Evaluation: accuracy, false positives, error, ROC (to avoid the accuracy paradox)

9. Conclusion
Since the system is under continuous attack, the existing security measures can be improved
with machine learning techniques to build a computerized security system, so that very little
human intervention is required for detecting, preventing and monitoring attacks. Feature selection
filter methods are used to pre-process feature datasets before attack classification in the cloud. A
good feature filter selection method can increase the speed and simplify the model. The performance
of an ML algorithm depends on a good feature selection method.

10. References

1. Md. Tanzim Khorshed, A.B.M. Shawkat Ali, Saleh A. Wasimi, “A survey on gaps, threat
remediation challenges and some thoughts for proactive attack detection in cloud
computing,” Future Generation Computer Systems, Volume 28, Issue 6, 2012, Pages
833-851.
2. Subashini, Shashikala & Kavitha, V. (2011). A Survey on Security Issues in Service
Delivery Models of Cloud Computing. The Journal of Network and Computer
Applications, Elsevier. 35. 1-11.
3. Chaudhary, D., Bhushan, K., & Gupta, B. B. (2018). Survey on DDoS attacks and
defense mechanisms in cloud and fog computing. International Journal of E-Services and
Mobile Applications (IJESMA), 10(3), 61-83.
4. Shamsolmoali, P., Alam, M. A., & Biswas, R. (2014). C₂DF: High Rate DDOS filtering
method in Cloud Computing. Computer Network and Information Security no. August,
43-50.
5. Gaurav Somani, Manoj Singh Gaur, Dheeraj Sanghi, Mauro Conti, Rajkumar Buyya,
DDoS attacks in cloud computing: Issues, taxonomy, and future directions, Computer
Communications, Volume 107, 2017, Pages 30-48, ISSN0140-3664.
6. Yu, J., Kang, H., Park, D., Bang, H. C., & Kang, D. W. (2013). An in-depth analysis on
traffic flooding attacks detection and system using data mining techniques. Journal of
Systems Architecture, 59(10), 1005-1012.
7. Osanaiye, O., Cai, H., Choo, K. K. R., Dehghantanha, A., Xu, Z., & Dlodlo, M. (2016).
Ensemble-based multi-filter feature selection method for DDoS detection in cloud
computing. EURASIP Journal on Wireless Communications and Networking, 2016(1),
130.
8. Rastegari, S., Hingston, P., & Lam, C. P. (2015). Evolving statistical rule sets for network
intrusion detection. Applied soft computing, 33, 348-359.

9. Elejla, O. E., Belaton, B., Anbar, M., Alabsi, B., & Al-Ani, A. K. (2019). Comparison of
Classification Algorithms on ICMPv6-Based DDoS Attacks Detection. In Computational
Science and Technology (pp. 347-357). Springer, Singapore.
10. P. Shamsolmoali and M. Zareapoor, "Statistical-based filtering system against DDOS
attacks in cloud computing," 2014 International Conference on Advances in Computing,
Communications and Informatics (ICACCI), New Delhi, 2014, pp. 1234-1239.
11. Kilari, N., & Sridaran, R. (2015). An Overview of DDoS Attacks in Cloud
Environment. International Journal of Advanced Networking & Applications.
12. Srinivasan, K., Mubarakali, A., Alqahtani, A. S., & Kumar, A. D. (2019, February). A
Survey on the Impact of DDoS Attacks in Cloud Computing: Prevention, Detection and
Mitigation Techniques. In Intelligent Communication Technologies and Virtual Mobile
Networks (pp. 252-270). Springer, Cham.
13. Sun Y, Zhang J, Xiong Y, Zhu G. Data security and privacy in cloud computing.
International Journal of Distributed Sensor Networks. 2014 Jul 16;10(7):190903.
14. Deshmukh, R. V., & Devadkar, K. K. (2015). Understanding DDoS attack & its effect in
cloud environment. Procedia Computer Science, 49, 202-210.
15. Wang, C., Ye, X., He, X., Tian, Y., & Gong, L. (2019, April). Two-Level Feature
Selection Method for Low Detection Rate Attacks in Intrusion Detection. In International
Conference on Security and Privacy in New Computing Environments (pp. 689-696).
Springer, Cham.
16. Yusof, A. R., Udzir, N. I., Selamat, A., Hamdan, H., & Abdullah, M. T. (2017). Adaptive
feature selection for denial of services (DoS) attack. 2017 IEEE Conference on
Application, Information and Network Security (AINS). doi:10.1109/ains.2017.8270429
17. C. Chung, P. Khatkar,T. Xing, J. Lee and D. Huang, “NICE: Network Intrusion Detection
and Countermeasure Selection in Virtual Network Systems”, IEEE Transactions on
Dependable and Secure Computing, vol.10, no.4, pp.198 - 211, 2013.
18. Elejla, O. E., Belaton, B., Anbar, M., Alabsi, B., & Al-Ani, A. K. (2019). Comparison of
Classification Algorithms on ICMPv6-Based DDoS Attacks Detection. In Computational
Science and Technology (pp. 347-357). Springer, Singapore.
19. Parneet Kaur, Manish Kumar & Abhinav Bhandari, “A review of detection approaches
for distributed denial of service attacks,” Systems Science & Control
Engineering, 5:1, 301-320.
20. Chirag Modi, Dhiren Patel, Bhavesh Borisaniya, Hiren Patel, Avi Patel, Muttukrishnan
Rajarajan, “A survey of intrusion detection techniques in Cloud,” Journal of Network and
Computer Applications, Volume 36, Issue 1, Pages 42-57, 2013.
21. A.S.Navaz, V.Sangeetha, C.Prabhadevi, “Entropy based Anomaly Detection System to
Prevent DDoS Attacks in Cloud”, International Journal of Computer Applications,
vol.62, no.14, 2013.
