
The Identification of DDoS Attacks in Software Defined Networks for IoT Devices
MSc. Genaro Almaraz

Santa Cruz, Bolivia. October 2022

Agenda
Today’s presentation

1. Introduction and Problem Definition

2. Solution Proposal

3. Experimental Results and Discussion

4. Conclusions and Future Work

Introduction & Problem Definition

Quarter Trends
Total number of DDoS attacks, Q2 2022 vs Q2 2021 (bar chart with the categories "Total" and "Smart attacks"; the Q2 2021 bars are the 100% baseline, and the Q2 2022 bars read 302.5% and 273.12%).

Source: Q2 2022, Kaspersky Reports
Distribution of DDoS Attacks by Type (pie chart)

UDP: 62.53%
SYN: 20.25%
TCP: 11.40%
GRE: 3.39%
HTTP: 2.43%

Source: Q2 2022, Kaspersky Reports
The Internet of Things
An attack surface that considerably grows

Objectives

• Apply a selection of Machine Learning (ML) and Deep Learning (DL) models to the design of an Intrusion Detection System (IDS) with an accuracy of at least 95% for DoS and DDoS attacks directed at IoT devices in Software Defined Networks (SDN).

1. Analyze the state of the art for a proper ML and DL models selection.

2. Create a smart IDS for DoS and DDoS attacks based on UDP, TCP, and HTTP protocols.

3. Deploy the IDS in a production simulated environment based on ONOS controller and
Mininet.

Solution Proposal

Data Distribution for the IDS
Class balancing from the Bot-IoT dataset*

36,340 records (flows)

*Koroniotis, N., Moustafa, N., Sitnikova, E., & Turnbull, B. (2019). Towards the development of realistic botnet dataset in the Internet of Things for network forensic
analytics: Bot-IoT dataset. Future Generation Computer Systems, 100, 779–796. doi:10.1016/j.future.2019.05.041

Feature Sets Selected
Range between 15 and 18 variables

First feature set (18 features): stime, pkts, bytes, ltime, seq, dur, mean, stddev, sum, min, max, spkts, dpkts, sbytes, dbytes, rate, srate, drate
Description: using timestamps, the Argus sequence number, and the statistical variables (i.e., rates, mean, maximum, etc.).

Second feature set (15 features): pkts, bytes, dur, mean, stddev, sum, min, max, spkts, dpkts, sbytes, dbytes, rate, srate, drate
Description: with neither timestamps nor the Argus sequence number, only the statistical variables.

Third feature set (16 features): pkts, bytes, seq, dur, mean, stddev, sum, min, max, spkts, dpkts, sbytes, dbytes, rate, srate, drate
Description: with the Argus sequence number and the statistical variables.
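As an added example (not the thesis's own code), the following Python sketches the preprocessing the two previous slides describe: class balancing of the flow records, projection onto the three feature sets listed above, and the accuracy/precision/recall/F1 computation used on the results slides. The flow records are constructed synthetic data, and the balancing method (random undersampling to the minority class) is an assumption, since the slides do not state how the classes were balanced.

```python
import random

# The three feature sets from the "Feature Sets Selected" slide (Argus flow attributes).
FEATURE_SETS = {
    "first":  ["stime", "pkts", "bytes", "ltime", "seq", "dur", "mean", "stddev", "sum",
               "min", "max", "spkts", "dpkts", "sbytes", "dbytes", "rate", "srate", "drate"],
    "second": ["pkts", "bytes", "dur", "mean", "stddev", "sum", "min", "max",
               "spkts", "dpkts", "sbytes", "dbytes", "rate", "srate", "drate"],
    "third":  ["pkts", "bytes", "seq", "dur", "mean", "stddev", "sum", "min", "max",
               "spkts", "dpkts", "sbytes", "dbytes", "rate", "srate", "drate"],
}

def synth_flows(n_normal, n_attack, seed=1):
    """Constructed Argus-style flow records (synthetic, not dataset data): attack flows
    are short high-rate bursts, normal flows are slower. Every first-set column exists."""
    rng = random.Random(seed)
    flows = []
    for i in range(n_normal + n_attack):
        label = "normal" if i < n_normal else "attack"
        dur = rng.uniform(1.0, 5.0) if label == "normal" else rng.uniform(0.1, 0.5)
        rate = rng.uniform(1.0, 50.0) if label == "normal" else rng.uniform(500.0, 5000.0)
        f = {k: 0.0 for k in FEATURE_SETS["first"]}
        f.update(stime=float(i), ltime=i + dur, seq=i, dur=dur, rate=rate,
                 pkts=int(rate * dur) + 1, label=label)
        flows.append(f)
    return flows

def balance(flows, seed=0):
    """Class balancing by random undersampling (assumed method): each class is cut
    to the size of the smallest class, then the records are shuffled."""
    by_class = {}
    for f in flows:
        by_class.setdefault(f["label"], []).append(f)
    rng = random.Random(seed)
    n = min(len(v) for v in by_class.values())
    out = [f for v in by_class.values() for f in rng.sample(v, n)]
    rng.shuffle(out)
    return out

def project(flows, feature_set):
    """Return (X, y): X keeps only the chosen feature set's columns, in slide order."""
    cols = FEATURE_SETS[feature_set]
    return [[f[c] for c in cols] for f in flows], [f["label"] for f in flows]

def metrics(y_true, y_pred, positive="attack"):
    """Accuracy, precision, recall and F1 with the attack class as positive."""
    tp = sum(t == positive and p == positive for t, p in zip(y_true, y_pred))
    fp = sum(t != positive and p == positive for t, p in zip(y_true, y_pred))
    fn = sum(t == positive and p != positive for t, p in zip(y_true, y_pred))
    tn = len(y_true) - tp - fp - fn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / len(y_true), "precision": precision,
            "recall": recall, "f1": f1}
```

The same F1 formula links the deployment slide's figures: a precision of 100% with a recall of 91.406% gives an F1-score of 95.51%.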
Smart Intrusion Detection System
Comparison against the related work around the Bot-IoT dataset (comparison matrix; per-work check marks not shown)

Works compared: this work; Koroniotis et al. 2019; Ferrag et al. 2020; Zhang et al. 2020; Ge et al. 2019; Shafiq et al. 2021; Biswas et al. 2021; Churcher et al. 2021.

Criteria compared: class balancing; ML models evaluation; DL models evaluation; feature set(s) proposal; time performance evaluation; flow-level detection.
The LATAM-DDoS-IoT Dataset
Based on physical IoT devices and real users

LATAM-DDoS-IoT
Comparison against the popular related work around IoT datasets (comparison matrix; per-dataset check marks not shown)

Datasets compared: LATAM; Bot-IoT (2019); TON_IoT (2020); CIC IoT (2022).

Criteria compared: flow-level information; ground truth files; physical IoT devices; DDoS attacks traffic; normal traffic from real external users.

Number of attributes: LATAM 20, Bot-IoT 32, TON_IoT 22, CIC IoT 48.
LATAM Dataset
Balanced data distribution for the DoS and DDoS versions

DoS version: 2,407,102 flows
DDoS version: 2,431,453 flows
SDN Architecture
A modular framework*

*J. A. Pérez-Díaz, I. A. Valdovinos, K. -K. R. Choo and D. Zhu, "A Flexible SDN-Based Architecture for Identifying and Mitigating Low-Rate DDoS Attacks
Using Machine Learning," in IEEE Access, vol. 8, pp. 155859-155872, 2020, doi: 10.1109/ACCESS.2020.3019330.
SDN Testbed for the IDS Deployment
An architecture with physical and virtual components

Experimental Results & Discussion
Bot-IoT Dataset Results
Time performance and classification results of Decision Tree (bar charts over the 1st, 2nd and 3rd feature sets, for binary and multiclass classification)

Accuracy values shown (all above 99%): 99.945%, 99.917%, 99.89%, 99.862%, 99.862%, 99.862%
Avg. flows / second values shown: 33,094, 32,607, 30,362, 29,940, 29,453, 29,452
LATAM-DDoS-IoT Dataset Results
Time performance and classification results (bar charts for Decision Tree and Multi-layer Perceptron, binary and multiclass classification, using the 2nd feature set from the Bot-IoT dataset experiments)

Accuracy values shown: 98.911%, 98.908%, 98.834%, 98.834%
Avg. flows / second values shown: 32,349, 32,320, 9,990, 9,764
IDS Deployment Results in the SDN Testbed
Results from concatenating the Bot-IoT and LATAM-DDoS-IoT datasets

Accuracy Precision Recall F1-score

94.608% 100% 91.406% 95.51%

IDS Deployment Results in the SDN Testbed
Runtime screenshots

Conclusions & Future Work

Conclusions
The Bot-IoT dataset

• The proposed IDS trained with the Bot-IoT dataset presents results without biases towards a majority class, achieving an average accuracy >99% with our 3 distinct feature sets, whilst being suitable for implementation in real-time production environments.

• We achieved 100% across accuracy, precision, recall, and F1 score metrics, with the Decision Tree and the Random Forest for several combinations of Normal flows vs the DoS/DDoS protocols.
Conclusions
The LATAM dataset

• It is a novel state-of-the-art dataset with real normal traffic from actual clients consuming real services, and also real attack traffic directed to physical IoT devices.

• We conducted binary and multiclass classifications with its balanced DoS and DDoS versions, getting an average accuracy of 99.967% and 98.872%, respectively.

• When concatenating it with the Bot-IoT dataset, we achieved results such as the 99.99% of accuracy from the Decision Tree in binary classification for DoS.
Conclusions
IDS deployment in the SDN testbed

• We moved from a 100% simulated architecture to a hybrid architecture running ONOS as a Linux service instead of using Docker.

• We can say our smart IDS behaves strongly, where 100% of the flows identified as attacks were correctly classified, and above 90% of the attack flows were detected.

• Our defense system does not misclassify legitimate traffic.
Future Work
The next steps

• This work can be extended by creating and deploying an Intrusion Prevention System (IPS), which integrates and communicates with our IDS.

• To test in a fully physical architecture, the next component to remove would be Mininet.
Future Work
The next steps

• It will be interesting to see what kind of experiments derive from other colleagues' use of the LATAM-DDoS-IoT dataset, such as one-class classifiers, since the characteristics of real traffic from actual clients and also attack traffic directed to physical IoT devices make our dataset convenient for real production environments.
Appendix

Transport and Application Layer DDoS Attacks Detection to IoT Devices by Using ML and DL Models
Towards the Protection of IoT Networks: Introducing the LATAM-DDoS-IoT Dataset
LATAM-DDoS-IoT Dataset
Project Funding

• This work was partially supported by FRIDA (Fondo Regional para la Innovación Digital en América Latina y el Caribe) and partially supported by the project "Red temática Ciencia y Tecnología para el Desarrollo (CYTED) 519RT0580" by the Ibero-American Science and Technology Program for Development CYTED.
Thank you!
Any questions?

genaroalmaraz@exatec.tec.mx
LinkedIn: Genaro Almaraz
