Abstract

Keywords

DDoS, IDS, Signature, Anomaly, Hybrid, SVM, Neural Network, Cloud, Machine Learning, Big Data

Share and Cite:

1. Introduction

Internet has led to cloud computing which constitutes three major services namely platform as a service, infrastructure as a service, and software as a service [1] . This increase in data and information storage within the cloud environment has raised cloud security concerns on the safety of data and information. It has also led to distributed attacks such as ICMP flood, the Ping of Death, the slowloris, the SYN flood attack, the UDP flood attack, malformed packet attacks, protocol vulnerability exploitation, and the HTTP flood molest [2] [3] . The choice on any attack type depends on the ease of such exploitation or its mastery by the attacker.

Previous researchers have expounded on how Distributed attacks in the cloud can be detected, prevented and mitigated. These techniques greatly apply two major detection mechanisms of signature or anomalies. They can use one, both, or be intelligent enough to learn new attacks based on set rules. The next section offers a review of various traditional based intrusion detection techniques. Further, it reviews the various classes of cloud computing based detection methods and offers examples. The underlying purpose being to compare the various detection methods and point out the strengths and limitations they pose. Beyond the review, the paper will show how specific techniques by specific scholars were successful or failed in the detection process against DDoS attacks in the cloud. In the analysis, the performance evaluation metrics used in a given technique will be shown. Additionally, the analysis will point out the various data sets and tools used by these techniques. As such, it will be possible to decide which of the techniques is efficient or has potential for future enhancement.

2. Literature Review

Existing techniques utilize different forms of algorithms to detect and determine attack levels within the cloud. HTTP-DoS and XML-Dos attacks are known to lead to exhaustion of resources [4] . Cloud-based intrusion detection techniques are an improved version of traditional intrusion detection system. The first section of this paper discusses various traditional intrusion detection techniques that are as well applied in the cloud. The second section will show cloud-specific intrusion detection techniques.

2.1. Traditional Intrusion Detection Techniques

2.1.1. Signature Based Detection Technique

This detection, also known as misuse technique, compares known information to already captured signatures stored in the database. The technique is only suitable for the detection of known attacks. A common tool used in signature detection technique is the SNORT tool [5] . SNORT is greatly used as it allows its users to set their rules and use those rules in regulating attacks on either the training set or real data set of attack.

In the study conducted by Mazzariello, Canonico, and Bifulco, the authors deployed the network based IDS at separate cloud positions. By considering two scenarios in calculating the performance of the IDS, two results were depicted. First, they inferred that the load on the controller increased, and the IDS detected the likelihood of the attack. Secondly, deploying an IDS close to the virtual machine resulted in the increase of the CPU load [6] .

2.1.2. Anomaly Based Detection Technique

These techniques observe the behavior of an event and determine existing anomalies. Shannon-Wiener’s index theory analyzes random data with an aim to unravel existing uncertainty. Reference [7] defines an entropy as the measure of abnormal behavior or randomness. In the separate study, data from a single class proved to contain a lesser entropy unlike statistics from multiple ones.

Headers present in the sampled data are analyzed to determine the IP and ports before computing their entropy. A certain threshold is then constituted to detect a DDoS attack where incase the observed abnormality surpasses a set threshold, the IDS raises alarm alerts [8] [9] . An approach for detecting HTTP based DDoS attacks is proposed by [10] . It entails a five step filter tree approach of cloud defense. These steps include filtering of sensors and Hop Counts, diverging IP frequencies, Double signatures, and puzzle solving [10] . The approach helped in determining anomalies with the various Hop Counts and treating the sources of such anomaly as attack source.

2.1.3. Artificial Neural Network Intrusion Detection Technique

Techniques utilizing ANN to detect intrusions aim at generalizing incomplete data and classifying it as either intrusive or normal. An ANN IDS can either utilize a Multi-Layer Perceptron (MLP), Back propagation (BP), or a Multi-Layer Feed-Forward (MLFF) technique. An approach by Gradiega Ibarra, Ledesma, and Garcia compared the use of self organization map (SOM) to MLP in determining intrusion rates and found that SOM provides high accuracy rates of detection compared to ANN [11] .

Cannady utilized a signature-based detection mechanism in a three layer neural network as a means to detect any intrusions. He used a nine network feature vector consisting of the Source port, protocol id, Raw data, destination port, Data Length, source IP address, ICMP code, the type of ICMP, and the destination IP address to determine the intrusions [11] .

2.1.4. Genetic Algorithm Intrusion Detection Systems

The use of genetic algorithms in the development of IDS helps in incorporating various network features towards determining best possible parameters for accuracy improvement and result optimization. Gong, Zulkernine, and Abolmaesumi implemented seven network features namely Duration, Protocol, Source IP, Destination IP, Source port, destination port, and attack name in analyzing packets. By using fitness function frameworks that support confidence, the authors were able to detect and determine network intrusions with high accuracy levels.

Reference [11] proposed a solution that combined both genetic algorithms and fuzzy to detect signature and anomaly attacks. Fuzzy logic helps in accounting for quantitative parameters while genetic algorithm determines the best fit parameters that are introduced by the fuzzy logic. This approach proved to solve the best fit problem in Cloud environment. It also showed that since selecting optimal network features as the parameters for intrusion detection increases an IDS accuracy level, the use of Genetic algorithm in developing IDS is effective for Cloud use [11] .

2.1.5. Fuzzy Logic Intrusion Detection System

Fuzzy logic provides high flexibility levels to intrusion detection problems. It helps deal with imprecise intrusions. A Fuzzy IDS was proposed by Tillapart, Thumthawatworn, and Santiprabhob to deal with network intrusions such as the Ping of Death, SYN, UDP floods, E-mail Bomb, port scanning, and FTP password guessing. Chavan, Shah, Dave, and Mukherjee implemented both Fuzzy logic and ANN to develop Evolving fuzzy neural network (EFuNN) that applied both unsupervised and supervised learning. Their experiment concluded that the used of EFuNN with fewer inputs produces high accuracy levels than the use of ANN alone [11] .

2.1.6. Support Vector Machine (SVM) Intrusion Detection Systems

Techniques utilizing SVM detect intrusions using limited samples of data whose dimensions do not affect the accuracy of the outcome. Comparing SVM to ANN, Chen, Su and Shen determined that rates of false positive were more accurate with SVM since the parameters set with SVM are minimum. A limitation for SVM is that it is only usable to test binary data. Li and Liu proposed and alternate intelligent network intrusion and prevention system that utilized a configurable firewall and a SNORT tool to reduce the rates of alarm and raise the accuracy levels of the intrusion detection system [12] .

2.1.7. Hybrid Intrusion Detection Systems

Hybrid IDS combine the advantages of two or more techniques discussed above. A new DDoS detection mechanism was introduced by Krishna and Quadir who implemented an architecture based on the Hidden Markov Model and the double TCP mechanism. Five packets apply the 3-way handshake procedure twice, and a SYN is used to maintain a log [13] . The purpose of the double TCP technique is to ensure that there is an identity match before a connection is completed.

Reference [14] notes that the Markov’s model when applied to wireless sensor networks helps in detecting any unusual activity. No connection is left half open as the client cannot reciprocate a matching pattern, and an attack is traceable back to its originator [15] . Vissers proposed the Cloud Trace Back (CTB) approach as a defense mechanism for web services through detection at the edge routers. In a reverse manner, SOA is applied to trace back the exact source of a distributed denial of service attack. A Cloud Traceback Mark (CTM) is placed within the header of a web message. All requests are then passed through the CTB thereby preventing any direct attack. To detect it, the victim client requests for message reconstruction in order to pull out the CTM which helps in retracing the source of the attacking request [16] [17] .

Ismail presented the covariance matrix approach to detect flood based denial of service attacks. A statistical method scrutinizes the correlativity aspects of network traffic and evaluates the resulting covariance matrix to the already preset one as exhibited by normal traffic. The covariance approach proved to be very effective and accurate in the Neptune and Smurf attack simulation experiments [16] . A separate variation that utilizes both the covariance approach and entropy based system is proposed by [18] that offers in-depth detection at the host and network levels.

A table illustrating the discussed traditional intrusion detection techniques and as presented in the works of [8] [10] and [11] alongside their advantages and limitations is depicted in Table 1.

2.2. Intrusion Detection Systems (IDS) Used in the Cloud

There exist four main IDS types that are applicable to cloud computing. They are the Host based IDS (HIDS), Network-based IDS (NIDS), Hypervisor based IDS, and Distributed IDS (DIDS). A pictorial representation of the various categories of IDS used in the cloud as illustrated by [6] is shown in the Figure 1.

2.2.1. Network Based Intrusion Detection Systems (NIDS)

These are IDS that detect malicious network activities by monitoring the network traffic. Collected information is the compared to already known attacks before an intrusion is confirmed. This approach is utilizes signature and anomaly techniques to determine both known and unknown network attacks. However, the approach is ineffective as it offers very limited visibility in the host machines and cannot be used to detect intrusion for encrypted network traffic.

Reference [19] proposed a network-based Intrusion Detection System by conducting a turning test for all the IP addresses in the network. It identifies faulty IPs and labels them as blacklist addresses. When an IP requests for the resource, it is checked against the blacklist list. If it exists in the survey, the IP request is dropped. In case the IP address is not faulty, the system checks if the requested resources are available and do not surpass the set threshold. Reference [20] recommended a trilateral trust mechanism for detection and protection against traffic injection attacks. A client always requests for a service through the specified data center hosted by the cloud service provider. Further, the request is routed via a traffic injection rate detector which is preset with the maximum threshold.

A survey by [21] on what security can help detect ARP spoof attacks concluded that by combining XArp 2 tool with an ARP request storm and ARP scanner, ARP spoofing can be greatly managed. Another study analyzed DDoS detection in the multilevel environment whereby a new user freely connects via a router, and the detection algorithm is used to verify the individual as genuine. A register status is stored in CDAP logs [22] During the subsequent access via the router, an entropy is calculated based on data packet size and then compared to already stored range to determine its legitimacy or raise the alarm [23] [24] .

Reference [25] recommended a network-based intrusion detection mechanism by combining the rough set theory with the K-nearest neighbor classification technique. Their approach aimed at performing mathematical analysis on connections within a network to determine their categories as either normal, probing, DOS, R2L, or U2R. The analysis further gives the rates of imperfect data that helps in determining the connection.

2.2.2. Host Based Intrusion Detection System (HIDS)

HIDS are deployed at the host machine to monitor and analyze the information collected by the host. They first learn the host’s file system, network events, system calls and then observes any modification that may occur at the kernel or file system of the host before raising an alert.

In a cloud environment, HIDS are placed on all VMs, host machines, and hypervisors to monitor and analyze log files, policies of security access, user login information in the bid to detect intrusions. Vieira and Schulter proposed a grid architecture where each node in the cloud has an IDS that interacts with the service offered such as IaaS, storage and IDS services. The IDS service consists of an analyzer and an alert system. Data is captured from and event auditor and the IDS uses either behavior techniques to detect unknown attacks or knowledge techniques to detect known attacks. When one host detects an attack, the IDS raises an alert and informs other IDS in other hosts. However this approach cannot detect any insider intrusion occurring within the hosts themselves [11] .

Reference [15] implemented a network-based IDS against known and unknown attacks. In their model, they used a snort tool and Bayesian classifier. The tool helps in detecting known attacks by comparing them to stored signatures while the classifier tracks any anomalies within the network. When the component of the model determines a possible intrusion, it sends an alert into a common knowledge base to be accessed by the other thereby increasing the rates of intrusion detection [6] [26] .

In another approach, a host-based IDS (HIDS) incorporates the external software agent at each cloud server with an aim to increase the resiliency of attacking the VMs without disrupting normal services in the cloud. The agents securely connected to the center of control using virtual LAN. An attack analyzer then decides whether to block or accept the user’s request [27] . Reference [28] proposed two way detection techniques that apply the bother tree in packet transmission and augment attack to enforce bottom up detection.

2.2.3. Distributed Intrusion Detection System

Multiple IDS can be combined to save a large network. All IDS collect information and transmit to the central analyzer where centralized analysis takes place. Reference [29] proposed a flexible, scalable and cost effective mechanism for intrusion detection in cloud applications using mobile agents. The mechanisms were meant to help monitor and protect VMs that were outside an organization. The approach was not as effective as it introduced large network loads with increase VMs attached to the mobile agent.

Reference [30] proposed DIDS with various agents for intrusion detection namely the collector agent, the misuse detection agent, the anomaly detection agent, the classifier agent, and the alert agent. Their approach used mobile agent to detect known and unknown attacks and centrally place them in a classifier before raising an alert via the alert agent.

Reference [31] proposed a Cloud service queuing defender (CSQD) technique that aims at protecting the cloud from HTTP and XML forms of DDoS attacks. Using this approach, a server has to be up before a request is processed which is uniquely prefixed with an ID. Reference [32] proposed a VM profiling model aimed at detecting virtual networks attacks by ensuring resilience in the explorations of zombies.

A team led by Lonea proposed a DDoS attack detection technique that uses the Dempster-Shafer theory [33] . In their proposition, the authors set a private cloud consisting of the front-end server and set of three virtual machines (nodes) each with a snort. The IDS set within nodes generate and store alerts in the Mysql database located within the CFU. These alerts are further analyzed and converted into basic probability assignments (bpa) of either true, false, or (true, false). By using the Dempster-Shafer's combination rule to analyze the computed bpa’s, the system increases true positive rates and greatly reduces false positive alarm rates [33] . Reference [34] ascertains the Dempster-Shafer Theory by arguing that the use of the centralized database reduces data loss risk and improves the capacity for result analysis and reduces any conflicts.

2.2.4. Hypervisor Based Intrusion Detection System

These are intrusion detection systems running at the hypervisor level. A hypervisor is a platform for running VMs. IDS at hypervisor levels work on virtual networks and allows a user to monitor and analyze all communications occurring within the hypervisor, between the various VMs, and between the VM and the hypervisor. The VM introspection based IDS is an example of a hypervisor intrusion detection system. Research by IBM gives hope to virtual machine introspection approach that creates layered security service levels within a protected VM running on the same machine consisting of guest VMs running in the cloud [11] .

Reference [35] proposed a VM introspection based approach that directly observes the hardware state, events, and software states of host machine and offers a robust view of the system. A VM monitor virtualizes the hardware and offers isolation and interposition. This approach helped in lie detection and row socket detection. A table summarizing the strengths and weaknesses of the above cloud based intrusion detection systems is depicted in the Table 2.

3. Analyzing Specific DDoS Detection Techniques

Different scholars have presented specific techniques for detecting distributed denial of service attacks in the cloud. Each technique depicts the metrics used for performance evaluation alongside the datasets and tools.

3.1. Big Data Testbed for Detecting Network Attacks

The detection method presented by [35] simulated network traffic and relied heavily on packet per second passing via a certain route. The technique only

captures HTTP based traffic and avoids other possible network attacks like the UDP and SMTP attacks that may lead to DDOS. This method is meant to detect HTTP GET flood attacks. This application layer attacks never use malformed packets and less consumers of bandwidth compared to other attacks like spoofing. Additionally, they do not generate significant traffic hence they are hard to detect [35] . The approach involved two phases of analyzing a training set of certain normal traffic and then using the parameters as inputs for detecting DDoS attacks using Snort tool

However, there is need to adjust the system in order to allow for detection of dynamic threats. There is need for a self-correction mechanism on already compromised data and a way for detecting already exploitable weaknesses. Introducing aspects of Fuzzy logic or SYSSTAT can help in leveraging the dynamism of the technique in offering proactive defense. Security for big data is an important aspect that needs integration into existing and upcoming cloud based intrusion detection system [35] . In the event that system component such as the memory are compromised, there is need to develop detective mechanisms using reactive defense strategies. This is possible if the system incorporates neural networks and machine learning techniques [36] .

3.2. Change-Point Detection Framework in the Cloud

Reference [37] proposed a conceptual cloud DDOS change-point detection mechanism as a means to detecting and preventing DDOS attacks. The technique consists of a change point detection, a packet inter-arrival time (IAT), and a flow based classifier (FBC). The technique is still in its conceptual stage and not practically tested but claims that by reading a packet header to determine its source and destination addresses, it will be possible to determine the packet inter-arrival time of packets from the same source and hence easy to detect any anomalies in packet transmission. A probable demerit with the approach is the possibility of high rates of false negatives and false positives [37] .

3.3. Hybrid Intrusion Detection System (H-IDS) for DDoS Attacks

Reference [38] presented a technique combining signature based and anomaly based mechanisms for attack detection. They used two different types of datasets; real data from previous penetration tests done on a commercial bank; and DARPA 2000 dataset. A time analysis was conducted on the DARPA 2000 dataset to offer a priori idea of the detection issue and results presented graphically in Figure 2. The performance metrics used included the packet inter-arrival time, the packet size, and the protocol frequencies.

Anomaly detection is provided for by use of the Gaussian Mixture Model (GMM). The detector distinguishes normal traffic from abnormal traffic using data from the extraction phase. The parameters for GMM are estimated using the Expectation Maximization (EM) algorithm and the informatics distance metric method. The EM algorithm helps in determining the probability density

function denoted by p(x). Distance between the parameters is computed and detection determined on that comparison. Using $X=\left\{x_1,x_2,\cdots ,x_n\right\}$ as a dataset and x_i as a measure of M-dimensional vector, then it a probability density function, p(x) having a finite K component is calculated as below.

$p\left(x|\theta \right)=\underset{k}{{\displaystyle \sum }}\left({\omega }_k{p}_k\right)\left(x|{\theta }_k\right)$

On the other hand, the information distance metric helps in determining the alarm level or mechanism of an attack [38] . The second part of the H-IDS system is the signature-based detective mechanism that uses the SNORT tool to set and modify rules as per the required performance results. A Hybrid Detection Engine (HDE) sets the rules granularity and the SNORT output is denoted as isAlarm_r which is calculated based on the number of alerts within a given time frame as is noted with the formula below.

${\text{isAlarm}}_{\text{r}}=\{\begin{array}{l}0,A\left(k\right)=0\\ 1,A\left(k\right)\ge 0\end{array}$

Using the HDE, the authors were able to calculate the attack probability by combining both the anomaly and signature-based detectors. Using the penetration test data, 99% accuracy on True Positive rate (TPR) was attained while DARPA dataset produced a 92.1% accuracy level on TPR [38] .

3.4. Hadoop as a Tool for Live DDoS Detection

Reference [39] proposed a live DDoS detection with Hadoop that comprises four stages of Network capturing and Log generation, Log transfer, DDoS detection, and Result notification. This technique utilizes a web interface with parameterized parameters before capturing the network traffic. A strength with the approach is its ability to detect and analyze live network traffic. The technique proved efficient while analyzing large data sizes unlike in the analysis of small data logs. The approach is as well non-intelligent to handle internal attacks resulting from compromised systems within itself. Introducing fuzzy and machine-learning approaches within the technique can help in tracking dynamic DDoS attacks.

A similar technique is proposed by [40] in which hadoop is used to analyze incoming HTTP, ICMP, UDP, and or TCP packets. The process will involve capturing the packets and generating logs, transferring the logs to HDFS, determining the DDoS attack, and keeping the result. A diagrammatic illustration of the above phases is depicted in Figure 3. Packet capturing is done by Wireshark as it proves to capture huge traffic amounts. Each packet consists of source IP, the packet protocol, some header data, and destination IP. A Traffic Handler is used in the generation of log files. The handler suspends the capturing process of Wireshark upon generating a log. It then transmits the file to the detecting server using a flume as illustrated in Figure 4.

The DDoS detection phase utilized a counter-based algorithm presented in Figure 5. The algorithm uses time interval, threshold and unbalanced ratio as the inputs for the detection. Time acts as a limiting feature to monitor page requests while threshold determines the page request frequency to the server in

comparison to normal network status. An unbalanced ratio is calculated as the ratio of page request response for a client and its server. An alarm is raised when requests by a client exceeds a threshold [40] . Even though the technique proves to be fast in detection of DDOS attacks and has low complexity of computation, mechanisms for internal attack detection need be introduced. Additionally, the success of its implementation lies in the capability to having beforehand determinacy of threshold value.

3.5. Real-Time Intrusion Detection Using Hadoop and Naive Bayes

Reference [41] proposed an approach for detecting intrusions in real-time by using Hadoop and Naive Bayes classifier. In their approach, the two created a heterogeneous and homogenous clusters for performing the training job. The Snort tool is used to capture packets from the NIC of a firewall and convert them into a binary file. Using Tshark, the system converts the binary data into CSV file which is then converted into UDP stream by a streamgen. A Naive Bayes Classifier present through MapReduce job writes records into an output file which is then read by a java program into disk. The results are graphically presented on a web interface using a D3 render. An architecture of this system is presented in Figure 6. Their approach proved a proof-of-concept technique with 90% success in detecting intrusions through the use of Hadoop and Naives classifier. But then, their results were based on comparison with another technique

which is a small percentage of all available techniques and parameters for analyzing and detecting attacks.

3.6. Botnet Detection Using Big Data Analytics

The work of [42] presented an important approach to combating botnet attacks in a peer-to-peer network. Their approach included three components; a traffic sniffer that captures and preprocesses packets, a feature extraction mechanism for engendering feature sets, and a machine learning techniques provided by Mahout that offers parallel processing in building a random forest based decision tree model. The technique uses dumpcap to sniff into network packets while Tshark extracts fields and sends them to Hadoop based Distributed File System. At feature extraction, an Apache Hive program extract, transforms, and loads the datasets. Using hadoop’s HQL language, selection of packet features is extracted using a group by clause based on an algorithm present in MapReduce. Mapping generated key-value pairs that are transmitted to a reducer that groups all values based on given key. This implies that Hadoop’s MapReduce framework is dependent on pair [42] . Both the input and output are pairs as presented in the formula below.

(input) → map → → combine → → reduce → (output)

The key and value pair is basically the source IP and port and the destination IP and port. This approach utilized the key and value pair mechanism as the great interest was determining problems based on raw data packet flow. By using the Ranker algorithm, the authors were able to determine from the entire feature set for the most influential features. The method measures Information Gain as described in the equation below.

$\text{Information}\text{Gain}\left(\text{Class},\text{Attribute}\right)=H\left(\text{Class}\right)-H\left(\text{Class}/\text{Attribute}\right)$

Capture files from existing Bot attacks such as those of Keliho-Hlux, Conficker, Storm, Zeus, and Waledac were used to train the system’s classification module. The datasets were PCAP captures. 90% of the dataset was used as training set while 10% formed the testing set. The classifier validity was tested by comparing results of the predicted against those of the experiments using the Pearson product-moment coefficient derived by the formula below [42] .

$r=\frac{{{\displaystyle \sum }}_{i=1}^n\left(X_i-\bar{X}\right)\left(Y_i-\bar{Y}\right)}{\sqrt{{{\displaystyle \sum }}_{i=1}^n{\left(X_i-\bar{X}\right)}^2}\sqrt{{{\displaystyle \sum }}_{i=1}^n{\left(Y_i-\bar{Y}\right)}^2}}$

A 99.7% accuracy level using Random Forest Algorithm with 10 trees was attained by the classifier as is presented in Table 3. A receive-operation (ROC) curve of various classifiers is presented in Figure 7. The Random Forest is seen to outperform all other machine learning algorithms like Naïve Bayes and SVM. The presented architecture ensures fault tolerance and dynamically adapts to various network situations [42] . The model can be applied in peer-to-peer security modules of threat detection.

3.7. MDRA-Based DDoS Detection Technique

Reference [43] proposes an almost perfect technique for detecting DDoS attacks using Multivariate Dimensionality Reduction Analysis (MDRA). This technique combines the features of Multivariate Correlation Analysis (MCA) and Principal Component Analysis (PCA) with aim to increase detection efficiency, reduce resource consumption and computing complexity, as well as handle large network traffic in Big Data. Even though the technique is still theoretical, its practicality will result in better detection mechanisms and reduced resource consumption. A KDD Cup 1999 dataset is used for verification against the novel algorithm. A flowchart for the novel method is illustrated in Figure 8.

The PCA method helps in obtaining P principal components. Linear combination for the maximum variance forms the first principal component. In the event that the first principal component does not satisfy the total reflection of the original variable, a second linear combination is formed. In their analogy, a sample set X of network traffic having n samples each with a dimension d then the principal components can be illustrated as below.

$X=\left\{X_1,X_2,\cdots ,X_n\right\}$ and $X_i=\left(x_{i1},x_{i2},\cdots ,x_{id}\right)R^d,i=1,2,\cdots ,n$ . A DDoS attack detection algorithm based on MDRA is shown in Figure 9. Using Precision, FPR, TNR, and DR formulae, this approach helps in DDoS attack detection using MDRA and MCA [43] .

$\text{Precision}=\text{TP}/\left(\text{TP}+\text{FP}\right)$

$\text{TNR}=\text{TN}/\left(\text{FP}+\text{TN}\right)$

$\text{FPR}=\text{FP}/\left(\text{FP}+\text{TN}\right)$

$\text{DR}=\text{TP}/\left(\text{TP}+\text{FN}\right)$

where:

1) TP is True Positive and represents attack numbers correctly classified as attacks,

2) FP is False Positive and represents normal record numbers in correctly classified as attacks,

3) TN is True Negative and represents normal record numbers correctly classified as normal records,

4) FN is False Negative and represents attack numbers incorrectly classified normal records.

Using a set between 1 and 3 with an increment of 0.2, Table 4 shows the resulting detection results of TP, TN, FN, and FP. Figure 10 and Figure 11 illustrates the tabulated detection results graphically for precision and TNR respectively. The approach led to high precision rate of almost 100% in True Negative Rate (TNR) with reduced computing time which equated to an eighth of the previous CPU time by MCA method. And even though the process was theoretical in nature, its practicability could alter how DDoS attacks are detected in Big Data environment. It would lead to greater efficacy even with heavy network traffic.

The strengths and limitations of the various specific cloud computing DDoS detection techniques as stipulated in this section are illustrated in Table 5.

4. Contrastive Analysis

Each discussed technique possesses its strengths and limitations. Their strengths are based on the need to fill a certain limitation offered by a previous technique. Before a scholar assumes the feasibility of their technique they make comparisons of their methods to those of their predecessors. To study an ideology, a researcher has to consider all the variants and objects making it up and their interrelation [44] . Further, they need to apply objective research to analyze and contrast their findings.

With DDoS attacks, contrastive analysis is greatly applied when using training data set to prepare the detection mechanism. For instance, datasets from previously known attacks are used to first test the new method before applying it into real-time situation. For instance, [10] used a DARPA 2000 dataset with already known anomalies so as to test if their technique could detect anomalies compared to other techniques that utilized the same set. Similarly, the same technique used data set from a previous penetration test done on a Turkish commercial bank. The tests results are already known and using the dataset as input is only meant to compare the technique's output to that of the penetration test. Other than mere detection, the use of datasets helps in determining the accuracy levels of the current technique in comparison to previous techniques.

In most instances, the use of contrastive research is successful since it is possible to adjust parameters to fit the required outcome or to alter the expected outcome to a given level. In the technique presented by [42] to combat botnets attack in a peer-to-peer network, training data was pulled from previous Bot attacks. These were the Conficker, Storm Zeus, Waledac, and Keliho-Hlux Bot attacks that then helped in creating a classification mechanism for this technique. The experimental results compared to the already predicted results helped to gauge the efficacy of the technique. The researchers would then alter their parameters to determine the attack outcome on those features.

In other scenarios, attacks are directly launched on hosts and the detection mechanisms deployed to try and detect. This is enabled through the use of rules that define attack behaviors. SNORT is one such tool that has rules defined to detect an attack based on those rules and threshold. Additionally, setting a threshold level helps in detecting traffic anomalies by raising an alarm if traffic goes beyond such level. However, threshold may not be as effective. Attacks such as HTTP GET consume little bandwidth resulting in insignificant network traffic. Using threshold as a measure to such attacks would lead to a lot of false negatives.

5. Conclusions and Future Work

There is need to ensure that data in the cloud is safe from any form of attack. Securing the cloud is hard but inevitable. One among the many feared attacks in the cloud is the Distributed Denial of Service attack. As this paper has expounded, the techniques against DDoS attacks borrow greatly from the already tested traditional techniques. However, no technique has proven to be perfect towards the full detection and prevention of DDoS attacks. In determining the detection or prevention mechanism for a DDoS attack, the motivation behind the attack has to be determined. Reference [45] stipulates seven motivations for DDoS attacks namely; financial and economic gain, slow network performance, ideological belief, revenge, intellectual challenge, cyberwarfare, and service unavailability.

One or multiple motivations can lead to an attack. Future researchers need to develop techniques that not only detect an attack but also intelligently identify the attacker’s methods and the traffic rates. As well, the mechanisms should be capable of determining the legitimacy of the source of the attack.

Most of the previously proposed and implemented approaches can further be advanced to ensure an increase in the IDS performance. For instance, instead of concentration on one point for detecting an attack, the approach can work towards having distributed points of attack detection and correction. To increase the detection and inference speed, the approaches can further provide distributed points of attack analysis separate from the attack points but relaying attacks descriptions to a central point. This would ensure that all facets of an attack are determined without negatively affecting performance.

NOTES

¹Cepheli, O., Buyukcorak, S. and Kurt, K., G. (2016) Hybrid Intrusion Detection System for DDoS Attacks. Journal of Electrical and Computer Engineering, 2016. Article ID 1075648, 8 pages, Figure 3.

²Korad, S., Kadam, S., Deore, P., Jadhav, M., and Patil, R. (2016) Detection of Distributed Denial of Service Attack with Hadoop on Live Network. International Journal of Innovative Research in Computer and Communication Engineering, 4, 93, Figure 2.

³Korad, S., Kadam, S., Deore, P., Jadhav, M., and Patil, R. (2016) Detection of Distributed Denial of Service Attack with Hadoop on Live Network, 95, Figure 3.

⁴Korad, S., Kadam, S., Deore, P., Jadhav, M., and Patil, R. (2016) Detection of Distributed Denial of Service Attack with Hadoop on Live Network, 95, Figure 6.

⁵Veetil, S., and Gao, Q. (2014) Real-time Network Intrusion Detection Using Hadoop-Based Bayesian Classifier. Emerging Trends in ICT Security, 288, Figure 1.

⁶Singh, K., Guntuku, S. C., Thakur, A., and Hota, C. (2014) Big Data Analytics framework for Peer-to-Peer Botnet detection using Random Forests. Information Sciences, 278, 492, Figure 4.

⁷Jia, B., Ma, Y., Huang, X., Lin, Z., and Sun, Y. (2016) A Novel Real-Time DDoS Attack Detection Mechanism Based on MDRA Algorithm in Big Data. Mathematical Problems in Engineering, 2016, 3, Figure 3.

⁸Jia, Ma, Huang, Lin, and Sun, A Novel Real-Time DDoS Attack Detection Mechanism Based on MDRA Algorithm in Big Data , 4, Algorithm 1.

⁹Jia, Ma, Huang, Lin, and Sun, A Novel Real-Time DDoS Attack Detection Mechanism Based on MDRA Algorithm in Big Data, 4, Figure 4.

¹⁰Jia, Ma, Huang, Lin, and Sun, A Novel Real-Time DDoS Attack Detection Mechanism Based on MDRA Algorithm in Big Data , 4, Figure 5.

Conflicts of Interest

The authors declare no conflicts of interest.

References