Detection of distributed denial of service attacks using an ensemble of adaptive and hybrid neuro-fuzzy systems

A DDoS attack is the most prevalent threat, viz., flooding the computing and communication resources in order to make the service unavailable for legitimate users, since a decade and continues to be threatening till date. Therefore, these critical resources must be protected against the DDoS attacks. The detection of DDoS attacks requires adaptive and incremental learning classifier, less computational complexity, and accurate decision making from uncertain information. Hence, the DDoS attacks could be detected using existing soft computing techniques such as fuzzy logic, neural networks, and genetic algorithms. Fuzzy logic has the advantage of interpreting the rules well but it suffers from the disadvantage of not able to acquire the rules automatically. The neural networks generalize the network well but they cannot interpret the rules. Genetic algorithm provides optimal solutions but the time complexity is high. Hybrid methods, Neuro-fuzzy and genetic fuzzy have been proposed to overcome the drawbacks of interpretability and manual rules acquisition. In this paper, adaptive and hybrid neuro-fuzzy systems were proposed as subsystems of the ensemble. Sugeno type Adaptive Neuro-Fuzzy Inference System (ANFIS) has been chosen as a base classifier for our research as Mamdani type ANFIS is not suitable for real time due to its high computational complexity and non-adaptiveness to extract exact knowledge from the dataset. Single classifier makes error on different training samples. So, by creating an ensemble of classifiers and combining their outputs, the total error can be reduced and the detection accuracy can be increased. Improvement in the performance of ANFIS ensemble is the focus of this paper. Our proposed DDoS classification algorithm, NFBoost, differs from the existing methods in weight update distribution strategy, error cost minimization, and ensemble output combination method, but resembles similar in classifier weight assignment and error computation. Our proposed NFBoost algorithm is achieved by combining ensemble of classifier outputs and Neyman Pearson cost minimization strategy, for final classification decision. Publicly available datasets such as KDD Cup, CAIDA DDOS Attack 2007, CONFICKER worm, UNINA traffic traces, and UCI Datasets were used for the simulation experiments. NFBoost was trained and tested with the publicly available datasets and our own SSE Lab(1) SSENET 2011 datasets. Detection accuracy and Cost per sample were the two metrics used to analyze the performance of the NFBoost classification algorithm and were compared with bagging, boosting, and AdaBoost algorithms. From the simulation results, it is evident that NFBoost algorithm achieves high detection accuracy (99.2%) with fewer false alarms. Cost per instance is also very less for the NFBoost algorithm compared to the existing algorithms. NFBoost algorithm outperforms the existing ensemble algorithms with a maximum gain of 8.4% and a minimum gain of 1.1%. (C) 2012 Elsevier B.V. All rights reserved.