"CYBERFORENSICS FOR IOT DEVICES:
DEMYSTIFYING DDOS ATTACKS WITH
EXPLAINABLE AI"
Submitted in partial fulfillment of the requirements for the degree of
INTEGRATED MTECH
in
SOFTWARE ENGINEERING
By
UPPALURU VINITHA REDDY
20MIS0388
Under the guidance of
Prof. MOHAN RAJ G
School of Computer Science Engineering and Information Systems
VIT, Vellore
Review 2
October, 2024
1. LITERATURE REVIEW
Columns: S.No., Title, Methodology, Advantages, Limitations

1. Title: Analysis of IoT Security Challenges and Its Solutions Using Artificial Intelligence
Methodology: Machine learning (ML) and deep learning (DL) models; techniques like classification, regression and clustering.
Advantages:
• Offer real-time threat detection and improved accuracy in identifying potential risks.
• They automate responses, reducing the need for human intervention.
Limitations:
• Complex to develop, requiring substantial expertise and computing resources.
• They rely heavily on large datasets, which may not always be available.

2. Title: Explainable AI-Based DDoS Attack Identification Method for IoT Networks
Methodology: XAI combined with autoencoders for DDoS attack detection in IoT networks.
Advantages:
• Accurately identifies DDoS attacks by focusing on the most influential features, ensuring high detection accuracy.
• XAI provides clear explanations for each detected anomaly.
Limitations:
• Implementing the methodology requires expertise in AI, anomaly detection, and feature extraction, making it complex for non-experts.

3. Title: Taxonomy of DDoS attacks and their defense mechanisms in IoT
Methodology: The methodology involves classifying DDoS attacks based on attack rate and IoT layers.
Advantages:
• DDoS defense mechanisms can identify attack patterns early, preventing large-scale disruptions.
• They offer protection across different IoT layers.
Limitations:
• They require significant computational power and bandwidth, which many IoT devices lack.
• Deploying DDoS defense mechanisms at scale can be expensive.

4. Title: Demystifying machine learning models of massive IoT attack detection with Explainable AI for sustainable and secure future smart cities
Methodology: Application of XAI techniques for understanding IoT attack behaviors.
Advantages:
• Development of an autonomous detection system for IoT attacks in smart cities.
• Utilization of Explainable Artificial Intelligence (XAI) for interpreting and visualizing attack behavior.
Limitations:
• Potential limitations in generalizing results to all smart city scenarios.
• Oversampling techniques may introduce noise or affect model performance.

5. Title: Explainable AI for Human Centric Ethical IoT Systems
Methodology: Proposes a high-level, human-inclusive Explainable AI (XAI) framework for IoT systems to address ethical concerns like privacy, security, and transparency.
Advantages:
• XAI enhances trust by providing human-understandable explanations.
• By explaining AI decisions, users (developers, end users, regulators) can better understand the rationale behind AI-driven actions, leading to more informed decisions.
Limitations:
• Integrating XAI into existing IoT systems requires sophisticated algorithms and design, making it harder to develop and maintain such systems.

6. Title: Detection and mitigation of IoT based attacks using SNMP and moving target defense techniques
Methodology: Application of SNMP, access control lists, and moving target defense techniques; detection and mitigation strategies for DDoS and false data injection attacks.
Advantages:
• Focus on security challenges and threats in cloud-assisted IoT environments.
• Utilizes techniques like SNMP, access control lists, and moving target defense.
Limitations:
• May not cover all potential attack vectors or emerging threats.
• Effectiveness of techniques may vary with different IoT and cloud configurations.

7. Title: Critical analysis of DDoS—An emerging security threat over IoT networks
Methodology: Evaluation of techniques like botnet detection, signature-based detection, and anomaly-based methods.
Advantages:
• Comprehensive coverage of attack mechanisms, impacts, and existing countermeasures.
• Emphasis on protection at various IoT network levels.
Limitations:
• Potential limitations in addressing specific vulnerabilities or unique IoT device challenges.

8. Title: Review of network forensic analysis optimization using deep learning against attacks on IoT devices
Methodology: Evaluation of components, methods, and performance parameters in existing literature.
Advantages:
• Detailed analysis of components, methods, and performance parameters.
• Identifies limitations and findings of current approaches.
Limitations:
• Focused on existing literature, which may limit the scope of newer techniques or technologies.

9. Title: Semi supervised learning based security to detect and mitigate intrusions in IoT network
Methodology: Use of classification and evaluation tables to organize and assess approaches.
Advantages:
• Provides a comprehensive review of deep learning based forensic techniques for IoT devices.
• Highlights the effectiveness of deep learning in network forensics.
Limitations:
• May not include the latest advancements or emerging techniques in deep learning and IoT forensics.

10. Title: A comprehensive survey of attacks without physical access targeting hardware vulnerabilities in IoT/IIoT devices, and their detection mechanisms
Methodology: Review of various attack types on IoT/IIoT, analysis of hardware vulnerabilities and side effects, discussion of detection mechanisms and their effectiveness.
Advantages:
• Comprehensive survey of IoT and IIoT attacks.
• Emphasizes the need for robust security solutions; provides insights into existing detection mechanisms.
Limitations:
• Focuses on existing literature, may lack experimental validation, does not provide new detection mechanisms; future work needed on platform-specific side effects and impact.
2. GAP IDENTIFICATION
Gaps and limitations observed in the existing systems include:
➢ Models struggle to handle emerging, unknown attack vectors.
➢ Scaling DDoS defenses is expensive for large IoT deployments.
➢ Integrating explainable AI (XAI) into IoT systems is complex and resource-intensive.
➢ Methods may not cover all potential or emerging IoT attacks.
➢ Security mechanisms may reduce IoT system performance or usability.
3. OBJECTIVE FRAMING
1. Developing a Framework for Predicting and Mitigating DDoS Attacks
• The primary objective is to create a comprehensive framework designed to predict
and mitigate DDoS attacks on IoT devices.
• This framework will be based on a detailed analysis of historical DDoS attacks to
identify patterns, root causes, and vulnerabilities specific to IoT ecosystems.
2. Identifying Causes and Vulnerabilities in IoT Systems
• A critical part of the research is identifying the vulnerabilities within IoT devices
and networks that make them prone to DDoS attacks.
• This knowledge will drive the development of more effective strategies for
detecting and preventing such attacks.
3. Developing an Explainable AI (XAI) Model
• The study will develop an Explainable AI (XAI) model that can explain the
reasoning behind the detection of potential DDoS attacks.
• The XAI model will focus on making complex AI-driven security decisions clear
and interpretable, helping both technical and non-technical users understand why a
certain attack or anomaly has been flagged.
4. Enhancing User Awareness and Education
• The research aims to increase user awareness of IoT security risks, with a focus on
understanding DDoS threats and defensive actions.
• Through enhanced education, users will be empowered to make informed decisions
and take proactive measures when potential attacks are detected.
5. Improving Accessibility to Cyber Forensics
• A key objective is to improve the accessibility of cyber forensics tools, particularly
for non-technical users.
• The goal is to simplify the forensic processes and present clear, understandable
reports on detected threats, enabling users to act swiftly and effectively.
6. Facilitating Collaboration Between Technical and Non-Technical Stakeholders
• The project aims to bridge the gap between technical and non-technical stakeholders
by developing security solutions that are both technically robust and easy to use.
• This collaboration ensures that the solutions can be implemented effectively across
various IoT environments.
7. Promoting Proactive Security Measures
• By integrating predictive models, XAI explanations, user education, and accessible
forensic tools, the research promotes proactive security measures.
• These efforts will contribute to a more resilient and secure IoT infrastructure that
can better withstand future DDoS attacks.
4. PROJECT PLAN
Phase 1: Planning and Research (2 weeks)
Start Date: 15 July 2024
End Date: 28 July 2024
Goal: Understand the problem domain, gather requirements, and conduct preliminary
research on DDoS attack detection, IoT vulnerabilities, and Explainable AI (XAI)
technologies to present clear information to non-experts.
Tasks:
Literature Review:
➢ Research existing DDoS detection methods and machine learning (ML)
techniques used in IoT systems.
➢ Review academic papers on Explainable AI (XAI) for making complex ML
models interpretable to non-expert users.
Requirement Analysis:
➢ Define key functional requirements such as real-time DDoS detection and
explainable insights for non-expert users.
➢ Define non-functional requirements like scalability, accuracy, and ease of use.
Define Project Scope:
➢ Finalize the scope of the project (real-time DDoS detection and interpretation
using ML models and XAI) and identify technologies to be used (Python,
TensorFlow).
Resource Planning:
➢ Identify necessary hardware (GPUs) and ML frameworks (TensorFlow,
PyTorch) to be used in the project.
Deliverables:
Project Scope Document.
Requirement Specification Report.
List of hardware/software tools required.
Phase 2: Data Collection & Preprocessing (3 weeks)
Start Date: 29 July 2024
End Date: 18 August 2024
Goal: Gather DDoS attack data and preprocess it for training machine learning
models.
Tasks:
Data Collection:
➢ Curate a dataset of DDoS attack patterns targeting IoT devices.
Data Cleaning:
➢ Remove inconsistencies and standardize the dataset for effective training.
Feature Extraction:
➢ Extract key features (e.g., traffic anomalies, patterns) for use in ML models.
Deliverables:
Cleaned and preprocessed dataset.
Feature extraction report.
Phase 3: Model Development (4 weeks)
Start Date: 19 August 2024
End Date: 16 September 2024
Goal: Develop and train machine learning models to detect DDoS attacks, with
Explainable AI providing clear explanations.
Tasks:
Model Selection:
➢ Choose ML models suitable for DDoS detection (e.g., decision trees, neural
networks).
Model Training:
➢ Train the selected ML models on the preprocessed dataset to accurately detect
DDoS attacks.
Explainability Integration:
➢ Use Explainable AI techniques to provide clear, understandable insights about
the model’s decision-making process.
Deliverables:
Trained ML models with XAI capabilities.
Model performance report.
Phase 4: System Design & Integration (4 weeks)
Start Date: 17 September 2024
End Date: 14 October 2024
Goal: Design the system architecture, integrating ML models and XAI with a
user-friendly interface.
Tasks:
System Architecture Design:
➢ Design the overall architecture for data input, model execution, and output
interpretation.
Front-End Interface Development:
➢ Develop a user-friendly interface for non-experts to view DDoS attack alerts and
explanations.
Deliverables:
Fully integrated system with DDoS detection and XAI explanations.
User-friendly interface.
Phase 5: Testing & Evaluation (3 weeks)
Start Date: 15 October 2024
End Date: 31 October 2024
Goal: Test the system for performance, accuracy, and clarity of explanations provided
by the XAI.
Tasks:
Performance Testing:
Evaluate the model’s accuracy and real-time performance.
Explainability Evaluation:
Test the effectiveness of XAI in explaining attack details to non-expert users.
Deliverables:
Testing report with performance metrics and feedback.
Phase 6: Documentation & Final Presentation (2 weeks)
Start Date: 1 November 2024
End Date: 15 November 2024
Goal: Complete documentation and prepare a presentation for project evaluation.
Tasks:
Project Documentation:
Provide detailed documentation, including technical reports and user manuals.
Final Presentation Preparation:
Summarize the project and demonstrate the system’s DDoS detection and XAI
explanation capabilities.
5. DESIGN/ METHODOLOGY
5.1. DETAILED DESIGN
1. IoT Devices
The system begins by monitoring IoT devices, which are increasingly targeted by
cybercriminals due to their connectivity and typically weak security. These devices, when
compromised, are used to launch DDoS attacks, which overwhelm a network or service with
excessive traffic, rendering it inoperable.
2. Data Collection
The data generated by IoT devices is collected for further analysis. This includes network
traffic data, device logs, and any anomalies in communication patterns. Collecting this
data is essential to detecting abnormal traffic spikes, a common indicator of a DDoS
attack.
3. Data Preprocessing
The collected data is then preprocessed to remove noise and irrelevant information.
Preprocessing involves cleaning, normalizing, and formatting the data, ensuring that the
machine learning model can accurately analyze the incoming traffic for signs of a DDoS
attack.
4. Model Building
Machine learning models are developed to detect DDoS attack patterns within the IoT
device data. These models are trained using datasets that contain examples of both
normal traffic and DDoS attack scenarios. The models learn to identify abnormal traffic
volumes or unusual request patterns typical of a DDoS attack.
5. Attack Classification Result
After the data is processed through the model, the system classifies it to determine if a
DDoS attack is occurring. The classification result will indicate whether the incoming
traffic is normal or if it aligns with patterns typically associated with a DDoS attack, such
as a sudden surge in traffic volume targeting a specific service or device.
6. Explainable AI (XAI)
To enhance transparency, Explainable AI (XAI) techniques are applied to the
classification results. XAI provides human-readable insights into how the model detected
the DDoS attack. It explains the features and patterns the model considered—such as
traffic spikes, the number of requests, or the behavior of connected devices—that led to
the identification of a DDoS attack.
7. Attack Analysis
With the help of XAI, a detailed analysis of the detected DDoS attack is conducted. The
system examines how the attack occurred, including the volume of traffic involved,
which IoT devices were compromised, and how the attack overwhelmed the target
system. This in-depth analysis helps security teams understand the attack’s impact and
formulate countermeasures.
8. Data Repository
All classified DDoS attacks, along with their analysis and explanations, are stored in a
data repository. This repository allows for historical tracking of DDoS incidents, enabling
the system to refine its detection methods over time and providing security teams with
data for post-incident analysis.
9. Explanation Generation
This stage translates the technical explanation of the DDoS attack into a format that can
be easily understood by non-technical stakeholders. The system provides a clear and
concise explanation of the DDoS attack, including why it was classified as such, the
impact on the IoT devices, and potential mitigation strategies.
10. User Interface (UI)
The results and explanations are presented via a user interface, offering users a detailed
view of the detected DDoS attack. The UI allows for quick understanding of the attack’s
nature, severity, and suggested responses, ensuring that users can take appropriate action
to defend their systems from ongoing or future DDoS threats.
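Steps 4 to 9 above describe one pipeline: train a detector on normal and attack traffic windows, classify a new window, attribute the decision to the traffic features, and translate that attribution into a plain-language report. The following is an added illustration of that pipeline, not code from the project itself: it trains a small logistic-regression detector (one of the models listed in the results section) on constructed per-window IoT traffic features, and explains each verdict by the signed contribution of every feature to the model's logit. The feature names, the training rows and the report wording are all assumptions made for this example.

```python
"""Added example (not project code): explainable DDoS window classifier."""
import math

FEATURES = ["packets_per_sec", "unique_src_ips", "syn_ratio", "avg_payload_bytes"]

# Constructed training windows, not real captures: low-rate IoT telemetry (label 0)
# versus high-rate SYN floods from many sources with tiny payloads (label 1).
TRAIN = [
    (12, 2, 0.05, 180, 0), (20, 3, 0.08, 210, 0), (15, 2, 0.04, 160, 0),
    (30, 4, 0.10, 240, 0), (25, 3, 0.06, 200, 0), (18, 2, 0.05, 190, 0),
    (900, 40, 0.95, 40, 1), (1500, 120, 0.98, 36, 1), (700, 35, 0.90, 48, 1),
    (2200, 200, 0.99, 32, 1), (1100, 80, 0.96, 44, 1), (800, 50, 0.92, 50, 1),
]

def zscore_params(rows):
    """Per-feature mean and std, so learned weights are comparable across features."""
    n = len(rows)
    means = [sum(r[i] for r in rows) / n for i in range(len(FEATURES))]
    stds = [math.sqrt(sum((r[i] - means[i]) ** 2 for r in rows) / n) or 1.0
            for i in range(len(FEATURES))]
    return means, stds

def standardize(x, means, stds):
    return [(x[i] - means[i]) / stds[i] for i in range(len(FEATURES))]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def train(rows, epochs=500, lr=0.1):
    """Full-batch gradient-descent logistic regression on standardized features."""
    means, stds = zscore_params(rows)
    w, b = [0.0] * len(FEATURES), 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * len(FEATURES), 0.0
        for r in rows:
            x = standardize(r, means, stds)
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - r[-1]
            for i in range(len(FEATURES)):
                gw[i] += err * x[i]
            gb += err
        w = [wi - lr * gi / len(rows) for wi, gi in zip(w, gw)]
        b -= lr * gb / len(rows)
    return {"w": w, "b": b, "means": means, "stds": stds}

def explain(model, window):
    """XAI stage: score a window and attribute the logit to each feature.
    contribution = weight * standardized value, so contributions + bias == logit."""
    x = standardize(window, model["means"], model["stds"])
    contrib = {f: wi * xi for f, wi, xi in zip(FEATURES, model["w"], x)}
    p = sigmoid(sum(contrib.values()) + model["b"])
    ranked = sorted(contrib.items(), key=lambda kv: -kv[1])
    return {"is_attack": p >= 0.5, "probability": p, "contributions": ranked}

def plain_language_report(result, window):
    """Explanation-generation stage: wording a non-technical reader can act on."""
    verdict = "DDoS attack" if result["is_attack"] else "normal traffic"
    lines = [f"Verdict: {verdict} (confidence {result['probability']:.0%})."]
    top = [f for f, c in result["contributions"][:2] if c > 0]
    if result["is_attack"] and top:
        vals = ", ".join(f"{f}={window[FEATURES.index(f)]}" for f in top)
        lines.append(f"Main reasons: {vals}, far outside this device's normal range.")
        lines.append("Suggested response: rate-limit or isolate the device and review its firmware.")
    return "\n".join(lines)

if __name__ == "__main__":
    model = train(TRAIN)
    flood = (1300, 95, 0.97, 38)  # constructed window to classify
    print(plain_language_report(explain(model, flood), flood))
```

Because each contribution is a signed share of the logit, the ranked list is exactly the evidence the model used, which is what the attack-analysis and UI stages can surface without any further approximation.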
6. IMPLEMENTATION RESULTS
SIMPLE ANALYSIS OF DATA
EXPLORATORY DATA ANALYSIS
MODEL BUILDING
1. DECISION TREE
ROC CURVE
CONFUSION MATRIX
PRECISION-RECALL CURVE
2. KNN WITH PCA APPLIED
3. LOGISTIC REGRESSION
CYBERFORENSICS FOR IOT DEVICES:
DEMYSTIFYING DDOS ATTACKS WITH
EXPLAINABLE AI
Name : UPPALURU VINITHA REDDY
Reg no : 20MIS0388
AGENDA
Introduction
Literature Review
Gaps Identification
Objective Framing
Project Plan
Implementation And Analysis
Design
INTRODUCTION
• Key Technologies: Utilizes Explainable AI, IoT forensics, and data analysis techniques to
demystify DDoS attacks.
• Significance: Addresses the critical need to understand vulnerabilities in IoT devices,
particularly with the rising threat of DDoS attacks.
• Accessibility and Usability: Focuses on simplifying complex forensic data, making it
accessible and understandable for non-technical users.
• User Empowerment: Aims to educate users on IoT security, enabling them to take
informed, preventive actions against potential threats.
• Enhanced IoT Security: The project seeks to make IoT security more comprehensible
and actionable, bridging the gap between technical complexity and user understanding.
LITERATURE REVIEW
PAPER – 1
TITLE : Analysis of IoT Security Challenges and Its Solutions Using Artificial Intelligence
AUTHORS : T Mazhar, DB Talpur, TA Shloul
PUBLISHED YEAR : 2023
METHODOLOGY : Machine learning (ML) and deep learning models
ADVANTAGES : Offer real-time threat detection and improved accuracy in identifying potential
risks.
LIMITATION : Complex to develop, requiring substantial expertise and computing resources
LITERATURE REVIEW…
PAPER – 2
TITLE : Explainable AI-Based DDoS Attack Identification Method for IoT Networks
AUTHORS: CS Kalutharage, X Liu, C Chrysoulas, N Pitropakis, P Papadopoulos
PUBLISHED YEAR : 2023
METHODOLOGY : XAI combined with autoencoders for DDoS attack detection in IoT networks.
ADVANTAGES : Accurately identifies DDoS attacks by focusing on the most influential features,
ensuring high detection accuracy
LIMITATION : Implementing the methodology requires expertise in AI, anomaly detection, and feature
extraction, making it complex for non-experts.
LITERATURE REVIEW…
PAPER – 3
TITLE : Taxonomy of DDoS attacks and their defense mechanisms in IoT
AUTHORS: N Pandey, PK Mishra
PUBLISHED YEAR : 2021
METHODOLOGY : classifying DDoS attacks based on attack rate, IoT layers
ADVANTAGES : DDoS defense mechanisms can identify attack patterns early, preventing large-scale
disruptions.
LIMITATION : They require significant computational power and bandwidth, which many IoT devices
lack.
GAPS IDENTIFIED
Models struggle to handle emerging, unknown attack vectors.
Scaling DDoS defenses is expensive for large IoT deployments.
Integrating explainable AI (XAI) into IoT systems is complex and resource intensive.
Methods may not cover all potential or emerging IoT attacks.
Security mechanisms may reduce IoT system performance or usability.
PROJECT PLANNING
Phase-1: Planning and Research (15th July – 28th July)
Phase-2: Data Collection and Pre-processing (29th July – 18th August)
Phase-3: Model Development (19th August – 16th September)
Phase-4: System Design and Integration (17th September – 14th October)
Phase-5: Testing and Evaluation (15th October – 31st October)
Phase-6: Documentation and Final Presentation (1st November – 15th November)