Proceedings of the Fifth International Conference on Computing Methodologies and Communication (ICCMC 2021)

IEEE Xplore Part Number: CFP21K25-ART

A Deep Learning-Based Methodology in Fog

Environment for DDOS Attack Detection
2021 5th International Conference on Computing Methodologies and Communication (ICCMC) | 978-1-6654-0360-3/20/$31.00 ©2021 IEEE | DOI: 10.1109/ICCMC51019.2021.9418363

Shubham Bishnoi Sagarika Mohanty Bibhudatta Sahoo

Department of CSE Department of CSE Department of CSE
National Institute of Technology National Institute of Technology National Institute of Technology
Rourkela, India 769008 Rourkela, India 769008 Rourkela, India 769008
[email protected] sagarika [email protected] [email protected]

Abstract—The Distributed denial-of-service (DDoS) attack the information across sequence steps and also helps to deal
pose a great threat to a heterogeneous network like Internet with problem of vanishing gradient. We have used CNN
of things (IoT). The loss to a firm caused by a DDoS attack model as it deals with classification issues by changing size
is directly proportional to the duration of the attack so it is
important to identify and mitigate the attack as soon as possible. of the network. CNN model can also be used to capture
The traditional architecture of IoT has three layers consisting of subtle nuances of data by converting data to image data. The
the end device in the bottommost layer, controllers in the middle contributions of this paper are as follows:
layer, and cloud in the uppermost layer. Any kind of decision- • We have adopted a 4 layer IoT architecture consisting of
making is done in the cloud so the whole process is slowed down
due to latency delay. We have adopted the architecture of a fog a fog layer to reduce the transmission latency and make
layer with sufficient computing power above the end device layer. it more efficient.
We have used two deep Learning-based models. First long short- • A Deep Learning based methodology using LSTM and
term memory (LSTM) model to identify the malicious data from CNN is proposed to detect the DDoS attack. Flow data
the benign data and second convolutional neural network (CNN) is converted into image data to capture subtle nuances
model to further classify the data into attack categories. Our
lstm model has an accuracy of 98 percent and cnn model has an using CNN model.
accuracy of 86 percent. The rest of the paper is organized as follows. Section II shows
Index Terms—IoT, Fog Environment, Deep Learning, Long the related work. Section III shows the system model. Section
short-term memory, Convolutional Neural Network, DeepInsight, IV discuss DDoS attack in IoT. Section V shows methodology.
DDoS.
Section VI shows performance evaluation. Section VII has the
conclusion.
I. I NTRODUCTION
Internet of Things is growing day by day as new devices II. R ELATED WORK
are being added to the network but these devices have small DDOS attack has been plaguing the internet for a long time.
size and have low power so it is not possible to implement It not only disrupts the service of the target but it also affects
sophisticated defence mechanism on them. Due to lack of their reputation which leads to losing customers. The longer
security these devices can be easily accessed by an attacker the time services are down the more the damage is done, So
to create a bot [1] [2]. As IoT devices are interconnected and it is necessary to identify and mitigate the attacks as soon as
interdependent this bot can further infect the connected devices they are launched.
and create a botnet. An example of this can be seen from the Authors of [2], have provided a method to manage the services
Mirai botnet discovered in 2017 [3]. This botnet target the old running even during an attack. This work was specifically pro-
devices that didn’t have a firmware layer and infect them. posed for the DNS flood attack. In this method, a bot program
The process of detecting and mitigating a DDoS attack has is installed in DNS local server. This bot continuously send
to be executed as fast as possible. If the attack continues for DNS requests to target such that Target’s IP is continuously in
a long time target’s service may deteriorate and in the worst- cache of local servers. Now in case of a DDOS attack, when
case server may crash. DDoS attack not only affect the services response time for DNS request is larger then threshold, target
provided by a company but also degrade the reputation. can work with DNS local servers to access the IP from cache.
In the traditional IoT architecture, any kind of operation has Authors of [5] have provided an edge-based mechanism to
to be performed in the cloud layer and the data transmission identify and mitigate the DDOS attack as quickly as possible.
leads to an increase in time consumption. We have adopted the They propose two deep learning models namely LSTM and
architecture of Maiti et.al [4]. In this architecture an additional CNN. LSTM has been because it can retain information
layer called the fog layer is introduced between the cloud layer across sequence steps and can overcome problem of vanishing
and the IoT devices. Data analysis is done in the fog layer for gradient. LSTM Model has been used to classify whether data
the detection of DDoS attack in real-time. is benign or malicious data. Further CNN model is used to
We have used LSTM model because it is useful to retain classify the malicious flows into benign flows, Flooding based

201

Authorized licensed use limited to: San Francisco State Univ. Downloaded on June 18,2021 at 18:11:07 UTC from IEEE Xplore. Restrictions apply.
attacks and timing based attacks. Filtration rules are updated III. S YSTEM M ODEL
according to observations. Authors of [6], proposed another
We have adopted the 4 tier architecture Maiti et.al [4] , as
method to reduce the time consumption in the detection of
shown in Fig.1.
DDOS. They propose a methodology to sample the input flow
instead of using it as a whole. They take first n packets from A. Tier 1
each flow and each packet is further divided into l bytes. Short
bytes are padded with 0 to make them of similar size. Trimmed This layer is the lowest of all layers and it consists of end
bytes are viewed as 1-D vectors with n*l elements. The data devices which are called smart sensor nodes(SSNs) uniquely
is further converted into grey scale images. Grey scale images identified with an IPv6 address and compressed into a mesh
are fed into CNN model to detect anomalies in data. network by 6LoWPAN protocol. SSNs are a collection of
Authors of [7] have presented a methodology named LEDEM sensors and actuators which are used to collect the information
for attacks from wireless IoT to IoT servers. Authors have and transmit it to the upper layers. A central device called a
used a semi-supervised ML algorithm to identify malicious Coordinating Device(CD) is used to overlook a network. As
or DDOS flow and if the flow is classified as DDOS then SSNs belong to different networks these CDs may be named
the network segment it was generated from is blocked.. They differently in different environments e.g. cluster head in sensor
also have proposed separate mitigation strategies for fixed network, reader in RFID network, etc.
IoT(fIOT) and mobile IOT(mIOT) devices. In case of fIOT
B. Tier 2/Fog Tier
devices, malicious IOT are clubbed together in a group and a
drop rule is applied collectively for the group. On the other Coordinating Devices(CDs) send their information to the
hand for mIOT temporary drop rules are assigned to groups next layer of devices known as Fog Nodes (FNs). These
of devices. devices consist of Edge devices such as routers, switches, gate-
Authors of [8], present the DDOS classification as an op- ways etc. These devices not only store the data temporarily but
timisation problem with six different conflicting objectives are also equipped to perform its analysis and processing. As
like relevance, redundancy, number of features, classification the devices are close to SSNs, transmission latency is reduced
accuracy, recall and precision. They use NSGA-II to find the not only decreasing the processing time but also reducing the
optimum features from the dataset and in the best case they load on the network. Due to the small-time consumption, tier
were able to reduce the number of features to 6 with an 2 handles all the latency-sensitive applications and real time
accuracy of 99 percent. Authors of [9], use a similar approach applications.
and present the DDOS attack detection as an optimisation
problem and use Grasshopper Optimisation algorithm to figure C. Tier 3
out the most important features of the dataset. Next these Tier 2 sends its data to SDN-controllers(SDN-Cs). SDN-Cs
feature used to train multiple Machine Learning models like perform traffic control. SDN-Cs act as OpenFlow controllers
MLP, NB, SVM and C4.5. After comparison of outputs from are connectivity managers between Fog Controllers(FCs) and
these model C4.5 gives better performance. Authors of [10], IoT devices. SDN-Cs are higher in network hierarchy and
propose a deep belief network-based IDS(DBNIDS). The Deep each SDN-C is responsible for connecting multiple FCs.
Belief network consists of stacked RBM layers. Each RBM Open-flow switches are used for interconnection of network
layer performs training on the output from previous layer. Each partitions enabling connection between various controllers.
layer uses greedy approach to get the optimum output for that For communication between devices of different partitions
layer. The model is tested on CICDDOS2017 dataset along traffic flow has to be scheduled.
with other models like Support Vector Machine(SVM), Rec-
curent Neural Network(RNN), Spiking Neural Network(SNN),
Feedforward Neural Network(FNN). The DBNIDS performs D. Tier 4
better compared to other models.
Tier 4 is the cloud layer. It consists of data centres and
Authors of [11], mainly analysed four features namely flow
high power servers. A data center has multiple servers that
duration,flow size, flow ratio and flow length during attacks
are connected to each other by LAN cables and connected to
on SDN controllers. They also proposed a new concept called
the internet by a high bandwidth network. Wired networks are
degree of attack. Degree of attack is calculated by taking the
used to connect IoT gateways and data centres.
average of Net Gains of above 4 features. Using the above con-
cept a detection algorithm is proposed which classify a flow IV. DDOS ATTACKS IN IOT
as attack if degree of attack is greater then 0.5. The detected
attacks are further classified into multiple categories by use of As the IoT network is increasing and new devices are getting
K-Nearest Neighbour(KNN) algorithm. Authors in [12], have connected it is becoming more vulnerable to attacks.
proposed a method to improve the fog computing. They have
used Ethereum Blockchain technology and interplanetary file A. Reasons of Security Threats
system (IPFS) to secure the distributed file system. As in [1] [2] the reason for increasingly serious security
problems are given below.

202

Authorized licensed use limited to: San Francisco State Univ. Downloaded on June 18,2021 at 18:11:07 UTC from IEEE Xplore. Restrictions apply.
 Fig. 1. System Model [4].

1) Lacking Security: Manufacturers may compromise se- attacks such as UDP flooding, TCP flooding, NTP flooding,
curity to make the devices easy to use. For example devices DNS flooding.
generally have predefined passwords which are mainly taken 2) Protocol attacks: Protocol attacks exploit vulnerabilities
from a fixed set. These passwords are rarely changed. on the network layer and exhaust target’s resources. For exam-
2) The resource constraints of devices: Another reason for ple an attacker may exploit 3 way handshake protocol starting
less security is because as terminal devices are generally small multiple communications by sending Synchronisation(SYN)
on size and have low power. They can be used for simple signals but not responding to any of the Acknowledgement
calculations and distributed computing but they are not suitable signals.
to implement complex security algorithms. 3) Application attacks: In these attacks, attackers exploit
3) Poor maintenance: IoT devices are rarely maintained the weakness in the defence of various applications. Attackers
which leads to becoming more vulnerable to the latest attacks. may manipulate the input or obtain confidential information
4) Minimal Interactive User Interface: IoT devices have from the application.
either non-interactive or minimal interactive user interface this Attacks like ARP Spoofing and SQL injection come under
leads to infections remaining unnoticed and functioning for a this category.
longer period.
C. DDoS Attacks over Perception Layer
B. Various Categories of DDOS The perception layer is mainly used for data acquisition and
Attackers consume the resources of a target via a DDOS device control. It can also be called the device layer due to
attack so that the resources are not available to actual user the use of many device technologies. The following attacks
causing delayed response and network failure. According are associated with the perception layer.
to [3] (Fig.2). DDOS attack can be further classified into 1) Bootstrapping Attacks: IoT devices need to trust each
following categories: other before sharing confidential data. Therefore a mechanism
1) Volumetric attacks/ Flooding attacks: These attacks are is required to configure two devices during bootstrapping. For
conducted by consuming the bandwidth of the target’s commu- resource constrained devices this may be done using push
nication channel. There are multiple methods to execute these button mechanism. These push buttons when pressed bring

203

Authorized licensed use limited to: San Francisco State Univ. Downloaded on June 18,2021 at 18:11:07 UTC from IEEE Xplore. Restrictions apply.
 2) Reprogramming Networks: Attackers may use some
tools to get access to the source code of an application and
may modify it to disrupt services.

F. Impact of DDoS Attacks on IOT

Globally Industries are adapting to IoT, and due to the
limited computational capacities of the terminal devices, they
are relatively easy to turn into bots. Due to this IOT provides
an Ideal platform for attackers to set up a botnet to control and
execute large-scale DDoS attacks. According to [3], in 2016 a
botnet based on Mirai malware was found. Mirai targeted old
devices without any firmware capabilities. It used a set of 62
commonly used default usernames and passwords and apply a
brute force approach to access the device settings. After few
months, Mirai was available on rent and its source code was
Fig. 2. Categories of DDoS attacks [3]. made public which lead to the introduction of multiple variants
of Mirai.
the devices in distinctive join. Attackers take advantage of V. M ETHODOLOGY
this system and intrude into the system.
Algorithm 1: DDoS attack detection and classification
2) Jamming Attacks: These attacks are executed by dis-
rupting the communication between user devices. This is Filter data for null and redundant values;
done by interfering with the communication signal of user Pre-process data to feed into Model 1(LSTM);
devices. Devices known as jammers are used for this purpose. while Process all fields in the input do
The jammers send signals on the same signal bandwidth and Feed the inputs in model 1;
frequency as the user devices and disrupt the communication. if If the flow is benign then
Allow the data flow;
3) Kill Command Attacks: The password of the terminal
else
devices can be cracked and disabled easily due to its con-
Mark for further classification using Model 2;
strained memory and processing power.
Convert all the marked flows to image data.
D. DDoS Attacks over Transport Layer while Process all fields in the input do
The transport layer consists of multiple heterogeneous trans- Feed the inputs in model 2;
mission technologies. Due to the significant disconnection Classify the fields using the model 2;
between different technologies various vulnerabilities are ex-
The workflow of the algorithm is given in Fig.3. The data
posed.
1) Flooding Attacks: In flooding attacks, huge data is sent is cleaned by removing the redundant and null fields. Next the
across the communication channel by multiple devices that are Data is preprocessed for classification using the available ML
being coordinated by an attacker. Due to this attack network models. Data is divided into into two fields (input and output)
gets crowded and performance is affected. and further divided into training and testing data. Next we
2) Reflection Attacks: In this attack, the attacker sends a propose a two step methodology to identify and classify the
message to the server with a victim’s IP address. Due to this, DDoS attack. First the input data is fed into Long Short Term
the server replies to the victim. If this process is executed Memory(LSTM) model. LSTM model is especially useful to
multiple times then an attack is generated. retain the information across sequence steps. DDoS attacks
3) Amplification Attacks: This is a type of Reflection attack. such as Slow Request/Response attack occur over a period
In this attack, attackers use routers to coordinate the attack. of time and are hard to identify using traditional models but
They spoof the IP address to the victim’s IP address and LSTM can identify them. LSTM model separates the benign
broadcast messages to the destination IP address. For example, data from attack data. Next CNN model is used to classify
the attacker may send a broadcast request to the DNS server attack data into specific categories. CNN model was used as
for lookup from the victim’s ID. thT DNS server will then it can handle classification issues by changing the size of the
unintentionally reply to all the requests of victim’s IP address network. The malicious data is converted to image format so
leading to victim’s resources being consumed. that CNN can capture the nuances of the data. Next CNN takes
the DDoS data and classifies it into different categories.
E. DDoS Attacks over Application Layer
According to [3], [13] DDOS attacks on application layer VI. P ERFORMANCE E VALUATION
target various applications and services available on this layer. We have used the CICDDoS2019 [14] [15] for evaluation.
1) HTTP Flooding Attacks: Attackers send GET or POST This dataset was created by conducting various modern attacks
method from bots to exhaust the resources of the target. and capturing their flow. According to the authors of [14],

204

Authorized licensed use limited to: San Francisco State Univ. Downloaded on June 18,2021 at 18:11:07 UTC from IEEE Xplore. Restrictions apply.
 1) LSTM Model Evaluation: The input for the LSTM
model is converted into a 3-d form (N, Ns, Ni) where n is
the number of flows and Ns is the number of times input is
fed to the model and Ni is the number of inputs. The output
of LSTM model has binary values where 1 shows attack flow
while 0 shows binary flow.

Fig. 4. LSTM Model Accuracy

Fig. 3. DDoS attack Detection and Classification.

special care was taken to create realistic benign data and

background traffic.

A. Performance metrics
Four metrics have been used for the evaluation of our model.
1) Accuracy(A): Accuracy is the ratio of correctly predicted
flows to the total flows.

A = (T rueP ositive + T rueN egative)/(T otalF lows) (1)

2) Loss(L): Loss is a measure of how much the model’s Fig. 5. LSTM Model Loss
predicted answer varies from the correct answer. We have
used crossentropy loss function for our models.
As seen by Fig.4. the accuracy of the LSTM model increases
∑N smoothly and saturates around 98 percent. On the contrary the
J(w) = - ( i=1 [(t) ∗ log(p) + (1 − t) ∗ log(1 − p)]/N )(2) loss of the model decreases smoothly and saturates around
0.07 as seen from Fig.5.
where N,t,p represent the total number of records processed,
2) CNN Model Evaluation: The non-image input to CNN
true value of data and predicted value of data respectively.
layer is converted to image input using the pyDeepInsight
layer [16]. Also the output is classified into various categories
B. Results and Analysis for different DDoS attacks(UDPLag, DNS, LDAP, MSSQL,
We start by preprocessing the data. We load five attack NTP).
data namely(UDPLag, DNS, LDAP, MSSQL, NTP) and then We can see from Fig.6. and Fig.7. that the training for CNN
combine these attack data into a single file. Next, we remove model is not as smooth as the training of the LSTM model it
all the null values and missing values. Then we remove increases varyingly and saturates around 86 percent. Similarly
features from the dataset that do not contribute to decision the loss of the CNN model is also not very smooth and it
making. reaches saturation around 0.50.

205

Authorized licensed use limited to: San Francisco State Univ. Downloaded on June 18,2021 at 18:11:07 UTC from IEEE Xplore. Restrictions apply.
 [4] M. Prasenjit , K. A. Hemant, S. Bibhudatta, K. T. Ashok, ”An effective
approach of latency-aware fog smart gateways deployment for IoT
services,” in Internet of Things, Volume 8, 2019, 100091, ISSN 2542-
6605.
[5] Y. Jia, F. Zhong, A. Alrawais, B. Gong and X. Cheng, ”FlowGuard:
An Intelligent Edge Defense Mechanism Against IoT DDoS Attacks,”
in IEEE Internet of Things Journal, vol. 7, no. 10, pp. 9552-9562, Oct.
2020, doi: 10.1109/JIOT.2020.2993782.
[6] R. Hwang, M. Peng, C. Huang, P. Lin and V. Nguyen, ”An Unsupervised
Deep Learning Model for Early Network Traffic Anomaly Detection,”
in IEEE Access, vol. 8, pp. 30387-30399, 2020, doi: 10.1109/AC-
CESS.2020.2973023.
[7] N. Ravi and S. M. Shalinie, ”Learning-Driven Detection and Mitigation
of DDoS Attack in IoT via SDN-Cloud Architecture,” in IEEE Internet
of Things Journal, vol. 7, no. 4, pp. 3559-3570, April 2020, doi:
10.1109/JIOT.2020.2973176.
[8] R. Monika et al. Multi-objective-based feature selection for DDoS attack
detection in IoT networks, in IET Networks 9 (2020): 120-127.
[9] D. Shubhra, V. Manu and T. Sarsij (2020), ”Defense against dis-
Fig. 6. CNN Model Accuracy tributed DoS attack detection by using intelligent evolutionary algo-
rithm,” in International Journal of Computers and Applications, DOI:
10.1080/1206212X.2020.1720951.
[10] S. Manimurugan, S. Al-Mutairi, M. M. Aborokbah, N. Chilamkurti,
S. Ganesan and R. Patan, ”Effective Attack Detection in Internet of
Medical Things Smart Environment Using a Deep Belief Neural Net-
work,” in IEEE Access, vol. 8, pp. 77396-77404, 2020, doi: 10.1109/AC-
CESS.2020.2986013.
[11] S. Dong and M. Sarem, ”DDoS Attack Detection Method Based
on Improved KNN With the Degree of DDoS Attack in Software-
Defined Networks,” in IEEE Access, vol. 8, pp. 5039-5048, 2020, doi:
10.1109/ACCESS.2019.2963077.
[12] Bhalaji, N. et.al. ”Fog ComputngA Rasperry P Decentralzed Network,”
in Journal ofInformation Technology 2, no. 01 (2020): 27-42
[13] G. A. Jaafar, S. M. Abdullah, S. Ismail, ”Review of Recent Detection
Methods for HTTP DDoS Attack,” in Journal of Computer Networks
and Communications, vol. 2019, Article ID 1283472, 10 pages, 2019.
https://doi.org/10.1155/2019/1283472
[14] Ddos evaluation dataset, https://www.unb.ca/cic/datasets/ddos-
2019.html, 2019.
[15] I. Sharafaldin, A. H. Lashkari, S. Hakak, and A. A. Ghorbani, De-
veloping realistic distributed denial of service (ddos) attack dataset
Fig. 7. CNN Model Loss and taxonomy, in 2019 International Carnahan Conference on Security
Technology (ICCST). IEEE, 2019, pp. 18
[16] Sharma, A., Vans, E., Shigemizu, D. et al. ”DeepInsight: A methodology
to transform a non-image data to an image for convolution neural network
VII. C ONCLUSION architecture,” in Sci Rep 9, 11399 (2019). https://doi.org/10.1038/s41598-
In this paper, we have adopted a fog layer architecture and 019-47765-6
Deep Learning based methodology for real-time DDOS attack
detection. We have proposed two models for DDoS attack
identification and detection respectively. Our first model uses
LSTM and trains on its features to classify real-time data as
malicious or benign with an accuracy of 98 percent. Next,
we convert flow data to image data and then train the model
using CNN and classify it into different attack categories with
an accuracy of 86 percent. In the future work, we will try to
increase accuracy and efficiency by decreasing the number of
training features. We will also try other models for evaluation.
R EFERENCES
[1] H. Wu, H. Han, X. Wang and S. Sun, ”Research on Artificial Intelligence
Enhancing Internet of Things Security: A Survey,” in IEEE Access, vol.
8, pp. 153826-153848, 2020, doi: 10.1109/ACCESS.2020.3018170.
[2] T. Mahjabin, Y. Xiao, T. Li and C. L. P. Chen, ”Load Distributed and
Benign-Bot Mitigation Methods for IoT DNS Flood Attacks,” in IEEE
Internet of Things Journal, vol. 7, no. 2, pp. 986-1000, Feb. 2020, doi:
10.1109/JIOT.2019.2947659.
[3] A. Lohachab and B. Karambir, ”Critical Analysis of DDoSAn Emerging
Security Threat over IoT Networks,” in Journal of Communications
and Information Networks, vol. 3, no. 3, pp. 57-78, Sept. 2018, doi:
10.1007/s41650-018-0022-5.

206

Authorized licensed use limited to: San Francisco State Univ. Downloaded on June 18,2021 at 18:11:07 UTC from IEEE Xplore. Restrictions apply.