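Graduate student: Chen, Chun-Yu (陳俊佑)
Thesis title: Detecting DDoS Attacks for IoT through Machine Learning
Advisor: Tsai, Meng-Hsun (蔡孟勳)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2021
Academic year of graduation: 109
Language: English
Number of pages: 41
Chinese keywords: distributed denial-of-service attack, software-defined networking, machine learning, recurrent neural network
Foreign-language keywords: DDoS, SDN, Machine Learning, Recurrent Neural Network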
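  • With advances in wired and wireless communication technologies, the number of IoT devices keeps growing.
    One cause of distributed denial-of-service (DDoS) attacks is that hackers compromise large numbers of IoT devices that lack security protection, turn them into a botnet, and command them to attack specific hosts or services.
    We adopt a software-defined networking (SDN) architecture and add a DDoS detection module to manage all IoT devices and collect information on their incoming and outgoing packets.
    With the help of SDN-based management, flow-based DDoS detection is better suited to the IoT.

    This thesis proposes an architecture that adds more timesteps to flows, across different machine learning models, to detect DDoS attacks in the IoT.
    On a private IoT testing dataset, we find that the bi-GRU model with five timesteps (5-timestep) and a 3-tuple index achieves 100% accuracy.
    From the machine learning models that other papers recommend for DDoS detection, we selected four outstanding models and found that both the random forest and bi-GRU models achieve 100% accuracy.
    In addition, if the 3-tuple index is converted to source IP address, destination IP subnet, and protocol number, detection accuracy on unknown DDoS attacks reaches 80%.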

    With the advancement of wired and wireless communication technologies, the number of Internet of Things (IoT) devices keeps growing.
    Hackers exploit large numbers of IoT devices that lack security protection, using them for specific purposes.
    To ease the problem, we adopt the SDN architecture to manage the IoT devices with a DDoS detection module.
    A distributed denial-of-service (DDoS) attack is an enhanced denial-of-service (DoS) attack and is one of the common uses of these hacked devices.
    DoS and DDoS attack detection has over 20 years of development history, and the flow-based method is more suitable for IoT.

    In this paper, we propose a timestep architecture for different machine learning models and identify a suitable model and parameters for IoT.
    We find that the bi-GRU model with 5 timesteps (25 s) and a 3-tuple index achieves 100% accuracy on the private NTHU IoT testing dataset.
    We select 4 outstanding models from the related work and find that the random forest and bi-GRU models achieve 100% accuracy.
    In addition, detection accuracy on unknown DDoS attacks is up to 80% if we transform the flows' 3-tuple format into source IP, destination subnet, and protocol number.

    Contents: Introduction; Related Work; Proposed Method; Performance Evaluation; Conclusion; References

