Graduate student: Fang, Chun-Chi (方鈞麒)
Thesis title: Detecting DDoS Attacks from IoT Devices Through Deep Learning with Weighted Timestamp in SDN
Advisor: Tsai, Meng-Hsun (蔡孟勳)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2020
Academic year of graduation: 108
Language: English
Number of pages: 35
Keywords: Deep learning, Distributed Denial-of-Service (DDoS) attack, Internet of Things (IoT), Recurrent Neural Network (RNN), Software Defined Network (SDN)
    With the rapid development of Internet of Things (IoT) technology, it is estimated that tens of billions of devices will be connected in the next few years. Unfortunately, such a large number of connected devices is likely to become a target for attackers, who compromise the devices and use them to launch network attacks such as Distributed Denial-of-Service (DDoS) attacks. To detect network attacks, which are time-series related, a Recurrent Neural Network (RNN) can describe and classify the time-series relationships of multi-dimensional input data. However, if the data sequence is long, the model may suffer from the vanishing gradient problem during backpropagation, which leads to incorrect learning results. In addition, an RNN treats the data at every time step equally and therefore responds slowly to sudden attacks, which makes it poorly suited to real-time detection.

    For feature extraction, previous studies usually use 5-tuple flow data. However, we observe from open-source DDoS attack data sets that attack traffic constantly changes its source port, which keeps generating new 5-tuple flow entries. In this case, it is difficult to collect enough historical information for recognition. In this thesis, building on RNNs, we propose collecting 4-tuple flow-based features to generate enough historical data for recognition. In addition, symmetric features are collected to make effective use of the asymmetry property of DDoS attacks. Moreover, for better model training, we use a Gated Recurrent Unit (GRU) layer to deal with the vanishing gradient problem, and introduce a modified attention mechanism with an exponentially weighted moving average to assign different weights to the data at each time step. Compared with previous works, our method requires only 15% of the parameters to achieve 99.7% accuracy.

    Chinese Abstract
    Abstract
    Acknowledgements
    Contents
    List of Tables
    List of Figures
    1 Introduction
    2 Related Works
    3 Proposed Scheme
    3.1 Network Architecture
    3.2 Feature Extraction
    3.3 bi-GRU-WT Model
    3.3.1 Bi-GRU layer
    3.3.2 Timestamp-weighted layer
    4 Performance Evaluation
    4.1 Experimental environment
    4.2 Validating the proposed scheme
    4.3 Comparing Performance of different ML models
    4.4 Comparing with existing work using UNB data set
    5 Conclusions
    References

    Download: on campus, public from 2025-08-10
    Off campus, public from 2025-08-10