Detection of DDoS Attacks Using Variational Autoencoder-Based Deep Neural Network

Agripah Kandiero, Panashe Chiurunge, Jacob Munodawafa
Copyright: © 2023 | Pages: 40
DOI: 10.4018/979-8-3693-0593-5.ch017

Abstract

Distributed denial of service (DDoS) attacks are one of the most commonly used tools for disrupting web services. DDoS is used by groups of diverse backgrounds with diverse motives. To counter DDoS, machine learning-based detection systems have been developed. This chapter proposes a variational autoencoder (VAE) based deep neural network (VAE-DNN) classifier that can be trained on an unbalanced dataset without feature engineering. A variational autoencoder is a type of deep neural network that learns the underlying distribution of computer network flows and models how the benign and DDoS classes were generated. Because a VAE model learns the distribution of the classes within the dataset, it also learns how to separate them. The variational autoencoder-based classifier can scale to any data size. A deep neural network, quadratic discriminant analysis (QDA), and linear discriminant analysis (LDA) decision boundaries are applied to the latent representation of network traffic to classify the flows. The DNN shows the highest precision and recall of the three classifiers.
Chapter Preview

1. Introduction

1.1 Background of the Research Problem

Malicious actors and their activities have found space on the internet. As the internet has come to be used to access services of all kinds, malicious actors bent on disrupting those services have followed. All organisations that offer web-based services are vulnerable to DDoS attacks. Financial services, commerce, news, politics and entertainment are now accessible through the internet. Malicious actors with diverse motives target web-based servers, intending to bring down the services or at least degrade the quality of service offered to genuine customers. One of the most common ways of disrupting a web-based service is Distributed Denial of Service (DDoS). The malicious actors attempt to bring down, or at least slow down, a service by overwhelming the server’s resource limits in terms of CPU, memory or network bandwidth. Attackers launch DDoS attacks by exploiting, in one way or another, protocols found at the Application, Transport and Network layers of the TCP/IP protocol suite. All network communication devices implement the TCP/IP protocols when they communicate. The Internet of Things has dramatically increased the number of online devices, so the number of devices that can be recruited into botnets and then used to amplify DDoS attacks is huge (Kim, 2020). The TCP/IP model, like the OSI model, was not built with security in mind. When these models were proposed, the motivations behind most current cyber-attacks were far less prevalent than they are today, since there was very little online activity then. Most network-capable devices, such as IoT terminals, were also not built with the required focus on security. These appliances are, therefore, easily targeted and recruited to increase the size of botnets. Effective network intrusion detection systems are needed to counter the many possible DDoS attack vectors.

Malicious actors have various ways of implementing DDoS attacks. A botnet, a network of compromised, remotely controlled computers, is commonly used to launch DDoS attacks (Khan, 2019). Other malicious actors amplify their DDoS attacks by making computers in various network broadcast domains send packets to a server at the same time, choking the server’s processing capacity and resources. The malicious actors evolve their attack mechanisms as technology evolves. Early botnets used the Internet Relay Chat (IRC) protocol to relay instructions from the botmaster to the bots using a client-server networking model. Botnets then moved to the peer-to-peer (P2P) protocol before HTTP became the most commonly used protocol (Kim, 2020). In 2016 a botnet called Mirai took control of hundreds of thousands of Internet of Things (IoT) devices, resulting in a widespread loss of Internet access in the USA. The botnet managed to recruit a large number of IoT devices that used default login credentials for the Telnet protocol. On 29 January 2018, three Dutch banks, ABN AMRO, ING Bank and Rabobank, were hit by DDoS attacks, resulting in the loss of internet banking and the inaccessibility of their websites. In 2016 Twitter, SoundCloud, Spotify, and Shopify all went down after a DDoS attack was launched against the cloud domain hosting company Dynamic DNS (Bonguet, 2017). With DDoS defence and mitigation systems, the time from the launch of an attack to its mitigation is limited (Wangy, 2017).

DDoS attacks cause loss of revenue to service providers and cause inconvenience and frustration to customers as services become inaccessible. A DDoS detection and mitigation strategy is called for as part of a cybersecurity strategy. Cybersecurity focuses on preventing, detecting and reacting to threats and attacks timeously (Darko Galinec, 2017). This research offers a solution for detecting DDoS attacks. The system built can be adapted to form part of a broader cybersecurity strategy. Since the launching of DDoS attacks cannot be prevented, detecting DDoS timeously with high precision is the best that can be done. However, for high-precision models to be trained, the dataset needs to be balanced, and for network intrusion detection and DDoS attack detection in general, correctly balanced datasets are hard to get. Some techniques for balancing the dataset before model training have been explored. The methods adopted to balance datasets, which include under-sampling the majority class and oversampling the minority class, are discussed in Section 2, Literature Review. It is also essential that DDoS detection systems be scalable, so that the trained models can handle the extensive network traffic data associated with the Internet and the evolving Internet of Things. Traditional machine learning classifiers fall short on scalability, besides requiring that the dataset be balanced before the model is trained. The data-balancing techniques currently adopted are reviewed, and it is shown how the VAE offers an alternative way of dealing with unbalanced datasets. The scalability that cannot be achieved by traditional machine learning techniques is achieved by the VAE, because it uses mini-batch stochastic gradient descent when updating weights during training. The re-parameterization trick, which makes stochastic gradient training possible with a VAE, is explained in Section 2, Literature Review.
The continually evolving nature of DDoS attacks is addressed by the deep neural network nature of a variational autoencoder, which makes a VAE automatically learn new patterns in network flows. Reliable datasets usable for training intrusion detection models are hard to get. In this research, the CICIDS 2017 dataset is used to train a VAE DDoS detector.
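As an added illustration, not the chapter's own code or its CICIDS 2017 experiment, the following Python sketches the pipeline the abstract describes on constructed 2-D latent codes: the re-parameterization trick z = mu + sigma * eps, then an LDA decision boundary fitted in the latent space and scored with precision and recall on a 9:1 unbalanced benign/DDoS set. The data, the latent centres and the names make_flows, fit_lda, lda_predict and run are assumptions of this example.

```python
import math
import random

# Constructed latent codes (not from the chapter's dataset): each flow's encoder output is
# (mu, log_var) in a 2-D latent space; benign flows sit near (-1, 0), DDoS flows near (3, 2).
random.seed(7)

def make_flows(centre, n, label):
    return [([centre[0] + random.gauss(0, 0.4), centre[1] + random.gauss(0, 0.4)],
             [-2.0, -2.0], label) for _ in range(n)]

FLOWS = make_flows((-1, 0), 90, 0) + make_flows((3, 2), 10, 1)  # 9:1 class imbalance

def reparameterize(mu, log_var, eps):
    """z = mu + sigma * eps: the randomness lives in eps, so gradients reach mu and log_var."""
    return [m + math.exp(0.5 * lv) * e for m, lv, e in zip(mu, log_var, eps)]

def fit_lda(samples):
    """LDA on latent points: per-class means, pooled 2x2 covariance and class priors."""
    by_class = {k: [z for z, y in samples if y == k] for k in (0, 1)}
    means = {k: [sum(z[i] for z in zs) / len(zs) for i in range(2)] for k, zs in by_class.items()}
    cov = [[0.0, 0.0], [0.0, 0.0]]
    for k, zs in by_class.items():
        for z in zs:
            d = [z[0] - means[k][0], z[1] - means[k][1]]
            for i in range(2):
                for j in range(2):
                    cov[i][j] += d[i] * d[j] / (len(samples) - 2)
    det = cov[0][0] * cov[1][1] - cov[0][1] * cov[1][0]
    inv = [[cov[1][1] / det, -cov[0][1] / det], [-cov[1][0] / det, cov[0][0] / det]]
    priors = {k: len(zs) / len(samples) for k, zs in by_class.items()}
    return means, inv, priors

def lda_predict(model, z):
    """Linear discriminant z.S^-1.mu_k - 0.5 mu_k.S^-1.mu_k + log pi_k; the prior term carries the imbalance."""
    means, inv, priors = model
    def score(k):
        w = [sum(inv[i][j] * means[k][j] for j in range(2)) for i in range(2)]
        return sum(z[i] * w[i] for i in range(2)) - 0.5 * sum(means[k][i] * w[i] for i in range(2)) + math.log(priors[k])
    return max((0, 1), key=score)

def precision_recall(model, samples):
    preds = [(lda_predict(model, z), y) for z, y in samples]
    tp = sum(1 for p, y in preds if p == y == 1)
    return tp / sum(p for p, _ in preds), tp / sum(y for _, y in preds)

def run():
    # Sample one z per flow, fit the LDA boundary in latent space, score the DDoS (minority) class.
    latent = [(reparameterize(mu, lv, [random.gauss(0, 1), random.gauss(0, 1)]), y) for mu, lv, y in FLOWS]
    return precision_recall(fit_lda(latent), latent)
```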
