dc.contributor.author: Kirabo, Bruno Kabuga
dc.date.accessioned: 2023-09-19T09:31:22Z
dc.date.available: 2023-09-19T09:31:22Z
dc.date.issued: 2023-07
dc.identifier.citation: Kirabo, B. K. (2023). Detection of botnet attacks in real-time using machine learning; unpublished dissertation, Makerere University [en_US]
dc.identifier.uri: http://hdl.handle.net/20.500.12281/16410
dc.description: A final year project report submitted in the partial fulfillment of the requirements for the award of the degree of Bachelor of Science in Computer Engineering of Makerere University [en_US]
dc.description.abstract: Distributed Denial of Service (DDoS) attacks have become a major threat to current computer networks. DDoS attacks are still some of the most sophisticated attacks, carried out with the use of Botnets, which are interconnected computers that are controlled as a group by a Botmaster (a super computer) and used to carry out the attacks. Botmasters have evolved with technology and have come up with new techniques like packet encryption and obfuscation, which would render packet inspection techniques unable to detect the malicious packets anymore. Based on the reviewed literature, machine learning techniques employed in the detection of DDoS attacks use outdated datasets and are not deployed in real time on physical networks but rather on simulated networks. A dataset was generated using a network emulation tool called Mininet, and a model was then trained using the best classification algorithms, which were combined using an ensemble technique called Stack Generalization to achieve great accuracy. Finally, the model was tested on a live network, which confirmed that it could detect DDoS attacks in real time. A physical network containing four computers was set up: one server and 3 clients. We deployed the model on the server and used 2 of the clients to attack the server. It detected the attack in 1.5 minutes. The model deployed on a live network detected UDP flood attacks the quickest, followed by TCP SYN flood attacks and finally ICMP flood attacks. [en_US]
dc.language.iso: en [en_US]
dc.publisher: Makerere University [en_US]
dc.subject: Botnet attacks [en_US]
dc.subject: Machine learning [en_US]
dc.title: Detection of botnet attacks in real-time using machine learning [en_US]
dc.type: Thesis [en_US]

