DDOS Detection on Internet of Things Using Unsupervised Algorithms





Distributed denial of service (DDOS), internet of things (IOT), machine learning algorithms, transmission control protocol (TCP), user datagram protocol (UDP), security


The increase in the deployment of IOT networks has improved productivity of humans and organisations. However, IOT networks are increasingly becoming platforms for launching DDOS attacks due to inherent weaker security and resource-constrained nature of IOT devices. This paper focusses on detecting DDOS attack in IOT networks by classifying incoming network packets on the transport layer as either “Suspicious” or “Benign” using unsupervised machine learning algorithms. In this work, two deep learning algorithms and two clustering algorithms were independently trained for mitigating DDOS attacks. Emphasis was laid on exploitation based DDOS attacks which include Transmission Control Protocol SYN-Flood attacks and UDP-Lag attacks. Mirai, BASHLITE and CICDDOS2019 datasets were used in training the algorithms during the experimentation phase. The accuracy score and normalized-mutual-information score are used to quantify the classification performance of the four algorithms. Our results show that the autoencoder performed overall best with the highest accuracy across all the datasets.


Download data is not yet available.

Author Biographies

Victor Odumuyiwa, Department of Computer Science, University of Lagos, Nigeria

Victor Odumuyiwa obtained his Ph.D. in 2010 from Nancy 2 University in France. He was an ETT fellow at the Massachusetts Institute of Technology, Boston, USA in 2013. He is a certified security intelligence analyst and application security analyst. He is also a member of the Global EPIC eco-system centred on innovation and cyber security. His research centres on Web Intelligence and Cyber Security. He is a Senior Lecturer at the Department of Computer Science, University of Lagos, Nigeria.

Rukayat Alabi, Department of Computer Science, University of Lagos, Nigeria

Rukayat Alabi is a business analyst and also an aspiring Ph.D. student in Computer science. She was part of the team that developed the pensioner automated system used currently in Nigeria. She is certified in the following: MCSA, ITIL, MOS Master, MCE and IC3. Her research area currently covers security in internet of things and positive impacts of technology in business.


Shirazi, “Evaluation of anomaly detection techniques for scada communication resilience,” IEEE Resilience Week, 2016.

N. Mirai, “mirai-botnet,” 2016. [Online]. Available: https://www.cyber.nj.gov/threat-profiles/botnetvariants/mirai-botnet. [Accessed 31 December 2019].

H. Zhou, B. Liu and D. Wang, “Design and research of urban intelligent transportation system based on the Internet of Things,” Internet of Things, pp. 572–580, 2012.

S. Lim, S. Yang and Y. Kim, “Controller scheduling for continued SDN operation under DDOS attacks,” Electronic Letter, pp. 1259–1261, 2015.

A. Buczak and E. Guven, “A survey of data mining and machine learning methods for cyber security intrusion detection,” IEEE Communications Surveys & Tutorials, vol. 18.2, 2016.

P. Baldi, “Autoencoders, Unsupervised Learning, and Deep Architectures,” Proceedings of ICML workshop on unsupervised and transfer learning, 2012.

R. Doshi, N. Apthorpe and N. Feamster, “Machine Learning DDOS Detection for Consumer Internet of Things Devices,” IEEE Deep Learning and Security Workshop, 2018.

Q. Yan, F. Yu and Q. Gong, “Sotware defined networking and Distributed denial of service attacks in cloud computing environments,” IEEE Communications Survey & Tutorial, no. 18, pp. 602–622, 2016.

N. Z. Bawany, J. A. Shamsi and K. Salah, “DDOS Attack Detection and Mitigation Using SDN,” Arabian Journal for Science & Engineering, no. 2, pp. 1–19, 2017.

B. Kang and H. Choo, “An SDN-enhanced load-balancing technique in the cloud system[J].,” Journal of Supercomputing, pp. 1–24, 2016.

O. Osanaiye and D. M. Choo, “Distributed denial of service (DDOS) resilience in cloud,” Journal of Network & Computer Applications, pp. 147–165, 2016.

H. Luo, Z. Chen and J. Li, “Preventing Distributed Denial-of-Service Flooding Attacks With Dynamic Path Identifiers[J],” IEEE Transactions on Information Forensics & Security, pp. 1801–1815, 2017.

U. Dick and T. Scheffer, “Learning to control a structured-prediction decoder for detection of HTTP-layer DDOS attackers,” in Machine Learning, 2016, pp. 1–26.

Z. Gao and N. Ansari, “Differentiating Malicious DDOS Attack Traffic from Normal TCP Flows by Proactive Tests[J],” Communications Letters IEEE, pp. 793–795, 2006.

K. Borisenko, A. Rukavitsyn and A. Gurtov, “Detecting the Origin of DDOS Attacks in OpenStack Cloud Platform Using Data Mining Techniques[M]// Internet of Things,” Smart Spaces, and Next Generation Networks and Systems, 2016.

N. Hoque, D. Bhattacharyya and J. Kalita, “Botnet in DDOS Attacks: Trends and Challenges[J],” IEEE Communications Surveys & Tutorials, pp. 1–1, 2015.

A. Saeed, R. E. Overill and T. Radzik, “Detection of known and unknown DDOS attacks using Artificial Neural Networks,” Neurocomputing, pp. 385–393, 2016.

S. Ramanauskaite, N. Goranin and A. Cenys, “Modelling influence of Botnet features on effectiveness of DDOS attacks[J],” Security & Communication Networks, pp. 2090–2101, 2015.

C. Buragohain, M. J. Kaita, S. Singh and D. K. Bhattacharyya, “Anomaly based DDOS attack detection,” International Journal of Computer Applications, pp. 35–40, 2015.

A. Aggarwal and A. Gupta, “Survey on data mining and IP traceback technique in DDOS attack,” International Journal of Engineering and computer science, vol. 4(6), pp. 12595–12598, 2015.

G. Nadiammai and M. Hemalatha, “Effective approach towards intrusion detection system using data mining technique,” Egyptian Informatics Journal, vol. 15(1), pp. 37–50, 2014.

Y. A. Mahmood, “Autoencoder-based feature learning for cybersecurity applications,” International Joint Conference on Neural Networks (IJCNN), 2017.

S. Yadav and S. Subramanian, “Detection of Application Layer DDOS attack by feature learning using Stacked AutoEncoder,” International Conference on Computational Techniques in Information and Communication Technologies (ICCTICT), 2016.

A. Fischer and C. Igel, “An introduction to restricted Boltzmann machines. In Ibero American congress on pattern recognition,” Springer, Berlin, Heidelberg, pp. 14–36, 2012.

V. G. Ryzin and G. Vulcano, “An expectation maximization method to estimate a rank-based,” 2017.

D. Ferreiraetal, “Extreme Dimensionality Reduction for Network Attack Visualization with Autoencoders,” International Joint Conference on Neural Networks (IJCNN), 2019.

I. Sharafaldin, A. H. Lashkari, S. Hakak and A. Ghorbani, “Developing Realistic Distributed Denial of Service (DDOS) Attack Dataset and Taxonomy,” International camahan conference on security (ICCST). IEEE, pp. 1–8, 2019.

Y. Meidan, M. Bohadana, Y. Mathov, Y. Mirsky and Shabtai, “Network based detection of IOT botnet attacks using deep autoencoders,” IEEE Pervasive Computing, pp. 12–22, 17(3).

C. Elkan, “Using the triangle inequality to accelerate k-means,” ICML-03, pp. 147–153, 2003.

B. Barricelli and E. Casiraghi, “A Survey on Digital Twin: Definitions, Characteristics, Applications, and Design Implication,” IEEE Acces, vol. 7, pp. 167653–167671, 2019.






Emerging Trends in Cyber Security and Cryptography