Title:
Devising a hybrid approach for near real-time DDoS detection in IoT

Publisher

Elsevier Ltd

Abstract

DDoS attacks have impacted businesses financially and damaged their market reputation. Entropy variation and machine learning are two popular measures for DDoS detection in the literature. Entropy-based detection takes fewer resources yet needs a longer time to detect the attack and produces a high false positive rate. Meanwhile, traditional machine learning classifiers churn out more accurate classification but need ample resources to process huge volumes of data. Since IoT devices generally generate large amounts of data, training ML classifiers with all of the data is impractical. This paper presents an overview of the practical merits and demerits of the entropy-based detection approach and of ML-based detection. We propose a two-tier hybrid approach for IoT networks that employs entropy variation in the first tier to filter the attack traffic from benign traffic. The remaining, reduced volume of supposedly benign data is then fed to the second tier, which is an ML-based detection approach. We have utilized the CICDDoS2019 dataset to illustrate our notions and perform the evaluation. The proposed approach yielded a 99.99% f1-score in the second cycle of training and prediction. It gives the first response in comparatively less time than the ML classifiers and significantly reduces the false positive rate compared to entropy-based detection. The proposed detection process is also found to take fewer resources. The findings of the analysis were validated on the CICIoT2023 dataset, which resulted in similar performance. The proposed approach is compared with peer IDSs, and the results indicate the effectiveness of our approach. © 2024 Elsevier Ltd
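The following is an added illustration of the first tier described in the abstract, written here as example code; it is not the paper's implementation and does not use the CICDDoS2019 or CICIoT2023 datasets. It assumes count-based packet windows (100 packets each), a baseline threshold of mean minus three standard deviations of per-window destination-IP entropy over benign traffic, and constructed (src, dst) traffic in which one window is a single-target flood. Windows whose entropy collapses below the threshold are dropped as attack traffic; everything else is summarised into per-source feature rows as the reduced input for the ML tier, which is the data-volume reduction the paper relies on.

```python
"""Tier-1 entropy filter of a two-tier DDoS detector, on constructed traffic."""
import math
import statistics
from collections import Counter

WINDOW = 100     # packets per window (assumption: count-based windows)
K_SIGMA = 3.0    # flag windows more than K_SIGMA std devs below the baseline mean


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    total = len(values)
    counts = Counter(values)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def window_entropies(packets, window=WINDOW):
    """Destination-IP entropy for each full window of (src, dst) packets.

    A trailing partial window is ignored."""
    return [
        shannon_entropy([dst for _, dst in packets[i:i + window]])
        for i in range(0, len(packets) - window + 1, window)
    ]


def learn_threshold(baseline_packets, k=K_SIGMA, window=WINDOW):
    """Baseline threshold: mean - k * std of per-window entropy on benign traffic."""
    ents = window_entropies(baseline_packets, window)
    return statistics.mean(ents) - k * statistics.pstdev(ents)


def tier1_filter(packets, threshold, window=WINDOW):
    """Return (indexes of flagged windows, packets passed on to tier 2).

    A volumetric flood concentrates packets on one destination, so the
    destination entropy of that window drops far below the benign baseline."""
    flagged, passed = [], []
    for w, i in enumerate(range(0, len(packets) - window + 1, window)):
        chunk = packets[i:i + window]
        if shannon_entropy([dst for _, dst in chunk]) < threshold:
            flagged.append(w)
        else:
            passed.extend(chunk)
    return flagged, passed


def tier2_features(packets):
    """Per-source feature rows for the ML tier (constructed feature set):
    packet count and number of distinct destinations per source."""
    count, dsts = Counter(), {}
    for src, dst in packets:
        count[src] += 1
        dsts.setdefault(src, set()).add(dst)
    return {src: {"packets": count[src], "distinct_dsts": len(dsts[src])} for src in count}


# --- constructed traffic (not captured data) --------------------------------

def benign_window(i, window=WINDOW):
    """Benign window i: 50 internal clients talking round-robin to 14..20 servers."""
    active = 14 + (i % 7)
    return [(f"192.168.1.{(k * 13 + i) % 50 + 1}", f"10.0.0.{(k + i) % active + 1}")
            for k in range(window)]


def attack_window(window=WINDOW):
    """Flood: all but five packets target one server from many (spoofed) sources."""
    pkts = [(f"203.0.113.{k % 250 + 1}", "10.0.0.7") for k in range(window - 5)]
    pkts += [(f"192.168.1.{k + 1}", f"10.0.0.{k + 1}") for k in range(5)]
    return pkts


def run_demo():
    """Learn a baseline, then filter 10 live windows of which window 6 is a flood."""
    baseline = [p for i in range(21) for p in benign_window(i)]
    threshold = learn_threshold(baseline)
    live = [p for i in range(21, 27) for p in benign_window(i)]   # windows 0..5
    live += attack_window()                                       # window 6
    live += [p for i in range(27, 30) for p in benign_window(i)]  # windows 7..9
    flagged, for_tier2 = tier1_filter(live, threshold)
    return {
        "threshold_bits": round(threshold, 3),
        "flagged_windows": flagged,
        "live_packets": len(live),
        "tier2_packets": len(for_tier2),
        "tier2_rows": len(tier2_features(for_tier2)),
    }


if __name__ == "__main__":
    print(run_demo())
```

The flood window's destination entropy is about 0.4 bits against a benign baseline near 4 bits, so it is dropped and 900 of the 1000 live packets (collapsed to 50 per-source rows) reach the ML tier. The same entropy collapse also happens for a legitimate burst toward one server, which is the false-positive weakness of a purely entropy-based detector that the abstract describes; the learned threshold and the second tier are what keep that from being the final verdict.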