Neural Network-Based DDoS Attack Detection in the Context of Unbalanced Classes: A Comparative Study of Resampling Methods
Kalala Kanyinda Norbert *
Université Pédagogique Nationale, Kinshasa, Republic of the Congo.
Kafunda Katalayi Pierre
Université Pédagogique Nationale, Kinshasa, Republic of the Congo.
*Author to whom correspondence should be addressed.
Abstract
Cyberattacks have been steadily increasing for the past twenty years. DDoS attacks, in particular, represent one of the greatest threats to organizations. A DDoS attack aims to render an information system's resources unavailable by overwhelming them with numerous requests originating from networks known as "botnets."
In this study, we propose an automatic DDoS attack detection model based on neural networks. The objective is to classify network traffic into two categories: normal traffic and abnormal traffic. However, in real-world scenarios, abnormal cases are often marginal within network traffic, leading to class imbalance. Most machine learning algorithms tend to predict the majority of normal cases more accurately. To mitigate the negative effects of this imbalance, methods exist to rebalance the classes before training the model. Among these, we can mention: 1) the choice of evaluation metrics, 2) data resampling, and 3) algorithm tuning. In this work, we opted for the resampling method to balance the data.
The study was conducted within the Department of Mathematics and Computer Science at the National Pedagogical University of the Democratic Republic of Congo.
In this study, we used the "unbalaced_20_80_dataset.csv" data from the Kaggle platform. This data shows an imbalance between normal (benign) cases, representing 80%, and DDoS attacks, representing 20%. Resampling was performed to rebalance the classes. After training the model using oversampled, undersampled, and hybrid sampling data, the results revealed few differences in the outcomes obtained. However, the model trained with oversampled data using the SMOTE technique demonstrated better learning and generalization capabilities to new data.
Conclusion: Detecting DDoS attacks presents a significant challenge for organizations. A neural network-based DDoS detection model appears to be a reliable and effective solution to this threat. By using unbalanced class data to train the model, we simulated real-world conditions where anomalous cases are rare and in the minority. Therefore, resampling was necessary to avoid bias. The model trained with oversampled data using the SMOTE technique yielded better results in terms of learning speed and its ability to generalize to unknown data.
Keywords: DDoS attack detection, neural network, oversampling, undersampling, backpropagation of gradient, confusion matrix, SMOTE, random undersampling