Real-time DDoS detection based on predictive multi- and polyscale metrics for cyber-physical systems internet traffic
Terrazas Gonzalez, Jesus David
This research investigates the appropriateness of Information-Theoretic-Based (ITB) metrics, compliant with finite sense stationarity (FSS) and derived from the Variance Fractal Dimension Trajectory (VFDT), for augmenting network security against traffic anomalies. Of the many distinct cyberattack types (infection, exploitation, probing, deception, cracking, concurrency, and unknown), this research focuses on those stemming from concurrency, and specifically on Distributed Denial-of-Service (DDoS) cyberattacks. The design and application of robust methodologies and metrics that yield powerful descriptors is pursued. The strength of ITB metrics, already applied in other research areas such as steganography, is a robust justification for this study. The use of ITB metrics rooted in multi- and polyscale analysis for detecting network disruptions is novel in the network security area. This thesis introduces a novel multiscale analysis methodology, multiscalors, which permits arbitrary operators and transforms to be applied in the multiscale domain for inspecting complex signals. Multiscalors provide an analysis depth and insight into the signals that far exceeds what monoscale-based analyses offer. Multiscale-based metrics have been scarcely utilized in the cybersecurity ecosystem. This thesis also showcases specific applications of metrics and methodologies powered by multiscale analysis for DDoS detection. The methodology presented formulates robust features, based on multi- and polyscale analysis, and successfully classifies DDoS disruptions.
This methodology integrates knowledge from: (i) data acquisition, by verifying DDoS instances and deriving complementary data from them; (ii) design and implementation of ITB metrics based on multiscalor operators; (iii) feature extraction, by applying such metrics to the PREDICT datasets; (iv) preparation of feature vectors that are highly representative of the characteristics of Internet traffic carrying DDoS cyberattacks; and (v) classification of anomalies through Adaptive Resonance Theory (ART), an unsupervised neural network that provides the real-time component of DDoS detection, establishing the classification time at the one-second mark. Concerning ART, this research designed, tested, and validated a new methodology, the parametogram, for properly defining the vigilance parameter of both classification approaches used, ART1 and FuzzyART. The applications of the multiscalor-based metrics in this research target Cyber-Physical-Social Systems (CPSS), e.g., the Industrial Internet-of-Things (IIoT), supported by the use of non-simulated Internet traffic containing genuine DDoS attacks. This research corroborated the detection of anomalies in Internet traffic with high classification precision, for which the multiscalor methodology is essential in extracting the relevant features characterizing the DDoS cyberattacks examined.
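The abstract names the Variance Fractal Dimension Trajectory (VFDT) as the root of its metrics without spelling out the computation. The following is an added illustration, not code from the thesis or its author: it implements one commonly stated formulation of the variance fractal dimension (assumed here, attributed to Kinsner's work) as a sliding-window trajectory, and then runs it over a constructed packets-per-interval series. The lag set, window size, step, and the synthetic traffic (a jittery baseline with a smooth, strongly autocorrelated surge) are all assumptions; none of the PREDICT data is involved. The reference signals (sine, white noise, random walk) are there so a reader can confirm the estimator lands where theory says it should (D near 1, 2, and 1.5 respectively) before trusting it on real traffic.

```python
"""Variance fractal dimension (VFD) trajectory over a packet-rate series.

Added example, not the thesis's own code.  Assumed formulation: for a
one-dimensional signal x and time lag k, Var[x(t+k) - x(t)] ~ k^(2H); the
exponent H is half the log-log slope of that variance against k, and the
dimension is D = E + 1 - H with Euclidean dimension E = 1, i.e. D = 2 - H.
"""
import math
import random

LAGS = (1, 2, 4, 8)  # time lags used for the log-log fit (an assumption)


def _slope(xs, ys):
    """Least-squares slope of ys against xs (inputs already in log space)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx


def variance_fractal_dimension(x, lags=LAGS):
    """VFD of one window x (a list of floats), clamped to [1.0, 2.0].

    A flat window (zero increment variance at every lag) is treated as a
    smooth line and returns D = 1.0.
    """
    log_k, log_var = [], []
    for k in lags:
        if k >= len(x):
            break
        diffs = [x[t + k] - x[t] for t in range(len(x) - k)]
        mean = sum(diffs) / len(diffs)
        var = sum((d - mean) ** 2 for d in diffs) / len(diffs)
        if var > 0.0:
            log_k.append(math.log(k))
            log_var.append(math.log(var))
    if len(log_k) < 2:
        return 1.0
    h = 0.5 * _slope(log_k, log_var)
    h = min(1.0, max(0.0, h))  # clamp the exponent to its admissible range
    return 2.0 - h


def vfd_trajectory(series, window, step):
    """Sliding-window VFD trajectory: one dimension estimate per window start."""
    return [variance_fractal_dimension(series[s:s + window])
            for s in range(0, len(series) - window + 1, step)]


# --- constructed reference signals (sanity checks, not real traffic) ---

def sine_signal(n=1024, period=256):
    """Smooth signal: increments scale ~k, so H -> 1 and D -> 1."""
    return [math.sin(2 * math.pi * t / period) for t in range(n)]


def white_noise(n=2048, seed=3):
    """Uncorrelated samples: increment variance is flat in k, so D -> 2."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n)]


def random_walk(n=4096, seed=1):
    """Brownian-like path: increment variance grows ~k, so H -> 0.5, D -> 1.5."""
    rng = random.Random(seed)
    x = [0.0]
    for _ in range(n - 1):
        x.append(x[-1] + rng.gauss(0.0, 1.0))
    return x


def constructed_packet_rate(n=2048, seed=7):
    """Constructed packets-per-interval series (synthetic, not PREDICT data):
    a jittery baseline around 200 plus a smooth, strongly autocorrelated
    surge of 320 intervals (5 cycles of period 64) starting at interval 896."""
    rng = random.Random(seed)
    rate = [200.0 + rng.gauss(0.0, 15.0) for _ in range(n)]
    for t in range(896, 1216):
        rate[t] += 400.0 * (1.0 - math.cos(2 * math.pi * (t - 896) / 64))
    return rate


if __name__ == "__main__":
    # Baseline windows sit near D = 2; windows covering the surge drop well below.
    traj = vfd_trajectory(constructed_packet_rate(), window=512, step=64)
    for i, d in enumerate(traj):
        print(f"window start {i * 64:5d}  D = {d:.3f}")
```

The trajectory moves wherever the scaling behaviour of the traffic changes, which is the property a window-based feature vector can carry into a classifier such as ART1 or FuzzyART. The direction and size of the shift for real DDoS traffic is an empirical matter the thesis settles on the PREDICT data; the synthetic surge above only demonstrates that the estimator responds.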
Adaptive Resonance Theory, ART, Artificial Intelligence, ART1, Cyberattacks, Cyberdefence, Cyber-Physical Social Systems, Cyber-Physical Systems, Cybersecurity, DDoS, Detection, Distributed Denial of Service, Feature Extraction, IIoT, Industrial Internet-of-Things, Internet-of-Things, Internet Traffic, IoT, Machine Learning, Multiscale, Multiscalors, FuzzyART, Parametogram, Polyscale, Real-Time