Variational Bayesian Hidden Markov Model for the Prediction of Distributed Denial of Service Attacks

Author: Afolorunso, Aderenle Abolanle

Supervisors: Olayide Abass and Harrison O. D.

Global interconnectivity of systems has left inter-networked systems vulnerable to various forms of complex attacks. Researchers continue to work on new ways, including proactive ones, of securing such systems in order to eradicate or minimise security threats. One such approach is network attack prediction systems. A Distributed Denial of Service (DDoS) attack is a class of network attack that can span several continents. It floods the computer network with heavy loads of unwanted packets and requests that weigh down system resources such as memory and processors. The Hidden Markov Model (HMM) is one of the models that can be used to predict and detect such attacks. Issues associated with the use of HMM are the determination of the hidden and observable states and, subsequently, the estimation of the model parameters, since the performance of the model depends on the accurate selection of these parameters. A related issue is the need to overcome the long training time of the traditional HMM algorithm, especially during model construction, as well as ensuring that the learning algorithm does not converge to a local maximum. This study presents a novel parsimonious HMM-based model in which the entropy-based values of the network traffic features and the DDoS attack phases form the observable and the hidden states of the model, respectively. Entropy and K-Means clustering were deployed respectively to determine the observable and hidden states that characterise the HMM. In order to improve the computational efficiency of the algorithm for estimating the parameters of the model, the Kullback-Leibler Divergence (KLD) method was employed for reducing and selecting appropriate parameters to achieve a good prediction model. Variational Bayesian Inference (VBI) was employed in optimising the HMM.
The performance of the model was evaluated through experiments using the DARPA 2000 Intrusion Specific dataset, the DARPA 1999 dataset and CAIDA 2007 simulated real-time DDoS attack data. The experimental results, when compared with an existing work in which a Markov Chain was used, show that the model predicts DDoS attacks faster and with higher accuracy. Specifically, the prediction accuracy, false positive rate and false negative rate show improvements of 10%, 11% and 9%, respectively, while the computational time was reduced by 42%.
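As an added illustration of the observable/hidden-state design described above (this is example code, not the thesis's implementation), the block below computes the source-IP entropy of constructed flow records per time window, discretises it into observable symbols, and decodes the most likely attack phase per window with Viterbi. The two hidden states, the entropy cut-offs and the HMM parameters are hand-set assumptions; the thesis derives them from the data via K-Means, KLD-based selection and VBI.

```python
import math
from collections import Counter
# Constructed flow records (window index, source IP); not real dataset traffic.
# Windows 0-1 resemble normal traffic, 2-4 show many sources hitting one target.
FLOWS = [
    (0, "10.0.0.1"), (0, "10.0.0.1"), (0, "10.0.0.2"), (0, "10.0.0.1"),
    (1, "10.0.0.2"), (1, "10.0.0.1"), (1, "10.0.0.2"), (1, "10.0.0.2"),
    (2, "192.0.2.1"), (2, "192.0.2.2"), (2, "192.0.2.3"), (2, "192.0.2.4"),
    (3, "192.0.2.5"), (3, "192.0.2.6"), (3, "192.0.2.7"), (3, "192.0.2.8"),
    (4, "192.0.2.9"), (4, "192.0.2.9"), (4, "192.0.2.10"), (4, "192.0.2.11"),
]

def window_entropy(flows, window):
    """Shannon entropy (bits) of the source-IP distribution within one window."""
    counts = Counter(ip for w, ip in flows if w == window)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def discretise(h):
    """Entropy -> observable symbol 0=low, 1=medium, 2=high (assumed cut-offs)."""
    return 0 if h < 1.0 else (1 if h < 1.8 else 2)

# Assumed hidden states (attack phases) and illustrative, hand-set HMM parameters.
STATES = ["normal", "flooding"]
START = [0.9, 0.1]
TRANS = [[0.8, 0.2],  # P(next | normal)
         [0.3, 0.7]]  # P(next | flooding)
EMIT = [[0.7, 0.25, 0.05],  # P(low, medium, high entropy | normal)
        [0.05, 0.25, 0.7]]  # P(low, medium, high entropy | flooding)

def viterbi(obs):
    """Most likely phase sequence for an observation-symbol sequence (log-space)."""
    n = len(STATES)
    score = [math.log(START[s]) + math.log(EMIT[s][obs[0]]) for s in range(n)]
    back = []
    for o in obs[1:]:
        new, ptr = [], []
        for s in range(n):
            best = max(range(n), key=lambda p: score[p] + math.log(TRANS[p][s]))
            new.append(score[best] + math.log(TRANS[best][s]) + math.log(EMIT[s][o]))
            ptr.append(best)
        score, back = new, back + [ptr]
    path = [max(range(n), key=lambda s: score[s])]
    for ptr in reversed(back):
        path.append(ptr[path[-1]])
    return [STATES[s] for s in reversed(path)]

def predict_phases(flows):
    windows = sorted({w for w, _ in flows})
    return viterbi([discretise(window_entropy(flows, w)) for w in windows])
```

On the constructed records the decoded sequence switches to "flooding" from window 2 onward, where source-IP entropy jumps; with real traffic the symbol alphabet and parameters would come from the fitting steps the thesis describes.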