Feature Selection to Enhance DDoS Detection Using Hybrid N-Gram Heuristic Techniques

Andi Maslan - Universitas Putera Batam, Indonesia
Kamaruddin Malik Mohamad - Universiti Tun Hussein Onn Malaysia, Batu Pahat Johor, Malaysia
Abdul Hamid - Universiti Tun Hussein Onn Malaysia, Batu Pahat Johor, Malaysia
Hotma Pangaribuan - Universitas Putera Batam, Indonesia
Sunarsan Sitohang - Universitas Putera Batam, Indonesia

Citation Format:

DOI: http://dx.doi.org/10.30630/joiv.7.3.1533


Various forms of distributed denial of service (DDoS) assault systems and servers, including traffic overload, request overload, and website breakdowns. Heuristic-based DDoS attack detection is a combination of anomaly-based and pattern-based methods, and it is one of three DDoS attack detection techniques available. The pattern-based method compares a sequence of data packets sent across a computer network using a set of criteria. However, it cannot identify modern assault types, and anomaly-based methods take advantage of the habits that occur in a system. However, this method is difficult to apply because the accuracy is still low, and the false positives are relatively high. Therefore, this study proposes feature selection based on Hybrid N-Gram Heuristic Techniques. The research starts with the conversion process, package extract, and hex payload analysis, focusing on the HTTP protocol. The results show the Hybrid N-Gram Heuristic-based feature selection for the CIC-2017 dataset with the SVM algorithm on the CSDPayload+N-Gram feature with a 4-Gram accuracy rate of 99.86%, MIB- Dataset 2016 with the 2016 algorithm. SVM and CSPayload feature +N-Gram with 100% accuracy for 4-Gram, H2N-Payload Dataset with SVM Algorithm, and CSDPayload+N-Gram feature with 100% accuracy for 4-Gram. As a comparison, the KNN algorithm for 4-Gram has an accuracy rate of 99.44%, and the Neural Network Algorithm has an accuracy rate of 100% for 4-Gram. Thus, the best algorithm for DDoS detection is SVM with Hybrid N-Gram (4-Gram).


Chi-square distance; DDoS; Heuristic; N-Gram; Payload

Full Text:



J. J. Kim, Y. S. Lee, J. Y. Moon, and J. M. Park, “Network payload and correlation analysis in bigdata environments,†Int. J. Grid Distrib. Comput., vol. 11, no. 3, pp. 109–124, 2018, doi: 10.14257/ijgdc.2018.11.3.10.

M. Alkasassbeh, A. B. A. Hassanat, and G. Al-naymat, “Detecting Distributed Denial of Service Attacks Using Data Mining Techniques,†vol. 7, no. 1, pp. 436–445, 2016.

A. W. Muhammad and I. Riadi, “DDoS Attack Detection Using Neural Network with Fixed Moving Average Window Function,†vol. 1, no. 3, pp. 115–122, 2017.

A. Rahmatulloh, G. M. Ramadhan, I. Darmawan, N. Widiyasono, and D. Pramesti, “Identification of Mirai Botnet in IoT Environment through Denial-of-Service Attacks for Early Warning System,†vol. 6, no. September, pp. 623–628, 2022.

K. M. I. A. Fouda, “Payload Based Signature Generation for DDoS Attacks,†University of Twente, 2017.

K. M. Prasad, A. R. M. Reddy, and K. V. Rao, “DoS and DDoS Attacks: Defense, Detection and TracebackMechanisms -A Survey,†vol. 14, no. 7, 2014.

A. Oza, “HTTP Attack Detection using N-gram Analysis,†2013.

M. Najafimehr, S. Zarifzadeh, and S. Mostafavi, A hybrid machine learning approach for detecting unprecedented DDoS attacks, no. 0123456789. Springer US, 2022.

D. Ariu, R. Tronci, and G. Giacinto, “HMMPayl: An intrusion detection system based on Hidden Markov Models,†Comput. Secur., vol. 30, no. 4, pp. 221–241, 2011, doi: 10.1016/j.cose.2010.12.004.

K. Kato and V. Klyuev, “An Intelligent DDoS Attack Detection System Using Packet Analysis and Support Vector Machine,†Int. J. Intell. Comput. Res., vol. 5, no. 3, pp. 464–471, 2014.

J. David and C. Thomas, “DDoS attack detection using fast entropy approach on flow-based network traffic,†Procedia Comput. Sci., vol. 50, no. August, pp. 30–36, 2015, doi: 10.1016/j.procs.2015.04.007.

N. Bindra and M. Sood, “Evaluating the impact of feature selection methods on the performance of the machine learning models in detecting DDoS attacks,†Rom. J. Inf. Sci. Technol., vol. 23, no. 3, pp. 250–261, 2020.

K. Bouzoubaa, Y. Taher, and B. Nsiri, “Predicting DOS-DDOS Attacks: Review and Evaluation Study of Feature Selection Methods based on Wrapper Process,†Int. J. Adv. Comput. Sci. Appl., vol. 12, no. 5, pp. 132–145, 2021, doi: 10.14569/IJACSA.2021.0120517.

Q. Niyaz, W. Sun, and A. Y. Javaid, “A Deep Learning Based DDoS Detection System in Software-Defined Networking (SDN),†ICST Trans. Secur. Saf., vol. 4, no. 12, p. 153515, 2017, doi: 10.4108/eai.28-12-2017.153515.

W. Khreich, B. Khosravifar, A. Hamou-Lhadj, and C. Talhi, “An anomaly detection system based on variable N-gram features and one-class SVM,†Inf. Softw. Technol., vol. 91, pp. 186–197, 2017, doi: https://doi.org/10.1016/j.infsof.2017.07.009.

S. Sridharan, “Defeating n-gram Scores for HTTP Attack Detection,†SJSU Sch. Work., vol. 6, no. San Jose State University, pp. 1–37, 2016, doi: 10.31979/etd.japx-z6eu.

S. Khunkitti, A. Siritaratiwat, and S. Premrudeepreechacharn, “Multi-objective optimal power flow problems based on slime mould algorithm,†Sustain., vol. 13, no. 13, 2021, doi: 10.3390/su13137448.

L. Csikar, “Decision making in the sciences : understanding heuristic use by students in problem solving,†p. 124, 2018, doi: 10.25777/dzej-k872.

R. R. Rumare and H. T. Ciptaningtyas, “HTTP Attack Detection Application Using N-Gram,†J. Tek. ITS, vol. 6, no. 2, pp. 2–5, 2017, doi: 10.12962/j23373539.v6i2.24230.

S. Bista and R. Chitrakar, “DDoS Attack Detection Using Heuristics Clustering Algorithm and Nave Bayes Classification,†J. Inf. Secur., vol. 09, no. 01, pp. 33–44, 2018, doi: 10.4236/jis.2018.91004.

A. Maslan, K. M. Mohamad, and C. F. M. Foozy, “Enhancement detection distributed denial of service attacks using hybrid n-gram techniques,†Telkomnika (Telecommunication Comput. Electron. Control., vol. 20, no. 1, pp. 61–69, 2022, doi: 10.12928/TELKOMNIKA.v20i1.18103.

H. Zhao, Z. Chang, G. Bao, and X. Zeng, “Malicious Domain Names Detection Algorithm Based on N -Gram,†vol. 2019, 2019.

W. B. Cavnar and J. M. Trenkle, “N-Gram-Based Text Categorization N-Gram-Based Text Categorization,†Proc. Third Annu. Symp. Doc. Anal. Inf. Retr., no. May, pp. 1–14, 2001.

J. Daniel and J. H. Martin, “stanford n-gram_Speech and Language Processing,†2021.

F. Angiulli, L. Argento, and A. Furfaro, “Exploiting n-gram location for intrusion detection,†CS.CR, vol. 3, no. Cornell University, pp. 1–6, 2016, doi: 10.1109/ICTAI.2015.155.

Z. Bazrafshan, H. Hashemi, S. M. H. Fard, and A. Hamzeh, “A survey on heuristic malware detection techniques,†IKT 2013 - 2013 5th Conf. Inf. Knowl. Technol., no. May, pp. 113–120, 2013, doi: 10.1109/IKT.2013.6620049.

W. Halim, “Deteksi Malware dengan Menggunakan API Calls,†Paper, p. 15, 2020.

A. Shabtai, R. Moskovitch, C. Feher, S. Dolev, and Y. Elovici, “Detecting unknown malicious code by applying classification techniques on OpCode patterns,†Secur. Inform., vol. 1, no. 1, p. 1, 2012, doi: 10.1186/2190-8532-1-1.

T. Abou-Assaleh, N. Cercone, V. Keselj, and R. Sweidan, “N-gram-based detection of new malicious code,†in Proc of the 28th Annual International Computer Software and Applications Conference, IEEE Computer Society, 2004, vol. 2, pp. 41–42 vol.2, doi: 10.1109/CMPSAC.2004.1342667.

I. Journal, O. F. Engineering, C. Of, M. Virus, and U. N. Gram, “International journal of engineering sciences & research technology classification of metamorphic virus using n gram analysis,†vol. 6, no. 2, pp. 364–370, 2017.

L. Tan, “The worst-case execution time tool challenge 2006,†STTT, vol. 11, pp. 133–152, 2009, doi: 10.1109/ISoLA.2006.72.

T. McCabe, “A Complexity Measure,†IEEE Trans. Softw. Eng., vol. SE-2, pp. 308–320, 1976.

P. Jalote, An Integrated Approach to Software Engineering. 1997.

M. A. H. Azmi, C. F. M. Foozy, K. A. M. Sukri, N. A. Abdullah, I. R. A. Hamid, and H. Amnur, “Feature Selection Approach to Detect DDoS Attack Using Machine Learning Algorithms,†Int. J. Informatics Vis., vol. 5, no. 4, pp. 395–401, 2021, doi: 10.30630/JOIV.5.4.734.

A. Martín, R. Lara-Cabrera, and D. Camacho, “Android malware detection through hybrid features fusion and ensemble classifiers: The AndroPyTool framework and the OmniDroid dataset,†Inf. Fusion, vol. 52, no. December, pp. 128–142, 2019, doi: 10.1016/j.inffus.2018.12.006.

S. Almutairi, S. Mahfoudh, S. Almutairi, and J. S. Alowibdi, “Hybrid Botnet Detection Based on Host and Network Analysis,†J. Comput. Networks Commun., vol. 2020, no. Hindawi, pp. 1–16, 2020, doi: 10.1155/2020/9024726.

C. Ma, X. Du, and L. Cao, “Analysis of multi-Types of flow features based on hybrid neural network for improving network anomaly detection,†IEEE Access, vol. 7, pp. 148363–148380, 2019, doi: 10.1109/ACCESS.2019.2946708.

Z. Chiba, N. Abghour, K. Moussaid, A. El, and M. Rida, “Intelligent and Improved Self-Adaptive Anomaly based Intrusion Detection System for Networks,†vol. 11, no. 2, pp. 312–330, 2019.

T. Mahjabin, Y. Xiao, G. Sun, and W. Jiang, “A survey of distributed denial-of-service attack, prevention, and mitigation techniques,†Int. J. Distrib. Sens. Networks, vol. 13, no. 12, 2017, doi: 10.1177/1550147717741463.