Detection of Adversarial DDoS Attacks Using Symmetric Defense Generative Adversarial Networks

Abstract

DDoS (distributed denial of service) attacks consist of a large number of compromised computer systems that launch joint attacks at a targeted victim, such as a server, website, or other network equipment, simultaneously. DDoS has become a widespread and severe threat to the integrity of computer networks. DDoS can lead to system paralysis, making it difficult to troubleshoot. As a critical component of the creation of an integrated defensive system, it is essential to detect DDoS attacks as early as possible. With the popularization of artificial intelligence, more and more researchers have applied machine learning (ML) and deep learning (DL) to the detection of DDoS attacks and have achieved satisfactory accomplishments. The complexity and sophistication of DDoS attacks have continuously increased and evolved since the first DDoS attack was reported in 1996. Regarding the headways in this problem, a new type of DDoS attack, named adversarial DDoS attack, is investigated in this study. The generating adversarial DDoS traffic is carried out using a symmetric generative adversarial network (GAN) architecture called CycleGAN to demonstrate the severe impact of adversarial DDoS attacks. Experiment results reveal that the synthesized attack can easily penetrate ML-based detection systems, including RF (random forest), KNN (k-nearest neighbor), SVM (support vector machine), and naïve Bayes. These alarming results intimate the urgent need for countermeasures against adversarial DDoS attacks. We present a novel DDoS detection framework that incorporates GAN with a symmetrically built generator and discriminator defense system (SDGAN) to deal with these problems. Both symmetric discriminators are intended to simultaneously identify adversarial DDoS traffic. As demonstrated by the experimental results, the suggested SDGAN can be an effective solution against adversarial DDoS attacks. We train SDGAN on adversarial DDoS data generated by CycleGAN and compare it to four previous machine learning-based detection systems. SDGAN outperformed the other machine learning models, with a TPR (true positive rate) of 87.2%, proving its protection ability. Additionally, a more comprehensive test was undertaken to evaluate SDGAN’s capacity to defend against unseen adversarial threats. SDGAN was evaluated using non-training data-generated adversarial traffic. SDGAN remained effective, with a TPR of around 70.9%, compared to RF’s 9.4%.

1. Introduction

A denial of service (DoS) attack is a type of cyberattack in which the attacker attempts to restrict or entirely disable access to the resources of a system or network, rendering services inaccessible to their legitimate users. Since the 1980s, the scientific community has been aware of the DoS attack. Gligor published one of the earliest descriptions of a denial-of-service attack on an operating system in 1983 [1]. DoS attacks are one of the most dangerous types of cyber security threats to server infrastructure. These attacks target a server, application, or service platform by flooding it with malicious traffic to exhaust its computational or network resources, resulting in malfunction and congestion.

Distributed denial of service (DDoS) attacks are on a much greater scale. DDoS attacks seize control of a network of compromised systems, referred to as a botnet, and conduct offensive operations against the victim system. There is a broad spectrum of victims, including government agencies, financial institutions, healthcare providers, and limited consumer networks [2].

DDoS attacks have proliferated in recent years, both in scale and in frequency. According to Link11’s report for the first half of 2021 [3], numerous attacks were recorded in this period. There was an increase of 33% in frequency compared to the first half of 2020, with 65% of attacks taking advantage of multi-vector attacks. The maximum value for attack bandwidth was up to 555 Gbps. For the time being, cloud services are well embraced by many companies serving as their primary computing and data storage facility. Cloud services have also received the attention of attackers. Up to 35% of attacks target data center operators and hosting service providers, with a wide variety of attack methods, such as carpet-bombing attacks and DDoS extortion.

DDoS attacks bring about a profound impact on an organization’s reputation and, therefore, its revenue. Before any mitigation measures can be taken, it is essential to detect DDoS attacks as soon as possible [4]. In the early era, the attack alarm was triggered by hand-coded rules. This strategic approach appears to have fallen behind the evolving nature of DDoS attacks. As AI (artificial intelligence) has demonstrated its potential in various fields, ML (machine learning) and DL (deep learning) have also been employed for the detection of DDoS attacks. They have achieved impressive success, as reviewed in [5].

The IDS (intrusion detection system) proposed by Das et al. [6] utilized numerous machine learning methods, including KNN, SVM, MLP (multilayer perceptron), and DT (decision tree). Dincalp [7] used the rate of various sorts of arriving packets as the central concept for identifying DDoS and employed the inefficient DBSCAN (density-based spatial clustering of applications with noise) algorithm for grouping the data. Comparing the performance of various categorization algorithms, Khuphiran et al. [8] provided a basis for selecting an approach to prevent a DDoS attack. Ramanauskaite et al. [9] provided a model for calculating the success likelihood of an attack on the basis of botnet size and agent allocation tactics. The model can be used to evaluate the probability of victim resistance in various assault and defense scenarios. Xiang and Li [10] created a model describing the interaction between the attacking and defending parties, which evaluates the efficacy of the defense system and estimates the appropriate security investment. Yong et al. [11] presented a framework for detection and mitigation. The shortcoming of the provided paradigm is that internal and external networks and hosts are not adequately separated. Previous models evaluated malicious agents and attack traffic behavior, giving a comprehensive analysis of attack dynamics and assessing the associated success criteria. Nevertheless, in addition to the advancement of defensive models, DDoS attacks have become increasingly harmful and complex to defend.

A new type of DDoS attack called an adversarial DDoS attack could pose new threats to ML/DL-based detection approaches. The GAN (generative adversarial network) [12] is well known for the generation of fake but real-looking data, such as image synthesis. We believe that the GAN is also capable of generating malicious but legitimate-like traffic to confuse DDoS detection systems. This study substantiates such a scientific hypothesis. We synthesize attacking traffic using a cycle generative adversarial network (CycleGAN) [13]. As shown in Section 4, the synthesized traffic can penetrate DDoS detection systems, including random forest, k-nearest neighbor, support vector machine, and naïve Bayes, undetected.

The flexibility and unpredictability of adversarial attacks are a vulnerability of traditional DDoS defense systems. While detection of adversarial DDoS attacks is still in its infancy, the AI community has made substantial attempts to confront these attacks. Kolosnjaji et al. [14] presented an evasive attack based on gradients. The authors attached a sequence of bytes to the end of the malicious code without interfering with its functionality, and then computed the gradient to generate adversarial samples. The limitation of this work is that the dataset used was not large enough to produce thorough results. Song et al. [15] described how to create and test genuine malware capable of carrying out the elusive attack. The adversarial attack was created using a custom action set and verification function. However, the defense mechanisms and robustness of the framework have received less attention. In the research direction emphasizing adversarial attacks, our study concentrates on building an adequate defense model against adversarial attacks.

This article makes contributions by proposing a novelty framework for detecting adversarial DDoS attacks, entitled the symmetric defense generative adversarial network (SDGAN). To address adversarial attack issues, the proposed SDGAN employs a symmetrically constructed generator and discriminator defense system. Both symmetric discriminators are designed to identify adversarial DDoS traffic simultaneously. To assess SDGAN’s effectiveness, it is trained using adversarial DDoS traffic generated by a CycleGAN generating system. SDGAN surpassed RF, KNN, SVM, and naïve Bayes with a TPR of 87.2%. Additionally, a more challenging test was performed to evaluate SDGAN’s capacity in dealing with unseen adversarial threats. SDGAN was assessed using adversarial traffic produced from different training datasets. SDGAN remained effective with a TPR of around 70.9%, compared to RF’s 9.4%.

The remainder of this article is structured as follows: Section 2 summarizes prior work and the GAN; Section 3 outlines the basis for the suggested strategy; in Section 4, the experimental results are reported; Section 5 concludes this study.

2. Related Work

2.1. Artificial Intelligence for DDoS Detection

Various ML technologies have been employed in the detection of DDoS attacks, primarily as classifiers. These are support vector machine (SVM) [16], k-nearest neighbor (KNN) [17], naïve Bayes classifier [18], random forest (RF) [19], and density-based spatial clustering of applications with noise (DBSCAN) [7], to name a few. Providing further information, Gavrilis proposed the RBF-NN detector [20], which utilizes nine packet parameters and associated parameters generated using these frequencies. It is predicted that, depending on the frequency, RBF-NN traffic will be classified as normal, until it is classified as an attack. Alternatively, as Ibrahim stated, the distributed time delay neural network (DTDNN) [21] has a high probability of detecting attacks with increased precision.

Numerous investigations on decision tree analytical advancements were conducted in order to identify the DDoS attack. Pandya and Pandya employed C4.5, C5.0, and ID3 algorithms in [22] to create a more robust decision tree with improved performance. According to the findings obtained, C5.0 performed better in terms of accuracy and memory use. Shoo et al. [23] proposed a novel evolutionary model for classifying DDoS attack traffic that uses a combined SVM algorithm to classify malicious traffic. Genetic algorithms (GA) were applied for SVM optimization as a feature selection method to improve the model’s classification performance. Tan et al. [24] proposed an alternative framework for DDoS attack security. The model consisted of two modules utilizing machine learning algorithms. The k-means algorithm was applied in the data processing module to select the best features. The k-nearest neighbor (KNN) algorithm was employed in the detection module to distinguish attack flows.

2.2. Generative Adversarial Networks

The GAN, proposed by Goodfellow et al. [12] in 2014, has shown a wide range of applications in recent years. As shown in Figure 1, a GAN is formed by two functional blocks: a generator and a discriminator. These two blocks act as parties in game theory and contend with each other. The generator aims to generate artificial data to fool the discriminator. Conversely, the discriminator is responsible for judging the authenticity. As a GAN converges after a long training period, the generator should be able to produce artificial data indistinguishable from the real one. Equation (1) can be used to express the GAN’s loss function.

$$\underset{G}{min}\underset{D}{max}V\left(D,G\right)={\mathbb{E}}_{p_{data}\left(x\right)}\left[logD\left(x\right)\right]+{\mathbb{E}}_{p_z\left(z\right)}\left[log(1-D\left(G\left(z\right)\right)\right],$$

(1)

where $x$ denotes the data, $z$ is the input noise to the generator, $p_{data}$ is the data distribution, $p_z$ is the noise distribution, G is the generator, and D is the discriminator.

Despite its widespread popularity, GAN training and convergence continue to pose difficulties for trainers. The original GAN is subject to converging problems, such as loss functions that do not provide training direction and data that lack variation. The Wasserstein GAN (WGAN) [25] presents the Wasserstein distance as a way to circumvent the gradient vanishing problem inherent in original GANs. The WGAN was found to be more stable during the training process, with fewer examples collapsing.

While WGAN improves upon the original GAN, it still suffers from data quality and divergence concerns. These challenges are a result of the weight clipping method used by various WGANs. Weight clipping must be used to enforce the Lipschitz restriction. Even as consequence, it is possible that the WGAN weights will converge to critical values, reducing the model’s generation efficiency or possibly causing it to collapse. To overcome this issue, gradient penalty WGAN (GP-WGAN) suggested the gradient penalty technique [26]. After employing the gradient penalty technique, GP-WGAN learns a uniformly distributed gradient. Gradient penalty enhances the stability of WGAN training and generates higher-quality data.

2.3. Adversarial DDoS Attacks

According to hackers and academicians, GAN has the potential to introduce a new sort of DDoS attack: adversarial DDoS attack. In other words, GANs can be used to generate malicious traffic that seems to be legal. At CYBERSEC-2019, Trend Micro Inc. disclosed adversarial DDoS attacks. Adversarial machine learning (AML) is a technique used by hackers to identify flaws in machine learning-based detection systems and to mislead them with adversarial traffic. Numerous studies on the consequences of adversarial DDoS attacks have been executed. The least square GAN (LSGAN) was suggested in [27] for the purpose of artificially generating traffic on the basis of the fact that DDoS attacks closely resemble typical flash crowds. Up to 99% of LSGAN-generated DDoS traffic was incorrectly labeled as legitimate flash crowds. Hu et al. introduce MalGAN, an intriguing architecture for adversarial DDoS attacks, including a black-box detector and two neural networks [28]. As a victim system, the black-box detector was used. The black-box detector was used to distinguish the instances of the generator. The discriminator was then fed the classifying results. Whenever the discriminator was unable to discern the difference between adversarial and benign attacks, the system converged.

While detection of adversarial DDoS attacks is still in its infancy, the AI community has made substantial attempts to confront these attacks. Kolosnjaji et al. [14] presented an evasive attack based on gradients. The authors attached a sequence of bytes to the end of the malicious code without interfering with its functionality, and then computed the gradient to generate adversarial samples. The limitation of this work is that the dataset used was not large enough to produce thorough results. Song et al. [15] described how to create and test genuine malware capable of carrying out the elusive attack. The adversarial attack was created using a custom action set and verification function. However, the defense mechanisms and robustness of the framework have received less attention. Ebrahimi et al. [29] advocated the use of MalRNN to produce adversarial malware variants automatically. MalRNN is a revolutionary deep learning model that obtains data via system sampling and uses RNN to learn the language model of benign malware binaries. The study is limited by the simplicity of its strategy for bypassing antivirus.

2.4. CycleGAN

CycleGAN, or cycle-consistent generative adversarial network, is one kind of GAN originally designed for unpaired image-to-image translation [13]. Unsupervised training is used to develop the models, utilizing a variety of unrelated data from the source and target domains. This simple approach is very effective, producing aesthetically stunning outcomes across a variety of application areas. A notable application is the conversion of photos of horses and zebra. CycleGAN is a variant of standard GAN that allows for the concurrent training of two generator models, $G_A$ and $G_B$, and two discriminator models, $D_A$ and $D_B$. CycleGAN learns a mapping $G_A$: ${\mathsf{\Phi }}_B$→${\mathsf{\Phi }}_A$ and $G_B$: ${\mathsf{\Phi }}_A$→${\mathsf{\Phi }}_B$ between two different domains, ${\mathsf{\Phi }}_A$ and ${\mathsf{\Phi }}_B$. A distinctive feature of CycleGAN is inspired by the intuition that these translations should be inverses of one another, and both mappings should be bijective. This unique feature can be achieved by a cycle consistency loss that favors both $G_A$ and $G_B$. Combining this loss with the adversarial losses for ${\mathsf{\Phi }}_A$ and ${\mathsf{\Phi }}_B$, we can then reach the objective of translating unpaired data to data.

This article explores the potential of CycleGAN in the synthesis of adversarial DDoS attacks. We partition the NSL-KDD dataset into two unpaired sub-datasets: the attack dataset and the benign dataset. We employ an architecture consisting of two GANs, each with its own discriminator and generator model. The first GAN generates attack data from the benign input, whereas the second GAN generates benign data from the attack data. In addition, each GAN includes a discriminator to judge the authenticity of input data. As the models converge, they can generate data that closely resemble those from the target domains.

3. Proposed Approach

3.1. Proposed Approach

As illustrated in Figure 2, the CycleGAN model has the advantage of being trained without using paired examples. No instances of data before and after translation are required. Instead, the model can extricate and leverage the underlying style of the data from each domain to perform the translation. The proposed model comprises two generators; the first generator, $G_A$, is used to generate data for the “attack domain”, ${\mathsf{\Phi }}_A$, while the second generator, $G_B$, is used to generate data for the “benign domain”, ${\mathsf{\Phi }}_B$.

The generators perform data translation depending on input data, i.e., data from the other domain. Data from ${\mathsf{\Phi }}_B$ are fed into $G_A$, whereas $G_B$ takes data from ${\mathsf{\Phi }}_{A }$ as input. $G_A$ tries to generate adversarial data that look similar to traffic from ${\mathsf{\Phi }}_A$ as much as possible and vice versa. Each generator contends with a discriminator. The first discriminator, $D_A$, pulls real attack data and adversarial data from $G_A$ to deliver a real or fake decision. The second discriminator, $D_B$, also performs the same function with authentic benign traffic and adversarial traffic from $G_B$.

As with conventional GAN models, the discriminator and generator of CycleGANs are trained according to the adversarial zero-sum concept. The generators aim to improve their ability to mislead the discriminators, while the discriminators try to identify artificial fake data with the same effort. The training process strives to achieve an equilibrium. Furthermore, the generators are regularized to synthesize reconstructed data from the source domain, not just create adversarial data in the destination domain. This is accomplished by feeding the produced data into the adequate generator and correlating the results to the original data. A cycle is defined as the passage of data across both generators. Each pair of generators is trained in tandem to improve the reproduction of the source data, a process referred to as cycle consistency, as shown in Figure 3.

Additionally, as illustrated in Figure 4, the architecture includes identity mappings. Input data from the target domain are anticipated to provide resemble results. This design is optional but improves input data matching.

3.2. Loss Functions

• Adversarial Loss

Both mapping functions are closely related to adversarial losses. We express the loss function for the mapping function $G_A: {\mathsf{\Phi }}_B\to {\mathsf{\Phi }}_A$ and its discriminator $D_A$ as follows:

$${\mathcal{L}}_{adv}\left(G_A,D_A\right)={\mathbb{E}}_{A\in {\mathsf{\Phi }}_A}\left[log\left(D_A\left(A\right)\right)\right]+{\mathbb{E}}_{B\in {\mathsf{\Phi }}_B}\left[log\left(1-D_A\left(G_A\left(B\right)\right)\right)\right],$$

(2)

where $A$ is the attack traffic in the attack training set ${\mathsf{\Phi }}_A$, and $B$ is the benign traffic in the benign training set ${\mathsf{\Phi }}_B$.

• Cycle Consistency Loss

The data translation cycle should be able to restore B to its original instance for each benign data from ${\mathsf{\Phi }}_B$, i.e.,

$$\forall B\in {\mathsf{\Phi }}_B, B\to G_A\left(B\right)\to G_B\left(G_A\left(B\right)\right)\approx B.$$

(3)

Similarly, $G_A$ and $G_B$ should also meet the following requirement for each A from ${\mathsf{\Phi }}_A$:

$$\forall A\in {\mathsf{\Phi }}_A, A\to G_B\left(A\right)\to G_A\left(G_B\left(A\right)\right)\approx A/$$

(4)

We use a cycle consistency loss to enforce the abovementioned characteristic.

$${\mathcal{L}}_{cyc}\left(G_A,G_B\right)={\mathbb{E}}_{A\in {\mathsf{\Phi }}_A}\left[|\left|G_A\left(G_B\left(A\right)\right)-A\right|{|}_1\right]+{\mathbb{E}}_{B\in {\mathsf{\Phi }}_B}\left[|\left|G_B\left(G_A\left(B\right)\right)-B\right|{|}_1\right],$$

(5)

where $A$ is the attack traffic in the attack training set ${\mathsf{\Phi }}_A$, and $B$ is the benign traffic in benign the training set ${\mathsf{\Phi }}_B$.

• Identity Loss

Identity mapping is a feature of the adopted architecture. It is expected that input data from the target domain would provide similar outcomes, i.e.,$G_A\left(A\right)\approx A$ and $G_B\left(B\right)\approx B$. We employ an identity loss to support this.

$${\mathcal{L}}_{ide}\left(G_A,G_B\right)={\mathbb{E}}_{A\in {\mathsf{\Phi }}_A}\left[|\left|G_A\left(A\right)-A\right|{|}_1\right]+{\mathbb{E}}_{B\in {\mathsf{\Phi }}_B}\left[|\left|G_B\left(B\right)-B\right|{|}_1\right],$$

(6)

where $A$ is the attack traffic in the attack training set ${\mathsf{\Phi }}_A$, and $B$ is the benign traffic in benign the training set ${\mathsf{\Phi }}_B$.

• Generator Loss Function

The generator attempts to generate data that resemble the source data. The discriminator attempts to discern between translated and original samples. The generator aims to minimize the loss function, while the discriminator tries to maximize it. As a result, the following is the expression for the generator loss function of the proposed framework:

$$\underset{G_A,G_B}{min}\mathcal{L}\left(G_A,G_B,D_A,D_B\right)={\mathcal{L}}_{adv}\left(G_A,D_A\right)+{\mathcal{L}}_{adv}\left(G_B,D_B\right)+\lambda ·{\mathcal{L}}_{cyc}\left(G_A,G_B\right)+\mu ·{\mathcal{L}}_{ide}\left(G_A,G_B\right),$$

(7)

where λ and µ are parameters controlling the relative weightings of the cycle consistency loss and the identity loss, respectively.

The discriminator’s intention is to replicate the machine learning-based detection. It provides input to the generator for prompting adversarial traffic to be generated. The generated traffic should be undetected by the target machine learning-based detector. Algorithm 1 illustrates the operation of the CycleGAN architecture generating system.

Algorithm 1. Training of the CycleGAN architecture generating system

Input: $G_A$$: \mathrm{attack} \mathrm{domain} \mathrm{generator}, D_A$$: \mathrm{attack} \mathrm{domain} \mathrm{discriminator}, G_B$$: \mathrm{benign} \mathrm{domain} \mathrm{generator}, G_B$$: \mathrm{benign} \mathrm{domain} \mathrm{discriminator}, {\mathsf{\Phi }}_A$$: \mathrm{attack} \mathrm{domain}, {\mathsf{\Phi }}_B$: benign domain Output: Trained CycleGAN architecture system    for n_epochs do      $\mathrm{Attack} \mathrm{sample} \mathrm{batch} \leftarrow {\left\{A^{\left(i\right)}\right\}}_{i=1}^m\in {\mathsf{\Phi }}_A$      $\mathrm{Benign} \mathrm{sample} \mathrm{batch} \leftarrow {\left\{B^{\left(i\right)}\right\}}_{i=1}^m\in {\mathsf{\Phi }}_B$      $\mathrm{Generate} m$$\mathrm{sample} \mathrm{of} G_B\left(A\right)\to \widehat{A}$$\mathrm{and} G_A\left(B\right)\to \widehat{B}$      $\mathrm{Generate} m$$\mathrm{sample} \mathrm{of} G_B(G_B\left(A\right))$$\mathrm{and} G_B(G_A\left(B\right))$      $\mathrm{Generate} m$$\mathrm{sample} \mathrm{of} G_A\left(A\right)$$\mathrm{and} G_B\left(B\right)$      $\mathrm{Update} \mathrm{the} \mathrm{discriminator} D_A$$\mathrm{and} D_B$ according to the adversarial loss function using Equation (2)        $\underset{D_A}{max}$${\mathcal{L}}_{adv}\left(G_A,D_A\right)$        $\underset{D_B}{max}$${\mathcal{L}}_{adv}\left(G_B,D_B\right)$      $\mathrm{Update} \mathrm{the} \mathrm{Generator} G_A$$\mathrm{and} G_B$ according to the total CycleGAN loss function using Equation (7)        $\underset{G_A,G_B}{min}\mathcal{L}\left(G_A,G_B,D_A,D_B\right)$    end for

3.3. Adversarial DDoS Attack Detection Using Symmetric Defense GAN (SDGAN)

The proposed SDGAN is a GAN with a symmetrically designed generator and discriminator system that can provide a solution to detect adversarial DDoS attacks, as illustrated in Figure 5, where $G_A$ and $D_A$ represent the generator and discriminator trained on the attacking domain, and $G_B$ and $D_B$ represent the generator and discriminator trained on the benign domain, respectively. The traffic generated by the CycleGAN system is included in the training set of the SDGAN. Throughout conventional DDoS traffic discrimination, $D_A$ tends to distinguish attack traffic, while the $D_B$ aims to differentiate benign traffic from attack traffic. Simultaneously, both discriminators scrutinize the adversarial attack data in parallel.

In a conventional GAN, the generator generates new instances by using samples from the target domain. To guarantee the identification of adversarial DDoS traffic, the SDGAN generator is fed both standard DDoS traffic and adversarial samples created using the CycleGAN generating architecture. The following defines the generator’s loss function:

$$L\left(G_A\right)={\mathbb{E}}_{B,N,E}\left\{D_A\right[D_B\left(G_A\left(B,E,N\right)\right]\},$$

(8)

$$L\left(G_B\right)={\mathbb{E}}_{A,N,E}\left\{D_B\right[D_A\left(G_B\left(A,E,N\right)\right]\},$$

(9)

where $A$ repsents conventional attack traffic, $B$ represents conventional benign traffic, $N$ is the generator’s noise input, and $E$ represents adversarial attacks.

In a similar manner, the training for the two discriminators $D_A$ and $D_B$ is carried out. We train the discriminator using the generators’ adversarial DDoS traffic. Accordingly, we obtain the correct gradient when confronted with the generator. The CycleGAN generating system’s adversarial attack data are used to improve the discriminator’s capability of detecting the adversarial attack. Conventional traffic is also considered when training the discriminator aims to prepare it with the ability to distinguish legitimate from attack traffic. The following is the definition of the discriminator’s loss function:

$$\underset{D_A}{max} {\mathcal{L}}_{adv}\left(G_A,D_A\right)={\mathbb{E}}_A\left[log\left(D_A\left(A\right)\right)\right]+{\mathbb{E}}_{B,E}\left[log\left(1-D_A\left(E,B,D_B\left(G_A\left(B,E,N\right)\right)\right)\right)\right],$$

(10)

$$\underset{D_B}{max} {\mathcal{L}}_{adv}\left(G_B,D_B\right)={\mathbb{E}}_B\left[log\left(D_B\left(B\right)\right)\right]+{\mathbb{E}}_{A,E}\left[log\left(1-D_B\left(E,A,D_A\left(G_B\left(A,E,N\right)\right)\right)\right)\right],$$

(11)

where $A$ represents conventional attack traffic, $B$ represents conventional benign traffic, $N$ is the generator’s noise input, and $E$ represents adversarial attacks.

Algorithm 2 presents the operation of the SDGAN.

Algorithm 2. Algorithm for SDGAN

Input: $G_A$$: \mathrm{attack} \mathrm{domain} \mathrm{generator}, D_A$$: \mathrm{attack} \mathrm{domain} \mathrm{discriminator}, G_B$$: \mathrm{benign} \mathrm{domain} \mathrm{generator}, D_B$: benign domain discriminator, N: noise, B: benign traffic, A: normal DDoS attack, E: adversarial attack generated by CycleGAN Output: Trained SDGAN    for n_epochs do       $\mathrm{Generate} \mathrm{sample} \mathrm{of} G_A\left(B,E,N\right)$$\mathrm{and} G_B\left(A,E,N\right)$       //Training of G       $L\left(G_A\right)\leftarrow {\mathbb{E}}_{A,N,E}\{D_A[D_B\left(G_A\left(B,E,N\right)]\right]\}$       $L\left(G_B\right)\leftarrow {\mathbb{E}}_{A,N,E}\{D_B[D_A\left(G_B\left(A,E,N\right))\right]\}$       $\mathrm{Update} G_A$$\mathrm{and} G_B$ according to the gradient of G’s loss function       //Training of D     Let:     $S_A\leftarrow D_B\left(G_A\left(B,E,N\right)\right)$     $S_B\leftarrow D_A\left(G_B\left(A,E,N\right)\right)$     $\underset{D_A}{max} {\mathcal{L}}_{adv}\left(G_A,D_A\right)={\mathbb{E}}_A\left[log\left(D_A\left(A\right)\right)\right]+{\mathbb{E}}_{B,E}\left[log\left(1-D_A\left(E,B,S_A\right)\right)\right]$     $\underset{D_B}{max} {\mathcal{L}}_{adv}\left(G_B,D_B\right)={\mathbb{E}}_B\left[log\left(D_B\left(B\right)\right)\right]+{\mathbb{E}}_{A,E}\left[log\left(1-D_B\left(E,A,S_B\right)\right)\right]$     $\mathrm{Update} D_A$$\mathrm{and} D_B$ according to the gradient of D’s loss function    end for

4. Experimental Results and Discussion

Various experiments were conducted to determine the feasibility and effectiveness of the proposed approaches. In the experiments, each of the statements below was looked at in turn to determine their validity.

• ML-based and SDGAN are highly effective in DDoS detection.
• Adversarial DDoS attacks from the CycleGAN generation system have the ability to bypass ML-based DDoS detection systems.
• The proposed SDGAN system is effective in identifying adversarial DDoS attacks.

The experiments were carried out using a Windows 10 personal computer equipped with an Intel i7-8700 processor, 32GB of RAM, and an NVIDIA RTX 2060 graphics card. The CycleGAN architecture generating system for the synthesis of adversarial DDoS attacks and SDGAN for detecting adversarial DDoS detection were implemented with PyTorch.

This study operated with two widely used datasets, NSL-KDD [30] and CIC-IDS2018 [31]. These datasets made available by the Canadian Institute for Cybersecurity for the purpose of doing research on intrusion detection. The NSL-KDD dataset is an approach developed from the KDD’99 [32] dataset that contains no redundant or duplicate data. The CIC-IDS2018 dataset contains benign and up-to-date common attacks, as well as the results of network traffic analysis performed using CICFlowMeter [33], which includes labeled flows based on the time stamp, source and destination IP addresses, source and destination ports, protocols, and attack type (CSV files). We concentrated on DDoS traffic and utilized these datasets to build machine learning models for DDoS detection and synthesis of adversarial DDoS attacks.

For comparative purposes, various performance indices were used. True positive rate (TPR) and false positive Rate (FPR) are defined in Equations (12) and (13), respectively, with reference to

Table 1. Confusion matrix.

	Actual	Attack	Normal
Predicted
Attack		TP (true positive)	FP (false positive)
Normal		FN (false negative)	TN (true negative)

. The receiver operating characteristic (ROC) curve could be used to assess the impact of adversarial DDoS attacks and the proposed SDGAN’s effectiveness in detecting DDoS attacks.

$$TPR=\raisebox{1ex}{$TP$}\!\left/ \!\raisebox{-1ex}{$\left(TP+FN\right)$}\right..$$

(12)

$$FPR=\raisebox{1ex}{$FP$}\!\left/ \!\raisebox{-1ex}{$\left(FP+TN\right)$}\right..$$

(13)

4.1. ML-Based and SDGAN Detection of Conventional DDoS

To mitigate the possibility of adversarial DDoS attacks, we established SDGAN, which was described in Section 3. As discussed in Section 3, SDGAN’s two discriminators are designed to work in unison and symmetrically to detect both adversarial attacks and conventional DDoS traffic. The proposed SDGAN’s network configuration and training parameter settings are listed in

Table 2. Configuration of $D_A$ and $D_B$ of SDGAN.

Layer	Configuration
Input	(None, 40)
Dense	(None, 20)
PReLU	(None, 20)
Dense	(None, 10)
PReLU	(None, 10)
Dense	(None, 10)
Dropout	(None, 10)
Dense	(None, 2)
PReLU	(None, 2)

and

Table 3. Training parameter settings of SDGAN generating system.

Epoch/Batch Size	Learning Rate	Optimizer	Lambda	Mu
500/60	0.000135	Adam	10	0.1

.

The disorientation of the training direction caused by the gradient vanishing phenomenon is a basic issue in training GANs. The SDGAN model described in this article enables the PReLU activation function to allow the model to modify the direction of the gradient by itself, thereby avoiding information loss. Additionally, it includes dropout layers to handle the overfitting problem. Additionally, the proposed SDGAN’s optimization function integrates the gradient penalty as a constraint to improve the stability of the entire training process. The experimental findings imply that the offered model configurations helped to decrease the gradient distraction, thereby stabilizing the training process.

Many studies have reported that machine learning was successfully used for DDoS detection. This part of the report examines the detection of DdoS attacks using four ML-based defense systems (RF, KNN, SVM, and NB) to compare with SDGAN on the NSL-KDD and CIC-IDS2018 datasets. Prior to training, data were classified as legitimate or malicious; 80% of the sample was utilized for training, while 20% was used for validation.

Table 4. ML-based defense DDoS detection and SDGAN on conventional NSL-KDD.

Model	TPR	FPR
RF	0.911	0.048
KNN	0.902	0.059
SVM	0.864	0.124
Naïve Bayes	0.844	0.188
SDGAN	0.973	0.032

and

Table 5. ML-based defense DDoS detection and SDGAN on conventional CIC-IDS2018.

Model	TPR	FPR
RF	0.925	0.074
KNN	0.922	0.075
SVM	0.91	0.075
Naïve Bayes	0.806	0.063
SDGAN	0.977	0.029

present the outcomes of applying RF, KNN, SVM, and NB to the NSL-KDD and CIC-IDS2018 datasets, respectively. Higher TPR scores indicate increased detectability. As shown, all four machine learning-based DDoS detection techniques can be regarded as effective. This observation corroborates prior research. Additionally, on the basis of the results of these two data tables, it is clear that SDGAN outperformed ML-based defense systems in terms of DDoS detection capability, with a TPR index of approximately 0.97 compared to an RF peak of approximately 0.92.

Along with the TPR, the ROC curve is an effective performance statistic for evaluating detection and classification accuracy. A greater area under the curve (AUC) signifies a higher detection accuracy for an ROC curve. Figure 6a,b show that SDGAN had the best detection rate, compared to RF, followed by the other three machine learning defense systems.

4.2. Detection of Adversarial DDoS Attacks with SDGAN

We established SDGAN to mitigate the possibility of adversarial DDoS attacks. SDGAN’s two discriminators are designed to work symmetrically and in tandem to detect both adversarial attacks and conventional DDoS traffic. The adversarial DDoS attacks generated by the CycleGAN can also be used to validate the proposed SDGAN’s ability to detect adversarial DDoS attacks.

4.2.1. Adversarial DDoS Attack Synthesis Employing CycleGAN

GAN is well known for its ability to generate realistic-looking false images. We anticipated that GAN could also be used to produce malicious traffic that appears to be legal, i.e., adversarial DDoS attacks. We used the CycleGAN architecture described in Section 3 with the network design and training settings specified in

Table 6. Network configuration of CycleGAN generating system.

Layer	Configuration
Input (conventional DDoS)	(None, 40)
Dense	(None, 20)
Leaky ReLU	(None, 20)
Dense	(None, 10)
Leaky ReLU	(None, 10)
Dense	(None, 10)
Leaky ReLU	(None, 10)
Dense	(None, 20)
Input (conventional DDoS)	(None, 40)

and

Table 7. Training parameter settings of CycleGAN generating system.

Epoch/Batch Size	Learning Rate	Optimizer	Lambda	Mu
500/60	0.00014	Adam	10	0.1

. The gradient penalty was used to maintain the training process’s stability. The neural network activation function used Leaky ReLU rather than sigmoid to increase the resilience of the training process and to avoid the vanishing gradient phenomenon.

After training, the CycleGAN architecture system’s adversarial DDoS attacks were used to target machine learning-based DDoS detectors and SDGAN to evaluate their capabilities of detecting adversarial DDoS attacks; we experimented with four ML-based defense systems and SDGAN, on adversarial DDoS attacks trained using NSL-KDD and CIC-IDS2018.

4.2.2. Detection of Adversarial DDoS Attacks with SDGAN

As shown in

Table 8. TPRs of ML-based DDoS detectors and SDGAN on adversarial DDoS attacks.

	NSL-KDD	CIC-IDS2018
RF	0.177	0.185
KNN	0.159	0.161
SVM	0.137	0.142
Naïve Bayes	0.096	0.138
SDGAN	0.857	0.872

, the TPRs of the four ML-based DDoS defense systems dropped dramatically below 0.2. This means that adversarial DDoS attacks could slip undetected via machine learning-based DDoS detectors. The ROC curves in Figure 7 further demonstrate the failure of machine learning-based DDoS detectors to detect adversarial DDoS attacks. We can conclude that adversarial DDoS attacks constitute a significant vulnerability for conventional machine learning-based DDoS detectors. Additionally, the CycleGAN generating system used in this study was highly effective for synthesizing adversarial DDoS attacks. On the other hand, the suggested SDGAN retained a high TPR of 0.857 and 0.872 on the NSL-KDD and CIC-IDS2018 datasets, respectively. This demonstrates that the proposed SDGAN is a viable option for combating adversarial DDoS attacks.

In comparison to SDGAN, Figure 7 illustrates the ROC curves for ML-based DDoS detection techniques on adversarial DDoS attacks. The higher AUC value and steepness of SDGAN’s ROC curve indicate its superiority over the four machine learning-based defense systems.

The next experiment considered a more difficult and realistic scenario. The SDGAN was trained using adversarial DDoS traffic generated by CIC-IDS2018 and evaluated using adversarial DDoS traffic generated by NSL-KDD. This experiment arrangement was used to evaluate the SDGAN’s capacity to deal with previously unseen adversarial DDoS attacks.

Table 9. TPRs of ML-based DDoS detections on unseen adversarial DDoS attacks.

	RF	KNN	SVM	NB	SDGAN
TPR	0.094	0.047	0.034	0.031	0.709

and Figure 8 summarize the findings. The performance of machine learning-based techniques deteriorated further. Even the best possible outcome, RF, had a TPR of 0.094. The TPR of SDGAN declined, while the steepness and AUC of the ROC curve likewise decreased. SDGAN continued to have a TPR of 0.709. This conclusion is indicative of the enigmatic nature of unseen adversarial DDoS attacks. SDGAN, on the other hand, was still deemed to be effective in comparison to the other techniques.

Therefore, in the more difficult and realistic case of cordoning off unseen adversarial attacks, SDGAN was still effective, with a TPR of approximately 70.9%, compared to 9.4% for RF. Figure 8 reveals the same conclusion. With an AUC of 0.734, SDGAN’s ROC curve was steep, indicating that its sensitivity improved more quickly than its specificity. On the other hand, because of the low TPR rates, the ROC curves of the other machine learning-based algorithms were typically closer to the diagonal, signifying a lower sensitivity and a higher specificity.

5. Conclusions

This study examined the possible threat posed by a novel type of DDoS attack called adversarial DDoS. The CycleGAN-based architecture is capable of generating legal malicious traffic. The experiment findings indicated that synthetic adversarial DDoS attacks could easily penetrate machine learning-based detection systems such as RF, KNN, SVM, and NB. This occurrence serves as a drastic warning that adversarial DDoS attacks necessitate immediate retaliation. This research proposed the SDGAN architecture as a reaction to this emerging threat. The experimental results showed that adversarial DDoS attacks could be effectively avoided by using SDGAN’s two symmetric discriminators protection paradigm. SDGAN could achieve TPRs of 0.977, 0.872, and 0.709 in terms of conventional DDoS attacks, adversarial DDoS attacks, and unseen adversarial DDoS attacks, respectively. The suggested SDGAN can be deemed adequate, whereas it could be improved against unseen adversarial DDoS. Integrating open set identification technology may be a worthwhile avenue to pursue.