Network Incident Identification through Genetic Algorithm-Driven Feature Selection: Comparison
Please note this is a comparison between Version 2 by Camila Xu and Version 1 by Ahmet Aksoy.

The cybersecurity landscape presents daunting challenges, particularly in the face of Denial of Service (DoS) attacks such as DoS Http Unbearable Load King (HULK) attacks and DoS GoldenEye attacks. These malicious tactics are designed to disrupt critical services by overwhelming web servers with malicious requests.

  • network traffic analysis
  • incident classification
  • automated incident detection
  • network security
  • traffic pattern recognition

1. Introduction

Over the past few years, Denial of Service (DoS), Operating System (OS) fingerprinting, and Domain Name System (DNS) botnet techniques have undergone significant advancements, becoming increasingly complex and challenging to identify [1,2,3,4,5,6,7,8]. While these activities may not always constitute an attack in the traditional sense, they span a spectrum that includes reconnaissance and denial of service. The distinction lies in the intent and context of such actions.
Among all types of cyber attacks, DoS attacks are considered the most harmful, as they can entirely disconnect an organization from the Internet or severely impede network links, resulting in a significant disruption of packet delivery [8,9,10]. OS fingerprinting, by contrast, is crucial for cybercriminals who need to identify the OS of a target system, knowledge that can be exploited to launch further attacks or gain unauthorized access. Unlike DoS attacks, which aim to disrupt the target system, OS fingerprinting is a component of reconnaissance rather than a standalone attack. In this stage, attackers gather data about the target system and any potential security weaknesses that could be exploited, such as its network layout, the interdependencies of its services, and the OSes in use [11,12]. While OS fingerprinting is not typically considered an attack, it plays a significant role in the broader context of cyber activities and may form part of an attack as described within the cyber kill chain framework. A widely used tool for reconnaissance is NMAP. Its output provides information such as device type, OS family and generation, Common Platform Enumeration (CPE) representation, OS details, an uptime guess, network distance, Transmission Control Protocol (TCP) sequence prediction, and Internet Protocol (IP) Identifier (ID) sequence generation [13]. To perform fingerprinting, NMAP sends out a series of probes, analyzes the responses received, and compares them against a database of known OS characteristics; by carefully analyzing this traffic, NMAP attempts to determine the OS running on the target device [14]. However, it is worth noting that the accuracy of NMAP’s OS identification in real-world networks and on the Internet remains a topic of debate, and there is limited research available on this subject to serve as a reference [15].
Denial of Service (DoS) attacks have become increasingly disruptive and pose a significant challenge to the stability and security of networked systems. They have been used for political purposes, encompassing cyberwarfare, hacktivist actions, and acts of terrorism [16]. Over time, the landscape of cyber threats has evolved, and the prevalence and impact of DoS and Distributed DoS (DDoS) attacks have continued to escalate, so that these attacks now stand as formidable adversaries that security systems must confront [8,17,18]. The DoS GoldenEye and Http Unbearable Load King (HULK) attacks are malicious techniques aimed at overwhelming a target web server’s resources, rendering it inaccessible to legitimate users. GoldenEye bombards the target server with an extensive barrage of HyperText Transfer Protocol (HTTP) GET or POST requests, exploiting the statelessness of the HTTP protocol; this incessant flood forces the server to allocate resources to each incoming request, leading to resource exhaustion and leaving the server unable to handle legitimate traffic. Similarly, the HULK attack generates numerous HTTP requests in rapid succession, aiming to exhaust the web server’s resources, especially its network bandwidth and computing capacity. Both attacks share the goal of causing service unavailability but employ different methods to achieve it, making them potent tools in the arsenal of cyber attackers [8,19]. Attackers are adopting more intricate strategies, using botnets composed of compromised devices to launch DDoS attacks; these botnets can execute coordinated, large-scale attacks, making detection and mitigation more challenging. Attack vectors and techniques are also diversifying, including reflection and amplification attacks that exploit vulnerable servers to magnify the assault’s impact. Moreover, attackers increasingly use encryption to obfuscate their activities and make attribution more complex. In response to these advancements, defenders are developing more resilient mitigation measures and leveraging machine learning, Artificial Intelligence (AI), and advanced traffic analysis to detect and thwart attacks in real time. As the arms race between attackers and defenders continues, the evolution of DoS attacks remains a critical concern in cybersecurity [20,21,22].
Amidst this ever-evolving landscape, a further threat has gained prominence. As an insidious strain of malware, DNS botnets have significantly intensified their presence on the digital landscape and caused several negative economic impacts [7]. Their operational methods are remarkably disruptive, utilizing an extensive network of compromised devices to coordinate and execute synchronized attacks. The primary impact of DNS botnets is their potential to overwhelm and flood their target with malicious DNS traffic, rendering the targeted system virtually inaccessible. Such an assault can paralyze essential online services and disrupt business operations, incurring significant economic losses that can affect organizations ranging from corporations and financial institutions to e-commerce platforms, healthcare, and governmental agencies. As a result, DNS botnets have emerged as a formidable threat in the cybersecurity arena. The harm they inflict goes beyond financial losses: these attacks also erode the trust and reputation of the targeted entities, and downtime resulting from a DNS botnet assault can leave a lasting impact on the user experience, potentially driving customers away and causing long-term damage to an organization’s brand [6,7,23,24]. Additionally, service disruptions can result in significant data loss, posing a severe threat to the confidentiality and integrity of sensitive information. The consequences become dangerous when these attacks are directed at vital infrastructure, where they can disrupt essential services such as healthcare, transportation, and emergency response systems, as noted in various studies [25,26]. It is worth highlighting that the increasing integration of Internet of Things (IoT) devices into critical infrastructure renders it particularly susceptible to exploitation; these connected devices often lack robust security measures, making them attractive targets for malicious actors seeking to amplify the impact of their attacks [27,28].

2. Network Scanning Incident Classification

In [29], the authors present a passive Operating System (OS) fingerprinting approach to detect unauthorized OSes in an enterprise network. They use Transmission Control Protocol (TCP)/IP header fields such as Time to live (TTL), total length, and window size to identify the OSes generating the packets. Their methodology involves analyzing network traffic and comparing it to a database of known OS fingerprints, and the results show high accuracy in identifying and detecting unauthorized OSes. Another paper aims to do something similar, but instead looks at the popular network scanning tool NMAP (https://netml.github.io, accessed on 5 January 2024) [11,12]. That paper discusses the importance of detecting NMAP scanning behavior to protect hosts from malicious attacks, arguing that traditional defenses like firewalls are less effective at detecting NMAP scans, whereas Intrusion Detection Systems (IDS) can monitor network security events and raise alerts when abnormalities appear. The authors propose a Comprehensive NMAP Detection Rules (CNDR) set based on the Suricata system that also accounts for IDS evasion. CNDR achieves a detection rate of 100% for regular NMAP scanning and 91.7% for NMAP with IDS evasion on the authors’ designed dataset.

3. DDoS Attack Incident Classification

Considerable efforts have been dedicated to classifying and detecting Denial of Service (DoS) attacks, and many papers employ similar approaches to detect and classify them [30,31,32,33,34]. The Distributed Reflection Denial-of-Service (DRDoS) attack is covered extensively in [30]. That study examines and identifies the differences between TCP-based and User Datagram Protocol (UDP)-based DRDoS attacks, finding that DRDoS exploits vulnerabilities in the UDP protocol to flood a target with traffic: UDP is vulnerable because it allows the amplification of responses and does not verify source Internet Protocol (IP) addresses. A proposed solution is IEWA, which combines increased expenses and weak authentication to protect the Network Time Protocol (NTP). DRDoS is also examined in [31]. The authors evaluate the susceptibility of popular UDP-based protocols to DRDoS attacks, finding 14 protocols vulnerable, with traffic multiplied by a factor of up to 4670. They further identify millions of potential amplifiers for six vulnerable protocols and evaluate countermeasures against DRDoS attacks, showing that poorly designed rate-limiting solutions are evaded by some attacks and that packet-based filtering techniques are evaded as well. They propose a threat model that analyzes P2P botnets using amplification attacks to understand the potential severity of such attacks; the key point is that an attacker aims to consume all available bandwidth of a victim by using systems that reflect the attack traffic toward the victim. Another work allows attack data and anomaly profiles to be shared with other parties without disclosing the underlying data [32]. Recent works have explored Federated Learning (FL) methods on the CIC-DDoS2019 dataset [35], including LwResnet, FLDDoS, and FIDS. However, some of these solutions rely on the vanilla FEDAVG algorithm, which can increase convergence time on unbalanced non-i.i.d. attack data and may jeopardize clients’ privacy through data-sharing mechanisms [32]. In response to these challenges, the authors propose an adaptive FL approach named FLAD. FLAD facilitates the collaborative training of deep learning models on distributed profiles of cyber threats while preserving the confidentiality of the training data. It manages the FL process by dynamically allocating additional computation resources to members with more intricate attack profiles, all without the need to share test data. The study shows that FLAD surpasses the original FL algorithm in convergence time and accuracy across various unbalanced datasets featuring heterogeneous Distributed Denial of Service (DDoS) attacks. Meanwhile, other approaches aim to fingerprint more closely at the packet level [33]. The authors classify traffic patterns based on their statistical properties, including packet length, packet inter-arrival time, and time-to-live. The proposed system generates application fingerprints from transport-layer packet-level and flow-level features, and these fingerprints identify DDoS attacks by analyzing statistical information collected at the flow level. Paper [34] discusses how easily DoS attacks can be launched, while detection and response are often manual and slow; existing methods relying on packet headers are also vulnerable to spoofing. Their framework relies on header content, transient ramp-up behavior, and spectral analysis, making it more challenging to spoof. By evaluating a regional Internet Service Provider (ISP)’s access links, they could detect 80 live attacks. The framework has several applications, including aiding rapid response to attacks, developing realistic models of DoS traffic, and estimating the level of DoS activity on the Internet.

4. Automated Attack Classification and Intrusion Detection

Several studies have addressed classifying and detecting network attacks using machine learning algorithms. The papers [36,37,38,39,40,41,42] share similar methodologies but differ in the dataset and problem they tackle. Bayu Adhi et al. discuss using deep neural networks (DNNs) to classify attacks in the transport layer of Internet of Things (IoT) networks [36]. They note that anomaly detection is considered one of the most demanding tasks in intrusion detection systems (IDSs) and propose a robust DNN classifier model that can intelligently detect different kinds of attacks. The proposed method is evaluated on three benchmark datasets (UNSW-NB15, CIDDS-001, and GPRS) covering wired and wireless network environments. The authors use a grid search strategy to obtain the best parameter settings for each dataset, and their experimental results show that the DNN approach is practical in terms of accuracy, precision, recall, and false alarm rate. Another recent paper looked into preventing and detecting cyber attacks on IoT devices [37]. It evaluates various machine learning techniques, including k-nearest neighbor, support vector machine, decision tree, naive Bayes, random forest, artificial neural network, and logistic regression, for both binary and multi-class classification. The authors use the Bot-IoT dataset to compare the algorithms on accuracy, precision, recall, and log loss. Their results show that random forest outperforms the other algorithms in binary classification, while k-nearest neighbor (kNN) performs best in multi-class classification. The paper also provides an overview of the growing number of IoT devices, the associated risk of cyber attacks, and the limitations of traditional intrusion detection systems in detecting them. The authors of [38] provide a method for identifying DDoS attacks using a semi-supervised machine learning approach: clusters of network traffic data are obtained with unsupervised methods and then labeled through a voting scheme as normal, DDoS, or suspicious traffic. The dataset used consists of three features extracted with Principal Component Analysis (PCA), and three machine learning algorithms, kNN, Support Vector Machine (SVM), and Random Forest (RF), are applied to classify the labeled traffic data. The emergence of Software-Defined Networking (SDN) has given rise to a new form of networking and, with it, new types of attacks [39]. Ahuja et al. highlight the security issues of SDN, explain how DDoS attacks can occur at its different architectural planes, and propose a machine learning-based solution that separates benign traffic from DDoS attack traffic using novel features for DDoS detection. To this end, they create a dataset of SDN traffic logs and use a hybrid model of Support Vector Classifier with Random Forest (SVC-RF) to classify the traffic and evaluate the model’s accuracy. Regarding threat classification, two papers provide an excellent framework [41,42]. Both propose a new method to detect anomalies. The paper [41] proposes an algorithm with three steps: identifying related packets/flow records, deriving metrics related to the anomaly, and classifying the anomaly using a signature-based approach. In contrast, ref. [42] proposes developing machine-learning models to classify HyperText Transfer Protocol (HTTP) requests as normal or malicious in order to detect web application attacks. Both validate their proposed methods on datasets while highlighting the importance of automated classification.

5. DNS-Based Botnet Detection

There have also been many studies in the field of Domain Name System (DNS) botnet detection. Singh et al. discuss the limitations of existing surveys, which either lack in-depth comparisons or do not cover the full spectrum of DNS-based botnet detection techniques. Their work tackles this problem by focusing on botnet detection methods that use the DNS protocol. The contributions of the study include categorizing DNS-based botnet detection techniques, analyzing each technique within these categories, and proposing essential attributes for an innovative DNS-based botnet detection system [6,7]. In a related context, another work presents a system called “Notos” for dynamic DNS reputation scoring, which has shown promise in identifying malicious domains with high accuracy and low false positives in a large ISP’s network [23]. A more active approach was introduced by Ma et al., who proposed active probing based on DNS query characteristics, leveraging the Time to live (TTL)-based caching mechanism of recursive DNS (R-DNS) servers. By probing the cache of these servers, the monitoring system can observe cache behavior and, in turn, estimate DNS query activity. This approach significantly reduces management costs and privacy concerns [24]. Other research likewise leverages DNS query data to detect malicious DNS traffic [6,43,44,45]. Another published study adopts a comparable methodology, employing Genetic Algorithms (GA) to enhance the feature selection capabilities of an Intrusion Detection System (IDS), aiming to optimize the system’s performance within resource-constrained environments such as the Internet of Things (IoT) [46]. The collective body of research in DNS botnet detection highlights the diverse strategies employed to address this critical cybersecurity concern, from passive monitoring to active probing, all with the common aim of enhancing network security and safeguarding against malicious DNS traffic.

6. Feature Selection Approaches: Recursive Feature Elimination (RFE) and Autoencoder Analysis

While the researchers’ approach only covers using Genetic Algorithms (GA) to find the most prominent features in packet header data, other approaches aim to do the same thing, among them Recursive Feature Elimination (RFE) and Autoencoders. Several studies use RFE to perform intrusion detection [47,48,49]. The RFE algorithm systematically removes features: it first evaluates classifier performance with the entire feature set and then progressively generates smaller subsets by eliminating features, and this iterative process determines the most effective subset [47]. Awad et al. combine cross-validation with feature elimination, further refining the feature count and enhancing model performance [48]. Similarly, other methodologies such as Autoencoders are also viable for feature selection. The authors of [50] introduce a novel approach leveraging Autoencoder (AE) technology to discern behavioral patterns in IoT attacks. Their method constructs features by autonomously learning semantic similarities between command-derived data, providing improved clustering and a deeper understanding of attack behavioral patterns compared to traditional approaches. Another approach looks specifically at SQL injection attacks: Thalji et al. proposed an Autoencoder network (AE-Net) to automatically engineer features for detecting SQL injection attacks. By extracting deep features from SQL textual data, the AE-Net yields a more efficient data representation. Their method, integrated with the extreme gradient boosting classifier, achieved a k-fold accuracy score of 0.99, surpassing existing approaches, with hyperparameter tuning and k-fold cross-validation ensuring a robust performance evaluation [51].
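The following script is an added example, not code from this entry or from the papers it surveys. It puts the RFE loop just described (evaluate the full feature set, drop one feature at a time, keep the best subset) next to the GA-driven feature selection that the entry’s own method and [46] rely on, running both on a constructed set of packet-header features. The six field names, the two traffic classes, the nearest-centroid classifier and the fitness function (leave-one-out accuracy minus a small per-feature penalty) are all assumptions chosen so that the example runs offline; the surveyed papers use real datasets and heavier classifiers.

```python
"""Feature selection over packet-header features: RFE next to a genetic algorithm.

Added example; not code from the entry or the cited papers. The header fields,
the two traffic classes and the fitness function are assumptions for a demo.
"""
import random

# Hypothetical header fields; by construction only the first two carry a class signal.
FEATURES = ["ttl", "tcp_window", "ip_total_len", "ip_id_delta", "tcp_opts_len", "tos"]


def make_dataset(n_per_class=20, seed=7):
    """Constructed flows: label 0 = ordinary clients, label 1 = flood tool.
    ttl and tcp_window separate the classes; the other four fields are noise."""
    rng = random.Random(seed)
    rows, labels = [], []
    for label in (0, 1):
        for _ in range(n_per_class):
            ttl = (128 if label == 0 else 64) - rng.randint(0, 20)
            win = 65535 - rng.randint(0, 1000) if label == 0 else 8192 + rng.randint(0, 1000)
            noise = [rng.randint(40, 1500), rng.randint(0, 65535),
                     rng.randint(0, 40), rng.randint(0, 255)]
            rows.append([ttl, win] + noise)
            labels.append(label)
    return rows, labels


def standardize(rows):
    """Z-score every column so large-valued fields (window size) do not dominate distances."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [(sum((v - m) ** 2 for v in c) / len(c)) ** 0.5 or 1.0 for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in rows]


def loo_accuracy(rows, labels, subset):
    """Leave-one-out nearest-centroid accuracy using only the columns in `subset`."""
    if not subset:
        return 0.0
    sums = {c: [sum(r[f] for r, l in zip(rows, labels) if l == c) for f in subset] for c in (0, 1)}
    counts = {c: labels.count(c) for c in (0, 1)}
    correct = 0
    for x, y in zip(rows, labels):
        best, best_d = None, float("inf")
        for c in (0, 1):
            cnt = counts[c] - (c == y)  # hold the current sample out of its own class
            cen = [(s - (x[f] if c == y else 0)) / cnt for s, f in zip(sums[c], subset)]
            d = sum((x[f] - m) ** 2 for f, m in zip(subset, cen))
            if d < best_d:
                best, best_d = c, d
        correct += best == y
    return correct / len(rows)


def make_fitness(rows, labels, penalty=0.01):
    """Memoised fitness: accuracy minus a penalty per retained feature, so a field
    that adds nothing to accuracy is dropped instead of kept. Only 2^6 subsets exist."""
    cache = {}

    def fit(subset):
        key = tuple(sorted(subset))
        if key not in cache:
            cache[key] = loo_accuracy(rows, labels, list(key)) - penalty * len(key)
        return cache[key]
    return fit


def rfe_select(fit, n_features):
    """Backward elimination: score the full set, then repeatedly drop the feature
    whose removal hurts least; return the subset with the best fitness seen."""
    remaining = list(range(n_features))
    best_subset, best_fit = list(remaining), fit(remaining)
    while len(remaining) > 1:
        drop = max(remaining, key=lambda f: fit([g for g in remaining if g != f]))
        remaining.remove(drop)
        if fit(remaining) > best_fit:
            best_subset, best_fit = list(remaining), fit(remaining)
    return best_subset


def ga_select(fit, n_features, pop_size=24, generations=40, p_mut=0.1, seed=1):
    """Genetic algorithm over feature bitmasks: tournament selection, uniform
    crossover, bit-flip mutation, and elitism so the best mask is never lost."""
    rng = random.Random(seed)
    score = lambda mask: fit([f for f in range(n_features) if mask[f]])
    pop = [[rng.randint(0, 1) for _ in range(n_features)] for _ in range(pop_size)]
    best = max(pop, key=score)
    for _ in range(generations):
        children = [list(best)]
        while len(children) < pop_size:
            a = max(rng.sample(pop, 3), key=score)
            b = max(rng.sample(pop, 3), key=score)
            child = [x if rng.random() < 0.5 else y for x, y in zip(a, b)]
            child = [bit ^ (rng.random() < p_mut) for bit in child]
            children.append(child)
        pop = children
        best = max(pop + [best], key=score)
    return [f for f in range(n_features) if best[f]]


def run_demo():
    rows, labels = make_dataset()
    z = standardize(rows)
    fit = make_fitness(z, labels)
    return {"rfe": [FEATURES[f] for f in rfe_select(fit, len(FEATURES))],
            "ga": [FEATURES[f] for f in ga_select(fit, len(FEATURES))],
            "all_features_fitness": fit(list(range(len(FEATURES))))}


if __name__ == "__main__":
    print(run_demo())
```

Both searches converge on the informative header fields and discard the noise columns, which is the point of either technique: the classifier fed by an IDS runs faster and generalizes better on the reduced set. The drop-one scoring used here is the generic, classifier-agnostic form of RFE; library implementations such as scikit-learn’s rank features by model coefficients or importances instead, and the GA in [46] and the entry’s own method evaluate chromosomes with their chosen classifier rather than the nearest-centroid stand-in used above.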

References

  1. Huang, H.; Ahmed, N.; Karthik, P. On a New Type of Denial of Service Attack in Wireless Networks: The Distributed Jammer Network. IEEE Trans. Wirel. Commun. 2011, 10, 2316–2324.
  2. Palmieri, F.; Ricciardi, S.; Fiore, U.; Ficco, M.; Castiglione, A. Energy-oriented denial of service attacks: An emerging menace for large cloud infrastructures. J. Supercomput. 2015, 71, 1620–1641.
  3. Xu, Y.; Deng, G.; Zhang, T.; Qiu, H.; Bao, Y. Novel denial-of-service attacks against cloud-based multi-robot systems. Inf. Sci. 2021, 576, 329–344.
  4. Asri, S.; Pranggono, B. Impact of distributed denial-of-service attack on advanced metering infrastructure. Wirel. Pers. Commun. 2015, 83, 2211–2223.
  5. Hagos, D.H.; Yazidi, A.; Kure, O.; Engelstad, P.E. A Machine-Learning-Based Tool for Passive OS Fingerprinting with TCP Variant as a Novel Feature. IEEE Internet Things J. 2021, 8, 3534–3553.
  6. Singh, M.; Singh, M.; Kaur, S. Issues and challenges in DNS based botnet detection: A survey. Comput. Secur. 2019, 86, 28–52.
  7. Alieyan, K.; ALmomani, A.; Manasrah, A.; Kadhum, M.M. A survey of botnet detection based on DNS. Neural Comput. Appl. 2017, 28, 1541–1558.
  8. Shorey, T.; Subbaiah, D.; Goyal, A.; Sakxena, A.; Mishra, A.K. Performance Comparison and Analysis of Slowloris, GoldenEye and Xerxes DDoS Attack Tools. In Proceedings of the 2018 International Conference on Advances in Computing, Communications and Informatics (ICACCI), Bangalore, India, 19–22 September 2018; pp. 318–322.
  9. Cameron, C.; Patsios, C.; Taylor, P.C.; Pourmirza, Z. Using Self-Organizing Architectures to Mitigate the Impacts of Denial-of-Service Attacks on Voltage Control Schemes. IEEE Trans. Smart Grid 2019, 10, 3010–3019.
  10. Chahal, J.K.; Bhandari, A.; Behal, S. Distributed Denial of Service Attacks: A Threat or Challenge. New Rev. Inf. Netw. 2019, 24, 31–103.
  11. Albanese, M.; Battista, E.; Jajodia, S. A deception based approach for defeating OS and service fingerprinting. In Proceedings of the 2015 IEEE Conference on Communications and Network Security (CNS), Florence, Italy, 28–30 September 2015; pp. 317–325.
  12. Liao, S.; Zhou, C.; Zhao, Y.; Zhang, Z.; Zhang, C.; Gao, Y.; Zhong, G. A Comprehensive Detection Approach of Nmap: Principles, Rules and Experiments. In Proceedings of the 2020 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), Chongqing, China, 29–30 October 2020; pp. 64–71.
  13. Li, R.; Sosnowski, M.; Sattler, P. An overview of os fingerprinting tools on the internet. Network 2020, 73, 73–77.
  14. Acosta, J.C.; Basak, A.; Kiekintveld, C.; Kamhoua, C. Lightweight On-Demand Honeypot Deployment for Cyber Deception. In Digital Forensics and Cyber Crime; Gladyshev, P., Goel, S., James, J., Markowsky, G., Johnson, D., Eds.; Springer: Cham, Switzerland, 2022; pp. 294–312.
  15. Khera, Y.; Kumar, D.; Sujay; Garg, N. Analysis and Impact of Vulnerability Assessment and Penetration Testing. In Proceedings of the 2019 International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon), Faridabad, India, 14–16 February 2019; pp. 525–530.
  16. Brooks, R.R.; Yu, L.; Ozcelik, I.; Oakley, J.; Tusing, N. Distributed Denial of Service (DDoS): A History. IEEE Ann. Hist. Comput. 2022, 44, 44–54.
  17. Khalaf, B.A.; Mostafa, S.A.; Mustapha, A.; Mohammed, M.A.; Abduallah, W.M. Comprehensive Review of Artificial Intelligence and Statistical Approaches in Distributed Denial of Service Attack and Defense Methods. IEEE Access 2019, 7, 51691–51713.
  18. Mahjabin, S. Implementation of DoS and DDoS attacks on cloud servers. Period. Eng. Nat. Sci. 2018, 6, 148–158.
  19. Catillo, M.; Pecchia, A.; Villano, U. No more DoS? An empirical study on defense techniques for web server Denial of Service mitigation. J. Netw. Comput. Appl. 2022, 202, 103363.
  20. Nayyar, S.; Arora, S.; Singh, M. Recurrent Neural Network Based Intrusion Detection System. In Proceedings of the 2020 International Conference on Communication and Signal Processing (ICCSP), Chennai, India, 28–30 July 2020; pp. 136–140.
  21. Gokul Pran, S.; Raja, S. An efficient feature selection and classification approach for an intrusion detection system using Optimal Neural Network. J. Intell. Fuzzy Syst. 2023, 44, 8561–8571.
  22. Kshirsagar, D.; Shaikh, J.M. Intrusion detection using rule-based machine learning algorithms. In Proceedings of the 2019 5th International Conference on Computing, Communication, Control and Automation (ICCUBEA), Pune, India, 19–21 September 2019; pp. 1–4.
  23. Antonakakis, M.; Perdisci, R.; Dagon, D.; Lee, W.; Feamster, N. Building a dynamic reputation system for . In Proceedings of the 19th USENIX Security Symposium (USENIX Security 10), Washington, DC, USA, 11–13 August 2010.
  24. Ma, X.; Zhang, J.; Li, Z.; Li, J.; Tao, J.; Guan, X.; Lui, J.C.; Towsley, D. Accurate DNS query characteristics estimation via active probing. J. Netw. Comput. Appl. 2015, 47, 72–84.
  25. Vargas, L.; Blue, L.; Frost, V.; Patton, C.; Scaife, N.; Butler, K.R.; Traynor, P. Digital Healthcare-Associated Infection: A Case Study on the Security of a Major Multi-Campus Hospital System. In Proceedings of the NDSS, San Diego, CA, USA, 24–27 February 2019.
  26. Ghafir, I.; Prenosil, V.; Hammoudeh, M.; Baker, T.; Jabbar, S.; Khalid, S.; Jaf, S. BotDet: A System for Real Time Botnet Command and Control Traffic Detection. IEEE Access 2018, 6, 38947–38958.
  27. Kumar, A.; Sharma, I. Augmenting IoT Healthcare Security and Reliability with Early Detection of IoT Botnet Attacks. In Proceedings of the 2023 4th International Conference for Emerging Technology (INCET), Belgaum, India, 26–28 May 2023; pp. 1–6.
  28. Quamara, M.; Gupta, B.B.; Yamaguchi, S. An End-to-End Security Framework for Smart Healthcare Information Sharing against Botnet-based Cyber-Attacks. In Proceedings of the 2021 IEEE International Conference on Consumer Electronics (ICCE), Las Vegas, NV, USA, 10–12 January 2021; pp. 1–4.
  29. Tyagi, R.; Paul, T.; Manoj, B.; Thanudas, B. Packet Inspection for Unauthorized OS Detection in Enterprises. IEEE Secur. Priv. 2015, 13, 60–65.
  30. Nuiaa, R.R.; Manickam, S.; Alsaeedi, A.H. Distributed reflection denial of service attack: A critical review. Int. J. Electr. Comput. Eng. 2021, 11, 5327.
  31. Rossow, C. Amplification Hell: Revisiting Network Protocols for DDoS Abuse. In Proceedings of the NDSS, San Diego, CA, USA, 23–26 February 2014; pp. 1–15.
  32. Doriguzzi-Corin, R.; Siracusa, D. FLAD: Adaptive Federated Learning for DDoS Attack Detection. arXiv 2022, arXiv:2205.06661. Available online: http://arxiv.org/abs/2205.06661 (accessed on 5 January 2024).
  33. Ahmed, M.E.; Ullah, S.; Kim, H. Statistical application fingerprinting for DDoS attack mitigation. IEEE Trans. Inf. Forensics Secur. 2018, 14, 1471–1484.
  34. Hussain, A.; Heidemann, J.; Papadopoulos, C. A framework for classifying denial of service attacks. In Proceedings of the 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, Karlsruhe, Germany, 25–29 August 2003; pp. 99–110.
  35. Sharafaldin, I.; Lashkari, A.H.; Hakak, S.; Ghorbani, A.A. Developing realistic distributed denial of service (DDoS) attack dataset and taxonomy. In Proceedings of the 2019 International Carnahan Conference on Security Technology (ICCST), Chennai, India, 1–3 October 2019; pp. 1–8.
  36. Tama, B.A.; Rhee, K.H. Attack classification analysis of IoT network via deep learning approach. Res. Briefs Inf. Commun. Technol. Evol. (ReBICTE) 2017, 3, 1–9.
  37. Churcher, A.; Ullah, R.; Ahmad, J.; Ur Rehman, S.; Masood, F.; Gogate, M.; Alqahtani, F.; Nour, B.; Buchanan, W.J. An experimental analysis of attack classification using machine learning in IoT networks. Sensors 2021, 21, 446.
  38. Aamir, M.; Zaidi, S.M.A. Clustering based semi-supervised machine learning for DDoS attack classification. J. King Saud-Univ.-Comput. Inf. Sci. 2021, 33, 436–446.
  39. Ahuja, N.; Singal, G.; Mukhopadhyay, D.; Kumar, N. Automated DDOS attack detection in software defined networking. J. Netw. Comput. Appl. 2021, 187, 103108.
  40. Ayoade, G.; Chandra, S.; Khan, L.; Hamlen, K.; Thuraisingham, B. Automated threat report classification over multi-source data. In Proceedings of the 2018 IEEE 4th International Conference on Collaboration and Internet Computing (CIC), Philadelphia, PA, USA, 18–20 October 2018; pp. 236–245.
  41. Fernandes, G.; Owezarski, P. Automated classification of network traffic anomalies. In Proceedings of the Security and Privacy in Communication Networks: 5th International ICST Conference, SecureComm 2009, Athens, Greece, 14–18 September 2009; Revised Selected Papers 5. Springer: Berlin/Heidelberg, Germany, 2009; pp. 91–100.
  42. Bhagwani, H.; Negi, R.; Dutta, A.K.; Handa, A.; Kumar, N.; Shukla, S.K. Automated classification of web-application attacks for intrusion detection. In Proceedings of the Security, Privacy, and Applied Cryptography Engineering: 9th International Conference, SPACE 2019, Gandhinagar, India, 3–7 December 2019; Proceedings 9. Springer: Berlin/Heidelberg, Germany, 2019; pp. 123–141.
  43. Hoang, X.D.; Nguyen, Q.C. Botnet detection based on machine learning techniques using DNS query data. Future Internet 2018, 10, 43.
  44. Jin, Y.; Ichise, H.; Iida, K. Design of Detecting Botnet Communication by Monitoring Direct Outbound DNS Queries. In Proceedings of the 2015 IEEE 2nd International Conference on Cyber Security and Cloud Computing, New York, NY, USA, 3–5 November 2015; pp. 37–41.
  45. Alieyan, K.; Almomani, A.; Anbar, M.; Alauthman, M.; Abdullah, R.; Gupta, B.B. DNS rule-based schema to botnet detection. Enterp. Inf. Syst. 2021, 15, 545–564.
  46. Liu, X.; Du, Y. Towards Effective Feature Selection for IoT Botnet Attack Detection Using a Genetic Algorithm. Electronics 2023, 12, 1260.
  47. Ustebay, S.; Turgut, Z.; Aydin, M.A. Intrusion Detection System with Recursive Feature Elimination by Using Random Forest and Deep Learning Classifier. In Proceedings of the 2018 International Congress on Big Data, Deep Learning and Fighting Cyber Terrorism (IBIGDELFT), Ankara, Turkey, 3–4 December 2018; pp. 71–76.
  48. Awad, M.; Fraihat, S. Recursive Feature Elimination with Cross-Validation with Decision Tree: Feature Selection Method for Machine Learning-Based Intrusion Detection Systems. J. Sens. Actuator Netw. 2023, 12, 67.
  49. Kannari, P.R.; Chowdary, N.S.; Laxmikanth Biradar, R. An anomaly-based intrusion detection system using recursive feature elimination technique for improved attack detection. Theor. Comput. Sci. 2022, 931, 56–64.
  50. Haseeb, J.; Mansoori, M.; Hirose, Y.; Al-Sahaf, H.; Welch, I. Autoencoder-based feature construction for IoT attacks clustering. Future Gener. Comput. Syst. 2022, 127, 487–502.
  51. Thalji, N.; Raza, A.; Islam, M.S.; Samee, N.A.; Jamjoom, M.M. AE-Net: Novel Autoencoder-Based Deep Features for SQL Injection Attack Detection. IEEE Access 2023, 11, 135507–135516.