This project focuses on classifying SYN flood attacks from normal network traffic using various machine learning (ML) and deep learning (DL) techniques. Our goal is to create efficient, real-time capable models that can distinguish SYN flood patterns from benign traffic behavior.
We use the CIC-DDoS2019 dataset provided by the Canadian Institute for Cybersecurity (CIC).
Key Points about the Dataset:
- Simulates real-world DDoS attacks in a realistic network environment.
- Traffic generated from diverse attack types, including SYN Flood, UDP Flood, and HTTP Flood.
- Covers different attack scenarios across multiple days.
- Contains detailed flow-level features (over 85 per flow) extracted using CICFlowMeter.
- Includes timestamps, flow duration, packet sizes, and flag counts.
For this project, we specifically extract SYN flood attack samples and benign traffic for a targeted binary classification task.
Can we classify SYN flood attacks from normal network traffic using various ML and DL methods?
Given the large size and complexity of the original dataset, we performed focused preprocessing steps to prepare the data for efficient real-time prediction:
-
Feature Selection: We selected 13 features highly relevant to SYN flood detection, balancing informativeness and computational efficiency:
- SYN Flag Count: Identifies SYN packets, critical to this attack type.
- Total Fwd Packets: High counts can indicate flooding attempts.
- Total Backward Packets: Low response suggests incomplete handshakes.
- Flow Duration: Short flows are typical of SYN floods.
- Flow Packets/s: Rapid packet rates can signal an attack.
- Flow Bytes/s: Highlights volume and pattern of transmitted data.
- Fwd Packet Length Mean: Uniform packet sizes are common in SYN floods.
- Bwd Packet Length Mean: Few or no backward packets suggest missing responses.
- Bwd IAT Mean: Irregular reply intervals may indicate an attack.
- ACK Flag Count: Low ACK counts imply incomplete TCP handshakes.
- Active Mean: Short active times are characteristic of flooding.
- Inbound: Directionality helps identify the attack target.
- Label: Specifies whether the flow is benign or SYN attack.
-
Sampling: We randomly selected 5,000 SYN attack instances and 5,000 benign instances, creating a balanced and manageable 10,000-row dataset.
-
Cleaning: We removed rows containing null (NA) or infinite (Inf) values to ensure reliable and error-free model training.
This structured preprocessing ensures a clean, efficient, and representative dataset ready for training robust ML and DL models for SYN flood detection.