Filtering DDoS Attacks from Unlabeled Network Traffic Data Using Online Deep Learning

DDoS attacks are simple, effective, and still pose a significant threat even after more than two decades. Given the recent success in machine learning, it is interesting to investigate how we can leverage deep learning to filter out application layer attack requests. There are challenges in adopting deep learning solutions due to the ever-changing profiles, the lack of labeled data, and constraints in the online setting. Offline unsupervised learning methods can sidestep these hurdles by learning an anomaly detector N from the normal-day traffic N. However, anomaly detection does not exploit information acquired during attacks, and their performance typically is not satisfactory. In this paper, we propose two approaches that utilize both the historic N and the mixture M traffic obtained during attacks, consisting of unlabeled requests. First, our proposed approach, inspired by statistical methods, extends an unsupervised anomaly detector N to solve the problem using estimated conditional probability distributions. We adopt transfer learning to apply N on N and M separately and efficiently, combining the results to obtain an online learner. Second, we formulate a specific loss function more suited for deep learning and use iterative training to solve it in the online setting. On publicly available datasets, such as the CICIDS2017, our online learners achieve an average of 90.6% accuracy rates compared to the baseline detection method, which achieves around 60.0% accuracy. In the offline setting, our approaches on unlabeled data achieve competitive accuracy compared to classifiers trained on labeled data.