Optimized t-Test Feature Selection for Real-Time Detection of Low and High-Rate DDoS Attacks

Abstract

Distributed Denial of Service (DDoS) attacks stand out as a serious threat, capable of disrupting online services and businesses. The main aim of Distributed Denial of Service (DDoS) attacks is to make system services unavailable to the legitimate users. To detect these attacks, intrusion detection systems (IDS) continually monitor the network traffic. During this process, the IDS system generates high false positive rates while distinguishing low-rate DDoS (LRDDoS) and high-rate DDoS (HRDDoS) attack traffic from legitimate traffic. The idea behind feature selection is that picking the right network features is a key part of interpreting the difference between normal traffic and LRDDoS or HRDDoS attack traffic. This means the IDS performance will automatically get better. In this paper, we propose a scalable feature selection method that utilizes the statistical t-test to identify an optimal feature subset from original feature set at a low computational cost. We strongly hypothesize that the proposed feature selection method yields an optimal feature subset and the machine learning classifiers trained on this feature set can effectively distinguish benign, LRDDoS, and HRDDoS network traffic. We evaluated the proposed method on the publicly available benchmark datasets CICIDS2017, CICIDS2018, and CICDDoS2019, utilizing twelve supervised machine learning classifiers. Among the twelve classifiers, the Extra Tree Classifier (EXT) demonstrated superior performance, achieving an average accuracy of 96.50%, precision of 96.58%, and an F-Score of 96.50% across the four sample test datasets (D1, D2, D3, and D4). The proposed method showed consistent and superior performance in distinguishing the LRDDoS, HRDDoS, and benign traffic to the state-of-the-art existing works over the four test datasets.