DSpace Repository

A Machine Learning-Based Packet Sniffer for Detection and Classification of the Denial of Service Attack Packets at The Network Layer


dc.contributor.author Kipkorir P
dc.date.accessioned 2025-06-25T08:59:33Z
dc.date.available 2025-06-25T08:59:33Z
dc.date.issued 2025
dc.identifier.uri http://repository.kyu.ac.ke/123456789/1149
dc.description.abstract The research study modelled a packet sniffer that utilizes machine learning techniques to identify denial of service (DoS) attack packets at the network layer of the OSI model. Cyber threats and attacks have continued to evolve in complexity and sophistication, posing significant risks to the availability, confidentiality, and integrity of network infrastructure and sensitive data. Conventional methods frequently fail to identify and mitigate these attacks, which highlights the need for more sophisticated methods to improve network security. The overall purpose of the study was to capture and interpret packets transmitted over a local area network in order to detect and capture DoS threats within the network layer of the Open Systems Interconnection (OSI) model. This layer is prone to several attacks, for instance denial of service, routing protocol attacks, port scanning and enumeration, and fragmentation-based attacks. In this study, however, we focused on detecting and capturing denial of service threats at the third layer of the OSI model in a local area network. Examples of DoS attacks are the UDP flood, which sends a large quantity of User Datagram Protocol (UDP) packets to the targeted systems and thereby exhausts network resources; the ICMP flood, which transmits a large quantity of Internet Control Message Protocol (ICMP) packets to overwhelm network devices; and the SYN flood, which takes advantage of the TCP three-way handshake by sending many SYN requests without completing the handshake, consuming server resources and blocking valid connections. Essential components extracted from Ethernet frames comprise TCP segments, ICMP packets, IPv4 packets, and their associated flags. IPv4, a crucial protocol in Internet communication, provides logical addressing and routing and forms the Internet's backbone.
The Internet Control Message Protocol (ICMP) facilitates error reporting and the exchange of operational information within the Internet Protocol suite. A packet consists of a header section and a data section; a TCP segment is made up of the data bytes plus the header that TCP prepends to them. Even though Internet-based data transmission protocols have expanded, traditional network security measures are frequently insufficient against the dynamic landscape of cyber threats that target networks used for data transfer. This deficiency emphasizes the need for innovative technologies to improve network security. Although antivirus programs, intrusion detection systems, and firewalls are crucial barriers against malicious attacks, they frequently fall short in detecting and halting more crafty attacks that evade their protection. The study sought to bridge this gap by providing an automated machine learning-based packet sniffer that can identify and categorize network risks. An experimental research methodology was used to address the research objectives thoroughly. The study employed the CICIDS2018 dataset, which provides labeled network traffic data containing both normal and attack (DoS) instances, and a LightGBM model was successfully trained and implemented for the task of detecting DoS attacks. The model was trained to classify traffic as either normal or a DoS attack based on various network features. Its performance was evaluated using several metrics, including sensitivity, specificity, and accuracy, to demonstrate its ability to accurately detect threats at the network layer in a local area network. The AUC (Area Under the Curve) was particularly high, indicating that the model was able to effectively differentiate between normal traffic and DoS attacks.
Additionally, the F1-score, precision, and recall were balanced, suggesting that the model was capable of identifying attacks while minimizing false positives and false negatives. The model met its primary objective of detecting DoS attacks from network traffic. The performance metrics indicate that LightGBM is a strong candidate for the task, achieving a high AUC and a well-balanced F1-score. This suggests the model achieved good generalization capabilities and can effectively distinguish between normal traffic and DoS attack traffic in most cases. The main contribution of this work is the development of a LightGBM-based machine learning model for detecting DoS attacks using the CICIDS2018 dataset. The model's ability to classify network traffic as normal or malicious will aid in enhancing network security by automating the detection of such attacks in LANs. The model will henceforth serve as a foundational step for building more advanced intrusion detection systems, especially for environments where DoS attacks are prevalent. en_US
dc.publisher Kirinyaga University en_US
dc.title A Machine Learning-Based Packet Sniffer for Detection and Classification of the Denial of Service Attack Packets at The Network Layer en_US
dc.type Article en_US

