Abstract
Cyber threats and attacks have continued to evolve in complexity and sophistication, posing significant risks to the
availability, confidentiality, and integrity of an organization's network infrastructure and sensitive data. There is
therefore a great need for a defense mechanism to counteract this problem. This study focused on modeling a packet
sniffer that uses machine learning techniques to identify denial-of-service (DoS) attack packets at the network layer
of the OSI model. The overall purpose of the study was to capture and interpret packets transmitted over a local area
network in order to detect and capture DoS threats within the network layer of the Open Systems Interconnection (OSI)
model. This layer is prone to several attacks, for instance denial of service, routing protocol attacks, port scanning
and enumeration, and fragmentation-based attacks. The study delved into detecting and capturing denial-of-service
threats at the third layer of the OSI model in a local area network. Examples of DoS attacks are the UDP flood, which
sends a large quantity of User Datagram Protocol (UDP) packets to the targeted systems and thereby exhausts network
resources; the ICMP flood, which transmits a large quantity of Internet Control Message Protocol (ICMP) packets to
overwhelm network devices; and the SYN flood, which takes advantage of the TCP three-way handshake procedure by
sending many SYN requests without completing the handshake, consuming server resources and blocking valid
connections. The essential components extracted from Ethernet frames comprise TCP segments, ICMP packets, IPv4
packets, and their associated flags. Although antivirus programs, intrusion detection systems, and firewalls are
crucial barriers against malicious attacks, they frequently fall short in detecting and halting more sophisticated
attacks that evade their protection. The study sought to bridge this gap by providing an automated machine
learning-based packet sniffer that can identify and categorize network risks. The LightGBM model was successfully
trained and implemented for the task of detecting DoS attacks. The CICIDS2018 dataset was used; it provides labeled
network traffic data containing both normal and attack (DoS) instances. The model was trained to classify traffic as
either normal or a DoS attack based on various network features. The model's performance was evaluated using several
metrics, including sensitivity, specificity, and accuracy, to demonstrate its ability to accurately detect threats at
the network layer in a local area network. The AUC (Area Under the Curve) was particularly high, which indicated that
the model was able to effectively differentiate between normal traffic and DoS attacks. Additionally, the F1-score,
precision, and recall were balanced, suggesting that the model was capable of identifying attacks while minimizing
false positives and false negatives. The model was successful in meeting its primary objective of detecting DoS
attacks from network traffic. The performance metrics indicated that LightGBM is a strong candidate for the task,
achieving a high AUC and a well-balanced F1-score. This showed that the model achieved good generalization
capability and can effectively distinguish between normal traffic and DoS attack traffic in most cases. The main
contribution of this work is the development of a LightGBM-based machine learning model for detecting DoS attacks
using the CICIDS2018 dataset. The model's ability to classify network traffic as normal or malicious will aid in
enhancing network security by automating the detection of such attacks in LANs. The model can henceforth serve as a
foundational step for building more advanced intrusion detection systems, especially for environments where DoS
attacks are prevalent.
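As an added illustration (not code from the thesis), the following Python shows the sniffer-side step the abstract describes: pulling the IPv4 header, TCP flags and ICMP type out of raw Ethernet frames and deriving a per-source half-open SYN count of the kind a classifier such as LightGBM would consume. The frames, the `build_frame`/`tcp_segment` helpers and the flood threshold of 100 are constructed for the example, not taken from the study.

```python
import struct
from collections import Counter

# Constructed example: extracts the layer-2/3/4 fields named in the abstract
# (IPv4 header, TCP flags, ICMP type) and derives a per-source half-open SYN
# feature. Frames are built in-code, not captured from a real LAN.
ETH_P_IP = 0x0800
PROTO_ICMP, PROTO_TCP = 1, 6
TCP_SYN, TCP_ACK = 0x02, 0x10

def parse_frame(frame: bytes) -> dict:
    """Return IPv4 and TCP/ICMP fields of one Ethernet frame, or {} if not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return {}
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length in bytes
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    frag = struct.unpack("!H", frame[20:22])[0] & 0x1FFF  # fragment offset (fragmentation attacks)
    rec = {"src": src, "dst": dst, "proto": proto, "frag_offset": frag,
           "tcp_flags": 0, "icmp_type": None}
    l4 = frame[14 + ihl:]
    if proto == PROTO_TCP and len(l4) >= 14:
        rec["tcp_flags"] = l4[13]                         # flags byte of the TCP header
    elif proto == PROTO_ICMP and len(l4) >= 1:
        rec["icmp_type"] = l4[0]
    return rec

def build_frame(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Build a constructed Ethernet/IPv4 frame (checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + l4

def tcp_segment(flags: int) -> bytes:
    # sport, dport, seq, ack, data offset (5 words << 4), flags, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)

def syn_flood_features(frames, threshold: int = 100) -> dict:
    """Count SYNs without ACK per source; flag sources at or above the threshold."""
    syns = Counter()
    for rec in map(parse_frame, frames):
        if rec and rec["proto"] == PROTO_TCP and (rec["tcp_flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN:
            syns[rec["src"]] += 1
    return {s: {"syn_count": n, "suspected_syn_flood": n >= threshold} for s, n in syns.items()}
```

In a real deployment the count would be taken over a sliding time window and fed, alongside the other per-packet features, to the trained model rather than compared against a fixed threshold.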