This project explores the use of Machine Learning (ML) techniues to detect SYN FLood attacks, a type of Denial-of-Service (DoS) attack. By leveraging data collected from network traffic under both normal and attack scenarios, the project aims to train and evaluate ML models (including anomaly detection algorithms) to determine which algorithms are best suited for detecting such attacks.
-
Front-End for Data Collection:
- Created 4 VMs each of which has a role. The 3 VMs which run Linux OS will act as the normal user at one instance and malicious user at another instance and the 4th VM will be the main server as shown in the diagram below:
- Developed a simple interface for collecting network traffic (index.html) by creating a form asking for user name, email and message. This form has been created on an Apache server.
- Created 4 VMs each of which has a role. The 3 VMs which run Linux OS will act as the normal user at one instance and malicious user at another instance and the 4th VM will be the main server as shown in the diagram below:
-
Dataset Creation:
- In order to generate normal traffic macros was used which helped automate the process of filling forms by giving sufficient gap between each time the form was filled to mimic normal user activity.
- In order to generate a SYN Flood attack hping3 cmd was used from one VM targetting the other in order to mimic a typical SYN Flood attack.
-
Machine Learning Model Training:
- Trained multiple ML models using the datasets, including:
- Supervised learning algorithms like Decision Trees, Random Forests, and Support Vector Machines (SVM).
- Deeep Learning models for more compplex pattern recognition.
- Evaluated ML models based on accuracy, precision, recall, and F1-score to identify the best performing approach.
- Trained multiple ML models using the datasets, including:
-
Model Evaluation and Comparison:
- Compared the effectiveness of the trained modelsin detecting SYN Flood Attacks Analysed strengths and weaknesses of each model to provide insights into their suitability for real-world deployment.
- Virtual Machines: Set up using VMware
- Frontend development: Built using HTML, CSS, iMacros extension
- Networking Tools: Wireshark, tcpdump
- Machine Learning Frameworks:
- Python libraries such as Scikit-learn
- Data Processing: Pandas, NumPy, for preprocessing and feature extraction
- Virtualization Software (e.g., VMware, VirtualBox)
- Python 3.8+ and relevant libraries
- iMacros pluggin for a web browser. For the purposes of this experiment ran it on Mozilla Firefox.
- Basic understanding of TCP/IP networking and ML algorithms.
-
Clone the repository:
git clone https://github.com/ferrindsouza/SYN_Flood_Detection.git``` -
Set up the VMs ( make sure they're on the same network) and install required tools for network monitoring
-
Install the Pythton dependencies
pip install -r requirements.txt``` -
Install and start Apache to act as web server using the following command:
sudo apt update sudo apt install apache2 sudo service apache2 start```
- Followed the steps mentioned in Dataset Creation
- Monitored the traffic on wireshare and saved it in an .cap file fir further analysis.
- Preprocess the collected data to extract relevant features
- Train the ML models using various ML algorithms
- Evaluate the models and generate reports
- MLP has been shown to be the most effective algorithm in detecting SYN Flood based on this experiment. THis shows anomaly detection algorithms are most suitable to detect SYN FLood Attacks.
- Insights into feature importance and challenges in distinguishing normal and attack traffic.
- Extend the detection system to other types of DoS/DDoS attacks.
- Implementing real-time detection using trained models.
Ferrin Dsouza