City Research Online

ForChaosLR: A Lightweight Multi-Layer IDS to detect application layer DDoS attacks in the smart home-smart grid network

Procopiou, A. (2021). ForChaosLR: A Lightweight Multi-Layer IDS to detect application layer DDoS attacks in the smart home-smart grid network. (Unpublished Doctoral thesis, City, University of London)


Worldwide issues such as overpopulation, environmental pollution, emissions exhaustion, global warming, energy waste, health problems, public transport congestion and overcrowding, the concept of a smart city has emerged. A smart city’s main objective is to improve the life quality of its citizens, promote sunstainability and protect the envrionment. For the realisation of this vision, a set of different technologies are adopted that can tranform the city’s components into "smart entities". The most catalytic technology for this is the integration of the Internet of Things (IoT). Through IoT mechanical/electrical entities are able to communicate with each other directly and exchange useful data to their functioning, are connected to the Internet and can be controlled remotely and collect data from the environment they are deployed at.

Their multiple benefits are hihglighted through a plethora of different networks and systems, with a notable example being the smart home-smart grid network. This interaction between the two networks is one of the most beneficial to the smart city as it helps residential owners in their tasks and improves their quality of life. Furthermore, the two-way communication between the smart home and the smart grid offers the smart city citizens the opportunity to manage their electricty consumption efficiently and in an envrionmentally friendly way, decrease their electricity bill, be part of energy saving up reward programmes, have their smart appliances and intelligent devices being monitored and maintened remotely by relevant third-party services and even exchange energy to the smart grid, provided they
have energy distributed services installed in their premises.

This tight and high inter-connectivity between the two networks can be maliciosuly used to perform cross-network attacks, especially from being initiated from the smart home side where the security measures might be weak or non-existant. In the past, there have been numerous security incidents where IoT devices have been easily compromised due to their lack of proper security solutions deployed. Notable examples of such incidents are the Mirai botnet Aidra, Bashlite and IRCTelnet.

One of the most popular attacks which is likely to cause the most immediate effect is a Distributed Denial of Service (DDoS) attack. Of particular interest are application layer DDoS attacks, specifically flooding and slow-rate, as they can cause more damage to the target. They require less resources and are much steathier and similar to legitimat traffic. Therefore, such attacks are harder to be detected by an intrusion detection system (IDS).

For the detection of such attacks, multiple IDSs have been proposed, most of them consisting machine learning algorithms. Although the proposed systems achieved remarkable results they are high in computational complexity and resources, such as training time, memory usage, CPU power and training data. As a result, they can cause computational burden and exhaust the resources of IoT devices. Therefore, a proposed IDS solution must be as lightweight as possible so it does not cause any computational burden. The majority of lightweight approaches consist of constructing a baseline approach, based on legitimate behaviour observed, and flagging anything that falls out of this baseline. Such an
approach could potentially raise a high number of false alarms. Therefore, there should be an additional layer that cooperates with the lightweight detection layer in regulating the false alarms but not to an extent it increases the complexity significantly. It is important to define an effective trade-off between overall accuracy and resource constraints as many of the IoT devices deployed in the smart home-smart grid network so the IDS is accurate in classifying incoming traffic correctly but also not exhausting the resources of the device.

The thesis proposes a novel multi-layer IDS system for application layer flooding and slow-rate DDoS attacks in the smart home-smart grid network that aims to accurately detect such attacks, achieve a low false positive rate and maintain its low complexity in computational resources. On the first layer we implemented a combination of simple exponential smoothing forecasting algorithm with lyapunov exponents measuring chaotic behaviour mechanism. This combination is lightweight in resources, training time and size and has been proved to be effective against such attacks. On the second layer we deployed logistic regression which is more sophisticated, especially in regulating false positives, but still lighter than heavier machine learning algorithms such as neural networks, random forest, Bayesian networks and support vector machines.

We implemented a simulation of a smart home-smart grid network in NS-3 network simulator and generated enough data to construct a dataset. Our proposed system, ForChaosLR multi-layer IDS, was evaluated using the dataset constructed and compared to other notable and popular machine learning algorithms. Furthermore, we evaluated ForChaosLR compared to the chosen set of machine learning algorithms using other real-world datasets to evaluate its effectiveness in further.

Proceeding, we evaluated its accuracy in classifying incoming malicious traffic to a specific attack category and monitored its computational resources (memory usage, CPU power and training/testing time) using a Raspberry Pi 3 model B+. Once again, ForChaosLR’s results were compared to the equivalent results achieved from the machine learning algorithms chosen.

Through the different sets of experiments conducted, we demonstrated that ForChaosLR multi-layer IDS is a suitable lightweight IDS system for a resource-constrained network, such as the smart home-smart grid, that is accurate in detecting the application layer flooding and slow-rate DDoS attacks without overstressing the Raspberry Pi 3 model B+ and its resources, specifically memory, CPU power. ForChaosLR is also successful in classifying application layer DDoS attacks to their respective categories and attack types.

Publication Type: Thesis (Doctoral)
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Departments: Doctoral Theses
School of Mathematics, Computer Science & Engineering
School of Mathematics, Computer Science & Engineering > Computer Science
[img] Text - Accepted Version
This document is not freely accessible until 31 January 2025 due to copyright restrictions.

To request a copy, please use the button below.

Request a copy



Downloads per month over past year

View more statistics

Actions (login required)

Admin Login Admin Login