Enhancing intrusion detection against denial of service and distributed denial of service attacks: Leveraging extended Berkeley packet filter and machine learning algorithms
Nemalikanti Anand, Saifulla M A, Pavan Kumar Aakula, Raveendra Babu Ponnuru, Rizwan Patan, Chegireddy Rama Prakasha Reddy
Journal article, IET Communications, vol. 19, no. 1, published 2025-01-06. DOI: 10.1049/cmu2.12879 (https://onlinelibrary.wiley.com/doi/10.1049/cmu2.12879; PDF: https://onlinelibrary.wiley.com/doi/epdf/10.1049/cmu2.12879). JCR category: Q3, Engineering, Electrical & Electronic.
Citations: 0
Abstract
As organizations increasingly rely on network services, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks have become significant threats. Countering them depends on the timely and precise detection provided by intrusion detection systems (IDS). This paper introduces an IDS framework that integrates the extended Berkeley Packet Filter (eBPF) with machine learning classifiers, specifically Decision Tree (DT), Random Forest (RF), Support Vector Machine (SVM), and TwinSVM, for real-time detection of DDoS attacks. The framework is designed to be robust and scalable against DoS and DDoS traffic, leveraging eBPF's ability to run inside the Linux kernel and so avoid the constraints of user-space packet processing. The methodology comprises: (a) collection of data from the CIC-IDS-2017 dataset; (b) preprocessing of the raw data through transmission, cleaning, reduction, and discretization; (c) selection of the most discriminative features from the preprocessed data with an ANOVA F-test; (d) training the ML classifiers (DT, RF, SVM, and TwinSVM) on the selected features to flag potential intrusions; (e) an eBPF program that captures network traffic and applies the trained model parameters to detect attacks directly within the kernel. Experimental results show accuracy of 99.38%, 99.44%, 88.73%, and 93.82% for DT, RF, SVM, and TwinSVM respectively, with precision of 99.71%, 99.65%, 84.31%, and 98.49%. The resulting detection model is suited to high-traffic environments such as data centers.
The architecture also leaves room for future work, including integration of eBPF with XDP to achieve lower-latency packet processing. The experimental code is available at https://github.com/NemalikantiAnand/Project.
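Steps (c) to (e) of the methodology above, as an added example that is not the paper's code (the authors' repository is linked in the abstract): an ANOVA F-test ranks per-flow features, a decision tree in scikit-learn's array layout is exported as a packed integer node table of the kind a BPF array map would hold, and a bounded-depth traversal classifies flows the way an eBPF program would have to. The flow features, the tree arrays, the fixed-point scales and the node record layout are all constructed for illustration; the kernel-side program itself is only mirrored here in Python.

```python
"""Added example, not the paper's code: ANOVA F-test feature ranking, then export of a
decision tree as an integer node table and bounded-depth evaluation, mirroring what an
eBPF program can do in-kernel (no floating point, loops must be bounded for the verifier)."""
import math
import struct
from statistics import mean

# Constructed per-flow features (not CIC-IDS-2017 data): packets/s, bytes/s, SYN ratio in [0, 1].
FEATURES = ("pkts_per_s", "bytes_per_s", "syn_ratio")
BENIGN_FLOWS = [(10, 5000, 0.05), (20, 8000, 0.10), (15, 6000, 0.08), (12, 7000, 0.06)]
DDOS_FLOWS = [(5000, 6000, 0.95), (6000, 7000, 0.90), (5500, 5000, 0.98), (4800, 8000, 0.92)]

def anova_f(groups):
    """One-way ANOVA F statistic for a single feature; groups = one list of values per class."""
    n, k = sum(len(g) for g in groups), len(groups)
    grand = sum(map(sum, groups)) / n
    between = sum(len(g) * (mean(g) - grand) ** 2 for g in groups)
    within = sum((x - mean(g)) ** 2 for g in groups for x in g)
    if within == 0.0:  # every value identical within each class
        return math.inf if between > 0 else 0.0
    return (between / (k - 1)) / (within / (n - k))

def rank_features(benign, ddos):
    """Return [(feature_index, F), ...] sorted from most to least class-discriminative."""
    scores = [(j, anova_f([[r[j] for r in benign], [r[j] for r in ddos]])) for j in range(len(FEATURES))]
    return sorted(scores, key=lambda s: s[1], reverse=True)

# Hypothetical trained tree in scikit-learn's array layout (children_left/right, feature,
# threshold, "go left if x <= threshold"); -1 marks a leaf. Hand-written, not trained on the paper's data.
CHILDREN_LEFT = [1, 3, -1, -1, -1]
CHILDREN_RIGHT = [2, 4, -1, -1, -1]
FEATURE = [2, 0, -1, -1, -1]
THRESHOLD = [0.5, 1500.5, 0.0, 0.0, 0.0]
LEAF_CLASS = [0, 0, 1, 0, 1]  # 0 = benign, 1 = DDoS (only meaningful at leaves)

# Fixed-point scale per feature: eBPF has no floating point, so thresholds and features are
# scaled to integers. The scale must be at least the feature's resolution, otherwise samples
# within one bucket of the threshold can fall on the wrong side of it.
SCALES = (1, 1, 1000)
# Node record as a BPF array-map value would hold it: int8 feature (-1 = leaf), int64 threshold,
# uint16 left, uint16 right, uint8 class. Layout is an assumption of this example.
NODE_FMT = "<bqHHB"
NODE_SIZE = struct.calcsize(NODE_FMT)
MAX_DEPTH = 16  # loop bound the in-kernel traversal would carry for the verifier

def export_tree(left, right, feature, threshold, leaf_class, scales):
    """Flatten a tree into the packed node table that would be loaded into a BPF array map."""
    table = bytearray()
    for i in range(len(feature)):
        if left[i] == -1:
            table += struct.pack(NODE_FMT, -1, 0, 0, 0, leaf_class[i])
        else:
            f = feature[i]
            table += struct.pack(NODE_FMT, f, math.floor(threshold[i] * scales[f]), left[i], right[i], 0)
    return bytes(table)

def quantize(sample, scales=SCALES):
    """Scale a raw feature vector to the integers the kernel-side program would compute."""
    return tuple(math.floor(v * s) for v, s in zip(sample, scales))

def classify(table, sample_scaled, max_depth=MAX_DEPTH):
    """Bounded-depth traversal as the eBPF program would do it; -1 = depth exhausted (no verdict)."""
    idx = 0
    for _ in range(max_depth):
        feature, thr, left, right, cls = struct.unpack_from(NODE_FMT, table, idx * NODE_SIZE)
        if feature < 0:
            return cls
        idx = left if sample_scaled[feature] <= thr else right
    return -1

if __name__ == "__main__":
    for j, f in rank_features(BENIGN_FLOWS, DDOS_FLOWS):
        print(f"{FEATURES[j]:<12} F = {f:10.2f}")
    table = export_tree(CHILDREN_LEFT, CHILDREN_RIGHT, FEATURE, THRESHOLD, LEAF_CLASS, SCALES)
    for flow in BENIGN_FLOWS + DDOS_FLOWS + [(3000, 6000, 0.20)]:
        print(flow, "->", "DDoS" if classify(table, quantize(flow)) else "benign")
```

Two practitioner points follow from the constraints the code encodes. Because eBPF programs cannot use floating point, the model evaluated in the kernel is the quantized one, so accuracy and precision measured on the float model in user space should be re-validated after export. And because the traversal must terminate within a fixed bound, the program needs an explicit policy for the "no verdict" path (fail open and pass the packet, or fail closed and drop it); that choice is itself a security decision.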
Journal description:
IET Communications covers fundamental and generic research aimed at a better understanding of communication technologies and at harnessing signals for better-performing communication systems over wired and/or wireless media. The journal is particularly interested in research papers reporting novel solutions to the dominant problems of noise, interference, timing and errors, with the aim of reducing system deficiencies such as the waste of scarce resources like spectrum, energy and bandwidth.
Topics include, but are not limited to:
Coding and Communication Theory;
Modulation and Signal Design;
Wired, Wireless and Optical Communication;
Communication System
Special Issues. Current Call for Papers:
Cognitive and AI-enabled Wireless and Mobile - https://digital-library.theiet.org/files/IET_COM_CFP_CAWM.pdf
UAV-Enabled Mobile Edge Computing - https://digital-library.theiet.org/files/IET_COM_CFP_UAV.pdf