Abstract:
This study modelled a packet sniffer that uses machine learning to identify denial-of-service (DoS) attack packets at the network layer of the OSI model. Cyber threats and attacks continue to grow in complexity and sophistication, posing significant risks to network infrastructure and to the availability, confidentiality, and integrity of sensitive data. The overall purpose of the study was to capture and interpret packets transmitted over a local area network in order to detect and capture DoS threats within the network layer of the Open Systems Interconnection (OSI) model. This layer is exposed to several classes of attack, for instance denial of service, routing protocol attacks, port scanning and enumeration, and fragmentation-based attacks; this study, however, confined itself to detecting and capturing denial-of-service threats. Typical DoS attacks include the UDP flood, which sends a large volume of User Datagram Protocol (UDP) packets to the target and thereby exhausts network resources; the ICMP flood, which transmits a large volume of Internet Control Message Protocol (ICMP) packets to overwhelm network devices; and the SYN flood, which abuses the TCP three-way handshake by sending many SYN requests and never completing the handshake, so that the server's queue of half-open connections fills up, consuming server resources and blocking valid connections. The fields the sniffer extracts from each Ethernet frame are the IPv4 header, the encapsulated TCP segment or ICMP message, and the associated flags. IPv4, the core protocol of Internet communication, provides logical addressing and routing and forms the backbone of the Internet; ICMP provides error reporting and the exchange of operational information within the Internet Protocol suite. Even as the protocols used for Internet data transmission have multiplied, traditional network security measures are frequently insufficient against the dynamic landscape of cyber threats that target data-transfer networks. A LightGBM model was trained and deployed to detect DoS attacks. The study used the CICIDS2018 dataset, which provides labelled network traffic containing both normal and DoS attack instances, and trained the model to classify traffic as either normal or DoS on the basis of a set of network traffic features. Model performance was evaluated with several metrics, including sensitivity, specificity, and accuracy, to demonstrate its ability to detect threats at the network layer of a local area network. The AUC (Area Under the Curve) was particularly high, indicating that the model effectively separates normal traffic from DoS attacks, and the F1-score, precision, and recall were balanced, indicating that the model identifies attacks while keeping both false positives and false negatives low. The model therefore met its primary objective of detecting DoS attacks in network traffic. The performance metrics indicate that LightGBM is a strong candidate for this task, achieving a high AUC and a well-balanced F1-score, which suggests good generalisation and an ability to distinguish normal traffic from DoS attack traffic. The main contribution of this work is a LightGBM-based machine learning model for detecting DoS attacks trained on the CICIDS2018 dataset.
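As an added example (not the study's own sniffer code), the following Python decodes the Ethernet, IPv4, TCP, UDP and ICMP header fields the abstract names and applies per-source counters to flag the three flood patterns it describes: a SYN flood shows many SYNs with almost no ACKs from the same source, while UDP and ICMP floods show raw volume on one protocol. The frames, addresses and the thresholds SYN_THRESHOLD and FLOOD_THRESHOLD are constructed for illustration, not captured traffic or values from the study.

```python
"""Decode Ethernet/IPv4/TCP/UDP/ICMP headers from raw frames and flag
flood-style DoS traffic per source.  Added example; frames and thresholds
are constructed for illustration, not captured traffic."""
import struct
from collections import Counter, defaultdict

ETH_P_IP = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10
SYN_THRESHOLD = 20    # assumed: half-open SYNs per source per window
FLOOD_THRESHOLD = 20  # assumed: UDP or ICMP packets per source per window


def parse_frame(frame: bytes) -> dict:
    """Return the header fields a sniffer needs: addresses, protocol, flags."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return {"proto": None}          # ARP, IPv6 etc. are out of scope here
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    payload = ip[(ver_ihl & 0x0F) * 4:total_len]   # IHL is in 32-bit words
    rec = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
           "proto": proto, "length": total_len, "flags": 0}
    if proto == PROTO_TCP and len(payload) >= 20:
        rec["dport"] = struct.unpack("!H", payload[2:4])[0]
        rec["flags"] = payload[13]          # CWR ECE URG ACK PSH RST SYN FIN
    elif proto == PROTO_UDP and len(payload) >= 8:
        rec["dport"] = struct.unpack("!H", payload[2:4])[0]
    elif proto == PROTO_ICMP and len(payload) >= 4:
        rec["icmp_type"] = payload[0]       # 8 = echo request
    return rec


def classify_sources(records) -> dict:
    """Per-source counters over one window: SYN flood = many SYNs, few ACKs;
    UDP/ICMP flood = raw volume on that protocol."""
    stats = defaultdict(Counter)
    for r in records:
        if r["proto"] is None:
            continue
        s = stats[r["src"]]
        if r["proto"] == PROTO_TCP:
            if r["flags"] & TCP_SYN and not r["flags"] & TCP_ACK:
                s["syn_only"] += 1
            if r["flags"] & TCP_ACK:
                s["ack"] += 1
        elif r["proto"] == PROTO_UDP:
            s["udp"] += 1
        elif r["proto"] == PROTO_ICMP:
            s["icmp"] += 1
    verdict = {}
    for src, s in stats.items():
        if s["syn_only"] >= SYN_THRESHOLD and s["ack"] < s["syn_only"] // 10:
            verdict[src] = "syn_flood"
        elif s["udp"] >= FLOOD_THRESHOLD:
            verdict[src] = "udp_flood"
        elif s["icmp"] >= FLOOD_THRESHOLD:
            verdict[src] = "icmp_flood"
        else:
            verdict[src] = "normal"
    return verdict


# --- constructed frames (not captured traffic) -------------------------------
def build_frame(src, dst, proto, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))   # checksum left 0
    return b"\x00" * 12 + struct.pack("!H", ETH_P_IP) + ip + payload


def tcp_segment(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def udp_datagram(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)


def icmp_echo():
    return struct.pack("!BBHHH", 8, 0, 0, 0, 0)


def sample_frames():
    f = []
    for i in range(5):   # legitimate client: every SYN is followed by an ACK
        f.append(build_frame("10.0.0.5", "10.0.0.1", PROTO_TCP, tcp_segment(40000 + i, 80, TCP_SYN)))
        f.append(build_frame("10.0.0.5", "10.0.0.1", PROTO_TCP, tcp_segment(40000 + i, 80, TCP_ACK)))
    for i in range(50):  # SYN flood: half-open connections that never complete
        f.append(build_frame("10.0.0.66", "10.0.0.1", PROTO_TCP, tcp_segment(1024 + i, 80, TCP_SYN)))
    for i in range(50):  # UDP flood at the DNS port
        f.append(build_frame("10.0.0.77", "10.0.0.1", PROTO_UDP, udp_datagram(5000 + i, 53)))
    for _ in range(50):  # ICMP echo flood
        f.append(build_frame("10.0.0.88", "10.0.0.1", PROTO_ICMP, icmp_echo()))
    return f


def run():
    return classify_sources(parse_frame(fr) for fr in sample_frames())


if __name__ == "__main__":
    for src, verdict in run().items():
        print(f"{src:12} {verdict}")
```

The per-source counters are the hand-written counterpart of the features a learned model consumes; in a real sniffer the window would be time-based and the thresholds tuned against baseline traffic, since a busy legitimate client can exceed fixed packet counts.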
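The evaluation metrics listed above, worked through from scratch as an added example (constructed labels and scores, not the study's results). It makes two points the abstract leaves implicit: sensitivity and recall are the same quantity, and on a DoS dataset where attack traffic is rare, accuracy alone misleads, which is why specificity, F1 and the threshold-free AUC are reported alongside it. The `imbalanced_baseline` case is a constructed classifier that labels everything benign.

```python
"""Sensitivity/recall, specificity, precision, F1, accuracy and ROC AUC
computed from scratch.  Added example with constructed labels and scores."""


def confusion(y_true, y_pred):
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    return tp, fp, tn, fn


def metrics(y_true, y_pred):
    """Attack = positive class (1).  Sensitivity and recall are the same
    quantity; specificity is the benign-traffic counterpart."""
    tp, fp, tn, fn = confusion(y_true, y_pred)
    recall = tp / (tp + fn) if tp + fn else 0.0
    specificity = tn / (tn + fp) if tn + fp else 0.0
    precision = tp / (tp + fp) if tp + fp else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / len(y_true), "sensitivity": recall,
            "recall": recall, "specificity": specificity,
            "precision": precision, "f1": f1}


def roc_auc(y_true, scores):
    """AUC as the probability that a random attack outscores a random benign
    sample (ties count one half); threshold-free, unlike the metrics above."""
    pos = [s for s, t in zip(scores, y_true) if t == 1]
    neg = [s for s, t in zip(scores, y_true) if t == 0]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


# constructed model scores: 4 attack flows, 6 benign flows
Y_TRUE = [1, 1, 1, 1, 0, 0, 0, 0, 0, 0]
SCORES = [0.9, 0.8, 0.6, 0.4, 0.7, 0.3, 0.2, 0.1, 0.05, 0.5]


def evaluate(threshold=0.5):
    y_pred = [1 if s >= threshold else 0 for s in SCORES]
    out = metrics(Y_TRUE, y_pred)
    out["auc"] = roc_auc(Y_TRUE, SCORES)
    return out


def imbalanced_baseline():
    """5 attacks in 100 flows, predict 'benign' for everything: accuracy
    is 0.95 while sensitivity and F1 are 0."""
    y_true = [1] * 5 + [0] * 95
    return metrics(y_true, [0] * 100)


if __name__ == "__main__":
    for k, v in evaluate().items():
        print(f"{k:12} {v:.3f}")
```

Moving `threshold` trades sensitivity against specificity; AUC summarises that trade-off over all thresholds, which is why it is the metric to compare models on before picking an operating point for a given false-positive budget.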