Wh02m1/DoS-Detection-Framework

Anti-DoS Solution: Hybrid Intrusion Detection System

A host-based Intrusion Detection System (IDS) designed to detect and prevent Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks using both signature-based and anomaly-based detection methods.


Demo video: HTTP.Flood.mp4

Overview

This framework provides real-time detection and prevention of various DDoS attack types through a dual-layered approach:

  • Signature-Based Detection: Identifies known attack patterns using rule-based algorithms
  • Anomaly-Based Detection: Detects unknown or zero-day attacks using machine learning models trained on the CIC-IDS2017 dataset (DoS attack data from Wednesday, July 5, 2017)

The system features a web interface for monitoring network traffic, visualizing detected attacks, and managing firewall rules to block malicious IP addresses.

Key Features

Detection Capabilities

  • HTTP Flood Detection: Identifies rapid HTTP GET/POST requests
  • SYN Flood Detection: Detects TCP SYN flag flooding
  • UDP Flood Detection: Monitors excessive UDP traffic
  • Ping of Death: Identifies oversized ICMP packets
  • Smurf Attack Detection: Detects ICMP broadcast attacks
  • DNS Flood Detection: Identifies DNS amplification attacks
  • HULK DoS Detection: Recognizes HULK DoS attack patterns
  • Slowloris Detection: Detects slow HTTP attacks (via ML)
  • SlowPost Detection: Identifies slow POST attacks (via ML)

System Features

  • Real-time packet capture and analysis
  • Dual detection engines (signature + anomaly)
  • Web-based monitoring dashboard
  • Live network activity visualization
  • IP blocking/unblocking via iptables
  • Automated attack statistics and reporting
  • CSV export of attack data

Installation

Clone the Repository

git clone https://github.com/yourusername/anti-ddos-ids.git
cd anti-ddos-ids

Run Installation Script

chmod +x install.sh
./install.sh

🔧 Configuration

NTLFlowLyzer Configuration

Edit Final-Anomaly-Based/NTLFlowLyzer/config.json to customize flow analysis parameters:

  • Time window for flow aggregation
  • Feature extraction settings
  • Output directory

Detection Thresholds

Modify detection sensitivity in Detector.py:

  • Threshold variables for each attack type
  • Time window parameters
  • Packet frequency thresholds

Output Files

Attack Statistics

  • attack_counts_1.csv: Signature-based detections with IP, attack type, and count
  • attack_counts_2.csv: Anomaly-based detections with IP, attack type, and count

Detailed Logs

  • captured_packets.csv: All captured network packets with full headers
  • attacker-details.csv: Detailed information about detected attacks
  • anomaly_packets.csv: Anomalous packets identified by ML model

🛡️ Firewall Integration

The system integrates with iptables for automated IP blocking:

# Block IP (executed automatically; <ip-address> is the offending source address)
sudo iptables -A INPUT -s <ip-address> -j DROP

# Unblock IP (executed automatically)
sudo iptables -D INPUT -s <ip-address> -j DROP

Note: Ensure the user running the system has passwordless sudo for the iptables commands, or modify the implementation to handle authentication.

Detection Algorithms

Signature-Based Detection

Each attack type has specific detection criteria:

  • HTTP Flood: Detects when >90% of packets arrive within 100ms intervals
  • SYN Flood: Identifies rapid SYN packets without ACK responses
  • Ping of Death: Monitors ICMP packets >1064 bytes
  • DNS Flood: Counts excessive DNS queries (>100) for same domain
  • UDP Flood: Detects rapid UDP packets within 10ms intervals
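A compact illustration of how those signature rules could be applied to captured packet records, added here as an example and not the project's own Detector.py; the packet dict layout, the MIN_PACKETS floor, and the reading of the UDP rule as "more than 90% of inter-arrival gaps within 10 ms" are assumptions.

```python
from collections import defaultdict
# Thresholds taken from the detection criteria above; MIN_PACKETS is an assumption
# added here so a lone packet cannot trigger a flood verdict.
HTTP_GAP = 0.100       # seconds: HTTP flood if >90% of gaps are within 100 ms
UDP_GAP = 0.010        # seconds: UDP flood if >90% of gaps are within 10 ms
FLOOD_RATIO = 0.90
POD_SIZE = 1064        # bytes: ICMP packets larger than this are Ping of Death
DNS_QUERY_LIMIT = 100  # queries for the same domain from one source
MIN_PACKETS = 20

def rapid_ratio(timestamps, gap):
    """Fraction of consecutive inter-arrival gaps that are within `gap` seconds."""
    ts = sorted(timestamps)
    if len(ts) < 2:
        return 0.0
    rapid = sum(1 for a, b in zip(ts, ts[1:]) if b - a <= gap)
    return rapid / (len(ts) - 1)

def detect(packets):
    """Apply the signature rules to packet dicts; return {src: sorted attack names}."""
    http_ts = defaultdict(list)
    udp_ts = defaultdict(list)
    dns_q = defaultdict(int)          # (src, qname) -> query count
    findings = defaultdict(set)
    for p in packets:
        src, proto = p["src"], p["proto"]
        if proto == "ICMP" and p["size"] > POD_SIZE:
            findings[src].add("Ping of Death")
        elif proto == "TCP" and p.get("dport") == 80:
            http_ts[src].append(p["ts"])
        elif proto == "UDP" and p.get("dport") == 53 and p.get("qname"):
            dns_q[(src, p["qname"])] += 1
        elif proto == "UDP":
            udp_ts[src].append(p["ts"])
    for src, ts in http_ts.items():
        if len(ts) >= MIN_PACKETS and rapid_ratio(ts, HTTP_GAP) > FLOOD_RATIO:
            findings[src].add("HTTP Flood")
    for src, ts in udp_ts.items():
        if len(ts) >= MIN_PACKETS and rapid_ratio(ts, UDP_GAP) > FLOOD_RATIO:
            findings[src].add("UDP Flood")
    for (src, _qname), n in dns_q.items():
        if n > DNS_QUERY_LIMIT:
            findings[src].add("DNS Flood")
    return {src: sorted(v) for src, v in findings.items()}

# Constructed sample traffic (not a real capture): 200 HTTP requests 20 ms apart
# from 10.0.0.5, one oversized ping from 10.0.0.9, slow browsing from 10.0.0.7.
SAMPLE = [{"ts": i * 0.02, "src": "10.0.0.5", "proto": "TCP", "dport": 80, "size": 60} for i in range(200)]
SAMPLE += [{"ts": 1.0, "src": "10.0.0.9", "proto": "ICMP", "size": 65500}]
SAMPLE += [{"ts": i * 2.0, "src": "10.0.0.7", "proto": "TCP", "dport": 80, "size": 500} for i in range(30)]
```

Running `detect(SAMPLE)` flags 10.0.0.5 for HTTP Flood and 10.0.0.9 for Ping of Death while the slow browser stays clean; the same records could be fed from captured_packets.csv once mapped to this dict layout.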

Anomaly-Based Detection

Uses a pre-trained machine learning model to identify abnormal network behavior:

  • Feature extraction via NTLFlowLyzer
  • Classification using saved Random Forest/SVM model
  • Real-time prediction on network flows
