Using a Combination of Effective Feature Selection Methods and an Entropy-based Approach to Identify DDoS Anomalies

Authors

  • Basheer Husham Ali, Dept. of Electrical and Electronic Engineering, Faculty of Engineering, Universiti Putra Malaysia, 43400 Serdang, Malaysia
  • Khaled Mansour Al-Rawe, College of Administration and Economics, Al-Iraqia University, Baghdad, Iraq
  • Mohammed A. Ahmed, Institute of IR 4.0, Universiti Kebangsaan Malaysia, Bangi, Malaysia
  • Ali J. Askar Al-Khafaji, Razak Faculty of Technology and Informatics, Universiti Teknologi Malaysia (UTM), Kuala Lumpur, Malaysia
  • Nasri Sulaiman, Dept. of Electrical and Electronic Engineering, Faculty of Engineering, Universiti Putra Malaysia, 43400 Serdang, Malaysia

DOI:

https://doi.org/10.58564/IJSER.4.3.2025.319

Keywords:

DDoS Attack, Entropy, Feature Selection, SPRT

Abstract

Distributed Denial of Service (DDoS) attacks are among the most dangerous types of attacks. They bring targeted servers down and make their services unavailable to legitimate users. The first objective of this study is to identify infected Ethernet and detect various kinds of up-to-date DDoS attacks using a dynamic threshold, by implementing multiple features of entropy together with the Sequential Probabilities Ratio Test approach (E-SPRT). The second objective is to select relevant features to improve detection performance by implementing a new combination of machine learning techniques: ANOVA, Extra Trees Classifier, Random Forest, and Correlation Matrix with Pearson Correlation. The Canadian Institute for Cybersecurity (CIC-DDoS2019) databases were utilised to evaluate the implementation. E-SPRT using a feature selection approach with five features achieved an accuracy of over 97% with an average False Positive Rate (FPR) close to 0 in identifying most different kinds of DDoS attacks.
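How windowed entropy can feed a sequential probability ratio test, as an added illustration that is not the authors' E-SPRT implementation: the destination-address feature, the mean minus k standard deviations threshold rule, the p0/p1/alpha/beta values and the traffic windows are all assumptions constructed here.

```python
import math
from collections import Counter

def window_entropy(values):
    """Shannon entropy of one window, normalised to [0, 1] by log2(window size)."""
    n = len(values)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(values).values())
    return h / math.log2(n)

def baseline_threshold(entropies, k=3.0):
    """Assumed rule: threshold = mean - k * std over known-clean windows."""
    mean = sum(entropies) / len(entropies)
    std = math.sqrt(sum((e - mean) ** 2 for e in entropies) / len(entropies))
    return mean - k * std

def sprt(entropies, threshold, p0=0.2, p1=0.8, alpha=0.01, beta=0.01):
    """Wald SPRT on Bernoulli observations x = (entropy < threshold).
    p0 / p1: assumed probability of a low-entropy window under H0 / H1.
    Returns [(window_index, decision), ...]; the LLR restarts after each."""
    upper = math.log((1 - beta) / alpha)   # accept H1 (attack) at or above
    lower = math.log(beta / (1 - alpha))   # accept H0 (normal) at or below
    llr, decisions = 0.0, []
    for i, e in enumerate(entropies):
        if e < threshold:
            llr += math.log(p1 / p0)
        else:
            llr += math.log((1 - p1) / (1 - p0))
        if llr >= upper:
            decisions.append((i, "attack"))
            llr = 0.0
        elif llr <= lower:
            decisions.append((i, "normal"))
            llr = 0.0
    return decisions

def demo():
    """Constructed traffic: 4 clean windows, then 6 windows aimed at one host."""
    clean = [[f"192.0.2.{j % (8 if w % 2 == 0 else 16)}" for j in range(16)]
             for w in range(4)]
    flood = [["192.0.2.1"] * 14 + ["192.0.2.2", "192.0.2.3"] for _ in range(6)]
    threshold = baseline_threshold([window_entropy(w) for w in clean])
    stream = [window_entropy(w) for w in clean + flood]
    return threshold, sprt(stream, threshold)

if __name__ == "__main__":
    print(demo())
```

With these error bounds a single low-entropy window never triggers a decision; four consecutive ones are needed, which is how the sequential test trades detection delay for a low false positive rate.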

Published

2025-09-01

How to Cite

Basheer Husham Ali, Khaled Mansour Al-Rawe, Mohammed A. Ahmed, Ali J. Askar Al-Khafaji, & Nasri Sulaiman. (2025). Using a Combination of Effective Feature Selection Methods and an Entropy-based Approach to Identify DDoS Anomalies. Al-Iraqia Journal for Scientific Engineering Research, 4(3), 1–11. https://doi.org/10.58564/IJSER.4.3.2025.319

Section

Articles