{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,16]],"date-time":"2026-02-16T03:02:24Z","timestamp":1771210944297,"version":"3.50.1"},"reference-count":51,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2019,1,11]],"date-time":"2019-01-11T00:00:00Z","timestamp":1547164800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61762033, 61702539"],"award-info":[{"award-number":["61762033, 61702539"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"National Natural Science Foundation of Hainan","award":["617048, 2018CXTD333"],"award-info":[{"award-number":["617048, 2018CXTD333"]}]},{"name":"Hainan University Doctor Start Fund Project","award":["kyqd1328"],"award-info":[{"award-number":["kyqd1328"]}]},{"name":"Hainan University Youth Fund Project","award":["qnjj1444"],"award-info":[{"award-number":["qnjj1444"]}]},{"name":"Social Development Project of Public Welfare Technology Application of Zhejiang Province","award":["LGF18F020019"],"award-info":[{"award-number":["LGF18F020019"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Symmetry"],"abstract":"<jats:p>Distributed Denial of Service (DDoS) has developed multiple variants, one of which is Distributed Reflective Denial of Service (DRDoS). With the increasing number of Internet of Things (IoT) devices, the threat of DRDoS attack is growing, and the damage of a DRDoS attack is more destructive than other types. The existing DDoS detection methods cannot be generalized in DRDoS early detection, which leads to heavy load or degradation of service when deployed at the final point. In this paper, we propose a DRDoS detection and defense method based on deep forest model (DDDF), and then we integrate differentiated service into defense model to filter out DRDoS attack flow. Firstly, from the statistics perspective on different stages of DRDoS attack flow in the big data environment, we extract a host-based DRDoS threat index (HDTI) from the network flows. Secondly, using the HDTI feature we build a DRDoS detection and defense model based on the deep forest, which consists of 1 extreme gradient boost (XGBoost) forest estimator, 2 random forest estimators, and 2 extra random forest estimators in each layer. Lastly, the differentiated service procedure applies the detection result from DDDF to drop the traffic identified in different stages and different detection points. Theoretical analysis and experiments show that the method we proposed can effectively identify DRDoS attack with higher detection rate and a lower false alarm rate, the defense model also shows distinguishing ability to effectively eliminate the DRDoS attack flows, and dramatically mitigate the damage of a DRDoS attack.<\/jats:p>","DOI":"10.3390\/sym11010078","type":"journal-article","created":{"date-parts":[[2019,1,11]],"date-time":"2019-01-11T11:36:42Z","timestamp":1547206602000},"page":"78","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":12,"title":["A DRDoS Detection and Defense Method Based on Deep Forest in the Big Data Environment"],"prefix":"10.3390","volume":"11","author":[{"given":"Ruomeng","family":"Xu","sequence":"first","affiliation":[{"name":"School of Information Science and Technology, Hainan University, Haikou 570228, China"}]},{"given":"Jieren","family":"Cheng","sequence":"additional","affiliation":[{"name":"School of Information Science and Technology, Hainan University, Haikou 570228, China"},{"name":"State Key Laboratory of Marine Resource Utilization in South China Sea, Haikou 570228, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8385-6901","authenticated-orcid":false,"given":"Fengkai","family":"Wang","sequence":"additional","affiliation":[{"name":"Rossier School, University of Southern California, California, CA 90089, USA"}]},{"given":"Xiangyan","family":"Tang","sequence":"additional","affiliation":[{"name":"School of Information Science and Technology, Hainan University, Haikou 570228, China"}]},{"given":"Jinying","family":"Xu","sequence":"additional","affiliation":[{"name":"Zhejiang Science and Technology Information Institute, Hangzhou 310006, China"}]}],"member":"1968","published-online":{"date-parts":[[2019,1,11]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"1500","DOI":"10.1109\/JSAC.2014.2332106","article-title":"Security of fully distributed power system state estimation: Detection and mitigation of date integrity attacks","volume":"32","author":"Vukovic","year":"2014","journal-title":"IEEE J. Sel. Areas Commun."},{"key":"ref_2","unstructured":"(2018, May 07). Cloudflare. Available online: https:\/\/blog.cloudflare.com\/the-daily-ddos-ten-days-of-massive-attacks\/."},{"key":"ref_3","unstructured":"CERT Coordination Center (1999). Results of the Distributed-Systems Intruder Tools Workshop, Software Engineering Institute."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"12","DOI":"10.1109\/MC.2000.839316","article-title":"Denial-of-service attacks rip the Internet","volume":"33","author":"Garber","year":"2000","journal-title":"Computer"},{"key":"ref_5","unstructured":"Kargl, F., Maier, J., and Weber, M. (2005, January 1\u20135). Protecting web servers from distributed denial of service attacks. Proceedings of the 10th international conference on World Wide Web, Hong Kong, China."},{"key":"ref_6","unstructured":"Weiler, N. (2002, January 12). Honeypots for distributed denial-of-service attacks. Proceedings of the Eleventh IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, Pittsburgh, PA, USA."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Cheng, J., Yin, J., and Liu, Y. (2009, January 4\u20136). DDoS Attack Detection Using IP Address Feature Interaction. Proceedings of the International Conference on Intelligent NETWORKING and Collaborative Systems, Barcelona, Spain.","DOI":"10.1109\/INCOS.2009.34"},{"key":"ref_8","first-page":"176","article-title":"DDoS Attack Detection Using Three-State Partition Based on Flow Interaction","volume":"29","author":"Cheng","year":"2009","journal-title":"Commun. Comput. Inf. Sci."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Cheng, J., Yin, J., and Liu, Y. (2009, January 10\u201312). Detecting Distributed Denial of Service Attack Based on Multi-feature Fusion. Proceedings of the Security Technology, Proceedings of the International Conference, Jeju Island, Korea.","DOI":"10.1007\/978-3-642-10847-1_17"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Cheng, J., Tang, X., Zhu, X., and Yin, J. (2011, January 6\u20138). Distributed denial of service attack detection based on IP Flow Interaction. Proceedings of the International Conference on E-Business and E-Government (ICEE), Shanghai, China.","DOI":"10.1109\/ICEBEG.2011.5882342"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Zhu, X., Li, X., Liu, M., Zhu, E., Liu, L., Cai, Z., Yin, J., and Gao, W. (2018). Localized Incomplete Multiple Kernel k-means. IJCAI, 3271\u20133277.","DOI":"10.24963\/ijcai.2018\/454"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"198","DOI":"10.1016\/j.patcog.2017.09.012","article-title":"Hyperparameter selection of one-class support vector machine by self-adaptive data shifting","volume":"74","author":"Wang","year":"2018","journal-title":"Pattern Recognit."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"5198685","DOI":"10.1155\/2018\/5198685","article-title":"Adaptive DDoS attack detection method based on multiple-kernel learning","volume":"2018","author":"Cheng","year":"2018","journal-title":"Secur. Commun. Netw."},{"key":"ref_14","first-page":"95","article-title":"An Abnormal Network Flow Feature Sequence Prediction Approach for DDoS Attacks Detection in Big Data Environment","volume":"55","author":"Cheng","year":"2018","journal-title":"Comput. Mater. Contin."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"959","DOI":"10.1093\/comjnl\/bxy025","article-title":"A DDoS Detection Method for Socially Aware Networking Based on Forecasting Fusion Feature Sequence","volume":"61","author":"Cheng","year":"2018","journal-title":"Comput. J."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"6459326","DOI":"10.1155\/2018\/6459326","article-title":"Flow Correlation Degree Optimization Driven Random Forest for Detecting DDoS Attacks in Cloud Computing","volume":"2018","author":"Cheng","year":"2018","journal-title":"Secur. Commun. Netw."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Zhang, R., Cheng, J., Tang, X., Liu, Q., and He, X. (2018, January 8\u201310). DDoS Attack Security Situation Assessment Model Using Fusion Feature Based on Fuzzy C-Means Clustering Algorithm. Proceedings of the International Conference on Cloud Computing and Security (ICCCS), Haikou, China.","DOI":"10.1007\/978-3-030-00009-7_59"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"76","DOI":"10.1109\/MCOM.2002.1039860","article-title":"Network intrusion and fault detection: A statistical anomaly approach","volume":"40","author":"Manikopoulos","year":"2002","journal-title":"IEEE Commun. Mag."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"16","DOI":"10.1016\/j.jnca.2012.09.004","article-title":"Intrusion detection system: A comprehensive review","volume":"36","author":"Liao","year":"2013","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1016\/j.cose.2008.08.003","article-title":"Anomaly-based network intrusion detection: Techniques, systems and challenges","volume":"28","year":"2009","journal-title":"Comput. Secur."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"931","DOI":"10.1016\/j.future.2017.09.017","article-title":"Internet of Things: Security and privacy in a connected world","volume":"78","author":"Li","year":"2018","journal-title":"Future Gener. Comp. Syst."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"5978636","DOI":"10.1155\/2018\/5978636","article-title":"Security and Privacy in the Medical Internet of Things: A Review","volume":"2018","author":"Sun","year":"2018","journal-title":"Secur. Commun. Netw."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Alsmadi, I.M., Karabatis, G., and Aleroud, A. (2017). Information Fusion for Cyber-Security Analytics, Springer.","DOI":"10.1007\/978-3-319-44257-0"},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"563","DOI":"10.1007\/s10115-017-1027-3","article-title":"Contextual information fusion for intrusion detection: A survey and taxonomy","volume":"52","author":"Aleroud","year":"2017","journal-title":"Knowl. Inf. Syst."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"AlEroud, A., and Karabatis, G. (2016, January 4\u20138). Beyond data: Contextual information fusion for cyber security analytics. Proceedings of the 31st ACM Symposium on Applied Computing, Pisa, Italy.","DOI":"10.1145\/2851613.2851636"},{"key":"ref_26","unstructured":"Rajeev, S., Sivanandam, S.N., and Pradeep, P. (2015). Architecture for Authentication in Wireless Differentiated Services Using Distributed Substring Authentication Protocol (DSAP), Assumption University."},{"key":"ref_27","unstructured":"Black, D., and Jones, P. (2018, November 22). Differentiated Services (DiffServ) and Real-time Communication. Available online: https:\/\/buildbot.tools.ietf.org\/html\/rfc7657."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"172","DOI":"10.1109\/ICIMIA.2017.7975595","article-title":"Alleviation of DDoS attack using advance technique","volume":"Volume 1","author":"Mahale","year":"2017","journal-title":"Proceedings of the International Conference on Innovative Mechanisms for Industry Applications (ICIMIA)"},{"key":"ref_29","unstructured":"Apiecionek, L., Czerniak, M., and Dobrosielski, T. (2014, January 24\u201326). Quality of services method as a DDoS protection tool. Proceedings of the Intelligent Systems\u20192014, Proceedings of the 7th IEEE International Conference Intelligent Systems IS\u20192014, Warsaw, Poland."},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Kambourakis, G., Moschos, T., Geneiatakis, D., and Gritzalis, S. (2007, January 27\u201328). A fair solution to DNS amplification attacks. Proceedings of the Second International Workshop on Digital Forensics and Incident Analysis (WDFIA 2007), Samos, Greece.","DOI":"10.1109\/WDFIA.2007.4299371"},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"475","DOI":"10.1016\/j.cose.2013.10.001","article-title":"DNS amplification attack revisited","volume":"39","author":"Anagnostopoulos","year":"2013","journal-title":"Comput. Secur."},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Kramer, L., Krupp, J., and Makita, D. (2015, January 2\u20134). Amppot: Monitoring and defending against amplification ddos attacks. Proceedings of the International Workshop on Recent Advances in Intrusion Detection, Kyoto, Japan.","DOI":"10.1007\/978-3-319-26362-5_28"},{"key":"ref_33","unstructured":"Jing, L., Licheng, W., and Lihua, W. (2018). Verifiable Chebyshev Maps-Based Chaotic Encryption Schemes with Outsourcing Computations in the Cloud\/Fog Scenarios. Concurrency and Computation: Practice and Experience, Wiley Online Library."},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"89","DOI":"10.1016\/j.jnca.2018.03.006","article-title":"Multi-authority fine-grained access control with accountability and its application in cloud","volume":"112","author":"Li","year":"2018","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"72","DOI":"10.1016\/j.ins.2018.02.058","article-title":"Privacy-Preserving Naive Bayes Classifiers Secure against the Substitution-then-Comparison Attack","volume":"444","author":"Gao","year":"2018","journal-title":"Inf. Sci."},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1016\/j.knosys.2014.04.010","article-title":"L-EncDB: A Lightweight Framework for Privacy-Preserving Data Queries in Cloud Computing","volume":"79","author":"Li","year":"2015","journal-title":"Knowl.-Based Syst."},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"89","DOI":"10.1016\/j.ins.2018.02.056","article-title":"Differentially Private Naive Bayes Learning over Multiple Data Sources","volume":"444","author":"Li","year":"2018","journal-title":"Inf. Sci."},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"3224","DOI":"10.1109\/TII.2018.2799928","article-title":"GMM and CNN Hybrid Method for Short Utterance Speaker Recognition","volume":"14","author":"Liu","year":"2018","journal-title":"IEEE Trans. Ind. Inform."},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"3216","DOI":"10.1109\/TII.2017.2789219","article-title":"Significant permission identification for machine learning based android malware detection","volume":"14","author":"Li","year":"2018","journal-title":"IEEE Trans. Ind. Inform."},{"key":"ref_40","doi-asserted-by":"crossref","first-page":"51","DOI":"10.1016\/j.patcog.2017.10.015","article-title":"Distance Metric Optimization Driven Convolutional Neural Network for Age Invariant Face Recognition","volume":"75","author":"Li","year":"2018","journal-title":"Pattern Recognit."},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"117","DOI":"10.1016\/j.jnca.2018.01.003","article-title":"Cloud-aided Lightweight Certificateless Authentication Protocol with Anonymity for Wireless Body Area Networks","volume":"106","author":"Shen","year":"2018","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Rossow, C. (2014). Amplification Hell: Revisiting Network Protocols for DDoS Abuse, NDSS.","DOI":"10.14722\/ndss.2014.23233"},{"key":"ref_43","unstructured":"Ryba, F.J., Orlinski, M., W\u00e4hlisch, M., Rossow, C., and Schmidt, T.C. (arXiv, 2015). Amplification and DRDoS Attack Defense\u2014A Survey and New Perspectives, arXiv."},{"key":"ref_44","first-page":"435","article-title":"Taming the 800 pound gorilla: The rise and decline of NTP DDoS attacks","volume":"Volume 1","author":"Czyz","year":"2014","journal-title":"Proceedings of the Conference on Internet Measurement"},{"key":"ref_45","unstructured":"Karami, M., and McCoy, D. (2013, January 12). Understanding the Emerging Threat of DDoS-as-a-Service. Proceedings of the 6th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET\u201913), Washington, DC, USA."},{"key":"ref_46","unstructured":"Durumeric, Z., Bailey, M., and Halderman, A. (2014, January 20\u201322). An Internet-Wide View of Internet-Wide Scanning. Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA."},{"key":"ref_47","doi-asserted-by":"crossref","first-page":"125","DOI":"10.1108\/02640470210424455","article-title":"Security issues in online games","volume":"20","author":"Choi","year":"2002","journal-title":"Electron. Libr."},{"key":"ref_48","first-page":"52","article-title":"Cyberextortion: An overview of distributed denial of service attacks against online gaming companies","volume":"7","author":"Paulson","year":"2006","journal-title":"Issues Inf. Syst."},{"key":"ref_49","doi-asserted-by":"crossref","first-page":"107","DOI":"10.1016\/j.comcom.2015.06.008","article-title":"SF-DRDoS: The store-and-flood distributed reflective denial of service attack","volume":"69","author":"Bingshuang","year":"2015","journal-title":"Comput. Commun."},{"key":"ref_50","doi-asserted-by":"crossref","first-page":"80","DOI":"10.1109\/MC.2017.201","article-title":"DDoS in the IoT: Mirai and other botnets","volume":"50","author":"Kolias","year":"2017","journal-title":"Computer"},{"key":"ref_51","unstructured":"(2018, June 11). WRCCDC 2018. Available online: https:\/\/archive.wrccdc.org\/pcaps\/2018\/."}],"container-title":["Symmetry"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-8994\/11\/1\/78\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T12:25:22Z","timestamp":1760185522000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-8994\/11\/1\/78"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,1,11]]},"references-count":51,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2019,1]]}},"alternative-id":["sym11010078"],"URL":"https:\/\/doi.org\/10.3390\/sym11010078","relation":{},"ISSN":["2073-8994"],"issn-type":[{"value":"2073-8994","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,1,11]]}}}