A collaborative prediction approach to defend against amplified reflection and exploitation attacks

An amplified reflection and exploitation-based distributed denial of service (DDoS) attack allows an attacker to launch a volumetric attack on a target server or network. These attacks exploit network protocols to generate amplified service responses from spoofed requests. Spoofing the source address redirects all of the service responses to the victim's device, overwhelming it and rendering it unresponsive to legitimate users.


Introduction
Communication protocols allow computer networks to serve requests from large numbers of clients over diverse network topologies. While weak security measures in communication protocols can improve data communication efficiency and keep computer networks running smoothly, they also introduce significant vulnerabilities. Malicious actors can exploit these vulnerabilities to compromise the security and stability of communication systems. The reflection and exploitation attack is a significant cyberattack method in which cybercriminals exploit vulnerabilities in network protocols and systems to generate massive traffic volumes. This flood of malicious traffic is designed to overwhelm the target server or network, with adverse effects on its stability, availability and security. These attacks can cause disruptions in online services, financial losses, reputation damage and potential data breaches. Defending against such attacks and maintaining a robust cybersecurity posture is therefore crucial for organizations to keep their digital infrastructure functioning and to protect their assets.
In reflection attacks, the attacker sends requests to servers or devices that are configured to respond to certain types of queries. These servers are often legitimate and publicly accessible. The attacker forges the source IP address in the packet headers of the requests so that they appear to originate from the victim's IP address. Treating the requests as legitimate, the servers send their responses to the victim's IP address, resulting in a flood of traffic directed at the victim. Attackers increase the attack intensity by selecting reflector servers whose replies are much larger than the request packets [1].
In exploitation attacks, an attacker exploits a weakness in a network protocol to launch a high-volume attack on the victim server [2]. The attacker leverages the characteristics of the targeted protocols or services to achieve amplification. Certain protocols, such as the domain name system (DNS) protocol, Network Time Protocol (NTP), Simple Network Management Protocol (SNMP) and others, can generate responses that are significantly larger than the initial request. By exploiting these protocol features, the attacker amplifies the volume of traffic directed at the victim. This amplification effect allows the attacker to overwhelm the victim's network infrastructure, consuming its resources and making it inaccessible to legitimate users.
The combination of reflection and exploitation techniques enables cybercriminals to launch devastating distributed denial of service (DDoS) attacks that disrupt online services, cause financial losses and damage the reputations of the targeted organizations. These attacks are challenging to mitigate because vulnerable reflector servers are widely available and IP addresses are easy to spoof. They are generally carried out by abusing network protocols such as the Simple Service Discovery Protocol (SSDP), the DNS protocol, the Lightweight Directory Access Protocol (LDAP), the Network Basic Input/Output System (NetBIOS) protocol, the Simple Network Management Protocol (SNMP), the Microsoft SQL Server Resolution (MC-SQLR) protocol, the RPC port mapper (Portmap) and the Trivial File Transfer Protocol (TFTP), or by flooding the victim directly with Transmission Control Protocol (TCP) SYN segments or User Datagram Protocol (UDP) packets.
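The reflection pattern described above leaves a signature at the victim's edge: the victim receives service responses it never requested, because the request was sent by the attacker with a spoofed source. The following Python, added here as an illustration and not taken from the paper, flags inbound UDP flows that arrive from well-known reflector service ports without a matching outbound request from the receiving host. The flow records, the 10.0.0.0/24 internal range and the service-port table are constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

# Constructed flow records (not from the paper or CICDDoS2019), in the shape a
# flow exporter at the victim's border would produce: one record per direction.
class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str   # "UDP" or "TCP"
    bytes: int

# UDP service ports of the reflector protocols discussed above (assumed table).
AMPLIFIER_PORTS = {
    53: "DNS", 123: "NTP", 137: "NetBIOS", 161: "SNMP", 389: "LDAP",
    1434: "MC-SQLR", 1900: "SSDP", 111: "Portmap", 69: "TFTP",
}

FLOWS = [
    # legitimate: our resolver client asks 8.8.8.8 and gets an answer back
    Flow("10.0.0.5", 51000, "8.8.8.8", 53, "UDP", 70),
    Flow("8.8.8.8", 53, "10.0.0.5", 51000, "UDP", 300),
    # reflected: large service responses to 10.0.0.9, which never asked
    Flow("203.0.113.7", 1900, "10.0.0.9", 80, "UDP", 2600),
    Flow("198.51.100.3", 53, "10.0.0.9", 80, "UDP", 3900),
    Flow("192.0.2.10", 123, "10.0.0.9", 80, "UDP", 4800),
    # unrelated inbound TCP from a web server port: not a UDP reflector
    Flow("203.0.113.50", 443, "10.0.0.5", 52000, "TCP", 1500),
]

def is_internal(ip: str, prefix: str = "10.0.0.") -> bool:
    """Assumption: the monitored network is 10.0.0.0/24."""
    return ip.startswith(prefix)

def find_reflected(flows):
    """Return inbound UDP flows that come from a known amplifier service port
    and have no matching outbound request from the receiving host.

    The victim cannot see the spoofed request the attacker sent to the
    reflector, so the only local evidence is a response nobody asked for."""
    outbound = {
        (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        for f in flows if is_internal(f.src_ip) and not is_internal(f.dst_ip)
    }
    findings = []
    for f in flows:
        if f.proto != "UDP" or not is_internal(f.dst_ip) or is_internal(f.src_ip):
            continue
        service = AMPLIFIER_PORTS.get(f.src_port)
        if service is None:
            continue
        # Solicited if the receiving host sent a request from the same port
        # to that server and service port.
        if (f.dst_ip, f.dst_port, f.src_ip, f.src_port) in outbound:
            continue
        findings.append((service, f.src_ip, f.dst_ip, f.bytes))
    return findings

def bytes_per_victim(findings):
    """Aggregate unsolicited response bytes per internal destination."""
    totals = defaultdict(int)
    for _service, _reflector, victim, nbytes in findings:
        totals[victim] += nbytes
    return dict(totals)

if __name__ == "__main__":
    hits = find_reflected(FLOWS)
    for service, reflector, victim, nbytes in hits:
        print(f"{service:8} {reflector:>15} -> {victim:<10} {nbytes} bytes (unsolicited)")
    print(bytes_per_victim(hits))
```

Two caveats a practitioner should keep in mind: TFTP sends its data from an ephemeral server port, so a port-table match alone misses it, and the SYN and UDP floods discussed below are exploitation attacks without a reflector, which this check does not cover. In production the outbound lookup would be bounded by a time window and the per-victim byte totals thresholded rather than reported raw.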
SSDP enables devices to communicate and share information and helps users discover plug-and-play devices in a network [3]. The proliferation of Internet of Things (IoT) devices in home and small networks has increased SSDP reflection attacks. Cybercriminals exploit the weakness of SSDP to generate a high volume of network traffic from IoT devices, such as cameras, smart TVs, smart cars and smart fridges, to launch amplified reflection attacks [4]. DNS servers return the IP address corresponding to a domain name. In a DNS amplification attack, an attacker spoofs the source IP address with the victim's IP address. Attackers craft millions of such packets and send them to DNS reflectors, which send their replies to the victim instead of the attacker [5]. Cybercriminals also exploit LDAP servers to launch amplified reflection attacks on a victim server. First, they craft a query that makes the LDAP server return a large response. Then, they spoof the source of the query so that the LDAP server sends the reply to the victim [6]. NetBIOS establishes communication between applications in a small network so that they can share resources. Attackers use IP spoofing to send many name lookup requests to a NetBIOS name server. Although the attacker's request is small, the server's response, which carries detailed information about the current network and hostname configuration, is much larger than the request [7]. SNMP defines a set of rules that let management stations monitor and control network devices so that the network management functions requested by the management stations are carried out smoothly [8].
Attackers send numerous spoofed queries carrying the forged IP address of the victim to network devices running SNMP. The devices send their SNMP responses, which are much larger in volume, to the forged address, i.e., the victim, saturating the victim's device and network. Attackers also exploit the MC-SQLR protocol to launch a volumetric reflection attack. MC-SQLR is designed to send information about all of the database instances on a Microsoft SQL Server to clients requesting information about a Microsoft SQL (MSSQL) server database instance. The remote procedure call (RPC) port mapper (Portmap) maps RPC program numbers to network port numbers. A query to the port mapper is small, but the reply is many times the size of the request packet, and an attacker takes advantage of this to launch an amplified Portmap reflection attack by making continuous spoofed port mapper requests with the victim's source IP address. A SYN flood attack is a Transmission Control Protocol (TCP)-based exploitation attack. The attacker abuses the TCP three-way handshake by continuously sending SYN segments to the victim server and never completing the handshake with the final ACK. This creates a huge number of half-open connections on the server [9], which inundate it and leave it unresponsive to legitimate traffic. In a UDP flood, attackers send a huge number of User Datagram Protocol (UDP) packets to random ports of the victim server, and the bombardment consumes all of the server's resources [10]. The absence of an initial handshake in UDP makes it attractive to attackers and enables them to launch a high-volume attack with limited resources. TFTP enables the downloading or uploading of a file without authentication [11]. Its stateless nature, easy implementation and fast transmission rate make it useful for booting diskless workstations, installing operating systems or transferring large files. However, its lack of authentication and security is exploited by cybercriminals to launch TFTP amplification volumetric attacks [12]. Cybercriminals send a request to download a file from a TFTP server and spoof the source IP address with the victim's IP address, so that all of the TFTP server's replies are directed to the victim server. The above-discussed attacks are categorized and illustrated in Figure 1. The exploitation of these protocols is difficult to detect with traditional methods. The possibility of implementing complex security measures in these protocols is also low, as doing so can affect the performance of the devices implementing them. Therefore, fixing the vulnerabilities in these protocols is often overlooked entirely, and a modern solution is needed. In recent years, machine learning has emerged as one of the promising approaches for analyzing the tremendous amount of network data needed to detect sophisticated attacks on networks and network devices. Many researchers have employed machine learning to build powerful techniques to defend against cyberattacks [13][14][15][16][17][18]. This work uses a collaborative prediction approach to detect and defend against amplified reflection and exploitation attacks. The following are the key contributions.
• It presents details of the network protocols an attacker exploits for reflection and exploitation attacks.
proposed approach. Then, the experimental results are presented in Section 4 and the discussion is presented in Section 5. Finally, Section 6 concludes the proposed work.

Related works
Cyberattacks exploiting network protocols have always been a major concern for researchers and industry. Over the years, many security mechanisms have been developed to secure network protocols. This section discusses existing studies that propose defense mechanisms against reflection and exploitation attacks using machine learning techniques.
Thorat et al. [19] proposed TaxoDaCML, a taxonomy-based divide and conquer approach that uses machine learning to detect DDoS attacks targeting transport layer protocols. Dividing the larger classification problem into smaller sub-problems lets the approach perform efficiently. TaxoDaCML gives the flexibility to choose different feature sets and various machine learning classifiers for the classification. Extensive work on data cleaning and feature selection improves the performance of the approach. Various machine learning classifiers, such as k-nearest neighbor (KNN), decision tree (DT), random forest (RF) and artificial neural network (ANN) algorithms, are used at the various levels to improve classification accuracy. TaxoDaCML achieved 99.9% detection accuracy on the CICDDoS2019 dataset, performing the classification with minimal computational cost and time. Ahmed et al. [20] implemented a machine learning technique to detect and mitigate DNS query-based DDoS attacks in software defined networking (SDN). This technique is suited to networks, such as military networks, that need high security. In the proposed technique, the SDN controller periodically collects and analyzes network traffic to extract traffic features. In their experiments, the Dirichlet process mixture model (DPMM) outperformed the mean shift clustering method in detection accuracy on network traffic flows, including hypertext transfer protocol (HTTP) and file transfer protocol (FTP) traffic flows.
Sreeram and Vuppala [21] proposed a bio-inspired bat algorithm to detect DDoS attacks based on application layer protocols, such as HTTP, DNS, VoIP or SMTP attacks. DDoS attacks at the application layer complete the lower-layer protocol exchanges correctly, which makes them difficult to distinguish from legitimate traffic. The bio-inspired technique achieved higher accuracy with minimal computational complexity; on the CAIDA 2007 dataset, it achieved 94.5% precision, 94% recall and 94.8% accuracy. Salman et al. [22] proposed a framework for identifying IoT devices and detecting malicious network traffic. The framework has several modules: a feature extractor that records the features of active network flows, a device identification module that classifies devices based on statistical features of their network flows, a traffic-type identification module that classifies the generated traffic and an intrusion detection module that profiles normal device behavior to detect abnormal activity. Various machine learning classifiers were evaluated, and RF achieved the highest accuracy, with 94.5% for device-type identification and 93.5% for traffic-type classification. The authors of [23] proposed BLCD, a broad learning-based comprehensive defense strategy for detecting DDoS attacks based on SSDP. BLCD combines broad learning with a collection of defense strategies to detect malicious traffic and to reduce the incoming and outgoing network traffic of a device. The defense strategies are deployed in multiple zones, such as senders, routers, service providers, victims, amplifiers and bots. The technique achieved 99.99% accuracy in detecting malicious traffic.
Ismail et al. [24] presented the weighted score selector (WSS), a lightweight ensemble machine learning approach for detecting cyberattacks in wireless sensor networks (WSNs). WSS uses mutual information (MI) and Kendall's correlation coefficient to remove redundant features and extract an optimal feature subset. The authors employed seven conventional machine learning classifiers to create a pool and evaluated them on the WSN-DS dataset. The approach divides the original dataset into multiple balanced sub-datasets, reducing the computational overhead and making it suitable for imbalanced datasets. The most effective classifier is then selected after analyzing the performance of each classifier in the pool. Kshirsagar and Kumar [25] proposed a machine learning-empowered security framework against DDoS attacks that exploit the TCP and UDP protocols. Thresholds of 0.5, 0.25 and 0 were applied in information gain (IG) and CR-based feature ranking to obtain the reduced feature sets CRFS-1, CRFS-2 and CRFS-3. CRFS-1 and CRFS-2 were then combined into a new feature set that enhanced the classification performance of the J48 classifier. Mishra et al. [26] proposed a multi-classifier defensive mechanism against different DDoS threats. The authors employed six machine learning classifiers on the CICDDoS2019 dataset to detect DDoS attacks. Features whose variance fell below a predetermined threshold were removed, a tree-based feature selection approach eliminated further unnecessary features and the top 25 features were finally selected. AdaBoost achieved the highest classification accuracy, while naive Bayes was the fastest.
In summary, the existing studies have contributed significantly to the development of machine learning-based defense mechanisms against amplified reflection and exploitation attacks. They offer valuable insights and techniques for addressing the network security challenges posed by these attacks and showcase the potential of machine learning to enhance defense mechanisms.
While existing studies have made notable advances, improvements are still needed in the following areas:
• Accuracy improvement: While the existing studies achieved high detection accuracy in many cases, there is still room for improvement. Future research should focus on developing more accurate models that minimize false positives and false negatives.
attacks. By addressing these critical gaps, this research contributes to the evolution of more robust and impactful solutions in this domain.

Methodology
The proposed amplified reflection and exploitation attack detection method is a machine learning-based technique. It has the following stages.
Dataset enhancement: Most of the datasets contain missing values encoded as null, NaN or NA. This subsection discusses the dataset used in this study and the steps taken to improve its quality.
Feature selection techniques: The technique employs three different feature ranking techniques to identify the features most useful for attack detection:
• CIF-based ranking: this method scores each feature by how closely its values cluster around the feature's mean.
• Pearson correlation coefficient-based ranking: features are ranked by the correlation between each independent feature and the dependent feature (the attack label).
• Mutual information (MI)-based ranking: MI measures the dependency between each feature and the attack label, with higher MI values indicating greater relevance.
Collaborative prediction using VotingClassifier: The selected features are input to three different machine learning classifiers: AdaBoostClassifier, LogisticRegression and BaggingClassifier. A VotingClassifier makes the final prediction. This ensemble technique combines the predictions of the individual classifiers, either by majority (hard) voting on their class predictions or by summing their class probabilities (soft voting). The VotingClassifier leverages the diversity of the individual classifiers to improve overall predictive performance. With this approach, the proposed technique aims to enhance the detection of amplified reflection and exploitation attacks.
The following subsection discusses each stage of the proposed technique in detail and the workflow is presented in Figure 2.

Dataset enhancement
It is crucial to evaluate machine learning models on modern, realistic and large datasets to ensure their real-world performance, generalizability, robustness and scalability, and to address ethical considerations. With this in mind, the proposed approach has been evaluated on the CICDDoS2019 [27] DDoS attack dataset, which includes various modern and realistic DDoS attack traffic profiles. The CICDDoS2019 dataset contains a huge amount of network traffic collected from a comprehensive testbed that combines a highly secured victim network with a separate attack network. The ratio of attack records to benign records is very high in each sub-dataset, which reflects a realistic high-volume DDoS attack scenario; in most cases, attack records make up more than 99.9% of the total records. All datasets have a total of 88 features.
All datasets contain a significant number of missing and infinite values. These values were imputed with zero, because deleting the affected records would cause a significant loss of data. Missing values could also be imputed by predicting them with machine learning models, which can capture complex relationships between variables and so produce more accurate imputations; although this would improve the dataset, it adds computational overhead to the pipeline. Details of the missing and infinite values are given in Figure 3.

Feature selection
Using three different feature ranking techniques in the feature selection process offers several advantages. It allows the relevance of features to be evaluated from several perspectives, captures both linear and nonlinear relationships between the features and the target variable, reduces the bias introduced by any single method, handles diverse data types, increases robustness against noise in the data and strikes a balance between feature interpretability and predictive performance.
CIF-based ranking: The CIF of a feature is computed from the mean of that feature. The mean is subtracted from each value of the feature, the absolute value of the difference is divided by the mean and the results are summed over all records. The total indicates how closely the values of a feature lie to the mean value of that feature. The equation for calculating the CIF of all features is given by Eq (3.1),
where p is the total number of features in the dataset, q is the total number of records in the i-th feature and F represents all of the features in the dataset. The CIF values calculated for each feature of the Syn flood attack dataset are shown in Figure 4.
The CIF offers insight into the distribution and variability of each feature, which aids decision-making and data comprehension. It provides a quantifiable measure of how closely the values of a feature cluster around their mean and so helps to evaluate the importance and relevance of features within a dataset. Features with high CIF values might contain outliers or extreme values that deviate significantly from the mean, and identifying and investigating them can be crucial to understanding data quality issues or anomalies.
Pearson correlation coefficient-based ranking: The Pearson correlation coefficient is a statistical measure that quantifies the linear relationship between each feature (independent variable) and the target variable (dependent variable). Features whose correlation coefficient has a high absolute value (close to 1 or -1) are more strongly linearly correlated with the target variable and are potentially more informative for prediction. Features with correlation coefficients close to 0 have no strong linear relationship with the target and may be less useful for prediction, although a coefficient near 0 does not rule out a nonlinear relationship.
Equation (3.2) is used to calculate Pearson's correlation coefficient between an independent feature I and the dependent feature D. The correlation values calculated between each independent feature and the dependent feature of the Syn flood attack dataset are shown in Figure 5.

MI-based ranking: The MI between two variables shows how much information one carries about the other. For example, the amount of information that feature F carries for correctly classifying the target label L (benign or attack) is calculated by Eq (3.3), MI(F, L). A higher MI(F, L) value indicates a more important feature [28]. Conversely, when MI(F, L) is zero, feature F carries no information about the target label L and can be removed from the final feature set. In Eq (3.3), F represents all of the features in the dataset, L is the label of a record (benign or attack) and i and j are used to iterate over all of the features in the dataset. The MI value is calculated for each feature, which allows the features to be ranked by the amount of information they carry about the target. The MI value calculated for each feature of the Syn flood attack dataset is shown in Figure 6.
Final high-ranked feature identification: After ranking the features with the CIF, Pearson correlation and MI techniques, a loop iterates i from 0 to the number of features. The 0th feature of each ranking denotes its highest-ranked feature. At each step i, the i-th feature is extracted from each of the three ranked lists and the unique features among them form a candidate set. AdaBoostClassifier is trained on the current feature set plus the candidates to obtain a classification accuracy, which is compared with the previous best accuracy (0 at the first iteration). If the current accuracy is higher, the candidates are added to the final feature set. In this way, a final feature set is identified for every dataset used in the experiment.
Reduced feature set construction: Once a final feature set has been identified for every dataset, the number of final feature sets in which each feature occurs is counted. The feature with the highest count is the one that matters for the largest number of datasets. Features are ranked again by their occurrence count in descending order. A loop then iterates i from 1 to n-1, where n is the number of ranked features, creating n-1 reduced feature sets; the i-th reduced feature set contains all of the features from the 0th to the i-th position of this ranking.
In this way, multiple reduced feature sets are constructed and evaluated with the proposed collaborative prediction technique, and the best-performing reduced feature set is selected for the proposed reflection and exploitation attack detection technique.
A reduced feature set chosen this way may not be the best-performing set for any single attack, but it delivers consistently good performance across all of the reflection and exploitation attack types considered, namely SSDP, DNS, LDAP, NetBIOS, SNMP, NTP, MSSQL, Portmap, Syn and UDP attacks.
The rankings of features can differ across techniques, with some methods assigning higher importance to certain features and lower importance to others.Relying solely on one ranking technique risks missing crucial features.To address this, the proposed feature selection technique utilizes three distinct ranking methods, reducing the chance of losing vital features and providing a more comprehensive assessment of feature importance.By combining these approaches, a more robust feature selection process is achieved, ensuring that key features are retained for subsequent analysis and modeling.
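The following Python, an added example rather than the paper's code, runs the three rankings and the two merging steps described above on a constructed toy dataset. The median-split discretization applied before computing MI, the nearest-centroid rule that stands in for AdaBoostClassifier as the accuracy evaluator and the per-dataset final sets fed to the last step are assumptions made for the illustration, not details taken from the paper.

```python
import math
from collections import Counter

# Constructed toy flow records (not CICDDoS2019 data): label 1 = attack, 0 = benign.
FEATURES = ["pkt_len_mean", "flow_duration", "syn_count", "const_feature"]
RECORDS = [  # pkt_len_mean, flow_duration, syn_count, const_feature, label
    (1400.0, 120.0, 1, 7, 1), (1380.0, 95.0, 1, 7, 1),
    (1420.0, 130.0, 1, 7, 1), (1390.0, 110.0, 1, 7, 1),
    (210.0, 900.0, 0, 7, 0), (180.0, 850.0, 0, 7, 0),
    (250.0, 700.0, 1, 7, 0), (190.0, 800.0, 0, 7, 0),
]
LABELS = [r[-1] for r in RECORDS]

def column(name):
    return [r[FEATURES.index(name)] for r in RECORDS]

def cif(values):
    """Eq (3.1) as described in the text: sum over records of |x - mean| / mean."""
    m = sum(values) / len(values)
    return 0.0 if m == 0 else sum(abs(x - m) for x in values) / m

def pearson(x, y):
    """Eq (3.2): Pearson correlation between a feature and the label."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return 0.0 if sx == 0 or sy == 0 else cov / (sx * sy)

def binarize(values):
    """Split at the median (assumption: the paper does not say how continuous
    features are discretized before computing MI)."""
    s = sorted(values)
    med = s[len(s) // 2] if len(s) % 2 else (s[len(s) // 2 - 1] + s[len(s) // 2]) / 2
    return [int(v >= med) for v in values]

def mutual_information(x, y):
    """Eq (3.3): MI(F, L) in bits from empirical joint and marginal frequencies."""
    n = len(x)
    pxy, px, py = Counter(zip(x, y)), Counter(x), Counter(y)
    return sum(c / n * math.log2((c / n) / ((px[a] / n) * (py[b] / n)))
               for (a, b), c in pxy.items())

def rank(scores):
    """Feature names by descending |score|; index 0 is the highest ranked."""
    return sorted(scores, key=lambda f: abs(scores[f]), reverse=True)

def three_rankings():
    cif_r = rank({f: cif(column(f)) for f in FEATURES})
    pcc_r = rank({f: pearson(column(f), LABELS) for f in FEATURES})
    mi_r = rank({f: mutual_information(binarize(column(f)), LABELS) for f in FEATURES})
    return [cif_r, pcc_r, mi_r]

def centroid_accuracy(names):
    """Stand-in evaluator (assumption: the paper uses AdaBoostClassifier here):
    resubstitution accuracy of a nearest-centroid rule on standardized features."""
    cols, stats = {f: column(f) for f in names}, {}
    for f, c in cols.items():
        m = sum(c) / len(c)
        stats[f] = (m, math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0)
    rows = [[(cols[f][i] - stats[f][0]) / stats[f][1] for f in names] for i in range(len(RECORDS))]
    cents = {}
    for cls in (0, 1):
        members = [r for r, l in zip(rows, LABELS) if l == cls]
        cents[cls] = [sum(m[k] for m in members) / len(members) for k in range(len(names))]
    dist = lambda a, b: sum((p - q) ** 2 for p, q in zip(a, b))
    preds = [min((0, 1), key=lambda cls: dist(r, cents[cls])) for r in rows]
    return sum(p == l for p, l in zip(preds, LABELS)) / len(LABELS)

def greedy_union(rankings, evaluate):
    """Final high-ranked feature identification: at step i take the i-th entry of
    every ranking and keep the union only if it raises the evaluator's accuracy."""
    selected, best = [], 0.0
    for i in range(len(FEATURES)):
        candidates = list(dict.fromkeys(r[i] for r in rankings if r[i] not in selected))
        if not candidates:
            continue
        acc = evaluate(selected + candidates)
        if acc > best:
            selected, best = selected + candidates, acc
    return selected, best

def reduced_sets(final_sets):
    """Reduced feature set construction: rank features by how many per-dataset
    final sets contain them, then emit the nested prefixes of that ranking."""
    counts = Counter(f for fs in final_sets.values() for f in fs)
    ranked = sorted(counts, key=lambda f: (-counts[f], FEATURES.index(f)))
    return [ranked[: i + 1] for i in range(1, len(ranked))]

if __name__ == "__main__":
    rankings = three_rankings()
    final, acc = greedy_union(rankings, centroid_accuracy)
    print("rankings:", rankings)
    print("final set:", final, "accuracy:", acc)
    # Constructed final sets for three hypothetical sub-datasets, to show the last step.
    print(reduced_sets({"Syn": final, "UDP": ["pkt_len_mean", "syn_count"],
                        "DNS": ["pkt_len_mean", "flow_duration", "syn_count"]}))
```

On this toy data the three rankings already disagree about which feature is most important (CIF favours flow_duration, the other two favour pkt_len_mean), which is the situation the union step is designed for; the constant feature is ranked last by all three and is never admitted because it cannot raise the evaluator's accuracy.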

The collaborative prediction technique
The proposed collaborative prediction approach uses machine learning techniques to classify network traffic and detect reflection and exploitation attacks. Machine learning has been widely explored in recent years; training a model extensively on diverse sets of network traffic allows it to detect malicious behavior in a network [29,30]. The proposed technique uses a voting classifier to improve attack detection. The voting classifier combines several base machine learning classifiers, namely AdaBoostClassifier, LogisticRegression and BaggingClassifier, into a robust ensemble model that can achieve higher classification accuracy on diverse datasets.
The three selected classifiers belong to different classifier types, which provides diversity in the voting classifier. AdaBoostClassifier is a boosting ensemble that combines multiple weak learners into a strong learner; LogisticRegression is a linear model for binary classification; and BaggingClassifier is an ensemble method that uses bootstrap aggregation. Including classifiers of different types lets the ensemble capture their complementary strengths, since each classifier has its own strengths and weaknesses.
For example, AdaBoostClassifier can model complex decision boundaries (although, because boosting concentrates on misclassified records, it is sensitive to label noise and outliers), LogisticRegression works well with linearly separable data and BaggingClassifier reduces variance and improves stability. Combining them allows the ensemble to benefit from these complementary properties.
Ensemble methods, such as AdaBoostClassifier and BaggingClassifier, are known for reducing overfitting and improving generalization by aggregating the predictions of multiple models, so including them in the voting classifier increases the likelihood of robust and generalizable predictions. LogisticRegression is a widely used classifier known for its simplicity and interpretability: its coefficients indicate the impact of each feature on the target variable, which makes the model easier to understand. Incorporating LogisticRegression into the voting classifier brings this simplicity and interpretability to the ensemble.
In recent years, researchers have extensively experimented with these base machine learning classifiers to detect network attacks [31][32][33][34]. The voting classifier was constructed with both 'hard' and 'soft' voting. Hard voting selects the class predicted by the majority of the base classifiers, whereas soft voting predicts the class with the highest sum of the base classifiers' predicted probabilities. The algorithm is applied to all of the reduced feature sets identified during feature selection. The pseudo-code for detecting amplified reflection and exploitation attacks is given in Algorithm 1; its inner loop stores the accuracy, precision, recall and F1 score of each run.
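The two voting rules can give different answers for the same record, which is why the experiments below evaluate both. The following Python, added here as an illustration and not the paper's code or scikit-learn's, implements hard and soft voting over constructed class probabilities from three hypothetical base classifiers (stand-ins for AdaBoostClassifier, LogisticRegression and BaggingClassifier) and shows a record on which they disagree.

```python
from collections import Counter

CLASSES = ("benign", "attack")

# Constructed per-record class probabilities from three hypothetical base
# classifiers; not output from the paper's experiments. Each tuple is
# (P(benign), P(attack)) for one traffic record.
BASE_PROBAS = {
    "adaboost": [(0.40, 0.60), (0.55, 0.45), (0.48, 0.52), (0.20, 0.80)],
    "logreg":   [(0.45, 0.55), (0.60, 0.40), (0.49, 0.51), (0.90, 0.10)],
    "bagging":  [(0.35, 0.65), (0.95, 0.05), (0.95, 0.05), (0.52, 0.48)],
}

def argmax(probs):
    return max(range(len(probs)), key=lambda c: probs[c])

def hard_vote(probas_per_clf, i):
    """Majority vote over the base classifiers' predicted classes for record i.
    Ties go to the lowest class index, as scikit-learn's VotingClassifier does."""
    votes = Counter(argmax(p[i]) for p in probas_per_clf.values())
    top = max(votes.values())
    return min(c for c, n in votes.items() if n == top)

def soft_vote(probas_per_clf, i):
    """Argmax of the summed class probabilities for record i."""
    sums = [sum(p[i][c] for p in probas_per_clf.values()) for c in range(len(CLASSES))]
    return argmax(sums)

def predict(probas_per_clf, voting):
    """Label every record with the chosen voting rule ('hard' or 'soft')."""
    n = len(next(iter(probas_per_clf.values())))
    vote = hard_vote if voting == "hard" else soft_vote
    return [CLASSES[vote(probas_per_clf, i)] for i in range(n)]

def disagreements(probas_per_clf):
    """Indices of records where hard and soft voting produce different labels."""
    hard, soft = predict(probas_per_clf, "hard"), predict(probas_per_clf, "soft")
    return [i for i, (h, s) in enumerate(zip(hard, soft)) if h != s]

if __name__ == "__main__":
    for mode in ("hard", "soft"):
        print(mode, predict(BASE_PROBAS, mode))
    print("hard/soft disagree on records:", disagreements(BASE_PROBAS))
```

Record 2 is the instructive case: two classifiers lean marginally towards attack (0.52 and 0.51) while the third is confidently benign (0.95). Hard voting gives each classifier one equal vote and labels the record an attack; soft voting lets the confident classifier outweigh the two marginal ones and labels it benign. Which behaviour is preferable depends on how well calibrated the base classifiers' probabilities are, which is what the hard-versus-soft comparison in the results measures empirically.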

Results
This section describes how the proposed feature selection technique and collaborative prediction technique were applied to CICDDoS2019's SSDP, DNS, LDAP, NetBIOS, SNMP, NTP, MSSQL, Portmap, Syn and UDP datasets to evaluate their performance. The most important features of each individual dataset of CICDDoS2019 were identified first; they are shown in Table 2. Once the best-performing feature set was identified for every dataset, the total number of occurrences of each feature across all datasets was calculated and the features were ranked by it. Multiple feature subsets were then created by successively including the next lower-ranked feature. The final reduced feature sets created this way are given in Table 3.
After identifying the reduced feature sets, i.e., Set1, Set2, Set3 and Set4, an experiment was conducted using a voting classifier with both hard and soft voting. The voting classifier combined AdaBoostClassifier, LogisticRegression and BaggingClassifier as base classifiers. Each dataset was split into training and test data at a 70:30 ratio: 70% of the dataset was used to train the model and 30% to test it.
Accuracy, precision, sensitivity (recall), F1 score and the Matthews correlation coefficient (MCC) were used to evaluate model performance. These indicators are commonly used to evaluate machine learning classifiers: they provide a quantitative assessment of performance that enables the comparison, selection and monitoring of models. Different models may perform differently on different metrics, so the metrics provide a basis for model selection. They also allow a model's performance to be monitored over time, which is important to ensure that it remains effective as new data become available, and they help to assess the real-world impact of deploying a model; for example, precision and sensitivity help to estimate the costs and benefits of a false alarm or a missed attack in a specific application domain.
where
Tp (true positive) is a benign record correctly classified as benign,
Tn (true negative) is an attack record correctly classified as attack,
Fp (false positive) is an attack record incorrectly classified as benign and
Fn (false negative) is a benign record incorrectly classified as attack.
Accuracy, precision, sensitivity, F1 score and MCC are calculated from these four counts.
Table 4 shows the average performance of the hard and soft voting models on CICDDoS2019's SSDP, DNS, LDAP, NetBIOS, SNMP, NTP, MSSQL, Portmap, Syn and UDP datasets; the same results are depicted in Figure 7. From Figure 7, it is clear that the reduced feature set Set4 outperformed all of the other feature sets. Set4 combines all of the features identified in the reduced feature sets of the individual datasets, and selecting all of them helped the model to improve its classification performance across all datasets. Although the accuracy is similar for all feature sets, there is a large difference in recall and F1 score, which is expected on data this imbalanced: accuracy is dominated by the majority attack class, whereas recall and F1 score expose how well the scarce benign records are classified. An adequately built machine learning model should perform well on all evaluation metrics, and selecting Set4 achieves this.
When the hard- and soft-voting variants were compared on the best-performing feature set Set4, hard voting performed better than soft voting: the majority-vote rule, in which each base classifier casts one vote for its predicted class, beat the rule that averages the base classifiers' predicted class probabilities. Figure 8 shows the same tendency. The average time the voting classifier (hard and soft) took on each dataset was measured, the ratio of the two times was calculated, and Figure 9 was plotted from those ratios. Figure 9 shows that the two variants took almost the same time: hard voting was faster on some datasets and equal to soft voting on others, while soft voting was faster in many cases.

AUC-ROC curve analysis: All sub-datasets of the CICDDoS2019 dataset are class-imbalanced. On average, 99.79% of the records are malicious and only 0.21% are benign, as shown in Table 1. On such data a classifier that labels every record malicious already scores about 99.79% accuracy, so a model cannot be called effective on the basis of 99% accuracy alone. The AUC-ROC curve analysis measures the performance of a machine learning model [35] and confirmed that the model performed as expected even on the class-imbalanced datasets. AUC-ROC evaluates how well the model separates both classes rather than favoring the majority class. In class-imbalanced datasets one class (the majority class) has far more samples than the other (the minority class); while accuracy can be misleading in this setting, AUC-ROC offers a more robust and informative assessment, so that the imbalance does not skew the reported performance and the model's ability to handle such data is seen more clearly.
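As an added illustration of the two combination rules compared above (example code written for this page, not the authors' implementation), the block below implements majority voting and probability averaging over the outputs of three base classifiers and constructs flows on which the two rules disagree. The member probability vectors, and their ordering as AdaBoost, LogisticRegression and Bagging, are assumptions.

```python
from collections import Counter

BENIGN, ATTACK = 0, 1


def hard_vote(member_probs):
    """Majority vote: each member votes for its own argmax class.
    A tie (impossible with three members and two classes) goes to the
    lowest class index, as scikit-learn's VotingClassifier resolves it."""
    votes = Counter(max(range(len(p)), key=p.__getitem__) for p in member_probs)
    top = max(votes.values())
    return min(c for c, n in votes.items() if n == top)


def average_probabilities(member_probs):
    """Element-wise mean of the members' class-probability vectors."""
    k = len(member_probs[0])
    return [sum(p[c] for p in member_probs) / len(member_probs) for c in range(k)]


def soft_vote(member_probs):
    """Soft vote: argmax of the averaged probabilities, so one confident
    member can outweigh two marginal ones (and vice versa)."""
    avg = average_probabilities(member_probs)
    return max(range(len(avg)), key=avg.__getitem__)


def predict_batch(flows, rule):
    """Apply a voting rule to every flow; each flow is the list of the three
    members' [p_benign, p_attack] vectors."""
    return [rule(m) for m in flows]


def disagreements(flows):
    """Indices of flows where hard and soft voting give different classes."""
    return [i for i, m in enumerate(flows) if hard_vote(m) != soft_vote(m)]


# Constructed member outputs (not from the paper's experiments). Member order
# is assumed to be AdaBoost, LogisticRegression, Bagging.
FLOWS = [
    [[0.55, 0.45], [0.55, 0.45], [0.05, 0.95]],  # two weak "benign", one strong "attack"
    [[0.10, 0.90], [0.20, 0.80], [0.30, 0.70]],  # unanimous attack
    [[0.60, 0.40], [0.65, 0.35], [0.70, 0.30]],  # unanimous benign
    [[0.49, 0.51], [0.49, 0.51], [0.98, 0.02]],  # two marginal "attack", one confident "benign"
]

if __name__ == "__main__":
    print("hard:", predict_batch(FLOWS, hard_vote))
    print("soft:", predict_batch(FLOWS, soft_vote))
    print("flows where the rules disagree:", disagreements(FLOWS))
```

The first and last constructed flows show the practical difference: hard voting ignores how confident each member is, so it cannot be swung by a single strongly confident member, while soft voting is only meaningful when the members' probabilities are comparably calibrated, because a member that emits systematically more extreme probabilities dominates the average.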
The AUC-ROC graph in Figure 10 was calculated and plotted to evaluate the model's effectiveness. During the experiment, the model achieved a higher AUC-ROC on all of the feature sets except feature set Set1.

MCC analysis: The MCC is a dependable way to assess the classification performance of a machine learning model [36]. It is computed from all four values in the confusion matrix: true positives, true negatives, false positives and false negatives. High accuracy, precision, recall or F1 score does not by itself guarantee that a model is efficient, especially on imbalanced datasets; the MCC is particularly useful there and gives a balanced measure of the model's performance.
The MCC ranges from -1 to +1, where +1 indicates a perfect prediction, 0 a random prediction and -1 complete disagreement between the predictions and the true labels. In all of the experiments, whether hard or soft voting was used, classification performance was consistently better with feature set Set4 than with Sets 1, 2 or 3. The AUC-ROC and MCC analyses also confirmed that Set4 played a significant role in improving the performance of both variants. The highest overall classification accuracy was achieved by the voting classifier with hard voting on reduced feature set Set4, as shown in Table 5.
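As an added worked example (not the authors' code) of why accuracy alone is untrustworthy at the imbalance ratio reported above, the block below computes accuracy, MCC and AUC-ROC from scratch on a constructed 10000-record set with 99.79% attack records: once for a degenerate predictor that labels everything as an attack, and once for constructed scores of a plausible classifier. Treating the attack class as the positive class, and the specific error pattern of the plausible classifier, are assumptions.

```python
import math


def confusion(y_true, y_pred):
    """Return (tp, tn, fp, fn) with class 1 (attack) as the positive class."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    return tp, tn, fp, fn


def accuracy(y_true, y_pred):
    tp, tn, fp, fn = confusion(y_true, y_pred)
    return (tp + tn) / (tp + tn + fp + fn)


def mcc(y_true, y_pred):
    """Matthews correlation coefficient in [-1, 1]. Returns 0 when the
    denominator vanishes, e.g. when the predictor never emits one class."""
    tp, tn, fp, fn = confusion(y_true, y_pred)
    denom = math.sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    return (tp * tn - fp * fn) / denom if denom else 0.0


def auc_roc(y_true, scores):
    """Area under the ROC curve via the rank-sum (Mann-Whitney) identity.
    Tied scores get their average rank, so a constant score yields 0.5."""
    n = len(scores)
    order = sorted(range(n), key=lambda i: scores[i])
    ranks = [0.0] * n
    i = 0
    while i < n:
        j = i
        while j + 1 < n and scores[order[j + 1]] == scores[order[i]]:
            j += 1
        avg_rank = (i + j) / 2 + 1  # 1-based average rank of the tie group
        for k in range(i, j + 1):
            ranks[order[k]] = avg_rank
        i = j + 1
    n_pos = sum(y_true)
    n_neg = n - n_pos
    if n_pos == 0 or n_neg == 0:
        raise ValueError("AUC-ROC needs both classes present")
    rank_sum_pos = sum(r for r, t in zip(ranks, y_true) if t == 1)
    return (rank_sum_pos - n_pos * (n_pos + 1) / 2) / (n_pos * n_neg)


def threshold(scores, t=0.5):
    return [1 if s >= t else 0 for s in scores]


def evaluate(y_true, scores, t=0.5):
    y_pred = threshold(scores, t)
    return {"accuracy": accuracy(y_true, y_pred),
            "mcc": mcc(y_true, y_pred),
            "auc_roc": auc_roc(y_true, scores)}


# Constructed evaluation set mirroring Table 1's average imbalance:
# 9979 attack records (99.79%) followed by 21 benign records (0.21%).
Y_TRUE = [1] * 9979 + [0] * 21

# Degenerate predictor: every record gets attack score 1.0.
ALWAYS_ATTACK = [1.0] * len(Y_TRUE)

# Constructed scores for a plausible classifier (assumed error pattern):
# it misses 10 attack flows (score 0.3) and flags one benign flow (score 0.8).
PLAUSIBLE = [0.3] * 10 + [0.9] * (9979 - 10) + [0.8] + [0.1] * 20

if __name__ == "__main__":
    for name, scores in (("always-attack", ALWAYS_ATTACK), ("plausible", PLAUSIBLE)):
        print(name, {k: round(v, 4) for k, v in evaluate(Y_TRUE, scores).items()})
```

The degenerate predictor reaches 99.79% accuracy while its MCC is 0 and its AUC-ROC is 0.5, i.e. it has learned nothing; the plausible classifier's slightly higher accuracy (99.89%) hides a far larger gap in MCC (about 0.80) and AUC-ROC (above 0.9999), which is exactly the separation that the accuracy figures in Table 4 cannot show.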

Discussion
The results of the comparative analysis of the proposed approach against state-of-the-art techniques are given in Table 6. The proposed approach achieved high accuracy compared with most of the studies. The extensive feature selection work kept only the features that contributed to the model's classification accuracy. Reducing the number of features improved computational efficiency, letting the model perform detection at high speed. Detection speed matters most when the model is meant to defend high-speed networks against volumetric attacks, where the classifier must keep up with the traffic rate. Several studies [37,38] have shown experimentally that ensemble classifiers perform better than base classifiers. A single classifier that achieves high accuracy on one dataset is not guaranteed to achieve the same accuracy on another. The experiments showed that combining boosting, bagging and base classifiers in the voting classifier improved the collaborative predictive model. The collaborative approach ensures that, even if one classifier performs poorly, the other two keep the final prediction from degrading significantly.
The AUC-ROC analysis in Figure 10 shows that the model correctly distinguished benign from attack records when applied to the reduced feature set Set4; the high curve in Figure 10 reflects the classifier's predictive power. With Set4, the consistently high MCC values on all datasets shown in Figure 11 confirm the prediction capability of the proposed approach. This demonstrates the model's effectiveness on diverse datasets, including imbalanced ones in which records of one class dominate.

Electronic Research Archive, Volume 31, Issue 10, 6045-6070.

Conclusion
This research article addressed the critical issue of amplified reflection and exploitation attacks, which pose significant threats to network security. By exploiting network protocols and reflector servers, these attacks can cause severe disruption and downtime, rendering the network unresponsive to legitimate users.
To counter these attacks, a machine learning-based approach was developed that uses the CIF technique for feature selection to filter out less important features and identify reduced feature sets. Combined with a collaborative prediction approach using a voting classifier, this allowed network traffic to be classified and potential attacks to be detected accurately. The experimental evaluations on the CICDDoS2019 datasets gave average accuracy, precision, recall and F1 scores above 99%. AUC-ROC curve analysis and the MCC further showed that the approach outperforms existing methods, particularly on class-imbalanced datasets. These findings support the efficacy and reliability of the machine learning-based solution for defending against amplified reflection and exploitation attacks.
The key contributions of this research are the CIF technique for feature selection, which filters out less important features and ranks the rest to identify the reduced feature sets, thereby improving the efficiency and effectiveness of the subsequent predictive stage, and the collaborative prediction approach, implemented as a voting classifier that combines the strengths of the AdaBoostClassifier, LogisticRegression and BaggingClassifier algorithms to improve detection accuracy and reliability.
In conclusion, the proposed research presents a comprehensive and effective machine learning-based defense mechanism for mitigating amplified reflection and exploitation attacks. The findings give network administrators and security practitioners a tool to safeguard critical network infrastructure, helping to preserve the availability and integrity of services in the presence of sophisticated DDoS attacks. Future research should focus on optimizing detection speed while continuing to improve the overall performance of the approach and its adaptability to evolving threats. Continuously enhancing defense mechanisms in this way makes it possible to stay a step ahead of attackers and to maintain the security and stability of networked systems.

Use of AI tools declaration
The authors declare they have not used Artificial Intelligence (AI) tools in the creation of this article.

Figure 3. Details of missing and infinite values in the dataset.

3.2. Feature selection techniques
Filtering out unwanted features and selecting the important ones improves the performance of any machine learning model. These steps become essential when the dataset is huge and the model must analyze the data in real time. The proposed feature selection technique combines three feature ranking techniques: CIF, the Pearson correlation coefficient and MI.
I and D are two features of the dataset and n is the number of records in feature I.
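As an added example of the screening and ranking steps described above (written for this page, not the authors' code), the block below drops single-valued columns, sanitises missing and infinite values, and ranks the surviving features by absolute Pearson correlation and by mutual information with the label. The CIF ranking that the paper also uses is not defined on this page and is therefore not reproduced. The flow records are constructed; the column names mirror CICFlowMeter features, and the choice of median imputation and four equal-width bins for MI are assumptions.

```python
import math

NAN, INF = float("nan"), float("inf")

# Constructed flow records (not from CICDDoS2019); label 1 = attack, 0 = benign.
COLUMNS = ["Flow Duration", "Bwd PSH Flags", "Bwd Avg Bulk Rate",
           "Packet Length Mean", "Flow Bytes/s", "Flow IAT Mean"]
ROWS = [
    ([120,   0, 0, 1450.0, 4.8e6, 30.0], 1),
    ([0,     0, 0, 1480.0, INF,   0.0], 1),    # zero-duration flow: Flow Bytes/s is inf
    ([95,    0, 0, 1398.0, 5.1e6, 25.0], 1),
    ([200,   0, 0, 1512.0, 3.2e6, 900.0], 1),
    ([150,   0, 0, 1420.0, NAN,   40.0], 1),   # missing value
    ([80,    0, 0, 1466.0, 6.0e6, 20.0], 1),
    ([300,   0, 0, 1380.0, 2.9e6, 2200.0], 1),
    ([110,   0, 0, 1500.0, 4.9e6, 28.0], 1),
    ([5000,  0, 0, 120.0,  8.0e4, 900.0], 0),
    ([12000, 0, 0, 65.0,   2.1e4, 60.0], 0),
    ([3000,  0, 0, 200.0,  1.3e5, 1800.0], 0),
    ([9000,  0, 0, 80.0,   3.0e4, 600.0], 0),
]


def drop_single_valued(columns, rows):
    """Names of columns that take more than one value. Constant columns such
    as 'Bwd PSH Flags' carry no information and only cost time at inference."""
    keep = []
    for i, name in enumerate(columns):
        values = {repr(r[0][i]) for r in rows}  # repr() so NaN compares equal to NaN
        if len(values) > 1:
            keep.append(name)
    return keep


def sanitise(values):
    """Replace NaN/inf with the median of the finite values (assumed policy).
    In a real pipeline compute the median on the training split only, so the
    imputation statistic does not leak the test distribution."""
    finite = sorted(v for v in values if math.isfinite(v))
    if not finite:
        return [0.0] * len(values)
    mid = len(finite) // 2
    median = finite[mid] if len(finite) % 2 else (finite[mid - 1] + finite[mid]) / 2
    return [v if math.isfinite(v) else median for v in values]


def pearson(x, y):
    """Pearson correlation coefficient; 0 if either vector is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return cov / (sx * sy) if sx and sy else 0.0


def mutual_information(x, y, bins=4):
    """MI in nats between a continuous feature x, discretised into equal-width
    bins, and a discrete label y: sum p(x,y) log(p(x,y) / (p(x) p(y)))."""
    lo, hi = min(x), max(x)
    width = (hi - lo) / bins or 1.0
    bx = [min(int((v - lo) / width), bins - 1) for v in x]
    n = len(x)
    joint, px, py = {}, {}, {}
    for a, b in zip(bx, y):
        joint[(a, b)] = joint.get((a, b), 0) + 1
        px[a] = px.get(a, 0) + 1
        py[b] = py.get(b, 0) + 1
    return sum(c / n * math.log((c / n) / ((px[a] / n) * (py[b] / n)))
               for (a, b), c in joint.items())


def rank_features(columns, rows, bins=4):
    """Screen then rank: {name: (|pearson r|, MI)} for the surviving columns."""
    labels = [lab for _, lab in rows]
    scores = {}
    for name in drop_single_valued(columns, rows):
        i = columns.index(name)
        col = sanitise([r[0][i] for r in rows])
        scores[name] = (abs(pearson(col, labels)), mutual_information(col, labels, bins))
    return scores


if __name__ == "__main__":
    ranked = sorted(rank_features(COLUMNS, ROWS).items(), key=lambda kv: -kv[1][0])
    for name, (r, mi) in ranked:
        print(f"{name:20s} |r|={r:.3f}  MI={mi:.3f}")
```

On the constructed records the two constant columns are discarded before any statistic is computed, the infinite and missing Flow Bytes/s values are imputed rather than silently turned into a huge outlier, and Packet Length Mean ranks first on both measures while Flow IAT Mean, which overlaps between the classes, ranks low on both.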

Figure 4. CIF values for Syn flood attack dataset features.

Figure 5. Correlation values of Syn flood attack dataset features.

Figure 6. MI values for Syn flood attack dataset features.

Figure 7. Average classification performance of the voting hard and voting soft models.

Figure 8. Comparison between voting hard and voting soft on feature set Set4.

Figure 9. Average detection time of the voting hard and voting soft models.

Figure 10. AUC-ROC curve analysis of the proposed model.
A higher MCC value indicates a more informative and truthful score and supports the model's superiority, especially on imbalanced datasets. The MCC value was calculated for all four reduced feature sets to analyze the model's performance. The model achieved its highest MCC on reduced set Set4, which shows the model's effectiveness. The comparative analysis based on the MCC value for all four sets is shown in Figure 11.

Figure 11. MCC analysis of the model.

• Feature selection techniques: Feature selection is critical to improving the performance of machine learning models. Existing approaches may not have explored all relevant features or used advanced feature selection methods. More effective feature selection techniques could strengthen the overall defense mechanism.
• Collaborative prediction: Some studies have employed multiple machine learning classifiers to improve accuracy, but further exploration of collaborative predictive methods may yield better results. Ensemble methods and meta-learning techniques combine the strengths of different classifiers effectively.
• Handling class-imbalanced data: Dealing with imbalanced datasets is a common challenge in network security. Existing approaches have addressed it to some extent, but more robust techniques are needed to handle class imbalance and avoid bias in the model.
These identified limitations motivated the researchers to develop defense mechanisms that are both more resilient and more efficient in terms of countering amplified reflection and exploitation DDoS

Features such as 'Bwd PSH Flags' and 'Bwd Avg Bulk Rate' are single-value features; hence they were discarded during the experiments. The proposed technique was applied to CICDDoS2019's SSDP, DNS, LDAP, NetBIOS, SNMP, NTP, MSSQL, Portmap, Syn and UDP datasets. An overview of the CICDDoS2019 dataset is given in Table 1.

Figure 2. Workflow of the proposed approach.

Table 2. List of identified features for all individual datasets.

Table 3. Best clusters from each subcluster.

Table 4. Average performance of the voting hard and voting soft models.

Table 5. Performance of the voting hard model on the various datasets using feature set Set4.

Table 6. Comparative analysis of the proposed approach with state-of-the-art techniques.