Applying Hoeffding Tree Algorithms for Effective Stream Learning in IoT DDoS Detection

The constant evolution of botnets to cause DDoS and the non-existence of storage devices in IoT environments with high capacity to save the packets traveling on the network claim an IDS capable of constantly learning about new attacks without the need to save all the IoT traffic. A good solution to this scenario is to use stream learning, but it is important to guarantee that the learning model will be adaptable to concept drift. In this sense, Hoeffding Trees can be employed as the core of an IDS. This paper evaluates the effectiveness of using different Hoeffding Tree algorithms to detect DDoS against IoT devices. The work advances the state of the art by comparing different algorithms, adapting the basic algorithm to the considered scenario, evaluating a recently created dataset, and showing how the algorithms react to concept drift. Results show that the basic Hoeffding Tree algorithm is the most effective option when compared against the Hoeffding Adaptive Tree and ensembles of these trees (0.96/0.12 of average/standard deviation F1-Score vs. 0.90/0.26 and 0.91/0.24 respectively). As an additional contribution, all the code and data produced in the investigation are shared as open-source software and open data. (AU)