A Holistic Approach for Detecting DDoS Attacks by Using Ensemble Unsupervised Machine Learning

Saikat Das 1, Deepak Venugopal 1 and Sajjan Shiva 1
1 The University of Memphis, Memphis, TN 38152, USA
{sdas1, dvngopal, sshiva}@memphis.edu

Abstract. Distributed Denial of Service (DDoS) has been the most prominent attack on cyber-physical systems over the last decade. Defending against DDoS attacks is not only challenging but also strategic. Numerous new strategies and approaches have been proposed to defend against different types of DDoS attacks, and the ongoing battle between attackers and defenders is in full swing, driven by ever newer strategies and techniques on both sides. Machine learning (ML) has shown promising outcomes in many research fields, including cybersecurity. In this paper, an ensemble unsupervised ML approach is used to implement an intrusion detection system that achieves noteworthy accuracy in detecting DDoS attacks. The goal of this research is to increase DDoS attack detection accuracy while decreasing the false positive rate. The NSL-KDD dataset and twelve feature sets from existing research are used for experimentation to compare our ensemble results with those of our individual models and other existing models.

Keywords: Unsupervised Machine Learning Ensemble, Novelty and Outlier Detection, DDoS Detection, Accuracy, IDS, and False Positive Rate.

1 Introduction

From the beginning of the Internet's architectural evolution, the major concerns were the proper way to transmit a packet and the reduction of processing. Cyber attackers easily exploit the existing limitations of the Internet protocols (TCP, UDP, etc.) and the readily available attack tools. A Distributed Denial of Service (DDoS) attack is mostly a network attack that overloads bandwidth with immense inbound or outbound traffic over the network, disrupting normal operation.
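The abstract describes an ensemble of unsupervised (novelty/outlier) detectors whose purpose is to raise detection accuracy while lowering the false positive rate. The following is an added illustration of that idea, not code from the paper: it assumes a majority vote over three simple unsupervised detectors (per-feature z-score, per-feature IQR fence, and a nearest-neighbour distance in min-max scaled space), each trained only on constructed benign flow statistics (packets/s, bytes/s, distinct sources), and it reports accuracy, true positive rate and false positive rate for each detector and for the vote on a small constructed labelled test set. The paper's own experiments use the NSL-KDD dataset and twelve published feature sets; the three features, the 3-sigma and 1.5-IQR limits and the 0.7 neighbour radius here are assumptions chosen for the illustration.

```python
"""Majority-vote ensemble of unsupervised outlier detectors (added example; not
the paper's code). All flow statistics below are constructed."""
import math
import statistics
from typing import Callable, Dict, List, Sequence, Tuple

Flow = Tuple[float, float, float]   # (packets/s, bytes/s, distinct source addresses)
Detector = Callable[[Flow], bool]   # True means "flag as attack"

# Constructed benign training flows: an unsupervised detector sees only these.
NORMAL_TRAIN: List[Flow] = [
    (50, 5000, 5), (52, 5200, 4), (48, 4800, 6), (55, 5500, 5), (45, 4500, 4),
    (50, 5100, 6), (53, 5300, 5), (47, 4700, 5), (51, 4900, 4), (49, 5000, 6),
]

# Constructed labelled test set (True = attack). Comments say which detectors fire.
TEST_SET: List[Tuple[Flow, bool]] = [
    ((50, 5000, 5), False),        # typical flow: nobody fires
    ((56, 5600, 5), False),        # busy but consistent: nobody fires
    ((43, 4400, 4), False),        # quiet but consistent: nobody fires
    ((45, 5500, 4), False),        # odd pps/bps combination: only k-NN fires
    ((58.2, 5000, 5), False),      # just past the IQR fence: only IQR fires
    ((5000, 500000, 900), True),   # volumetric flood: all three fire
    ((50, 5000, 40), True),        # normal rate spread over many sources: all fire
    ((50, 5000, 8), True),         # wide IQR fence on sources: z-score and k-NN fire
    ((58.3, 4500, 5), True),       # under 3 sigma but over the fence and far from neighbours
]


def _columns(rows: Sequence[Flow]) -> List[Tuple[float, ...]]:
    return list(zip(*rows))


def fit_zscore(train: Sequence[Flow], limit: float = 3.0) -> Detector:
    """Flag a flow if any feature is more than `limit` population std devs from the mean."""
    stats = [(statistics.fmean(c), statistics.pstdev(c) or 1e-12) for c in _columns(train)]
    return lambda flow: any(abs(x - mu) / sd > limit for x, (mu, sd) in zip(flow, stats))


def fit_iqr(train: Sequence[Flow], k: float = 1.5) -> Detector:
    """Flag a flow if any feature lies outside the Tukey fences [Q1 - k*IQR, Q3 + k*IQR]."""
    fences = []
    for col in _columns(train):
        s, n = sorted(col), len(col)
        q1, q3 = statistics.median(s[: n // 2]), statistics.median(s[(n + 1) // 2:])
        iqr = q3 - q1
        fences.append((q1 - k * iqr, q3 + k * iqr))
    return lambda flow: any(x < lo or x > hi for x, (lo, hi) in zip(flow, fences))


def fit_nearest_neighbour(train: Sequence[Flow], radius: float = 0.7) -> Detector:
    """Flag a flow whose min-max scaled distance to the closest benign flow exceeds `radius`.
    Unlike the per-feature detectors this catches unusual feature combinations."""
    scale = [(min(c), max(c) - min(c) or 1e-12) for c in _columns(train)]

    def norm(flow: Flow) -> List[float]:
        return [(x - lo) / rng for x, (lo, rng) in zip(flow, scale)]

    ref = [norm(f) for f in train]
    return lambda flow: min(math.dist(norm(flow), r) for r in ref) > radius


def majority_vote(detectors: Sequence[Detector]) -> Detector:
    """Ensemble rule assumed for this example: flag when more than half of the detectors flag."""
    return lambda flow: 2 * sum(d(flow) for d in detectors) > len(detectors)


def evaluate(detector: Detector, labelled: Sequence[Tuple[Flow, bool]]) -> Dict[str, float]:
    """Accuracy, true positive rate and false positive rate of one detector."""
    tp = fp = tn = fn = 0
    for flow, is_attack in labelled:
        flagged = detector(flow)
        if is_attack:
            tp, fn = tp + flagged, fn + (not flagged)
        else:
            fp, tn = fp + flagged, tn + (not flagged)
    return {"accuracy": (tp + tn) / len(labelled), "tpr": tp / (tp + fn), "fpr": fp / (fp + tn)}


def run_experiment() -> Dict[str, Dict[str, float]]:
    """Train each detector on benign flows only, then score individuals and the ensemble."""
    z, iqr, nn = fit_zscore(NORMAL_TRAIN), fit_iqr(NORMAL_TRAIN), fit_nearest_neighbour(NORMAL_TRAIN)
    models = {"zscore": z, "iqr": iqr, "knn": nn, "ensemble": majority_vote([z, iqr, nn])}
    return {name: evaluate(m, TEST_SET) for name, m in models.items()}


if __name__ == "__main__":
    for name, scores in run_experiment().items():
        print(f"{name:9s} acc={scores['accuracy']:.3f} tpr={scores['tpr']:.3f} fpr={scores['fpr']:.3f}")
```

On this constructed set each single detector has a blind spot (the IQR fence misses the many-sources flow, the z-score misses the just-over-the-fence flow, and two detectors each raise one false positive), while the majority vote flags every attack with no false positives. The general point, which is the paper's argument, is that the vote needs no prior knowledge of which individual detector will be best on a given traffic mix; a ratio of 0.7 scaled units or a 3-sigma cut would have to be re-tuned on real data such as NSL-KDD.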
The first well-documented DDoS attack appears to have occurred in August 1999, when a DDoS tool called 'Trinoo' was deployed on at least 227 systems to flood a single University of Minnesota computer, which was knocked down for more than 2 days. In recent years, attacks on financial systems, broadcast systems, and Internet-based services have grown exponentially [1]. Moreover, those attacks are devastating, wide-ranging, easy to implement, and difficult to detect and defend against, posing a major threat to Internet privacy and security. Today's Internet is badly plagued by DDoS attacks, which have escalated drastically over the last decade. In the last couple of years, giants such as GitHub, Amazon, Cloudflare, Facebook, Instagram,