Predicting Application Layer DDoS Attacks Using Machine Learning Algorithms

A Distributed Denial of Service (DDoS) attack is a major threat to cyber security. It is launched at the network layer or the application layer from compromised or attacker-controlled systems connected to the network. Its impact ranges from simple inconvenience in using a particular service to major failures at the targeted server. When heavy traffic flows to a target server, legitimate accesses must be distinguished from attack traffic. In this paper, a novel method is proposed to detect DDoS attacks from traces of traffic flow. An access matrix is built from the traces. Because the access matrix is high-dimensional, Principal Component Analysis (PCA) is used to reduce the set of attributes used for detection. Two classifiers, Naive Bayes and K-Nearest Neighbor (KNN), are used to classify the traffic as normal or abnormal. The performance of each classifier on the PCA-selected attributes and on the original attributes of the access matrix is compared by detection rate and False Positive Rate (FPR).

Keywords: Distributed Denial of Service (DDoS) attack, Application-layer DDoS, DDoS detection, K-Nearest Neighbor classifier, Naive Bayes classifier, Principal Component Analysis.
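The pipeline the abstract describes, end to end, as an added example that is not the paper's code: a constructed HTTP access log is turned into a per-source access matrix, PCA (an SVD of the standardised matrix) reduces it to two components, and Gaussian Naive Bayes and 3-nearest-neighbour classifiers are scored by detection rate and FPR on both the original attributes and the PCA components. The five per-source attributes, the CLF-like log format, the seeded synthetic trace and the use of numpy are all assumptions; the abstract names none of them.

```python
"""Access matrix -> PCA -> Naive Bayes / KNN, scored by detection rate and FPR.
Added example, not the paper's code. Assumed (not given in the abstract): the per-source
attributes below, the CLF-like log format, and a seeded synthetic trace. Needs numpy only."""
import random
import re
from collections import defaultdict
import numpy as np

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d+)\] "(\w+) (\S+) [^"]*" (\d{3}) (\d+)$')


def make_trace(n_normal=60, n_attack=40, seed=7):
    """Constructed trace (not real data): one CLF-like line per request, epoch-second stamps."""
    rng = random.Random(seed)
    pages = [f"/page{i}" for i in range(20)]
    lines, labels = [], {}
    for i in range(n_normal + n_attack):
        ip, attack = f"10.0.{i // 256}.{i % 256}", i >= n_normal
        labels[ip] = int(attack)
        t = rng.randint(0, 30)
        for _ in range(rng.randint(80, 150) if attack else rng.randint(3, 25)):
            if attack:  # HTTP-flood bot: hammers one or two URLs with near-zero think time
                path, status = rng.choice(pages[:2]), rng.choice([200, 200, 503])
                t += rng.choice([0, 1])
            else:       # human browsing: spread across the site, seconds between clicks
                path, status = rng.choice(pages), rng.choice([200] * 9 + [404])
                t += rng.randint(1, 20)
            lines.append(f'{ip} - - [{t}] "GET {path} HTTP/1.1" {status} {rng.randint(200, 5000)}')
    return lines, labels


def access_matrix(lines):
    """One row per source: [requests, distinct URLs, requests/sec, error ratio, top-URL share]."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # malformed lines are skipped rather than allowed to abort detection
            ip, ts, _, path, status, _ = m.groups()
            per_ip[ip].append((int(ts), path, int(status)))
    ips, rows = [], []
    for ip, reqs in per_ip.items():
        ts = sorted(t for t, _, _ in reqs)
        paths = [p for _, p, _ in reqs]
        top = max(paths.count(p) for p in set(paths)) / len(paths)
        errors = sum(s >= 400 for _, _, s in reqs) / len(reqs)
        rows.append([len(reqs), len(set(paths)), len(reqs) / max(ts[-1] - ts[0], 1), errors, top])
        ips.append(ip)
    return ips, np.array(rows, dtype=float)


def pca_fit(X, k):
    """Standardise the columns, then keep the top-k right singular vectors as the projection."""
    mu, sd = X.mean(0), X.std(0) + 1e-9
    _, _, vt = np.linalg.svd((X - mu) / sd, full_matrices=False)
    return mu, sd, vt[:k].T


class GaussianNB:
    def fit(self, X, y):
        self.cls = np.unique(y)
        self.prior = np.array([np.mean(y == c) for c in self.cls])
        self.mu = np.array([X[y == c].mean(0) for c in self.cls])
        self.var = np.array([X[y == c].var(0) + 1e-6 for c in self.cls])
        return self

    def predict(self, X):  # class with the highest log posterior under per-feature Gaussians
        ll = [np.log(p) - 0.5 * np.sum(np.log(2 * np.pi * v) + (X - m) ** 2 / v, axis=1)
              for p, m, v in zip(self.prior, self.mu, self.var)]
        return self.cls[np.argmax(np.vstack(ll), axis=0)]


class KNN:
    k = 3  # neighbours voting on each test row

    def fit(self, X, y):
        self.X, self.y = X, y
        return self

    def predict(self, X):  # majority vote of the k nearest training rows (Euclidean)
        d = ((X[:, None, :] - self.X[None, :, :]) ** 2).sum(-1)
        return (self.y[np.argsort(d, axis=1)[:, :self.k]].mean(1) >= 0.5).astype(int)


def detection_rate_fpr(y_true, y_pred):  # DR = TP/(TP+FN), FPR = FP/(FP+TN)
    pos, neg = y_true == 1, y_true == 0
    return float(np.mean(y_pred[pos] == 1)), float(np.mean(y_pred[neg] == 1))


def evaluate(k_components=2, seed=7):
    """Hold out every third source; score each classifier on all attributes and on PCA components."""
    lines, labels = make_trace(seed=seed)
    ips, X = access_matrix(lines)
    y = np.array([labels[ip] for ip in ips])
    test = np.arange(len(y)) % 3 == 0
    train = ~test
    mu, sd, W = pca_fit(X[train], k_components)          # PCA fitted on training rows only
    Ztr, Zte = (X[train] - mu) / sd, (X[test] - mu) / sd  # all attributes, standardised
    results = {}
    for fname, Xtr, Xte in (("actual", Ztr, Zte), ("pca", Ztr @ W, Zte @ W)):
        for cname, clf in (("nb", GaussianNB()), ("knn", KNN())):
            pred = clf.fit(Xtr, y[train]).predict(Xte)
            results[f"{cname}_{fname}"] = detection_rate_fpr(y[test], pred)
    return results


if __name__ == "__main__":
    for name, (dr, fpr) in evaluate().items():
        print(f"{name:11s} detection rate={dr:.2f} FPR={fpr:.2f}")
```

Two details matter when this is run on real traces rather than the constructed one: the PCA projection and the standardisation constants are fitted on the training rows only, so the held-out scores are not contaminated by test data, and the log parser drops lines that do not match the expected format instead of raising, since an attacker who can inject a malformed line must not be able to take the detector down with it. The synthetic flood is separable by request count and rate alone, so near-perfect scores are expected here; the point of the harness is the four-way comparison of detection rate and FPR across classifier and feature set that the abstract describes.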
