Application Layer DDoS Attack Detection In The Presence Of Flash Crowds
Date
2017-09
Publisher
Addis Ababa University
Abstract
Application layer DDoS attacks are growing at an alarming rate in terms of attack intensity and number of attacks. Attackers target the websites of government agencies as well as private businesses for different motives. One particular research problem is distinguishing application layer DDoS attacks from flash crowds. Both flash crowds and application layer DDoS attacks cause denial of service. Flash crowds come from a sudden surge in traffic of legitimate requests, whereas application layer DDoS attacks are intentionally generated by attackers to cause denial of service. Distinguishing between application layer DDoS attacks and flash crowds is important because the action taken to address each problem is different. Flash crowds are legitimate requests that should be serviced, whereas application layer DDoS attacks are malicious requests that should not be serviced. Furthermore, the source of application layer DDoS attacks should be blocked from making further requests. In this research, a supervised machine learning based application layer DDoS detection approach was proposed to distinguish between application layer DDoS attacks and flash crowds. Features that help distinguish application layer DDoS attacks from legitimate flash crowds were identified. Six supervised classifiers were evaluated using the World Cup 98 flash crowd dataset and an experimentally generated application layer DDoS attack dataset. We selected the decision tree as the supervised classifier in our detection system based on the evaluation results. The decision tree had an F1 score of 99.45% and a false positive rate of 0.47%.
Keywords
APP-DDoS attack, application layer, decision tree classifier, flash crowd, layer7 attacks, supervised machine learning