Yalemzewd, Negash (PhD)
Biruk, Asmare
2020-07-06
2023-11-04
2020-07-06
2023-11-04
2017-09
http://etd.aau.edu.et/handle/123456789/21881

Application layer DDoS attacks are growing at an alarming rate in terms of attack intensity and number of attacks. Attackers target websites of government agencies as well as private businesses for different motives. One particular research problem is distinguishing application layer DDoS attacks from flash crowds. Both flash crowds and application layer DDoS attacks cause denial of service. Flash crowds come from a sudden surge in traffic of legitimate requests, whereas application layer DDoS attacks are intentionally generated by attackers to cause denial of service. Distinguishing between application layer DDoS attacks and flash crowds is important because the action taken to address each problem is different. Flash crowds are legitimate requests which should be serviced, whereas application layer DDoS attacks are malicious requests that should not be serviced. Furthermore, the source of application layer DDoS attacks should be blocked from making further requests. In this research, a supervised machine learning based application layer DDoS detection approach was proposed to distinguish between application layer DDoS attacks and flash crowds. Features that help distinguish application layer DDoS attacks from legitimate flash crowds were identified. Six supervised classifiers were evaluated using the World Cup 98 flash crowd dataset and an experimentally generated application layer DDoS attack dataset. We selected the decision tree as the supervised classifier in our detection system based on the evaluation results. The decision tree had an F1 score of 99.45% and a false positive rate of 0.47%.

en-US
APP-DDoS attack; application layer; decision tree classifier; flash crowd; layer7 attacks; supervised machine learning
Application Layer DDoS Attack Detection In The Presence Of Flash Crowds
Thesis