Predicting Application Layer DDoS Attacks Using Machine Learning Algorithms

A Distributed Denial of Service (DDoS) attack is a major threat to cyber security. It originates from the network layer or the application layer of compromised/attacker systems which are connected to the network. The impact of this attack ranges from simple inconvenience in using a particular service to major failures at the targeted server. When there is heavy traffic flow to a target server, it is necessary to classify legitimate access and attacks. In this paper, a novel method is proposed to detect DDoS attacks from traces of traffic flow. An access matrix is created from the traces. As the access matrix is multi-dimensional, Principal Component Analysis (PCA) is used to reduce the attributes used for detection. Two classifiers, Naive Bayes and K-Nearest Neighbor (KNN), are used to classify the traffic as normal or abnormal. The performance of the classifiers with PCA-selected attributes and with the actual attributes of the access matrix is compared by detection rate and False Positive Rate (FPR).
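The pipeline the abstract describes (trace, access matrix, PCA, Naive Bayes and KNN, detection rate and FPR) is shown below as an added, self-contained Python example; it is not the paper's code, data or attribute set. The trace rows are constructed, the four access-matrix attributes (requests, distinct URLs, error ratio, mean inter-request gap) are hypothetical choices, PCA is done by power iteration with deflation so no third-party library is needed, and the hold-out split is a simple every-third-client rule.

```python
"""Toy pipeline: trace -> access matrix -> PCA -> NB / KNN -> detection rate and FPR."""
import math
import random
from collections import defaultdict

FEATURES = ("requests", "distinct_urls", "error_ratio", "mean_gap_s")  # hypothetical attributes


def make_trace(n_normal=20, n_attack=8, seed=7):
    """Constructed trace rows (timestamp, client, url, status): normal clients browse a
    few pages over ten minutes; attack bots send hundreds of requests to one page in a minute."""
    rng, rows, labels = random.Random(seed), [], {}
    urls = [f"/page{i}" for i in range(10)]
    for i in range(n_normal):
        client = f"10.0.0.{i + 1}"
        labels[client] = 0
        for _ in range(rng.randint(5, 15)):
            status = 200 if rng.random() < 0.9 else 404
            rows.append((rng.uniform(0, 600), client, rng.choice(urls), status))
    for i in range(n_attack):
        client = f"10.0.1.{i + 1}"
        labels[client] = 1
        target = rng.choice(urls[:2])
        for _ in range(rng.randint(200, 400)):
            status = 200 if rng.random() < 0.5 else 503
            rows.append((rng.uniform(0, 60), client, target, status))
    return sorted(rows), labels


def access_matrix(rows):
    """One row per client with the FEATURES above; returns (clients, matrix)."""
    per = defaultdict(list)
    for ts, client, url, status in rows:
        per[client].append((ts, url, status))
    clients, matrix = [], []
    for client, hits in sorted(per.items()):
        times = sorted(h[0] for h in hits)
        gaps = [b - a for a, b in zip(times, times[1:])]
        matrix.append([float(len(hits)), float(len({h[1] for h in hits})),
                       sum(1 for h in hits if h[2] >= 400) / len(hits),
                       sum(gaps) / len(gaps) if gaps else 0.0])
        clients.append(client)
    return clients, matrix


def standardize(matrix):
    """Zero-mean, unit-variance columns so PCA is not dominated by the request count."""
    cols = list(zip(*matrix))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0 for c, m in zip(cols, means)]
    return [[(x - m) / s for x, m, s in zip(row, means, stds)] for row in matrix]


def pca(matrix, k=2, iters=300):
    """Top-k principal components by power iteration with deflation; returns
    (projected rows, components, eigenvalues)."""
    X = standardize(matrix)
    n, d = len(X), len(X[0])
    cov = [[sum(X[r][i] * X[r][j] for r in range(n)) / (n - 1) for j in range(d)] for i in range(d)]
    comps, eigvals = [], []
    for _ in range(k):
        v = [float(i + 1) for i in range(d)]  # non-symmetric start vector
        for _ in range(iters):
            w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(v[i] * sum(cov[i][j] * v[j] for j in range(d)) for i in range(d))
        comps.append(v)
        eigvals.append(lam)
        cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]  # deflate
    return [[sum(r[j] * c[j] for j in range(d)) for c in comps] for r in X], comps, eigvals


def run_knn(tr_X, tr_y, te_X, k=3):
    """K-Nearest Neighbor: majority vote of the k closest training clients."""
    preds = []
    for x in te_X:
        nearest = sorted((math.dist(x, t), y) for t, y in zip(tr_X, tr_y))[:k]
        preds.append(1 if 2 * sum(y for _, y in nearest) > k else 0)
    return preds


def run_nb(tr_X, tr_y, te_X):
    """Gaussian Naive Bayes: per-class, per-feature mean and variance."""
    model = {}
    for c in (0, 1):
        cols = list(zip(*[x for x, y in zip(tr_X, tr_y) if y == c]))
        means = [sum(col) / len(col) for col in cols]
        vars_ = [sum((v - m) ** 2 for v in col) / len(col) + 1e-6 for col, m in zip(cols, means)]
        model[c] = (math.log(tr_y.count(c) / len(tr_y)), means, vars_)
    preds = []
    for x in te_X:
        ll = {c: lp + sum(-0.5 * math.log(2 * math.pi * var) - (xi - m) ** 2 / (2 * var)
                          for xi, m, var in zip(x, means, vars_))
              for c, (lp, means, vars_) in model.items()}
        preds.append(max(ll, key=ll.get))
    return preds


def evaluate(X, y, predict_all):
    """Hold out every third client; return (detection rate, false positive rate)."""
    te = [i for i in range(len(X)) if i % 3 == 0]
    tr = [i for i in range(len(X)) if i % 3 != 0]
    preds = predict_all([X[i] for i in tr], [y[i] for i in tr], [X[i] for i in te])
    count = lambda p, t: sum(1 for pr, i in zip(preds, te) if pr == p and y[i] == t)
    tp, fn, fp, tn = count(1, 1), count(0, 1), count(1, 0), count(0, 0)
    return tp / (tp + fn), fp / (fp + tn)


def pipeline(k_components=2):
    """Compare each classifier on all attributes vs. PCA-selected ones."""
    rows, labels = make_trace()
    clients, matrix = access_matrix(rows)
    y = [labels[c] for c in clients]
    projected, _, eigvals = pca(matrix, k_components)
    results = {}
    for name, clf in (("knn", run_knn), ("nb", run_nb)):
        results[f"{name}_all_attributes"] = evaluate(standardize(matrix), y, clf)
        results[f"{name}_pca_{k_components}"] = evaluate(projected, y, clf)
    return results, eigvals


if __name__ == "__main__":
    res, ev = pipeline()
    print("PCA eigenvalues:", [round(e, 3) for e in ev])
    for key, (dr, fpr) in res.items():
        print(f"{key}: detection rate={dr:.2f} FPR={fpr:.2f}")
```

The constructed bots are deliberately crude (one URL, a burst of hundreds of requests), so both classifiers separate them with or without PCA; on real traces the interesting comparison is how much of the detection rate survives once PCA drops attributes, and how the FPR behaves for bursty but legitimate clients such as crawlers.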
