Predicting Application Layer DDoS Attacks Using Machine Learning Algorithms
Authors: S. Umarani, D. Sharmila
Abstract:
A Distributed Denial of Service (DDoS) attack is a major threat to cyber security. It originates from the network layer or the application layer of compromised/attacker systems which are connected to the network. The impact of this attack ranges from a simple inconvenience in using a particular service to major failures at the targeted server. When there is heavy traffic flow to a target server, it is necessary to classify legitimate access and attacks. In this paper, a novel method is proposed to detect DDoS attacks from the traces of traffic flow. An access matrix is created from the traces. As the access matrix is multidimensional, Principal Component Analysis (PCA) is used to reduce the attributes used for detection. Two classifiers, Naive Bayes and K-Nearest Neighbor, are used to classify the traffic as normal or abnormal. The performance of the classifiers with PCA-selected attributes and with the actual attributes of the access matrix is compared by detection rate and False Positive Rate (FPR).
Keywords: Distributed Denial of Service (DDoS) attack, Application layer DDoS, DDoS Detection, K-Nearest Neighbor classifier, Naive Bayes Classifier, Principal Component Analysis.
Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1099004
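The pipeline the abstract describes (access matrix from traffic traces, PCA attribute reduction, classification, comparison by detection rate and FPR), as an added illustration that is not the paper's code or data: the access matrix rows, their column meanings and the attack labels are constructed here, PCA is implemented by power iteration, and only the K-Nearest Neighbor classifier is shown (Naive Bayes is omitted for space).

```python
import math

# Constructed access matrix (not the paper's data): one row per client in a time window,
# columns [requests, distinct_urls, 4xx_errors, bytes_kb]; label 1 = application-layer flood.
ROWS = [([12, 9, 1, 340], 0), ([8, 7, 0, 210], 0), ([15, 11, 2, 400], 0), ([10, 8, 1, 300], 0),
        ([9, 6, 0, 250], 0), ([14, 10, 1, 380], 0),
        ([480, 2, 90, 60], 1), ([520, 1, 110, 50], 1), ([450, 3, 80, 70], 1), ([600, 1, 140, 40], 1)]

def standardize(matrix):
    """Zero-mean, unit-variance columns so PCA is not dominated by large-valued attributes."""
    cols = list(zip(*matrix))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0 for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(row, means, stds)] for row in matrix]

def pca_components(matrix, k, iters=200):
    """Top-k principal components of the covariance matrix via power iteration with deflation."""
    n, d = len(matrix), len(matrix[0])
    cov = [[sum(r[i] * r[j] for r in matrix) / n for j in range(d)] for i in range(d)]
    comps = []
    for _ in range(k):
        v = [1.0] * d
        for _ in range(iters):
            w = [sum(cov[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = math.sqrt(sum(x * x for x in w)) or 1.0
            v = [x / norm for x in w]
        lam = sum(v[i] * cov[i][j] * v[j] for i in range(d) for j in range(d))  # eigenvalue
        cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]  # deflate
        comps.append(v)
    return comps

def project(matrix, comps):
    """Reduced access matrix: each row expressed in the selected principal components."""
    return [[sum(a * b for a, b in zip(row, c)) for c in comps] for row in matrix]

def knn_predict(train, x, k=3):
    """Majority vote among the k nearest training rows (Euclidean distance)."""
    near = sorted(train, key=lambda t: math.dist(t[0], x))[:k]
    return int(sum(lbl for _, lbl in near) * 2 > k)

def evaluate(rows, k=3):
    """Leave-one-out KNN over (features, label) rows; returns (detection_rate, false_positive_rate)."""
    preds = [(knn_predict(rows[:i] + rows[i + 1:], x, k), y) for i, (x, y) in enumerate(rows)]
    attacks = [p for p, y in preds if y == 1]   # detection rate = attacks flagged / all attacks
    normals = [p for p, y in preds if y == 0]   # FPR = normals flagged / all normals
    return sum(attacks) / len(attacks), sum(normals) / len(normals)

def run(n_components=2):
    """Compare KNN on the full access matrix against KNN on the PCA-reduced matrix."""
    feats, labels = standardize([r for r, _ in ROWS]), [l for _, l in ROWS]
    full = evaluate(list(zip(feats, labels)))
    reduced = evaluate(list(zip(project(feats, pca_components(feats, n_components)), labels)))
    return full, reduced
```

On this clearly separable constructed data both variants reach a detection rate of 1.0 with an FPR of 0.0; the comparison only becomes informative on real traces where the clusters overlap.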