Application layer DDoS attack detection in the presence of flash crowd
Abstract
Application layer DDoS attacks are growing at an alarming rate in terms of both attack intensity and number of attacks. Attackers target websites of government agencies as well as private businesses for different motives. In some situations, application layer DDoS attacks occur together with characteristically analogous flash crowds. This paper focuses on distinguishing application layer DDoS attacks from flash crowds. Both flash crowds and application layer DDoS attacks cause denial of service. Flash crowds come from a sudden surge of legitimate requests, whereas application layer DDoS attacks are intentionally generated by attackers to cause denial of service. Distinguishing between an application layer DDoS attack and a flash crowd is important because the response taken in the case of a flash crowd differs from the response taken for an application layer DDoS attack: flash crowds consist of legitimate requests that should be serviced, while application layer DDoS attacks consist of malicious requests that should not be serviced. In this research, a supervised machine learning based application layer DDoS detection approach is proposed to distinguish between application layer DDoS attacks and flash crowds. Features that help distinguish application layer DDoS attacks from legitimate flash crowds were identified. Six supervised classifiers were evaluated using the World Cup 98 flash crowd dataset and an experimentally generated application layer DDoS attack dataset. The results show that the decision tree outperformed the other classifiers considering the combination of classification time, F1-score and false positive rate (FPR). The decision tree has an F1-score of 99.45% and a false positive rate of 0.47%.
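As an added illustration (not the paper's code, features or datasets), the following Python block sketches the pipeline the abstract describes: per-client features computed from constructed request logs, hand-written decision rules standing in for a trained decision tree, and the F1-score and FPR metrics used to compare classifiers. The features, thresholds, sample clients and labels are assumptions chosen for illustration only.

```python
from statistics import pvariance

# Constructed per-client request logs: list of (timestamp_seconds, url) plus a label.
# Label True = application layer DDoS bot, False = legitimate flash-crowd client.
# These clients, features and thresholds are illustrative assumptions, not the paper's.
CLIENTS = {
    "bot-1":    ([(t * 0.1, "/index.php") for t in range(60)], True),
    "bot-2":    ([(t * 0.1, "/search?q=x") for t in range(60)], True),
    "human-1":  ([(0.0, "/"), (2.3, "/match/live"), (5.1, "/img/logo.png"), (9.8, "/scores")], False),
    "human-2":  ([(0.0, "/"), (1.1, "/news"), (4.0, "/match/live"), (4.5, "/img/a.png"), (7.2, "/scores")], False),
    "human-3":  ([(0.0, "/scores"), (0.7, "/match/live"), (3.9, "/news")], False),
    # A legitimate user hammering the refresh button during a flash crowd.
    "human-4":  ([(t * 0.3, "/scores") for t in range(12)], False),
}

def features(requests):
    """Assumed per-client features: request rate (req/s), fraction of distinct URLs,
    and variance of inter-arrival gaps (bots tend to be fast, repetitive and regular)."""
    times = [t for t, _ in requests]
    span = (max(times) - min(times)) or 1.0
    rate = len(requests) / span
    distinct_ratio = len({u for _, u in requests}) / len(requests)
    gaps = [b - a for a, b in zip(times, times[1:])] or [0.0]
    return rate, distinct_ratio, pvariance(gaps)

def classify(feat):
    """Hand-written decision rules standing in for a trained decision tree."""
    rate, distinct_ratio, gap_var = feat
    if rate > 5.0 and distinct_ratio < 0.2:   # very fast and almost no URL variety
        return True
    if gap_var < 1e-6 and rate > 2.0:         # machine-regular timing at a brisk rate
        return True
    return False

def evaluate(clients):
    """Confusion counts, F1-score and FPR. FPR is the share of legitimate
    flash-crowd clients that the detector would wrongly treat as attackers."""
    tp = fp = fn = tn = 0
    for requests, is_attack in clients.values():
        pred = classify(features(requests))
        tp += pred and is_attack
        fp += pred and not is_attack
        fn += (not pred) and is_attack
        tn += (not pred) and not is_attack
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn, "f1": f1, "fpr": fpr}

if __name__ == "__main__":
    print(evaluate(CLIENTS))
```

The refresh-happy client is caught by the timing rule, which is exactly the kind of error FPR measures: each false positive is a legitimate flash-crowd user denied service, so a classifier is judged on FPR alongside F1-score rather than on F1-score alone.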