DDoS Detection Using HTTP Communication Flow Analysis


Over the past few years, Application Layer DDoS attacks have become increasingly popular because of the minimal security typically applied at the application layer. This type of attack tries to exhaust a web server's resources by overloading it with a massive number of HTTP requests. As long as the content of the requests is legitimate in form and the request rate adheres to the protocol limits, an intrusion detection system (IDS) can hardly detect such attacks. The one factor that can still distinguish attackers from legitimate users is their browsing behaviour, since the attackers' browsing behaviour differs significantly from that of legitimate users. Exploiting that factor, this research introduces a novel approach to accurately distinguish between attackers and legitimate users. The approach observes the HTTP communication flow, extracts characteristics that describe a user's browsing behaviour (i.e. page request sequence, request rates, and request and content distribution), and models them into a form that can be analysed by a machine-learning algorithm. The probabilistic model produced by that machine-learning algorithm is then used to distinguish attackers from legitimate users. Evaluation results based on a collected data set demonstrate that this approach is accurate and effective in detecting Application Layer Distributed Denial of Service attacks.
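
As an added illustration (not code from the report or its GitHub repository), the feature-extraction step described above, run over a constructed access-log sample: per-client request rate, share of page (non-asset) requests, distinct-path ratio and consecutive-repeat ratio, the kind of browsing-behaviour vector that would be fed to the Random Forest classifier. The feature definitions are one reading of the abstract's list, not the report's exact ones.

```python
import re
from datetime import datetime

# Constructed Common Log Format sample; not taken from the report's data set.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /style.css HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /logo.png HTTP/1.1" 200 8192
198.51.100.7 - - [10/Oct/2023:13:55:52 +0000] "GET /about.html HTTP/1.1" 200 1800
198.51.100.7 - - [10/Oct/2023:13:56:30 +0000] "GET /contact.html HTTP/1.1" 200 1700
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=a HTTP/1.1" 200 9000
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=a HTTP/1.1" 200 9000
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=a HTTP/1.1" 200 9000
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /search?q=a HTTP/1.1" 200 9000
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /search?q=a HTTP/1.1" 200 9000
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')
ASSET_EXT = ('.css', '.js', '.png', '.jpg', '.gif', '.ico', '.woff')  # static content

def parse(log):
    """Yield (client, timestamp, path, status, bytes) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole batch
        ip, ts, method, path, status, size = m.groups()
        yield ip, datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S %z'), path, int(status), int(size)

def client_features(log):
    """Per-client behaviour vector: rate, page share, distinct ratio, repeat ratio."""
    per_ip = {}
    for ip, ts, path, status, size in parse(log):
        per_ip.setdefault(ip, []).append((ts, path))
    feats = {}
    for ip, reqs in per_ip.items():
        reqs.sort()  # order by time so the request sequence is meaningful
        n = len(reqs)
        span = (reqs[-1][0] - reqs[0][0]).total_seconds() + 1  # +1 avoids a zero window
        paths = [p for _, p in reqs]
        pages = sum(1 for p in paths if not p.split('?')[0].lower().endswith(ASSET_EXT))
        repeats = sum(1 for a, b in zip(paths, paths[1:]) if a == b)
        feats[ip] = {
            'rate': round(n / span, 3),                       # requests per second
            'page_share': round(pages / n, 3),                # content distribution
            'distinct_ratio': round(len(set(paths)) / n, 3),  # breadth of browsing
            'repeat_ratio': round(repeats / max(n - 1, 1), 3),  # sequence repetition
        }
    return feats
```

A browser fetching a page pulls its assets and then moves on, so its vector shows a low rate, mixed content and no repeats, while the flooding client shows a high rate, a single repeated path and no asset requests.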

Subject Descriptors:

  • 1998 ACM Computing Classification System
    1. C.2.0 Computer-Communication Networks (Security and protection)
  • 2012 ACM Computing Classification System
    1. Intrusion detection systems
    2. Denial-of-service attacks

Key Words:

  • Intrusion Detection
  • Distributed Denial of Service
  • Machine Learning
  • Random Forests
  • Complete report: (contact me)
  • Source code: github