S. Selvakumar

Work place: National Institute of Technology, Tiruchirappalli

E-mail: ssk@nitt.edu

Research Interests: Computer Architecture and Organization, Information Security, Network Architecture, Network Security, Data Structures and Algorithms

Biography

Dr S. Selvakumar is Professor and Head of the Department of Computer Science and Engineering, National Institute of Technology, Tiruchirappalli, Tamil Nadu, India. He received his B. E. degree in Electronics and Communication Eng. from TCE Madurai (1983) and his M. E. degree in CSE from REC, Tiruchirappalli (1987). He received his Ph. D. from the Indian Institute of Technology Madras (IITM), Chennai in 1999. His research interests include Network Security, Wireless Sensor Networks, Mobile Networks, Group communication in high-speed networks, Routing Protocols, Multimedia communication, and Scheduling for QoS guarantee. He has 62 published research papers to his credit. Two Ph. D. and two M.S. (by research) degrees have been awarded under his guidance, and he is currently guiding three Ph.D. scholars and two M.S. (by research) scholars. He has completed a 5 year (2007-12) multi-institutional research project on Collaborative Directed Basic Research in Smart and Secure Environment (CDBR-SSE) funded by NTRO, Govt. of India, New Delhi. He is presently a member of the All India Board of IT Education, AICTE, New Delhi.

Author Articles
Auto-Pattern Programmable Kernel Filter (Auto-PPKF) for Suppression of Bot Generated Traffic

By Kritika Govind, S. Selvakumar

DOI: https://doi.org/10.5815/ijcnis.2014.01.07, Pub. Date: 8 Nov. 2013

Bots usually vary from their other malicious counterparts by periodically reporting to the botmaster through regular exchange of messages. Our experiments on bot attack generation showed a continuous exchange of packets with similar content between the botmaster and the zombie machine at various time intervals. Though there were also genuine packets with similar content being sent out of the victim machine, the challenge was to differentiate between the two and pass only the genuine ones. In this paper, an algorithm, namely Auto-Pattern Programmable Kernel Filter (Auto-PPKF), for automatic detection of patterns from packet payload for filtering out malicious packets generated by bots is proposed. The significant feature of our proposed Auto-PPKF algorithm is that the malicious pattern is deduced at kernel level on the fly from packet payload. Traditional algorithms such as Boyer Moore, Knuth Morris Pratt, and Naive Pattern search algorithms require the pattern to be identified and available a priori. Currently, the Longest Common Subsequence (LCS) algorithm stands as the most preferred algorithm for pattern matching. But the disadvantage is that common sequences can also exist in many genuine packets. Hence, the challenge lies in automatic detection of malicious patterns and filtering of the packets having such malicious patterns. This would not only put off the communication between the botmaster and zombie machine, but will also prevent user information from being sent to the botmaster.

Threshold Based Kernel Level HTTP Filter (TBHF) for DDoS Mitigation

By Mohamed Ibrahim AK, Lijo George, Kritika Govind, S. Selvakumar

DOI: https://doi.org/10.5815/ijcnis.2012.12.03, Pub. Date: 8 Nov. 2012

HTTP flooding attack has a unique feature of interrupting application level services rather than depleting the network resources as in any other flooding attacks. Bombarding of HTTP GET requests to a target results in Denial of Service (DoS) of the web server. Usage of shortened Uniform Resource Locator (URL) is one of the best ways to unknowingly trap users for their participation in HTTP GET flooding attack. The existing solutions for HTTP attacks are based on browser level cache maintenance, CAPTCHA technique, and usage of Access Control Lists (ACL). Such techniques fail to prevent dynamic URL based HTTP attacks. To come up with a solution for the prevention of such kind of HTTP flooding attack, a real time HTTP GET flooding attack was generated using d0z-me, a malicious URL shortener tool. When the user clicked the shortened URL, it was found that the user intended web page was displayed in the web browser. But simultaneously, an avalanche of HTTP GET requests was generated at the backdrop to the web server based on the scripts downloaded from the attacker. Since HTTP GET request traffic is part of any genuine internet traffic, it becomes difficult for the firewall to detect such kind of attacks. This motivated us to propose a Threshold Based Kernel Level HTTP Filter (TBHF), which would prevent internet users from taking part in such kind of Distributed Denial of Service (DDoS) attacks unknowingly. Windows Filtering Platform (WFP), which is an Application Programming Interface (API), was used to develop TBHF. The proposed solution was tested by installing TBHF on a victim machine and generating the DDoS attack. It was observed that the TBHF completely prevented the user from participating in DDoS attack by filtering out the malicious HTTP GET requests while allowing other genuine HTTP GET requests generated from that system.

M2KMIX: Identifying the Type of High Rate Flooding Attacks using a Mixture of Expert Systems

By Arun Raj Kumar P., S. Selvakumar

DOI: https://doi.org/10.5815/ijcnis.2012.01.01, Pub. Date: 8 Feb. 2012

High rate flooding attacks such as SYN flood, UDP flood, and HTTP flood have been posing a perilous threat to Web servers, DNS servers, Mail servers, VoIP servers, etc. These high rate flooding attacks deplete the limited capacity of the server resources. Hence, there is a need for the protection of these critical resources from high rate flooding attacks. Existing detection techniques used in Firewalls, IPS, IDS, etc., fail to identify the illegitimate traffic due to the self-similarity nature of legitimate traffic and suffer from low detection accuracy and high false alarms. Also, very few in the literature have focused on identifying the type of attack. This paper focuses on the identification of the type of high rate flooding attack with high detection accuracy and fewer false alarms. The attack type identification is achieved by training the classifiers with different feature subsets. Therefore, each trained classifier is an expert in a different feature space. High detection accuracy is achieved by creating a mixture of expert classifiers and the ensemble output decisions are identified by our proposed Preferential Agreement (PA) rule. Our proposed classification algorithm, M2KMix (mixture of two Multi Layer Perceptron and one K-Nearest Neighbor models) differs from the existing solutions in feature selection, error cost reduction, and attack type identification. M2KMix was trained and tested with our own SSE Lab 2011 dataset and CAIDA dataset. Detection accuracy and False Alarms are the two metrics used to analyze the performance of the proposed M2KMix algorithm with the existing output combination methods such as mean, maximum, minimum, and product. From the simulation results, it is evident that M2KMix algorithm achieves high detection accuracy (97.8%) with fewer false alarms than the existing output combination methods. M2KMix identifies three types of flooding attacks, viz., the SYN Flood, UDP flood, and HTTP Flood, effectively with detection accuracy of 100%, 93.75%, and 97.5%, respectively.
