DDoS Attacks Detection in the Application Layer Using Three Level Machine Learning Classification Architecture

Full Text (PDF, 594KB), PP.33-46


Author(s)

Bassam M. Kanber 1,*, Naglaa F. Noaman 2, Amr M. H. Saeed 3, Mansoor Malas 4

1. School of Computer Science and Technology, Xidian University

2. School of Artificial Intelligence, Xidian University

3. School of Computer Science and Technology Engineering, Northwestern Polytechnical University

4. School of Communication, Xidian University

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2022.03.03

Received: 2 Jan. 2022 / Revised: 16 Feb. 2022 / Accepted: 7 Apr. 2022 / Published: 8 Jun. 2022

Index Terms

CatBoost, CICDDoS2019, DDoS, LGBM, XGBoost

Abstract

Distributed Denial of Service (DDoS) is an ever-changing type of attack in cybersecurity, and the growing demand for cloud and web services makes it a never-ending challenge for these lucrative businesses. DDoS attacks disrupt users' access to the targeted online services, leading to significant business loss. This article presents a three-level architecture for detecting DDoS attacks at the application layer. The first level selects the best features of the samples and classifies the traffic as either benign or malicious; the second level is a hard voting classifier that identifies the DDoS source as UDP-, TCP-, or Mixed-based; the last level assigns the attack to its specific DDoS type. The approach is validated on the CIC-DDoS2019 dataset, using time, accuracy score, and precision as the performance metrics. Compared to existing machine learning (ML) approaches, the proposed architecture shows substantial improvements in both binary and multiclass classification of application-layer DDoS attacks.
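The three-level cascade described in the abstract, as an added illustration that is not the paper's code: level 1 ranks flow features by a Fisher score and separates benign from attack traffic, level 2 takes a hard (majority) vote of three base learners over the UDP / TCP / Mixed source classes, and level 3 resolves the attack type within the chosen family. The flow records, the four feature names, the attack type names and the nearest-centroid / nearest-neighbour base learners are all constructed stand-ins for the paper's CIC-DDoS2019 features, feature selector and gradient-boosting models.

```python
from collections import Counter
import math

FEATURES = ["pkt_rate", "avg_len", "syn_ratio", "udp_ratio"]  # constructed feature set


def _flow(rate, length, syn, udp):
    return {"pkt_rate": rate, "avg_len": length, "syn_ratio": syn, "udp_ratio": udp}


# Constructed training flows: (features, family, attack type). The family labels
# UDP / TCP / Mixed are the paper's level-2 classes; the type names are made up.
TRAIN = [
    (_flow(15, 900, 0.04, 0.2), "benign", "benign"),
    (_flow(30, 700, 0.06, 0.1), "benign", "benign"),
    (_flow(25, 1100, 0.03, 0.3), "benign", "benign"),
    (_flow(40, 650, 0.05, 0.0), "benign", "benign"),
    (_flow(9000, 60, 0.0, 1.0), "UDP", "udp_flood"),
    (_flow(8500, 70, 0.0, 1.0), "UDP", "udp_flood"),
    (_flow(6000, 1400, 0.0, 1.0), "UDP", "amplification"),
    (_flow(5500, 1300, 0.0, 1.0), "UDP", "amplification"),
    (_flow(9500, 60, 0.95, 0.0), "TCP", "syn_flood"),
    (_flow(8800, 64, 0.9, 0.0), "TCP", "syn_flood"),
    (_flow(3000, 500, 0.02, 0.0), "TCP", "http_flood"),
    (_flow(3500, 450, 0.03, 0.0), "TCP", "http_flood"),
    (_flow(7000, 300, 0.5, 0.5), "Mixed", "mixed_flood"),
    (_flow(7500, 280, 0.45, 0.55), "Mixed", "mixed_flood"),
]


def fisher_score(rows, labels, feat):
    """Between-class separation of one feature for binary labels 0 (benign) / 1 (attack)."""
    groups = {0: [], 1: []}
    for row, y in zip(rows, labels):
        groups[y].append(row[feat])
    means = {y: sum(v) / len(v) for y, v in groups.items()}
    variances = {y: sum((x - means[y]) ** 2 for x in v) / len(v) for y, v in groups.items()}
    return (means[1] - means[0]) ** 2 / (variances[0] + variances[1] + 1e-9)


def select_features(rows, labels, k):
    """Level-1 feature selection: keep the k features with the highest Fisher score."""
    return sorted(FEATURES, key=lambda f: fisher_score(rows, labels, f), reverse=True)[:k]


class Scaler:
    """Per-feature z-scoring fitted on exactly the rows a given model is trained on."""
    def __init__(self, rows, feats):
        self.feats = feats
        self.mean = {f: sum(r[f] for r in rows) / len(rows) for f in feats}
        self.std = {}
        for f in feats:
            var = sum((r[f] - self.mean[f]) ** 2 for r in rows) / len(rows)
            self.std[f] = math.sqrt(var) or 1.0  # constant feature: leave it unscaled

    def vec(self, row):
        return [(row[f] - self.mean[f]) / self.std[f] for f in self.feats]


def _dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


class NearestCentroid:
    """Predicts the label whose (standardized) class mean is closest to the flow."""
    def __init__(self, feats):
        self.feats = feats

    def fit(self, rows, labels):
        self.scaler = Scaler(rows, self.feats)
        by_label = {}
        for row, y in zip(rows, labels):
            by_label.setdefault(y, []).append(self.scaler.vec(row))
        self.centroids = {y: [sum(c) / len(vs) for c in zip(*vs)] for y, vs in by_label.items()}
        return self

    def predict(self, row):
        v = self.scaler.vec(row)
        return min(self.centroids, key=lambda y: _dist2(v, self.centroids[y]))


class NearestNeighbour:
    """1-NN base learner: the label of the closest training flow."""
    def __init__(self, feats):
        self.feats = feats

    def fit(self, rows, labels):
        self.scaler = Scaler(rows, self.feats)
        self.points = [(self.scaler.vec(r), y) for r, y in zip(rows, labels)]
        return self

    def predict(self, row):
        v = self.scaler.vec(row)
        return min(self.points, key=lambda p: _dist2(v, p[0]))[1]


def hard_vote(predictions):
    """Majority label across base learners; ties fall back to the fixed order UDP, TCP, Mixed."""
    counts = Counter(predictions)
    best = max(counts.values())
    order = ["UDP", "TCP", "Mixed"]
    return min((lbl for lbl, c in counts.items() if c == best), key=order.index)


class ThreeLevelCascade:
    def fit(self, data, k=3):
        rows = [d[0] for d in data]
        is_attack = [0 if d[1] == "benign" else 1 for d in data]
        self.selected = select_features(rows, is_attack, k)            # level 1: feature selection
        self.level1 = NearestCentroid(self.selected).fit(rows, is_attack)  # level 1: benign vs attack
        attacks = [d for d in data if d[1] != "benign"]
        a_rows, families = [d[0] for d in attacks], [d[1] for d in attacks]
        self.level2 = [  # level 2: three base learners whose votes are combined by hard_vote
            NearestCentroid(self.selected).fit(a_rows, families),
            NearestCentroid(["syn_ratio", "udp_ratio"]).fit(a_rows, families),
            NearestNeighbour(FEATURES).fit(a_rows, families),
        ]
        self.level3 = {}  # level 3: one per-family model mapping the flow to an attack type
        for fam in set(families):
            fam_data = [d for d in attacks if d[1] == fam]
            self.level3[fam] = NearestCentroid(FEATURES).fit([d[0] for d in fam_data], [d[2] for d in fam_data])
        return self

    def predict(self, row):
        if self.level1.predict(row) == 0:
            return {"traffic": "benign", "family": None, "type": None}
        family = hard_vote([m.predict(row) for m in self.level2])
        return {"traffic": "attack", "family": family, "type": self.level3[family].predict(row)}
```

Each level is trained only on the rows that reach it (level 2 on attack flows, level 3 on one family), which is what makes a cascade cheaper than a single flat multiclass model: most benign traffic is answered at level 1 and never touches the later models. The majority vote also matters on this data: the centroid learner on the selected features can confuse a UDP flood with Mixed traffic, and the other two learners outvote it.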

Cite This Paper

Bassam M. Kanber, Naglaa F. Noaman, Amr M. H. Saeed, Mansoor Malas, "DDoS Attacks Detection in the Application Layer Using Three Level Machine Learning Classification Architecture", International Journal of Computer Network and Information Security(IJCNIS), Vol.14, No.3, pp.33-46, 2022. DOI:10.5815/ijcnis.2022.03.03
