Deakin University
File(s) under permanent embargo

ALDD: a hybrid traffic-user behavior detection method for application layer DDoS

conference contribution
posted on 2018-01-01, 00:00 authored by J Jiang, Q Yu, M Yu, Gang Li, J Chen, K Liu, C Liu, W Huang
Distributed Denial of Service (DDoS) has been one of the most critical threats to internet applications and web services. Especially with the current advances in network technology, many attackers resort to application layer DDoS (ALDDoS), which utilizes legitimate requests to overwhelm the victim servers. Under this kind of attack, the single request content can be highly similar to normal ones, and this renders previous traffic feature-based detection methods void. In this paper, we are addressing two common issues in ALDDoS detection methods: the inaccuracy of traffic feature-based detecting algorithms, and the time and space complexity of user behavior-based detecting algorithms. Different from the existing detection pattern for each request, the detection pattern used in this paper is for a time window. We extract instances of traffic and user behaviors from web server logs, and propose a hybrid traffic-user behavior detection method for ALDDoS. Neural network is adopted for further cluster analysis. Experimental results on the recent public dataset CICIDS2017 indicate that the proposed method can achieve high detection accuracy while reducing 90% of time cost.

History

Event

IEEE Computer Society. Conference (2018 : New York, N.Y.)

Series

IEEE Computer Society Conference

Pagination

1565 - 1569

Publisher

Institute of Electrical and Electronics Engineers

Location

New York, N.Y.

Place of publication

Piscataway, N.J.

Start date

2018-08-01

End date

2018-08-03

ISBN-13

9781538643877

Language

eng

Publication classification

E1 Full written paper - refereed

Copyright notice

2018, IEEE

Editor/Contributor(s)

[Unknown]

Title of proceedings

TrustCom/BigDataSE 2018 : Proceedings of the 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications and 12th IEEE International Conference on Big Data Science and Engineering
