Investigation of Application Layer DDoS Attacks Using Clustering Techniques

Full Text (PDF, 452KB), PP.1-13

Views: 0 Downloads: 0


T. Raja Sree 1 S. Mary Saira Bhanu 1

1. Department of Computer Science and Engineering, National Institute of Technology, Tiruchirappalli - 629501, India.

* Corresponding author.


Received: 1 Mar. 2017 / Revised: 14 Jun. 2017 / Accepted: 4 Sep. 2017 / Published: 8 May 2018

Index Terms

Self Organizing Map, k-means, Genetic Algorithm k-means, DDoS attack


The exponential usage of internet attracts cyber criminals to commit crimes and attacks in the network. The forensic investigator investigates the crimes by determining the series of actions performed by an attacker. Digital forensic investigation can be performed by isolating the hard disk, RAM images, log files etc. It is hard to identify the trace of an attack by collecting the evidences from network since the attacker deletes all possible traces. Therefore, the possible way to identify the attack is from the access log traces located in the server. Clustering plays a vital role in identifying attack patterns from the network traffic. In this paper, the performance of clustering techniques such as k-means, GA k-means and Self Organizing Map (SOM) are compared to identify the source of an application layer DDoS attack. These methods are evaluated using web server log files of an apache server and the results demonstrate that the SOM based method achieves high detection rate than k-means and GA k-means with less false positives.

Cite This Paper

T. Raja Sree, S. Mary Saira Bhanu," Investigation of Application Layer DDoS Attacks Using Clustering Techniques", International Journal of Wireless and Microwave Technologies(IJWMT), Vol.8, No.3, pp. 1-13, 2018. DOI: 10.5815/ijwmt.2018.03.01


[1]Scarfone, K., Mell, P.: Guide to intrusion detection and prevention systems (IDPS) NIST Special Publications 800-94,1–127 (2007).

[2]Kaspersky Labs, Global it security risks survey 2014 Distributed Denial of Service (DDoS) attacks, 2014,

[3]DDoS attack, (Accessed on 25/11/2015).

[4]W. Lee, S. J. Stolfo, “Data mining approaches for intrusion detection,” Columbia University, New York dept. of computer science, 2000.

[5]Zhang, Z., Li, J., Manikopoulos, C., Jorgenson, J., Ucles, J.: HIDE: a Hierarchical Network Intrusion Detection System using statistical preprocessing and Neural Network classification, In: Proceedings of IEEE Workshop on Information Assurance and Security, pp. 85–90, (2001).

[6]Govindarajan, M., Chandrasekaran, R.: Intrusion Detection using neural based hybrid classification methods, J. Comput. Netw., vol. 55, 1662–1671, (2011). 

[7]Hu, W., Liao, Y., Vemuri, V. R.: Robust anomaly detection using Support Vector Machines, In: Proceedings of International Conference on Machine Learning, pp. 592–597, (2003).

[8]Adrian T.N. Palmer, Computer Forensics, The six steps, US-CERT, (2008).

[9]Liao, N., Tian, S., Wang, T.: Network forensics based on fuzzy logic and expert system, J. Computer Communications, vol. 32, 1881—1892, (2009).

[10]Carrier, B.: File System Forensic Analysis, Addison-Wesley Professional, (2005).

[11]Liao, H. J., Lin, C.-H.R., Lin Y.C., Tung, K.Y.: Intrusion Detection System: a comprehensive review, J. Netw. Comput. Appl., vol. 36, 16–24, (2013).

[12]A. A. Sebyala, T. Olukemi, L. Sacks, and D. L. Sacks, “Active platform security through intrusion detection using naive bayesian network for anomaly detection,” In London Communications Symposium, pp.1-5, 2002.

[13]S. S. Kim, A. L. N. Reddy, M. Vannucci, “Detecting traffic anomalies at the source through aggregate analysis of packet header data,” Springer Verilog, pp.1-13, 2004.

[14]M. H. Bhuyan, D. K. Bhattacharyya, and J. K. Kalita, ”An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection,” Pattern Recognition Letters, vol: 51, pp. 1-7, 2015.

[15]T. Yatagai, T. Isohara and I. Sasase, “Detection of HTTP-GET flood attack based on analysis of page access behavior,” In Communications, Computers and Signal Processing, IEEE Pacific Rim Conference, pp. 232-235, 2007.

[16]K. Lee, J. Kim, K. H. Kwon, Y. Han and S. Kim, “DDoS attack detection method using cluster analysis,” Expert Systems with Applications, vol. 34, No. 3, pp. 1659-1665, 2008.

[17]H. Oh and K. Chae, “Real-Time Intrusion Detection System Based on Self- Organized Maps and Feature Correlations,” In Convergence and Hybrid Information Technology, 3rd IEEE International Conference on ICCIT’08, vol. 2, pp. 1154-1158, 2008.

[18]A. Konar and R. C. Joshi, ”An Efficient Intrusion Detection System Using Clustering Combined with Fuzzy Logic,” Contemporary Computing, Springer Berlin Heidelberg, pp. 218-228, 2010. 

[19]Sree TR, Bhanu SM. Identifying HTTP DDoS Attacks Using Self Organizing Map and Fuzzy Logic in Internet Based Environments. In Proceedings of 3rd International Conference on Advanced Computing, Networking and Informatics 2016 (pp. 259-269). Springer, India.

[20]Kruegel, C., Vigna, G.: Anomaly detection of web based attacks. In: Proceedings of the 10th ACM conference on communications security, pp. 251–261, ACM, (2003).

[21]M. Zolotukhin and T.Hamalainen, ”Detection of anomalous http requests based on advanced n-gram model and clustering techniques,” Internet of Things, Smart Spaces, and Next Generation Networking, Springer Berlin Heidelberg, 371-382, 2013.

[22]Bhuyan MH, Bhattacharyya DK, Kalita JK. An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection. Pattern Recognition Letters. 2015 Jan 1;51:1-7.

[23]Maggi, F., Robertson, W., Kruegel, C., Vigna, G.: Protecting a moving target: Addressing web application concept drift. In: Kirda, E., Jha, S., Balzarotti, D., (eds.), Recent Advances in Intrusion Detection 2009. LNCS, vol. 5758, pp. 21–40. Springer, Berlin Heidelberg (2009).

[24]Chwalinski P, Belavkin R, Cheng X. Detection of HTTP-GET attack with clustering and information theoretic measurements. In: Foundations and Practice of Security. Springer; 2013. p. 45-61.

[25]Z. Pabarskaite, “Enhancements of preprocessing, analysis and preparation techniques in web log mining,” Vilnius Technikes, 2009.

[26]D. E. Golberg,”Genetic algorithms in search, optimization, and machine learning,” Addison Wesley, 1999. 

[27]P. G. Kumar and D. Devaraj, ”Improved genetic algorithm for optimal design of fuzzy classifier,” International Journal of Computer Applications in Technology, vol. 35. No. 2, pp.97- 103, 2009.

[28]T. Kohonen, ”Self-organized formation of topologically correct feature maps,” Biological cybernetics, vol. 43 No. 1, pp. 59-69, 1982. 

[29]SOM Toolbox for Matlab,

[30]HULK attack,

[31]OWASP HTTP DdoS attack, 

[32]HOIC attack tool,