Detection of LDDoS Attacks Based on TCP Connection Parameters
Michael Siracusano, Stavros Shiaeles, Bogdan Ghita

TL;DR
This paper presents a machine learning-based method for detecting LDDoS attacks by analyzing TCP connection features, achieving near-perfect classification accuracy with decision trees and k-NN algorithms.
Contribution
It introduces a novel detection approach using TCP flow characteristics and evaluates multiple AI algorithms, demonstrating high accuracy and low false rates.
Findings
Decision trees and k-NN classify attacks with 99.99% accuracy.
The method effectively distinguishes malicious from legitimate TCP flows.
High potential for AI-based LDDoS detection in real-world scenarios.
Abstract
Low-rate application layer distributed denial of service (LDDoS) attacks are both powerful and stealthy. They force vulnerable web servers to open all available connections to the adversary, denying resources to real users. Mitigation advice focuses on solutions that potentially degrade quality of service for legitimate connections. Furthermore, without accurate detection mechanisms, distributed attacks can bypass these defences. A methodology for detection of LDDoS attacks, based on characteristics of malicious TCP flows, is proposed within this paper. Research will be conducted using combinations of two datasets: one generated from a simulated network, the other from the publicly available CIC DoS dataset. Both contain the attacks slowread, slowheaders and slowbody, alongside legitimate web browsing. TCP flow features are extracted from all connections. Experimentation was carried…
Taxonomy
Methods: k-Nearest Neighbors
