ABSTRACT

This chapter describes an anomaly detection system for slow Hypertext Transfer Protocol (HTTP) distributed denial-of-service (DDoS) attacks using network flow data. Slow DDoS attacks generally target the application layer: the attacker sends bogus requests to the server that impersonate legitimate requests. High-volume DDoS attacks send a huge number of requests to the victim; the attack traffic is usually generated using network and transport layer protocols. In an amplification attack, the attacker crafts a request that generates a larger response. To generate a very high rate of attack traffic, attackers combine reflectors and amplification techniques. In a slowloris attack, the attacker sends multiple partial requests to the server. Kemp et al. used NetFlow-based machine learning techniques to detect slow read attacks on web servers at the application layer. The flow extractor component takes network packets as input and groups them into network flow data.
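The flow-extraction step named in the abstract, sketched as an added example (not the chapter's own code): packets are grouped by 5-tuple into flow records, with an idle timeout splitting flows. The packet fields, the 60-second timeout, the feature names and the sample packets are assumptions constructed for illustration.

```python
from collections import namedtuple

# Constructed packet record: timestamp (s), 5-tuple fields, payload bytes.
Packet = namedtuple("Packet", "ts src sport dst dport proto length")

def summarize(f):
    """Turn an accumulated flow into a feature record (names are assumed)."""
    duration = f["last"] - f["first"]
    return {
        "key": f["key"],
        "duration": duration,
        "packets": f["packets"],
        "bytes": f["bytes"],
        # Long duration with a very low byte rate is what a slow-HTTP
        # detector would examine; None for single-packet flows.
        "byte_rate": f["bytes"] / duration if duration > 0 else None,
    }

def extract_flows(packets, idle_timeout=60.0):
    """Group packets into unidirectional flows keyed by the 5-tuple.

    A gap longer than idle_timeout (assumed value) between two packets of
    the same 5-tuple closes the flow and starts a new one.
    """
    active, done = {}, []
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        f = active.get(key)
        if f is not None and p.ts - f["last"] > idle_timeout:
            done.append(active.pop(key))
            f = None
        if f is None:
            f = active[key] = {"key": key, "first": p.ts, "last": p.ts,
                               "packets": 0, "bytes": 0}
        f["last"] = p.ts
        f["packets"] += 1
        f["bytes"] += p.length
    return [summarize(f) for f in done + list(active.values())]

# Constructed sample: one client trickling 20-byte fragments every 10 s,
# one client sending a normal request, then reconnecting after the timeout.
SLOW = [Packet(float(t), "192.0.2.10", 40001, "198.51.100.5", 80, "tcp", 20)
        for t in range(0, 60, 10)]
NORMAL = [Packet(1.0, "192.0.2.20", 40002, "198.51.100.5", 80, "tcp", 400),
          Packet(1.5, "192.0.2.20", 40002, "198.51.100.5", 80, "tcp", 100),
          Packet(200.0, "192.0.2.20", 40002, "198.51.100.5", 80, "tcp", 400)]

if __name__ == "__main__":
    for flow in extract_flows(SLOW + NORMAL):
        print(flow)
```

In the sample, the trickling client produces one 50-second flow at 2.4 bytes per second, while the normal client yields a short 1000 bytes-per-second flow plus a separate single-packet flow after the idle gap.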