Utilizing Netflow Data to Detect Slow Read Attacks

Title: Utilizing Netflow Data to Detect Slow Read Attacks
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Kemp, C., Calvert, C., Khoshgoftaar, T.
Conference Name: 2018 IEEE International Conference on Information Reuse and Integration (IRI)
Date Published: July
Keywords: application layer DDoS attacks, application servers, classifiers, compositionality, Computer crime, computer network security, computer networks, distributed denial of service, false alarm rate, file servers, Information Reuse and Security, Internet, invasive software, IP Flow Information Export standard, IP networks, IPFIX, IPFIX standard, learning (artificial intelligence), legitimate network requests, low volume attack methods, machine learners, Malware, memory resources, NetFlow, Netflow data, network security solutions, open systems, Protocols, pubcrawl, Resiliency, SiLK, Slow Read, slow read attack detection models, slow read DDoS attacks, Tools, Web servers
Abstract: Attackers can leverage several techniques to compromise computer networks, ranging from sophisticated malware to DDoS (Distributed Denial of Service) attacks that target the application layer. Application layer DDoS attacks, such as Slow Read, are implemented with just enough traffic to tie up CPU or memory resources, causing web and application servers to go offline. Such attacks can mimic legitimate network requests, making them difficult to detect. They also use less volume than traditional DDoS attacks. These low volume attack methods can often go undetected by network security solutions until it is too late. In this paper, we explore the use of machine learners for detecting Slow Read DDoS attacks on web servers at the application layer. Our approach uses a generated dataset based upon Netflow data collected at the application layer on a live network environment. Our Netflow data uses the IP Flow Information Export (IPFIX) standard, which provides significant flexibility and features. These Netflow features can process and handle a growing amount of traffic and have worked well in our previous DDoS work detecting evasion techniques. Our generated dataset consists of real-world network data collected from a production network. We use eight different classifiers to build Slow Read attack detection models. Our wide selection of learners provides a more comprehensive analysis of Slow Read detection models. Experimental results show that the machine learners were quite successful in identifying the Slow Read attacks, with a high detection rate and a low false alarm rate. The experiment demonstrates that our chosen Netflow features are discriminative enough to detect such attacks accurately.
Citation Key: kemp_utilizing_2018