Title :
Feature extraction and construction of application layer DDoS attack based on user behavior
Author :
Liao Qin ; Li Hong ; Kang Songlin ; Liu Chuchu
Author_Institution :
Sch. of Inf. Sci. & Eng., Central South Univ., Changsha, China
Abstract :
Distributed Denial of Service (DDoS) has been one of the greatest threats to network security for years. In recent years, DDoS attackers have turned to the application layer, which makes DDoS attack detection systems based on the network layer and transport layer lose their effectiveness. At this layer, the Web service is the most vulnerable application. This paper analyzes the differences in user behavior as recorded in web logs. We propose a series of features to represent the characteristics of user behavior, and then transform web logs, which contain authentic legal users' records and attackers' records, into a 14-dimensional feature space. In particular, through the transformation, our work aims to obtain a better representation of users' behaviors, as well as to investigate the relative differences and/or similarities between DDoS attackers and normal users. Finally, we simulated four kinds of prevalent application layer DDoS attack and conducted experiments using three classical data mining classification algorithms to verify the effectiveness of our method. Experimental results show that the proposed features distinguish legal users from attackers well at the application layer.
Keywords :
Internet; Web services; computer network security; data mining; feature extraction; pattern classification; 14 dimensional feature space; Web log; Web service; application layer DDoS attack detection systems; attacker records; authentic legal user records; data mining classification algorithms; distributed denial of service attack; feature extraction; net layer; network security; transport layer; user behavior representation; Accuracy; Computer crime; Feature extraction; Information filtering; Internet; Servers; DDoS; feature extraction; user behavior;
Conference_Title :
Control Conference (CCC), 2014 33rd Chinese
Conference_Location :
Nanjing
DOI :
10.1109/ChiCC.2014.6895878