Detection and differentiation of application layer DDoS attack from flash events using fuzzy-GA computation

Detection and differentiation of application layer DDoS attack from flash events using fuzzy-GA computation

For access to this article, please select a purchase option:

Buy article PDF
(plus tax if applicable)
Buy Knowledge Pack
10 articles for $120.00
(plus taxes if applicable)

IET members benefit from discounts to all IET publications and free access to E&T Magazine. If you are an IET member, log in to your account and the discounts will automatically be applied.

Learn more about IET membership 

Recommend Title Publication to library

You must fill out fields marked with: *

Librarian details
Your details
Why are you recommending this title?
Select reason:
IET Information Security — Recommend this title to your library

Thank you

Your recommendation has been sent to your librarian.

Distributed Denial-of-Service (DDoS) attacks are serious threats in the data center application, mainly affecting the web server. Even though there are various techniques to detect and mitigate such attacks so far they fail to meet in the case of application layer attack and Flash Events (FE). In the paper, we aim at detecting application layer DDoS attacks and distinguish it from FE. We have considered a DDoS attack model and selected the parameters in the incoming packets that correspond in causing the attack. Based on the attack model we have analysed the statistical parameters of the incoming packets such as inter-arrival time, the probability of uniqueness of an IP address in given time frame and the unavailability of HTTP (Hyper Text Transfer Protocol) GET acknowledgment bit in the header field. These parameters are the input to the Fuzzy classification model. We have used Genetic Algorithm (GA) to provide an optimised value range for the input parameters. The optimised values are now applied to Fuzzy logic to identify whether the web accessing clients shows the behavior of attack, normal or FE. The experimental results show that Fuzzy-GA model provides an accuracy of 98.4% in detecting DDoS attack and 97.3% in detecting FE..


    1. 1)
      • 1. ‘Stop hacking from your drupal application’. Available at, accessed May 2015.
    2. 2)
      • 2. Zargar, S.T., Joshi, J., Tipper, D.: ‘A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks’, IEEE Commun. Surv. Tutorials, 2013, 15, (4), pp. 20462069.
    3. 3)
      • 3. McGregory, S.: ‘Preparing for the next DDoS attack’, Netw. Secur., 2013, (5), pp. 56.
    4. 4)
      • 4. Silva, S.S.C., Silva, R.M.P., Pinto, R.C.G., et al: ‘Botnets: a survey’, Comput. Netw., 2013, 57, (2), pp. 378403.
    5. 5)
      • 5. Beitollahi, H., Deconinck, G.: ‘Tackling application-layer DDoS attacks’, Procedia Comput. Sci., 2012, 10, pp. 432441.
    6. 6)
      • 6. Thapngam, T., Yu, S., Zhou, W., et al: ‘Discriminating DDoS attack traffic from flash crowd through packet arrival patterns’. Proc. Int. Conf. on Computer Communications Workshops (INFOCOM WKSHPS), Shanghai, China, April 2011, pp. 952957.
    7. 7)
      • 7. Oikonomou, G., Mirkovic, J.: ‘Modeling human behavior for defense against flash-crowd attacks’. Proc. Int. Conf. on Communications, Dresden, Germany, June 2009, pp. 16.
    8. 8)
      • 8. Tongguang, N., Xiaoqing, G., Wang, H., et al: ‘Real-time detection of application-layer DDoS attack using time series analysis’, J. Control Sci. Eng., 2013, (5), pp. 16.
    9. 9)
      • 9. Akilandeswari, V., Shalinie, M.S.: ‘Probabilistic neural network based attack traffic classification’. Proc. Int. Conf. on Advanced Computing, Chennai, India, December 2012, pp. 18.
    10. 10)
      • 10. DDoS Attack 2007 Dataset: The CAIDA UCSD. Available at xml. Accessed April 2015.
    11. 11)
      • 11. EPA-HTTP – a day of HTTP logs from a busy WWW server (1995). Available at, accessed April 2015.
    12. 12)
      • 12. Arlitt, M., Jin, T.: ‘1998 world cup web site access logs’. Available at, accessed June 2015.
    13. 13)
      • 13. Lee, S.M., Kim, D.S., Lee, J.H., et al: ‘Detection of DDoS attacks using optimized traffic matrix’, Comput. Math. Appl., 2012, 63, (2), pp. 501510.
    14. 14)
      • 14. Niandong, L., Shengfeng, T., Wang, T.: ‘Network forensics based on fuzzy logic and expert system’, Comput. Commun., 2009, 32, (17), pp. 18811892.
    15. 15)
      • 15. Sivabalan, S., Radcliffe, P.J.: ‘A novel framework to detect and block DDoS attack at the application layer’. Proc. Int. Conf. TENCON Spring, Sydney, Australia, April 2013, pp. 578582.
    16. 16)
      • 16. Yuan, J., Yuan, R., Chen, X.: ‘Network anomaly detection based on multi-scale dynamic characteristics of traffic’, Int. J. Comput. Commun. Control, 2014, 9, (1), pp. 101112.
    17. 17)
      • 17. Saied, A., Overill, R.E., Radzik, T.: ‘Detection of known and unknown DDoS attacks using artificial neural networks’, Neurocomputing, 2016, 172, pp. 385393.
    18. 18)
      • 18. Pandey, S.K., Mehtre, B.M.: ‘Performance of malware detection tools: A comparison’. Proc. Int. Conf. on Advanced Communication Control and Computing Technologies, Ramanathapuram, India, May 2014, pp. 18111817.
    19. 19)
      • 19. Zhou, W., Jia, W., Wen, S., et al: ‘Detection and defense of application-layer DDoS attacks in backbone web traffic’, Future Gener. Comput. Syst., 2014, 38, pp. 3646.
    20. 20)
      • 20. Sachdeva, M.S., Krishan, K., Gurvinder, S.: ‘A comprehensive approach to discriminate DDoS attacks from flash events’, J. Inf. Secur. Appl., 2016, 26, pp. 822.
    21. 21)
      • 21. Yihua, L., Vemuri, R.V.: ‘Use of K-nearest neighbor classifier for intrusion detection’, Comput. Secur., 2002, 21, (5), pp. 439448.
    22. 22)
      • 22. Kalkan, K., Alagoz, F.: ‘A distributed filtering mechanism against DDoS attacks: ScoreForCore’, Comput. Netw., 2016, 108, pp. 199209.
    23. 23)
      • 23. Ramanauskaitė, S., Čenys, A.: ‘Composite Dos attack model’, Science – Future of Lithuania, 2012, 4, (1), pp. 2026.
    24. 24)
      • 24. Ramanauskaitė, S.: ‘Modeling of SYN flooding attacks’, Jaunųjų mokslininkų darbai, 2010, 26, (1), pp. 331335.
    25. 25)
      • 25. Specht, S.M., Lee, R.B.: ‘Distributed denial of service: taxonomies of attacks, tools and countermeasures’. Proc. Int. Conf. of Parallel and Distributed Computing Dydtems, San Francisco, 2004, pp. 1517.
    26. 26)
      • 26. Dabir, A., Matrawy, A.: ‘Bottleneck analysis of traffic monitoring using wireshark’. Proc. Int. Conf. on Innovations in Information Technology, IIT ‘07, Dubai, 2007.
    27. 27)
      • 27. MIT Lincoln Laboratory Datasets, MIT LLSDDOS0.2.2, Massachusetts Institute of Technology, Cambridge, MA, 2000. Accessed 13 April 2015.
    28. 28)
      • 28. Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K.: ‘An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection’, Pattern Recognit. Lett., 2015, 51, pp. 17.
    29. 29)
      • 29. Dantas, Y.G., Nigam, V., Fonseca, I.E.: ‘A selective defense for application layer DDoS attacks’. Proc. Conf. on Joint Intelligence and Security Informatics Conf., The Hague, Netherland, September 2014, pp. 7582.
    30. 30)
      • 30. Jin, Z., Bose, B.K.: ‘Evaluation of membership functions for fuzzy logic controlled induction motor drive’. Proc. Annual Conf. of the Industrial Electronics Society, Sevilla, Spain, November 2002, pp. 229234.
    31. 31)
      • 31. Jongsuebsuk, P., Wattanapongsakorn, N., Charnsripinyo, C.: ‘Network intrusion detection with fuzzy genetic algorithm for unknown attacks’. Proc. Int. Conf. on Information Networking, Bangkok, June 2013, pp. 15.
    32. 32)
      • 32. Saboori, E., Parsazad, S., Sanatkhani, Y.: ‘Automatic firewall rules generator for anomaly detection systems with apriori algorithm’. Proc. Int. Conf. on Advanced Computer Theory and Engineering, Chengdu, China, August 2010, pp. 5760.
    33. 33)
      • 33. NSL-KDD dataset. Available at Accessed January 2016.
    34. 34)
      • 34. Passive Measurement and Analysis (PMA) Project ‘Auckland-VIII’, The National Laboratory for Applied Network Research (NLANR), December 2003. Available at Accessed June 2016.

Related content

This is a required field
Please enter a valid email address