Efficient Based on Improved Random Forest Defense System Against Application-Layer DDoS Attacks

Abstract

Application-layer distributed denial of service (DDoS) attacks have become the main threat to Web server security. Because application-layer DDoS attacks have strong concealability and high authenticity, intrusion detection technologies that rely solely on judging client authenticity cannot accurately detect such attacks. In addition, application-layer DDoS attacks are periodic and repetitive, and attack targets suddenly in a short period. In this study, we propose an efficient application-layer DDoS detection system based on improved random forest. Firstly, the Web logs are preprocessed to extract the user session characteristics. Subsequently, we propose a Session Identification based on Separation and Aggregation (SISA) method to accurately capture user sessions. Lastly, we propose an improved random forest classification algorithm based on feature weighting to address the issue of an increasing number of features leading to prolonged calculation times in the random forest algorithm, and as the feature dimension increases, there might be instances where no subfeature is related to the category to be classified. More importantly, we compare the request source IP with the malicious IP in the threat intelligence library to deal with the periodicity and repetition of application-layer DDoS attacks. We conducted a comprehensive experiment on the publicly available Web log dataset and the threat intelligence database of the laboratory as well as the simulated generated attack log dataset in the laboratory environment. The experimental results show that the proposed detection system can control the false alarm rate and false alarm rate within a reasonable range, improving the detection efficiency further, the detection rate is 99.85%. In secondary attack detection experiments, our proposed detection method achieves a higher detection rate in a shorter time.