
International Journal of Computer Application
Available online on http://www.rspublication.com/ijca/ijca_index.htm
Issue 4, Volume 2 (March - April 2014)
ISSN: 2250-1797

Detection of Distributed Denial of Service Attacks Using Decision Tree Algorithm
Mrs. G. Shoba, Rajeswari. M, Kalaitchelvi. S
#1 Senior Asst. Prof (CSE Dept), Christ College of Engineering and Technology, Affiliated to Pondicherry University, Puducherry-605010.
#2 Final Year M.Tech Student (CSE Dept), Christ College of Engineering and Technology, Affiliated to Pondicherry University, Puducherry-605010.
#3 Final Year M.Tech Student (CSE Dept), Christ College of Engineering and Technology, Affiliated to Pondicherry University, Puducherry-605010.
ABSTRACT
A Denial of Service (DoS) attack is an attempt to prevent genuine users of a service or network resource from accessing that service or resource. DoS attacks usually either exploit software bugs to crash or hang a service or network resource, or exhaust its bandwidth by flooding the link with traffic. A Distributed Denial of Service (DDoS) attack is a DoS attack in which many computers are used to bring down a web page, website or web-based service: the DoS attack is launched indirectly through many compromised computers. A typical DDoS attack consists of a master, slaves and a victim, the master being the attacker, the slaves being the compromised systems and the victim being the attacker's target. As the damage done by DDoS attacks increases, much research on detection mechanisms has been carried out. In this paper we address the problem of DDoS attacks and how to detect them using data mining algorithms, namely a decision tree algorithm and a neural network algorithm. The approach uses an automatic feature selection mechanism to select the important attributes.
Keywords - DoS attacks, DDoS attacks, Data Mining, Decision Tree Algorithm, Neural Network Algorithm.
1. INTRODUCTION
DDoS attacks are a major threat to the stability of the Internet. In a Distributed Denial of Service attack every participant generates a relatively small amount of traffic; the combined result overwhelms the remote system. Because a DDoS attack makes a server slow to respond to clients, or makes it refuse their accesses altogether, it may also be exploited by a business competitor expecting to gain an edge in the market. A DDoS attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator multiplies the effectiveness of the denial of service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms. Typically a DDoS master program is installed on one computer using a stolen account. At a designated time the master program communicates with any number of "agent" programs installed on computers anywhere on the Internet; the agents, when they receive the command, initiate the attack. In this way the master program can set hundreds or even thousands of agent programs in motion within seconds.
R S. Publication (rspublication.com), rspublicationhouse@gmail.com

Page 44

Figure 1. DDoS Attack


Figure 1 shows the structure of a DDoS attack. Early attacks were fairly complicated and required considerable knowledge on the part of the attacker, but tools were then developed to organise and implement the attack, so the search for secondary hosts has been automated. The tool scans many machines on the Internet for common vulnerabilities, and the attacker eventually becomes master (gains administrator access) of hundreds or thousands of unprotected machines. He then installs the attack agent on them and tries to cover his tracks (corrupting log files, installing rootkits). It is interesting to note that the victims of such attacks are not just those who suffer the denial of service: every secondary host is also a machine compromised to the highest level (root access), just like the master host.
1.1 DDOS ATTACKS IN DIFFERENT LAYERS
A Distributed Denial-of-Service (DDoS) attack is one in which the victim's network elements are bombarded with a high volume of fictitious attack packets originating from a large number of machines. A successful attack exhausts the victim's bandwidth, connection state or processing capacity, so that legitimate users are denied service; the flood itself does not give the attacker access to the victim's data, although the compromised agent machines that send it are fully under the attacker's control. DDoS attacks occur at different layers, in particular the network layer and the application layer.
1.1.1 NETWORK Layer DDoS Attacks
The main network layer DDoS attacks are SYN flooding, Ping of Death and Smurf. These are comparatively easy to detect and defend against, because they exploit the behaviour of the protocols rather than sending legitimate-looking requests.

SYN Flood
A SYN flood occurs when a host sends a flood of TCP SYN packets, often with forged source addresses. Each packet is handled as a connection request: the server allocates a half-open connection, replies with a TCP SYN-ACK packet and waits for the final ACK from the source address. Because the source address is forged, the ACK never comes. These half-open connections fill the server's backlog of pending connections, keeping it from responding to legitimate requests until the attack ends.
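As an added illustration, not code from the paper, the half-open connection check a detector could run over captured packet records: it replays constructed TCP flag sequences, tracks each handshake through SYN, SYN-ACK and ACK, and reports per server how many handshakes never completed. The packet tuples, addresses and thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample traffic, not a real capture: (src, dst, set of TCP flags).
# One legitimate three-way handshake, then five spoofed SYNs whose SYN-ACK
# replies are never acknowledged (the spoofed hosts never sent anything).
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.0.2.10", {"SYN"}),
    ("192.0.2.10", "10.0.0.5", {"SYN", "ACK"}),
    ("10.0.0.5", "192.0.2.10", {"ACK"}),
]
for i in range(1, 6):
    SAMPLE_PACKETS.append((f"203.0.113.{i}", "192.0.2.10", {"SYN"}))
    SAMPLE_PACKETS.append(("192.0.2.10", f"203.0.113.{i}", {"SYN", "ACK"}))


def handshake_states(packets):
    """Replay packets and return {(client, server): state}.

    States: 'syn' (client SYN seen), 'syn_ack' (server replied, connection
    is half-open), 'established' (client's final ACK seen). RST/FIN are not
    modelled; a real tracker would also expire entries on a timeout."""
    states = {}
    for src, dst, flags in packets:
        if flags == {"SYN"}:
            states[(src, dst)] = "syn"
        elif flags == {"SYN", "ACK"}:
            key = (dst, src)  # the reply travels server -> client
            if states.get(key) == "syn":
                states[key] = "syn_ack"
        elif "ACK" in flags:
            key = (src, dst)
            if states.get(key) == "syn_ack":
                states[key] = "established"
    return states


def half_open_ratio(packets):
    """Per server: (half_open, total_syns, half_open / total_syns)."""
    counts = defaultdict(lambda: [0, 0])
    for (_client, server), state in handshake_states(packets).items():
        counts[server][1] += 1
        if state != "established":
            counts[server][0] += 1
    return {s: (h, t, h / t) for s, (h, t) in counts.items()}


def flag_syn_flood(packets, min_half_open=5, max_ratio=0.5):
    """Servers whose backlog looks flooded: many half-open handshakes and a
    high share of them relative to all SYNs. Thresholds are assumptions."""
    return sorted(s for s, (h, _t, r) in half_open_ratio(packets).items()
                  if h >= min_half_open and r > max_ratio)


if __name__ == "__main__":
    print(half_open_ratio(SAMPLE_PACKETS))
    print("flooded:", flag_syn_flood(SAMPLE_PACKETS))
```

The ratio matters as much as the absolute count: a busy server legitimately has some half-open connections at any instant, so a detector keyed only on the count fires on normal load spikes.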
Ping of Death
The Ping of Death sends the victim a malformed ping packet that may crash the system. It is a denial of service (DoS) attack caused by an attacker deliberately sending an IP packet larger than the 65,535 bytes allowed by the IP protocol. One of the features of TCP/IP is fragmentation, which allows a single IP packet to be broken into smaller fragments. In 1996 attackers began to take advantage of that feature when they found that the fragments of a packet could add up to more than the allowed 65,535 bytes once reassembled. Many operating systems did not know what to do when they received such an oversized packet, so they froze, crashed or rebooted.
Ping of Death attacks were particularly nasty because the identity of the attacker sending the oversized packet could easily be spoofed, and because the attacker needed to know nothing about the target machine except its IP address. By the end of 1997 operating system vendors had made patches available that reject such oversized packets. Still, many web sites continue to block Internet Control Message Protocol (ICMP) ping messages at their firewalls to prevent any future variation of this kind of denial of service attack.
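An added example, not from the paper, of the reassembly-length check that the vendor patches introduced: given a list of fragments it computes the datagram size they would reassemble to, and identifies the fragment that would push the datagram past the IP maximum so it can be rejected before being copied into the reassembly buffer. The two fragment lists are constructed for the example; only the IP constants are real.

```python
IP_MAX_LENGTH = 65535   # largest value of the 16-bit IP Total Length field
IP_HEADER_LEN = 20      # header assumed for the reassembled datagram (no options)

# Constructed fragment sets, not captured traffic. Each fragment is
# (fragment offset in 8-byte units as carried in the IP header,
#  more-fragments flag, payload length in bytes).
# A 4000-byte ping payload split for a 1500-byte MTU (1480 data bytes per fragment).
NORMAL_PING = [(0, True, 1480), (185, True, 1480), (370, False, 1040)]
# 44 full fragments end at byte 65120; the last one adds 400 more bytes, so the
# reassembled payload is 65520 bytes and the datagram 65540 bytes: too big.
PING_OF_DEATH = [(i * 185, True, 1480) for i in range(44)] + [(8140, False, 400)]


def fragment_end(offset_units, payload_len):
    """Byte position just past this fragment's data within the reassembled payload."""
    return offset_units * 8 + payload_len


def reassembled_size(fragments):
    """Total datagram length (header + payload) the fragments imply."""
    return IP_HEADER_LEN + max(fragment_end(off, size) for off, _more, size in fragments)


def oversize_fragment(fragments):
    """Return the first fragment whose acceptance would require a datagram larger
    than IP_MAX_LENGTH, or None. Checking each fragment on arrival, before it is
    written into the buffer, is what the fixed kernels do; the vulnerable ones
    copied first and only discovered the overflow afterwards."""
    for off, more, size in fragments:
        if IP_HEADER_LEN + fragment_end(off, size) > IP_MAX_LENGTH:
            return (off, more, size)
    return None


def reassemble(fragments):
    """Simulate reassembly into a fixed 64 KiB buffer; refuse oversize input
    instead of overrunning the buffer."""
    bad = oversize_fragment(fragments)
    if bad is not None:
        raise ValueError(f"fragment {bad} exceeds IP maximum datagram size")
    payload = bytearray(IP_MAX_LENGTH - IP_HEADER_LEN)
    for off, _more, size in fragments:
        start = off * 8
        payload[start:start + size] = b"\x00" * size
    return reassembled_size(fragments)


if __name__ == "__main__":
    print("normal ping reassembles to", reassemble(NORMAL_PING), "bytes")
    print("oversize fragment:", oversize_fragment(PING_OF_DEATH))
```

Because the offset field is 13 bits of 8-byte units, a single fragment can legitimately start as late as byte 65528; the bug was never the offset alone but offset plus length, which is why the check has to combine both.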

Smurf Attack
The Smurf attack is a particular variant of a flooding DoS attack on the public Internet. It relies on misconfigured network devices that forward packets addressed to the broadcast address of a network to every host on that network, rather than to a specific machine: the attacker sends ICMP echo requests to the broadcast address with the source address forged to be the victim, and every host on that network replies to the victim, amplifying the attacker's traffic many times over.
1.1.2 APPLICATION LAYER DDoS ATTACKS
The main application layer attacks are the session flooding attack, the request flooding attack and the asymmetric attack.

Session flooding attack:
A session flooding attack sends session connection requests at a rate higher than legitimate users do. Attackers attack the server through a series of sessions. A session has four basic steps:
Step 1: Set up connection
Step 2: Send request messages
Step 3: Send response messages
Step 4: Close connection.
As all accesses to a layer-7 service (e.g., HTTP, FTP and TELNET) need the first and last steps, and differ only in how many times the second and third steps are repeated, we describe one such process as a session with one or more requests. Each zombie computer sends sessions at a higher rate than normal users do, and the rate may change randomly.

Request Flooding attack
In a request flooding attack each attack session sends requests at a higher rate than normal sessions do, and the rate may change randomly. The first characteristic of App-DDoS attacks is that the application-layer requests originating from the compromised hosts are indistinguishable from those generated by legitimate users. Unlike Net-DDoS attacks, App-DDoS attacks do not necessarily rely on inadequacies in the underlying protocols or operating systems; they can be mounted with legitimate requests from legitimately connected network machines. Usually App-DDoS attacks exploit the weakness created by the standard practice of opening services such as HTTP and HTTPS (TCP ports 80 and 443) through most firewalls.
Many protocols and applications, both legitimate and illegitimate, can use these openings to tunnel through firewalls by connecting over standard TCP port 80 (e.g., the Code Red worm) or by encapsulating traffic in SSL tunnels (HTTPS). Attack requests aimed at these services may pass through the firewall without being denied. Furthermore, attackers may request services to the point where other clients are unable to complete their transactions, or are inconvenienced to the point where they give up trying.

Asymmetric attack
An asymmetric attack sends sessions containing more high-workload requests: each attack session sends a higher proportion of requests, each of which has a higher workload value, than a normal session does. Attackers may use any one of these three attack types or any combination of them.
An asymmetric attack overwhelms the server's resources, increasing the response time seen by legitimate clients from 0.1 seconds to 10 seconds. Under the same attack scenario, a detection scheme based on a hidden Markov model (HMM) limits the effects of false negatives and false positives and improves the victim's response time to 0.8 seconds.
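The three application-layer attack types described above differ only in which per-client statistic they inflate (sessions per minute, requests per session, or workload per request), so one added example, not the paper's code, covers session flooding, request flooding and the asymmetric attack together: it profiles a constructed request log by those three statistics and labels each client. The log lines, the workload weights per request type and the thresholds are all assumptions made for the example; a deployment would derive thresholds from its own baseline of normal sessions.

```python
from collections import defaultdict

# Cost weight per request type, the "Workload" value the text attaches to each
# request. Constructed for the example, not measured.
WORKLOAD = {"/index.html": 1, "/img/logo.png": 1, "/search": 20, "/report": 50}

# Constructed request log, not from the paper: (seconds, client_ip, session_id, path).
LOG = []
# Legitimate client: one session, four requests in a minute, one of them moderately costly.
LOG += [(0, "10.0.0.5", "s1", "/index.html"), (5, "10.0.0.5", "s1", "/img/logo.png"),
        (30, "10.0.0.5", "s1", "/search"), (55, "10.0.0.5", "s1", "/index.html")]
# Session flooder: 20 separate sessions in the same minute, one cheap request each.
LOG += [(3 * i, "203.0.113.7", f"f{i}", "/index.html") for i in range(20)]
# Request flooder: a single session issuing 40 cheap requests in the minute.
LOG += [(1.5 * i, "203.0.113.8", "r1", "/index.html") for i in range(40)]
# Asymmetric attacker: a single session, only four requests, but all of them expensive.
LOG += [(15 * i, "203.0.113.9", "a1", "/report") for i in range(4)]


def client_profiles(log, window=60.0):
    """Per client over the first `window` seconds: sessions per minute,
    requests per session and mean workload per request."""
    sessions = defaultdict(set)
    requests = defaultdict(int)
    cost = defaultdict(int)
    for t, client, session, path in log:
        if t >= window:
            continue
        sessions[client].add(session)
        requests[client] += 1
        cost[client] += WORKLOAD[path]
    profiles = {}
    for client, ids in sessions.items():
        n_sessions = len(ids)
        profiles[client] = {
            "session_rate": n_sessions * 60.0 / window,
            "req_per_session": requests[client] / n_sessions,
            "mean_workload": cost[client] / requests[client],
        }
    return profiles


def classify(profile, max_session_rate=5.0, max_req_per_session=20.0, max_workload=10.0):
    """Labels for the App-DDoS types a profile matches (several may apply at once,
    since an attacker can combine them). Threshold values are assumptions."""
    labels = []
    if profile["session_rate"] > max_session_rate:
        labels.append("session_flood")
    if profile["req_per_session"] > max_req_per_session:
        labels.append("request_flood")
    if profile["mean_workload"] > max_workload:
        labels.append("asymmetric")
    return labels or ["normal"]


def detect(log, window=60.0):
    """Map each client in the log to its attack labels."""
    return {client: classify(p) for client, p in client_profiles(log, window).items()}


if __name__ == "__main__":
    for client, labels in detect(LOG).items():
        print(client, labels)
```

The asymmetric case is the one a pure rate limiter misses: the attacker's session looks quieter than the legitimate client's, and only weighting each request by its server-side cost exposes it.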
2. DATA MINING
Data mining is, at its core, pattern finding. Data miners are proficient at using specialized software to find regularities in large and complex data sets. Data mining applications are computer software programs or packages that enable the extraction and identification of patterns from stored data. A data mining application is typically a software interface which interacts with a large database containing network traffic parameters or other important data. Data mining is widely used by companies and public bodies for marketing and for the detection of fraudulent or malicious activity such as DDoS attacks.
2.1 VARIOUS APPLICATION AREAS OF DATA MINING IN DDOS ATTACK
Recently data mining has become an important component of DDoS attack prevention. Classification, association rules, clustering and outlier detection are the data mining techniques most frequently used to analyse network traffic or data in order to gain knowledge that helps in controlling intrusion. Applications where the data mining approach can be used in the prevention and detection of DDoS attacks are discussed below:
2.1.1 INTRUSION DETECTION
Intrusion detection is the process of observing the events occurring in a computer system or network and analysing them for instances which violate the relevant security policies or practices. Intrusion detection techniques can be classified as misuse detection and anomaly detection. Misuse detection systems, e.g., IDIOT and STAT, use patterns of well-known attacks or weak spots of the system to match and identify known intrusions. Anomaly detection systems, e.g., IDES, flag observed activities that deviate significantly from the established normal usage profiles as anomalies, i.e., possible intrusions. Today the main reason for using data mining in intrusion detection systems is the enormous volume of existing and newly appearing network data that requires processing. The literature also provides evidence of data mining techniques being used for intrusion detection.
2.1.2 IP TRACEBACK
DDoS is a rapidly growing problem. IP traceback is the ability to trace IP packets back from the destination to their true source, even when the source address in the packets is forged. This is a significant step towards identifying, and thus stopping, attackers, and it is an important mechanism in defending against DDoS attacks. Many techniques and methodologies are used to trace DDoS attacks.
3. PROPOSED DATA MINING ALGORITHMS
As the enhanced approach we propose the use of two data mining algorithms, a decision tree algorithm and a neural network algorithm. The decision tree provides an automatic feature selection mechanism, and the classifier is then built with neural network technology using the automatically selected attributes. For the selection of the important attributes a heuristic method cannot prove that its choice is the best, and it requires many trials and much processing time. So we propose the decision tree algorithm, one of the data mining technologies, as the automatic feature selection mechanism. It can output the best set of attributes from the candidate attributes, together with their priority, using entropy (information gain) or the chi-square statistic as the splitting criterion. The algorithm therefore provides insight into the patterns that may be exhibited in the data. Such a mapping approach between a decision tree and a neural network was proposed with the goal of accurately specifying the number of units, layers and connections and the initial parameter settings of the neural network.

Netflow Data
in the Normal
attack

Decision Tree
Algorithm

Detection of
DDoS Attack

Neural Network
Figure 2: Architecture forAlgorithm
detection of DDoS attack
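An added worked example of the feature selection step, not the paper's implementation: an ID3-style decision tree over constructed, already discretised NetFlow-like records ranks the candidate attributes by information gain (the entropy criterion the text mentions), builds the tree, and reports which attributes it actually splits on, in priority order. That list is the attribute set the architecture in Figure 2 would hand on to the neural network. The records, attribute names and the discretisation into high/low, small/large are assumptions made for the example.

```python
import math
from collections import Counter

# Candidate attributes per flow, each already discretised. Constructed, not the
# paper's data: dst_port is deliberately uninformative so the tree drops it.
FEATURES = ["syn_ratio", "pkts_per_flow", "bytes_per_pkt", "dst_port"]
FLOWS = [
    {"syn_ratio": "high", "pkts_per_flow": "low",  "bytes_per_pkt": "small", "dst_port": "80",  "label": "attack"},
    {"syn_ratio": "high", "pkts_per_flow": "low",  "bytes_per_pkt": "small", "dst_port": "443", "label": "attack"},
    {"syn_ratio": "high", "pkts_per_flow": "low",  "bytes_per_pkt": "large", "dst_port": "80",  "label": "attack"},
    {"syn_ratio": "low",  "pkts_per_flow": "high", "bytes_per_pkt": "large", "dst_port": "53",  "label": "attack"},
    {"syn_ratio": "low",  "pkts_per_flow": "high", "bytes_per_pkt": "large", "dst_port": "80",  "label": "normal"},
    {"syn_ratio": "low",  "pkts_per_flow": "high", "bytes_per_pkt": "large", "dst_port": "443", "label": "normal"},
    {"syn_ratio": "low",  "pkts_per_flow": "high", "bytes_per_pkt": "large", "dst_port": "80",  "label": "normal"},
    {"syn_ratio": "low",  "pkts_per_flow": "low",  "bytes_per_pkt": "large", "dst_port": "53",  "label": "normal"},
]


def entropy(rows):
    """Shannon entropy of the label distribution, in bits."""
    n = len(rows)
    return -sum(c / n * math.log2(c / n)
                for c in Counter(r["label"] for r in rows).values())


def split(rows, attr):
    """Group rows by the value of one attribute (insertion order kept)."""
    groups = {}
    for r in rows:
        groups.setdefault(r[attr], []).append(r)
    return groups


def information_gain(rows, attr):
    """Entropy removed by splitting on attr: H(rows) minus the size-weighted
    entropy of the subsets. Zero means the attribute tells us nothing."""
    n = len(rows)
    remainder = sum(len(g) / n * entropy(g) for g in split(rows, attr).values())
    return entropy(rows) - remainder


def rank_attributes(rows, attrs=FEATURES):
    """(attribute, gain) pairs, best first; the attribute priority list."""
    return sorted(((a, information_gain(rows, a)) for a in attrs), key=lambda t: -t[1])


def build_tree(rows, attrs=FEATURES):
    """ID3: recursively split on the highest-gain attribute until the rows are
    pure, no attribute helps, or no attributes remain."""
    majority = Counter(r["label"] for r in rows).most_common(1)[0][0]
    if entropy(rows) == 0 or not attrs:
        return {"leaf": majority}
    best, gain = rank_attributes(rows, attrs)[0]
    if gain <= 0:
        return {"leaf": majority}
    rest = [a for a in attrs if a != best]
    return {"attr": best, "majority": majority,
            "branches": {v: build_tree(g, rest) for v, g in split(rows, best).items()}}


def predict(tree, flow):
    """Walk the tree; an attribute value never seen in training falls back to
    the majority label at that node instead of raising."""
    while "leaf" not in tree:
        child = tree["branches"].get(flow.get(tree["attr"]))
        if child is None:
            return tree["majority"]
        tree = child
    return tree["leaf"]


def selected_attributes(tree):
    """Attributes the tree splits on, in pre-order: the automatically selected
    feature set (root first = highest priority) to pass to the next stage."""
    if "leaf" in tree:
        return []
    found = [tree["attr"]]
    for child in tree["branches"].values():
        for a in selected_attributes(child):
            if a not in found:
                found.append(a)
    return found


if __name__ == "__main__":
    print("ranking:", rank_attributes(FLOWS))
    tree = build_tree(FLOWS)
    print("selected:", selected_attributes(tree))
```

On these records syn_ratio carries the most information, dst_port carries none and never appears in the tree, and the remaining two attributes only matter lower down; that ordering, rather than the tree's own predictions, is what the paper's architecture consumes. Note that a tree fitted to eight rows separates them perfectly, so accuracy on the training records says nothing about generalisation; the paper's planned comparative experiments would need held-out traffic.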

4. CONCLUSIONS
In this paper we have proposed a data mining approach to the detection of DDoS attacks of various types, composed of an automatic feature selection module based on the decision tree algorithm and a classifier based on the neural network algorithm. The two algorithms are combined because the most powerful DDoS attacks keep changing their attack type, so attack traffic of various types has to be handled. Future work includes comparative experiments using various data mining technologies, and comparative experiments between the data mining approach and a purely statistical approach.