DDoS Attacks Detection in the Application Layer Using Three Level Machine Learning Classification Architecture

Abstract

Distributed Denial of Service (DDoS) is an ever-changing type of attack in cybersecurity, especially with the growing demand for cloud and web services raising a never-ending challenge in the lucrative business. DDoS attacks disrupt users' access to the targeted online services leading to significant business loss. This article presents a three-level architecture for detecting DDoS attacks at the application layer. The first level is responsible for selecting the best features of the samples and classifying the traffic into either benign or malicious, then the second level consists of a hard voting classifier to identify the type of the DDoS source: UDP, TCP, or Mixed-based. Finally, the last level aligns the attack to the appropriate DDoS type. This approach is validated using the CIC-DDoS2019 dataset, and the time, accuracy score, and precision are used as the model performance metrics. Compared to the existing machine learning (ML) approaches, the proposed architecture reveals substantial improvements in both binary and multiclass classification of application-layer DDoS attacks.