Feature Selection using Information Gain Method for Building Classification Model DDoS Attack at Application Layer

Abstract

Distributed Denial of Services (DDoS) is one of the digital attacks that often occurred, the record for DDoS attacks in the second quartal of 2018 reaches 5.7Gbps. The application layer becomes one of the targets for this attack type; this type of DDoS attack always mimicks the user's request, making it harder to detect than DDoS attack at the network and transport layer. The classification has been offered as one method to overcome this problem. Before classification, the selection feature becomes important due to some features that lead to error classification and make the process classification longer. This research uses information gain as a selection feature method and using CICIDS 2017 as the dataset. The CICIDS2017 has 692.704 records consist of 78 features and five classes. The result of feature selection using the information gain method reduces the numbers of features from 78 to 5. To prove that these five features can classify DDoS attacks correctly, we use a randomForest method as a classification method. The randomForest was used to classify the data into five classes: normal, DDoS Goldeneye, DDoS Hulk, DDoS Slowhttptest, and DDoS Slowloris. The result of performance for accuracy is 99.43%, for recall of each class are 99.48%, 99.81%, 99.41%, 96.01%, 99.97% respectively. Besides the result of performance for precision each class are 99.65%, 96.04%, 99.90%, 98.63%, 71.37%, respectively. The results of performance for classification time using five features are decreasing execution time 3.1 seconds.