Detection of Slowloris Attacks Using Netflow Traffic  
Author Chad Calvert


Co-Author(s) Taghi M. Khoshgoftaar; Clifford Kemp; Maryam M. Najafabadi


Abstract Computer network security is consistently a major concern, and the continued use of Distributed Denial of Service (DDoS) attacks places exorbitant strain on web servers. Although mitigation techniques are continuously being implemented to defend against DDoS attacks, such attacks are also becoming more sophisticated and harder to prevent. One particular DDoS variant of concern is Slowloris. In this work, we implement several machine learning algorithms with the intent of early Slowloris attack detection. We enact several variations of Slowloris attacks to represent different attack rates ranging from low-connection (stealthy) to high-connection (non-stealthy) variants. As web logs do not typically provide enough data for early detection regarding Slowloris attacks, our algorithms are applied using network flow (Netflow) data collected in a live network environment. By utilizing Netflow data, we present a more scalable option for data collection that provides near real time network monitoring. Also, by performing our collection in a real production environment, our traffic is more representative of real-world data. We implemented six machine learning classifiers within our experiments to build our detection mechanism. Our results demonstrate that many of our classifiers were able to successfully identify Slowloris attacks with high performance and relatively low false alarm rates. This demonstrates that the use of Netflow features works well for the detection of Slowloris attacks.


Keywords Application Layer DDoS Attacks, Netflow, Slowloris
    Article #:  24191
Proceedings ISSAT International Conference on Reliability and Quality in Design 2018
August 2-4, 2018 - Toronto, Ontario, Canada