Integrated Hidden Markov Model and Bayes Packet Classifier for effective Mitigation of Application DDoS attacks

Resisting distributed denial of service (DDoS) attacks become more challenging with the availability of resources and techniques to attackers. The application-layer-based DDoS attacks utilize legitimate HTTP requests to overwhelm victim resources are more undetectable and are protocol compliant and non-intrusive. Focusing on the detection for application layer DDoS attacks, the existing scheme provide an access matrix which capture the spatial-temporal patterns of a normal flash crowd on non stationary object. The access matrix captures the spatial-temporal patterns of the normal flash crowd and the anomaly detector based on hidden Markov model (HMM) described the dynamics of Access Matrix (AM) to detect the application DDoS attacks. However current application layer attacks have high influence on the stationary object as well. In addition the detection threshold for non stationary object should be reevaluated to improve the performance of false positive rate and detection rate of the DDoS attacks. The integrated HMM and Bayes packet classifier with Gaussian distribution factor introduced in this paper, improves the resistance scheme to have better detection rate even for stationary object in the application DDoS attacks. Hidden Markov model is improvised to adapt the detection threshold for stationary objects in the popular website attacks. Bayes packet classifier reduces DDoS attacks and outperforms existing method in terms of collateral damage. Rule sets are used to resist an attack which is pre calculated before an attack takes place. Experimental simulations are conducted on ISP network traffic data to demonstrate the effectiveness of the false positive rate with NS-2. Numerical results based on real Web traffic data shows that the effectiveness of minimizing asymmetric attack on the server resources. Integrated HMM and Bayes Classifier Model (IHBCM) improves the attack resistance rate of legitimate clients against application DDoS attack to 26% compared to that of simple HMM model. In addition IHBCM increases the throughput of the legal users of the ISP network data to nearly 18% referring to simple HMM model.