Data Mining Approach for Detection of DDoS Attacks Utilizing SSL/TLS Protocol

  • Mikhail ZolotukhinEmail author
  • Timo Hämäläinen
  • Tero Kokkonen
  • Antti Niemelä
  • Jarmo Siltanen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9247)


Denial of Service attacks remain one of the most serious threats to the Internet nowadays. In this study, we propose an algorithm for detection of Denial of Service attacks that utilize SSL/TLS protocol. These protocols encrypt the data of network connections on the application layer which makes it impossible to detect attackers activity based on the analysis of packet payload. For this reason, we concentrate on statistics that can be extracted from packet headers. Based on these statistics, we build a model of normal user behavior by using several data mining algorithms. Once the model has been built, it is used to detect DoS attacks. The proposed framework is tested on the data obtained with the help of a realistic cyber environment that enables one to construct real attack vectors. The simulations show that the proposed method results in a higher accuracy rate when compared to other intrusion detection techniques.


Network security Intrusion detection DoS attack Data mining Anomaly detection 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Durcekova, V., Schwartz, L., Shahmehri, N.: Sophisticated denial of service attacks aimed at application layer. In: ELEKTRO, pp. 55–60 (2012)Google Scholar
  2. 2.
    Gu, Q., Liu, P.: Denial of Service Attacks. Handbook of Computer Networks: Distributed Networks, Network Planning, Control, Management, and New Trends and Applications, vol. 3. John Wiley & Sons (2008)Google Scholar
  3. 3.
    Peng, T., Leckie, K.R.M.C.: Protection from distributed denial of service attacks using history-based IP filtering. In: Proc. of IEEE International Conference on Communications, vol. 1, pp. 482–486 (2003)Google Scholar
  4. 4.
    Limwiwatkul, L., Rungsawangr, A.: Distributed denial of service detection using TCP/IP header and traffic measurement analysis. In: Proc. of IEEE International Symposium on Communications and Information Technology, vol. 1, pp. 605–610 (2004)Google Scholar
  5. 5.
    Yuan, J., Mills, K.: Monitoring the macroscopic effect of DDoS flooding attacks. IEEE Tran. Dependable and Secure Computing 2(4), 324–335 (2005)CrossRefGoogle Scholar
  6. 6.
    Chen, R., Wei, J.-Y., Yu, H.: An improved grey self-organizing map based dos detection. In: Proc. of IEEE Conference on Cybernetics and Intelligent Systems, pp. 497–502 (2008)Google Scholar
  7. 7.
    Ke-Xin, Y., Jian-Qi, Z.: A novel DoS detection mechanism. In: Proc. of International Conference on Mechatronic Science, Electric Engineering and Computer (MEC), pp. 296–298 (2011)Google Scholar
  8. 8.
    Xie, Y., Yu, S.-Z.: Monitoring the Application-Layer DDoS Attacks for Popular Websites. IEEE/ACM Transactions on Networking 17(1), 15–25 (2008)CrossRefGoogle Scholar
  9. 9.
    Zhang, J., Qin, Z., Ou, L., Jiang, P., Liu, J., Liu, A.: An advanced entropy-based DDOS detection scheme. In: Proc. of International Conference on Information Networking and Automation (ICINA), vol. 2, pp. 67–71 (2010)Google Scholar
  10. 10.
    Aiello, M., Cambiaso, E., Mongelli, M., Papaleo, G.: An on-line intrusion detection approach to identify low-rate DoS attacks. In: Proc. of International Carnahan Conference on Security Technology (ICCST), pp. 1–6 (2014)Google Scholar
  11. 11.
    Xu, C., Zhao, G., Xie, G., Yu, S.: Detection on application layer DDoS using random walk model. In: Proc. of IEEE International Conference on Communications (ICC), pp. 707–712 (2014)Google Scholar
  12. 12.
    Chwalinski, P., Belavkin, R., Cheng, X.: Detection of application layer DDoS Attacks with clustering and bayes factors. In: Proc. of IEEE International Conference on Systems, Man, and Cybernetics (SMC), pp. 156–161 (2013)Google Scholar
  13. 13.
    Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol. IETF RFC 4346 (2006)Google Scholar
  14. 14.
    Gollmann, D.: Computer Security, 2nd edn. Wiley (2006)Google Scholar
  15. 15.
    Ye, N., Borror, C.M., Parmar, D.: Scalable Chi-Squae Distance versus Conventional Statistical Distance for Process Monotoring with Uncorrelated Data Variables. Quality and Reliability Engineering International 19(6), 505–515 (2003)CrossRefGoogle Scholar
  16. 16.
    Muraleedharan, N., Parmar, A., Kumar, M.: A flow based anomaly detection system using chi-square technique. In: Proc. of the 2nd IEEE International Advance Computing Conference (IACC), pp. 285–289 (2010)Google Scholar
  17. 17.
    Corona, I., Giacinto, G.: Detection of server-side web attacks. In: Proc of JMLR: Workshop on Applications of Pattern Analysis, pp. 160–166 (2010)Google Scholar
  18. 18.
    Johnson, R., Wichern, D.: Applied Multivariate Statistical Analysis. Prentice-Hall, Upper Saddle River (1998)Google Scholar
  19. 19.
    Saranya, C., Manikandan, G.: A Study on Normalization Techniques for Privacy Preserving Data Mining. International Journal of Engineering and Technology (IJET) 5(3), 2701–2704 (2013)Google Scholar
  20. 20.
    Ester, M., Kriegel, H., Jörg, S., Xu, X.: A density-based algorithm for discovering clusters in large spatial databases with noise, pp. 226–231. AAAI Press (1996)Google Scholar
  21. 21.
    Kim, J.: The anomaly detection by using DBSCAN clustering with multiple parameters. In: Proc. of the ICISA, pp. 1–5 (2011)Google Scholar
  22. 22.
    Smiti, A.: DBSCAN-GM: an improved clustering method based on gaussian means and DBSCAN techniques. In: Proc. of the IEEE 16th International Conference on Intelligent Engineering Systems (INES), pp. 573–578 (2012)Google Scholar
  23. 23.
    Jyvsectec-rgce - homepage.
  24. 24.
    Zolotukhin, M., Hämäläinen, T., Kokkonen, T., Siltanen, J.: Analysis, of http requests for anomaly detection of web attacks. In: Proc. of the 12th IEEE International Conference on Dependable, Autonomic and Secure Computing, pp. 406–411 (2014)Google Scholar
  25. 25.
    WireShark Wiki, Libpcap File Format.

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Mikhail Zolotukhin
    • 1
    Email author
  • Timo Hämäläinen
    • 1
  • Tero Kokkonen
    • 2
  • Antti Niemelä
    • 2
  • Jarmo Siltanen
    • 2
  1. 1.Department of Mathematical Information TechnologyUniversity of JyväskyläJyväskyläFinland
  2. 2.JAMK University of Applied SciencesJyväskyläFinland

Personalised recommendations