Low-rate application layer distributed denial of service (LDDoS) attacks are
both powerful and stealthy. With very little traffic they force a vulnerable
web server to commit all of its available connections to the adversary, denying
resources to real users. Current mitigation advice centres on measures that can
themselves degrade quality of service for legitimate connections, and without
accurate detection mechanisms a distributed attack can bypass these defences.
This paper proposes a methodology for detecting LDDoS attacks based on the
characteristics of malicious TCP flows. The experiments use combinations of two
datasets: one generated on a simulated network, the other the publicly
available CIC DoS dataset. Both contain the attacks slowread, slowheaders and
slowbody alongside legitimate web browsing. TCP flow features are extracted
from every connection, and six supervised machine learning algorithms are used
to separate attack flows from legitimate ones. Decision trees and k-NN
classified up to 99.99% of flows correctly, with exceptionally low false
positive and false negative rates, demonstrating the potential of AI in LDDoS
detection.
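The flow-feature pipeline described above, as an added example that is not code from the paper: a synthetic generator builds per-packet records for legitimate browsing and for the three slow attacks (constructed traffic shapes, not captured data), a per-flow extractor computes an assumed feature set (duration, packet counts per direction, client payload sizes, mean inter-arrival time and a log-scaled client byte rate; this is not the paper's feature list), and a small k-NN over z-scored features labels flows the model has not seen. The names make_flow, extract_flows, KNN, build_dataset and train_and_classify, and every numeric range in the generator, are this example's own assumptions.

```python
# Added example, not the paper's code. Packet records are synthetic (constructed,
# not captured) and the feature set is an assumption, not the paper's feature list.
import math
import random
from collections import defaultdict
from typing import Dict, List, Tuple

Packet = Tuple[str, float, str, int]  # (flow_id, time_s, 'c'|'s', payload_bytes)
KINDS = ["legit", "slowheaders", "slowbody", "slowread"]
FEATURES = ["duration_s", "client_pkts", "server_pkts", "mean_client_payload",
            "max_client_payload", "mean_iat_s", "log10_client_bytes_per_s"]


def make_flow(kind: str, flow_id: str, seed: int) -> List[Packet]:
    """Constructed packet trace for one flow; the traffic shapes are assumptions."""
    rng, pkts, t = random.Random(seed), [], 0.0

    def emit(direction: str, size: int, gap: float) -> None:
        nonlocal t
        pkts.append((flow_id, t, direction, size))
        t += gap

    if kind == "legit":
        # GET, three full-size response segments, the tail segment, a second GET.
        for d, size in [("c", rng.randint(380, 460)), ("s", 1460), ("s", 1460), ("s", 1460),
                        ("s", rng.randint(700, 1100)), ("c", rng.randint(380, 460))]:
            emit(d, size, rng.uniform(0.03, 0.07))
    elif kind == "slowheaders":
        # Header never terminated: one "X-a: b\r\n" line every ~10 s, no reply.
        for _ in range(rng.randint(28, 32)):
            emit("c", rng.randint(6, 12), rng.uniform(9, 11))
    elif kind == "slowbody":
        # Complete POST header with a large Content-Length, then 1-4 byte body crumbs.
        emit("c", rng.randint(280, 340), rng.uniform(9, 11))
        for _ in range(rng.randint(28, 32)):
            emit("c", rng.randint(1, 4), rng.uniform(9, 11))
    elif kind == "slowread":
        # Normal GET; a tiny client receive window throttles the reply to a trickle.
        emit("c", rng.randint(380, 460), rng.uniform(7, 9))
        for _ in range(rng.randint(28, 32)):
            emit("s", rng.randint(4, 16), rng.uniform(7, 9))
    return pkts


def flow_features(pkts: List[Packet]) -> List[float]:
    """Feature vector in FEATURES order; the 1 ms duration floor avoids divide-by-zero."""
    times = sorted(p[1] for p in pkts)
    client = [p[3] for p in pkts if p[2] == "c"]
    server = [p[3] for p in pkts if p[2] == "s"]
    duration = max(times[-1] - times[0], 1e-3)
    iats = [b - a for a, b in zip(times, times[1:])]
    return [duration, len(client), len(server), sum(client) / max(len(client), 1),
            max(client, default=0), sum(iats) / len(iats) if iats else 0.0,
            math.log10(1 + sum(client) / duration)]


def extract_flows(packets: List[Packet]) -> Dict[str, List[float]]:
    by_flow: Dict[str, List[Packet]] = defaultdict(list)
    for p in packets:
        by_flow[p[0]].append(p)
    return {fid: flow_features(ps) for fid, ps in by_flow.items()}


class KNN:
    """k-nearest neighbours on z-scored features; scaling stats come from training only."""
    def __init__(self, X: List[List[float]], y: List[str], k: int = 3) -> None:
        cols = list(zip(*X))
        self.mu = [sum(c) / len(c) for c in cols]
        self.sd = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
                   for c, m in zip(cols, self.mu)]
        self.X, self.y, self.k = [self._z(x) for x in X], list(y), k

    def _z(self, x: List[float]) -> List[float]:
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    def predict(self, x: List[float]) -> str:
        dists = sorted((math.dist(self._z(x), xi), yi) for xi, yi in zip(self.X, self.y))
        votes: Dict[str, int] = defaultdict(int)
        for _, label in dists[:self.k]:
            votes[label] += 1
        return max(votes, key=votes.__getitem__)


def build_dataset(seeds, tag: str) -> Tuple[List[Packet], Dict[str, str]]:
    packets, labels = [], {}
    for i, kind in enumerate(KINDS):
        for s in seeds:
            fid = f"{tag}-{kind}-{s}"
            packets += make_flow(kind, fid, 1000 * i + s)
            labels[fid] = kind
    return packets, labels


def train_and_classify(train_seeds=range(5), test_seeds=range(100, 103), k: int = 3):
    """Fit on one synthetic set, label a disjoint one; returns (predicted, truth)."""
    packets, labels = build_dataset(train_seeds, "train")
    feats = extract_flows(packets)
    model = KNN(list(feats.values()), [labels[f] for f in feats], k)
    test_packets, truth = build_dataset(test_seeds, "test")
    return {f: model.predict(v) for f, v in extract_flows(test_packets).items()}, truth
```

Two choices matter for a detector like this. The scaling statistics (mean and standard deviation per feature) are fitted on the training flows only and then applied to the test flows, so the evaluation does not leak test information into the model. The client byte rate is log-scaled because the raw bytes-per-second of legitimate flows is heavy-tailed and would otherwise dominate the Euclidean distance; the three slow attacks all sit near zero on that axis, and the remaining features (server packets for slowread, maximum client payload for slowbody versus slowheaders) are what separate them from each other.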