Detection of DDoS Attack Traffic on Web Servers

Authors

DOI:

https://doi.org/10.31891/2219-9365-2025-84-22

Keywords:

detection, web resource, Flood traffic, DDoS attack, SYN-Flood, UDP-Flood, HTTP-Flood, spline approximation, cubic spline function, machine learning, k-nearest neighbors

Abstract

The paper addresses the problem of detecting DDoS (Distributed Denial of Service) attacks based on Flood traffic, including SYN-Flood, UDP-Flood, and HTTP-Flood types, which aim to overload and disable web resources. It is established that efficient DDoS detection can be achieved through continuous traffic monitoring and analysis of the anomalies caused by malicious flows. A novel approach is proposed for detecting harmful Flood traffic using spline approximation based on cubic spline functions, followed by the classification of legitimate and malicious traffic via the k-nearest neighbors (k-NN) machine learning algorithm. This method allows accurate detection of the onset of DDoS attacks and supports timely decision-making to modify network traffic control strategies during an attack.

The study analyzes HTTP(S) GET-Flood attacks at the application (L7) layer, which overwhelm web servers with numerous HTTP requests, making them unable to process legitimate user connections. Using cubic spline interpolation, traffic anomalies are detected through intensity spikes within specific time intervals. The proposed spline-based approximation identifies abrupt traffic surges corresponding to the start of DDoS activity. The subsequent classification stage, implemented in the Weka 3.8.6 environment using k-NN, achieves a correlation coefficient of 0.88, with mean absolute and root mean square errors confirming high detection accuracy.

Experimental results show that the mean absolute error (MSE) of classification equals 21.7% for legitimate traffic and 14.7% for malicious HTTP GET requests, proving the efficiency of the proposed two-stage detection model. The spline-based DDoS detection combined with k-NN classification provides an effective and computationally efficient mechanism for real-time recognition of Flood-based cyberattacks and enhances network resilience by supporting adaptive traffic management strategies.
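The two-stage idea summarized above, as an added example that is not the authors' code: a natural cubic spline is fitted to per-second HTTP GET counts, the onset is taken as the first sample whose spline slope exceeds a threshold, and an interval is then labelled by k-NN. The sample counts, the slope threshold, the (intensity, slope) feature pair, the training points and all function names are assumptions made for illustration; the abstract does not specify them.

```python
# Added illustration, not the paper's code. Stage 1: natural cubic spline over
# equally spaced request counts, onset = first knot with slope above a threshold.
# Stage 2: k-NN vote over assumed (intensity, slope) features.
from collections import Counter
from math import dist

def spline_slopes(y, h=1.0):
    """Slopes S'(t_i) of the natural cubic spline through equally spaced samples y."""
    n = len(y)
    sub = [0.0] + [1.0] * (n - 1)
    diag = [2.0] + [4.0] * (n - 2) + [2.0]
    sup = [1.0] * (n - 1) + [0.0]
    rhs = ([3.0 * (y[1] - y[0]) / h]
           + [3.0 * (y[i + 1] - y[i - 1]) / h for i in range(1, n - 1)]
           + [3.0 * (y[-1] - y[-2]) / h])
    for i in range(1, n):                      # Thomas algorithm: forward elimination
        w = sub[i] / diag[i - 1]
        diag[i] -= w * sup[i - 1]
        rhs[i] -= w * rhs[i - 1]
    m = [0.0] * n
    m[-1] = rhs[-1] / diag[-1]
    for i in range(n - 2, -1, -1):             # back substitution
        m[i] = (rhs[i] - sup[i] * m[i + 1]) / diag[i]
    return m

def attack_onset(y, threshold, h=1.0):
    """Index of the first sample whose spline slope exceeds threshold, else None."""
    return next((i for i, s in enumerate(spline_slopes(y, h)) if s > threshold), None)

def knn_label(point, training, k=3):
    """Majority label among the k training points nearest to `point` (Euclidean)."""
    nearest = sorted(training, key=lambda item: dist(point, item[0]))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]

# Constructed sample: GET requests per second, with a flood starting near t = 8 s.
COUNTS = [40, 42, 39, 41, 40, 43, 41, 40, 250, 900, 1500, 1600, 1580, 1610]
# Constructed labelled training points: ((requests/s, slope), label).
TRAINING = [((40, 0), "legitimate"), ((45, 3), "legitimate"), ((38, -2), "legitimate"),
            ((50, 5), "legitimate"), ((200, 300), "flood"), ((250, 450), "flood"),
            ((300, 400), "flood"), ((900, 700), "flood"), ((1500, 350), "flood"),
            ((1600, -20), "flood")]

if __name__ == "__main__":
    slopes = spline_slopes(COUNTS)
    onset = attack_onset(COUNTS, threshold=100.0)
    print("onset at t =", onset)
    for t in (3, onset, 10):
        print(t, COUNTS[t], round(slopes[t], 1), knn_label((COUNTS[t], slopes[t]), TRAINING))
```

Because the spline is a global fit, the slope one sample before the surge is already elevated, so the threshold has to sit above that pre-surge ringing to avoid reporting the onset early.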

Published

2025-12-11

How to Cite

Strelkovskaya І., Solovskaya І., & Strelkovska Ю. (2025). Detection of DDoS Attack Traffic on Web Servers. MEASURING AND COMPUTING DEVICES IN TECHNOLOGICAL PROCESSES, 84(4), 203–210. https://doi.org/10.31891/2219-9365-2025-84-22