Detecting Flooding DDoS Under Flash Crowds Based on Mondrian Forest

  • Degang Sun
  • Kun Yang
  • Zhixin Shi
  • Yan Wang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10251)


Flooding Distributed Denial of Service (DDoS) attacks can cause huge damage to the Internet, and their traffic has much similarity with Flash Crowds (FC). Traditional machine learning methods usually perform better in offline processing; however, they cannot process huge volumes of data that cannot be loaded into memory at one time, and they cannot auto-update the model in time. In this paper, a streaming detection mechanism based on an online random forest, the Mondrian Forest, is proposed to solve this problem. Firstly, a deep analysis of the client characteristics of DDoS and FC is carried out to find anomalous traffic behaviours in the network layer. Based on this analysis, a new feature set is derived to describe the client behaviour of DDoS and FC. Then a streaming detection mechanism employing the online random forest on the new feature set is proposed. To evaluate this method, a comparison with the traditional offline batch-processing method, Random Forest, is carried out on two public real-world datasets. The results show that even though this method has a slightly lower accuracy, around 93% on the test data, it can be trained in a streaming way which does not need to load all data into memory at one time and can update itself automatically over time, which is more applicable to Big Data situations.
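The streaming pipeline the abstract describes, as an added illustration that is not the paper's code: per-client network-layer behaviour is summarised by a constant-memory accumulator, and the classifier is updated one client record at a time instead of being fitted on a dataset held in memory. The Mondrian Forest itself is stood in for by an online logistic regression trained with SGD (the property being demonstrated, incremental `partial_fit`-style training, is the same); the feature names (log packet rate, mean packet size, inter-arrival regularity), the client traces and the labels are assumptions and constructed data, not the paper's feature set or its CAIDA / World Cup datasets.

```python
"""Streaming flooding-DDoS vs flash-crowd detection sketch.

Added illustration, not the paper's code. The paper's Mondrian Forest is stood
in for by an online logistic regression updated with SGD: like the Mondrian
Forest it learns one record at a time, so the training data never has to be
loaded into memory at once. Feature names, traffic parameters and the client
traces below are assumptions and constructed data.
"""
import math
import random


class ClientProfile:
    """O(1)-memory accumulator of one client's network-layer behaviour."""

    def __init__(self):
        self.pkts = 0
        self.bytes = 0
        self.first_ts = None
        self.last_ts = None
        self.gap_n = 0          # inter-arrival gaps seen so far
        self.gap_mean = 0.0     # Welford running mean of gaps
        self.gap_m2 = 0.0       # Welford running sum of squared deviations

    def add_packet(self, ts, size):
        self.pkts += 1
        self.bytes += size
        if self.first_ts is None:
            self.first_ts = ts
        else:
            gap = ts - self.last_ts
            self.gap_n += 1
            delta = gap - self.gap_mean
            self.gap_mean += delta / self.gap_n
            self.gap_m2 += delta * (gap - self.gap_mean)
        self.last_ts = ts

    def features(self):
        """Hypothetical feature vector: log packet rate, mean size, gap regularity."""
        duration = max(self.last_ts - self.first_ts, 1e-3)
        rate = self.pkts / duration
        mean_size = self.bytes / self.pkts
        var = self.gap_m2 / self.gap_n if self.gap_n > 1 else 0.0
        cv = math.sqrt(var) / self.gap_mean if self.gap_mean > 0 else 0.0
        return [math.log1p(rate), mean_size / 1500.0, cv]


class OnlineLogReg:
    """Online learner with partial_fit; a stand-in for the Mondrian Forest."""

    def __init__(self, n_features, lr=0.1):
        self.w = [0.0] * n_features
        self.b = 0.0
        self.lr = lr

    def predict_proba(self, x):
        z = sum(wi * xi for wi, xi in zip(self.w, x)) + self.b
        z = max(-30.0, min(30.0, z))           # avoid overflow in exp
        return 1.0 / (1.0 + math.exp(-z))

    def partial_fit(self, x, y):
        g = self.predict_proba(x) - y          # gradient of the log loss
        for i, xi in enumerate(x):
            self.w[i] -= self.lr * g * xi
        self.b -= self.lr * g

    def predict(self, x):
        return 1 if self.predict_proba(x) >= 0.5 else 0


def gen_client_trace(rng, is_attack):
    """Constructed (timestamp, bytes) packets for one client."""
    ts = rng.uniform(0.0, 5.0)
    if is_attack:                          # scripted flood: fast, regular, tiny packets
        for _ in range(rng.randint(200, 400)):
            ts += rng.uniform(0.0009, 0.0011)
            yield ts, rng.randint(40, 80)
    else:                                  # flash-crowd user: bursty, larger packets
        for _ in range(rng.randint(20, 60)):
            ts += rng.expovariate(1.0 / 0.3)
            yield ts, rng.randint(200, 1400)


def client_stream(n_clients, seed):
    """Yields (feature_vector, label) one client at a time; nothing is retained."""
    rng = random.Random(seed)
    for _ in range(n_clients):
        label = 1 if rng.random() < 0.5 else 0
        profile = ClientProfile()
        for ts, size in gen_client_trace(rng, label == 1):
            profile.add_packet(ts, size)
        yield profile.features(), label


def run_demo(n_train=600, n_test=200, seed=7):
    """Single pass over the training stream, then accuracy on a held-out stream."""
    model = OnlineLogReg(n_features=3)
    for x, y in client_stream(n_train, seed):     # labels assumed available
        model.partial_fit(x, y)
    correct = 0
    for x, y in client_stream(n_test, seed + 1):
        correct += int(model.predict(x) == y)
    return {"accuracy": correct / n_test, "weights": model.w, "bias": model.b}


if __name__ == "__main__":
    print(run_demo())
```

The point of the sketch is the shape of the loop, not the learner: every client record is consumed once by `partial_fit` and discarded, so memory is bounded by the model and the per-client profile currently open, and the model keeps adapting as newer records arrive. Swapping `OnlineLogReg` for a Mondrian Forest implementation changes only the learner class.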


Keywords: Flooding DDoS, Flash crowds, Real-time detection, Online random forest, User behavior analysis



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
