RUDY Attack: Detection at the Network Level and Its Important Features

Compared to common DoS/DDoS attacks that are destructive and generate massive traffic, the application layer DoS attacks can be slow-and-low which means they occur at a slow rate and do not generate a massive amount of traffic. These attacks appear legitimate in terms of the protocol rules and rates. These characteristics make the detection of these attacks difficult. In this paper, we study the RUDY (R-U-DeadYet) attack which is one of the slow-and-low application layer attack types. RUDY attacks can bring down a server by creating long POST HTTP form submissions to the server at a very slow rate which results in application threads at the server side becoming stuck. The mitigation methods against RUDY attacks are mostly host-based. In this paper, we use a machine learning approach for the detection of RUDY attacks as well as determining the important features for their detection at the network level. The network level detection is scalable and it provides detection for hosts that do not have their own detection mechanism. We extract features from bi-directional instances of the network traffic. We then use an ensemble feature selection approach containing 10 different feature ranker methods in order to extract the most important features for the detection of RUDY attacks at the network level.