Using Gated Recurrent Unit Recurrent Neural Network for Detection of HTTP Flood Attack

Abstract

The HTTP flood attacks has been on the rise in disruption of digital services and infrastructure by cybercriminals using readily available DDoS execution tools on the internet. These attacks disrupt online services by bombarding web servers with HTTP Requests to deny legitimate users access to online services. Prevention of these attacks require proactive defense mechanism to differentiate malicious HTTP Requests from legitimate users HTTP Requests in real time, the increased number of online users require more resources for monitoring. Therefore, early detection of the attacks can be utilized to implement reactive mechanism to reduce the effect of attacks by preventing escalation and reduce losses incurred by the online businesses. This research paper presents the use of GRU model to predict Web Server access logs patterns for early detection of the HTTP Flood Attacks. The hidden state in GRU provides memory of past events to enable accurate prediction of attacks based on past trends of HTTP Requests frequency in the Web Server. The model was trained on Web Server Access Logs dataset through multivariate regression analysis and prediction of HTTP Request frequency. This involved analysis of 10,365,093 HTTP Requests from ‘WEB SERVER ACCESS LOG’ dataset and 47,742 HTTP Requests from ‘EPA-HTTP’ dataset. The GRU model prediction was able to achieve the Mean Absolute Error of 0.0188 and 0.0149 respectively indicating high prediction accuracy. Further comparison with LSTM Model using the same hyperparameters and the two datasets, indicated slightly high accuracy of GRU Model of 0.0188 against 0.019 for LSTM Model for the Web Server Access Log dataset and 0.0149 for the GRU model against 0.0158 for the LSTM model using the EPA-HTTP dataset. This research shows that the Gated Recurrent Unit (GRU) simplified modern architecture of LSTM Model can be deployed to detect HTTP Flood Attacks fast by predicting frequency of HTTP Requests Methods received by the Web Server. The highspeed performance and increased accuracy of GRU will enable the analysis of huge the access logs with efficient utilization of resources for real time detection of attacks when they occur.