Table 4 Summary of features relevant to the detection of DoW attacks.
| Feature | Description | Relevance to DoS/DDoS attacks |
|---|---|---|
| ID | Unique identifier for every entry. | Assists in tracking particular requests and analyzing attack patterns. |
| IP | SOURCE_IP address. | Used to identify the origin of attack requests; a high request frequency from one address may indicate bot activity. |
| Bot | FLAG_if_IP_is_Bot (TRUE/FALSE). | The presence of a bot is a key indicator of automated attack traffic. |
| FunctionId | Identifier of the specific function being triggered. | Function call patterns can help detect unusual requests that indicate an attack. |
| FunctionTrigger | FUNCTION_Trigger (e.g., notification). | Anomalous function triggers may be a sign of malicious activity. |
| Timestamp | TIMESTAMP_Request. | Helps pinpoint the time of an attack and correlate it with traffic spikes. |
| SubmitTime | TIME_to_Submit a request. | Longer submission times may hint at attack attempts such as flooding. |
| Round-Trip Time (RTT) | TIME_for_Signal to travel to the destination and back. | High RTT values may indicate network congestion caused by an attack. |
| InvocationDelay | DELAY_before_Function_Invoke. | Increased delays may suggest throttling caused by attack traffic. |
| ResponseDelay | The time between receiving the request and sending a response. | Response delays indicate resource saturation, which is typical of DoS/DDoS. |
| FunctionDuration | DURATION_Function_Runs. | Long durations reflect attacks that overload system functions. |
| ActiveFunctionsAtRequest | ACTIVEFUNCTIONS_during_Request. | Higher counts could indicate system stress from attack traffic. |
| ActiveFunctionsAtResponse | Number of active functions at the time of response. | A higher count may indicate overloading, revealing DoS attacks. |
| MaxCPU | MAX_CPU_USAGE during the request. | Elevated CPU usage may indicate resource exhaustion from an attack. |
| AvgCPU | AVG_CPU_USAGE during the request. | Higher average CPU usage can indicate a DoS/DDoS attack. |
| P95MaxCPU | The 95th percentile of maximum CPU usage. | Highlights outliers in CPU usage and helps detect spikes caused by attacks. |
| VMCategory | Category of virtual machine (e.g., Delay-insensitive). | VM classes help correlate attack types, such as delay-sensitive traffic overload. |
| VMCoreCountBucket | CPU_No. cores in the VM bucketed into categories. | Unusual core usage patterns may indicate resource hogging by attack traffic. |
| VMMemoryBucket | Bucket for VM memory allocation. | Memory usage spikes may indicate resource exhaustion during an attack. |
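As an added illustration, not code from the paper, the following Python screens request records that carry a subset of the Table 4 features (IP, Bot, Timestamp, RTT, MaxCPU), grouping them per source IP and applying one simple rule per feature; the sample records and the thresholds are constructed assumptions, not values from the paper's dataset.

```python
import csv
from collections import defaultdict
# Constructed sample records using the Table 4 field names (not real data).
SAMPLE_CSV = """ID,IP,Bot,FunctionId,Timestamp,RTT,MaxCPU
1,10.0.0.5,FALSE,f1,1000,20,40
2,10.0.0.5,FALSE,f1,1030,22,42
3,198.51.100.7,TRUE,f1,1001,90,97
4,198.51.100.7,TRUE,f1,1002,95,98
5,198.51.100.7,TRUE,f2,1003,99,99
"""
# Assumed screening thresholds (illustrative, not taken from the paper).
WINDOW_SECONDS = 10          # burst window for per-IP request counting
MAX_REQUESTS_PER_WINDOW = 2  # more than this from one IP in a window = burst
RTT_LIMIT = 80               # ms; average RTT above this suggests congestion
CPU_LIMIT = 90               # percent; MaxCPU above this suggests exhaustion

def load_rows(text):
    rows = list(csv.DictReader(text.splitlines()))
    for r in rows:
        for key in ("Timestamp", "RTT", "MaxCPU"):
            r[key] = int(r[key])  # numeric features arrive as strings
    return rows

def max_burst(timestamps):
    # Largest number of requests falling inside any WINDOW_SECONDS-long window.
    ts = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(ts):
        while t - ts[start] > WINDOW_SECONDS:
            start += 1
        best = max(best, end - start + 1)
    return best

def screen(rows):
    # Group by source IP, apply one rule per feature, return {ip: [reasons]}.
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["IP"]].append(r)
    flagged = {}
    for ip, recs in by_ip.items():
        rules = {
            "burst": max_burst(r["Timestamp"] for r in recs) > MAX_REQUESTS_PER_WINDOW,
            "bot": any(r["Bot"].upper() == "TRUE" for r in recs),
            "rtt": sum(r["RTT"] for r in recs) / len(recs) > RTT_LIMIT,
            "cpu": max(r["MaxCPU"] for r in recs) > CPU_LIMIT,
        }
        reasons = [name for name, hit in rules.items() if hit]
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Each rule mirrors the relevance column of one feature, so the reasons list shows which features contributed to a flag rather than a single opaque score.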