Detection on application layer DDoS using random walk model

Application Layer Distributed Denial of Service (ALDDoS) attacks have been increasing rapidly with the growth of botnets and ubiquitous computing. Unlike earlier DDoS attacks, ALDDoS attacks cannot be efficiently detected, because attackers always send legitimate requests from real IP addresses, and the resulting traffic is highly similar to legitimate traffic. Despite that, we argue that the attackers' browsing behavior differs greatly from that of legitimate users. In this paper, we put forward a novel user-behavior-based method to detect application layer asymmetric DDoS attacks. We introduce an extended random walk model to describe user browsing behavior and establish the legitimate pattern of browsing sequences. For each incoming client, we observe its page request sequence and predict the subsequent page request sequence based on the random walk model. The similarity between the predicted and the observed page request sequences is used as a criterion to measure the legitimacy of the user, and attackers are then detected based on it. Evaluation results on a real collected data set demonstrate that our method is very effective in detecting asymmetric ALDDoS attacks.
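The detection idea in the abstract, as an added example that is not the paper's code: a first-order random walk (transition matrix) over pages is estimated from constructed legitimate sessions, and each new session is scored by how much probability the walk assigned to the page transitions actually observed. The concrete similarity score (mean transition probability, with additive smoothing and a fixed threshold) is an assumption standing in for the paper's extended random walk model and its similarity measure, and the session data are constructed, not the paper's data set.

```python
from collections import defaultdict

# Constructed legitimate browsing sessions (page ids), not real traffic.
LEGIT_SESSIONS = [
    ["home", "catalog", "item", "cart", "checkout"],
    ["home", "catalog", "item", "item", "cart"],
    ["home", "search", "item", "cart", "checkout"],
    ["home", "catalog", "item", "catalog", "item"],
    ["home", "search", "item", "home", "catalog"],
]


def train_random_walk(sessions, alpha=0.1):
    """Estimate P(next page | current page) from page request sequences.

    Additive smoothing (alpha) keeps transitions never seen in legitimate
    traffic from scoring exactly zero, so one odd click is not fatal.
    """
    pages = sorted({p for s in sessions for p in s})
    counts = defaultdict(lambda: defaultdict(int))
    for s in sessions:
        for cur, nxt in zip(s, s[1:]):
            counts[cur][nxt] += 1
    model = {}
    for cur in pages:
        total = sum(counts[cur].values()) + alpha * len(pages)
        model[cur] = {nxt: (counts[cur][nxt] + alpha) / total for nxt in pages}
    return model


def session_similarity(model, session):
    """Mean probability the walk assigned to each observed next page.

    A session that follows the legitimate browsing pattern moves along
    high-probability transitions; an attacker hammering one expensive page
    (asymmetric ALDDoS) follows transitions the walk rarely predicts.
    Pages unseen in training fall back to a uniform guess (assumption).
    """
    if len(session) < 2:
        return 1.0  # too short to judge; treat as legitimate (assumption)
    uniform = 1.0 / len(model)
    probs = [model.get(cur, {}).get(nxt, uniform)
             for cur, nxt in zip(session, session[1:])]
    return sum(probs) / len(probs)


def classify(model, session, threshold=0.3):
    """Flag a session as 'attacker' when its similarity falls below threshold."""
    return "legitimate" if session_similarity(model, session) >= threshold else "attacker"
```

The model is trained once on legitimate sessions and then applied per client; the threshold (here 0.3) would in practice be tuned on held-out legitimate traffic to bound the false-positive rate.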
