Next Generation Application-Layer DDoS Defences: Applying the Concepts of Outlier Detection in Data Streams with Concept Drift

The existing state of the art in the field of application-layer DDoS protection is generally designed, and thus effective, only for static Web-domains. To the best of our knowledge, this paper is the first to study the problem of application-layer DDoS defense in Web-sites of dynamic content and/or organization and under non-trivial bot (i.e., attack) behavior. The main contributions of the paper are threefold: 1) we provide a detailed taxonomy of the existing and next-generation application-layer HTTP-based DDoS attacks; 2) we discuss the relevance of a branch of data mining theory -- known as data streams with concept drift -- to the problem of application-layer DDoS defense in dynamic Web-domains; and 3) we present the outline of our next-generation anti-DDoS system, which is intended for dynamic Web-domains facing different sophisticated variants of application-layer DDoS attacks. The paper also includes some of our preliminary experimental results concerning the detection of malicious Web-users/sessions using the proposed system.
