Application layer DDoS attack detection using cluster with label based on sparse vector decomposition and rhythm matching

Distributed Denial of Service (DDoS) attacks have been one of the greatest threats to network security for years. In recent years, DDoS attackers have turned to the application layer, which makes DDoS attack detection systems based on the network layer and transport layer lose their effectiveness. In this layer, Web services are the most vulnerable application. In this study, we analyze the differences between users' behaviors: we extract two feature sequences from Web logs to represent the characteristics of user behavior, and then present an application layer DDoS attack detection system architecture based on these feature sequences. This architecture is divided into two parts, and we propose a detection method for each part. In particular, we treat each user's request frequency sequence as a sparse vector and put forward a classification algorithm called sparse vector decomposition and rhythm matching (SVD-RM). This algorithm fully accounts for the discrepancies in access behavior among different users. A clustering algorithm with labels, called L-Kmeans, is also proposed as the embedded classifier in SVD-RM. Finally, we simulate four kinds of prevalent application layer DDoS attacks and conduct experiments to verify the effectiveness of our methods. Experimental results show that the proposed methods distinguish well between legitimate users and attackers at the application layer. Copyright © 2015 John Wiley & Sons, Ltd.
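The abstract's pipeline, reduced to its two concrete steps, is: turn raw Web log lines into a per-client request-frequency sequence (requests per time bin, which is sparse for a human browser and dense for a flooding client), then classify those sequences with a clustering step that is seeded by labelled samples. The block below is an added illustration of that general idea written for this page; it is not the paper's SVD-RM or L-Kmeans, whose definitions are not given here. The Common Log Format parser, the one-second binning, the seeding of k-means centroids from labelled clients, and the sample log lines are all assumptions constructed for the example.

```python
"""Per-client request-frequency sequences from web logs plus a labelled k-means
classifier. Illustrative code for this page, not the paper's algorithm."""
import math
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: client identd user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Return (client_ip, unix_time) for every well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
        records.append((m.group("ip"), ts))
    return records


def frequency_sequences(records, bin_seconds=1.0, n_bins=10):
    """Requests per time bin for each client over a window starting at the first record.
    A browsing human leaves most bins at zero, so the sequence is a sparse vector;
    a flooding client fills every bin."""
    if not records:
        return {}
    t0 = min(ts for _, ts in records)
    seqs = defaultdict(lambda: [0] * n_bins)
    for ip, ts in records:
        b = int((ts - t0) // bin_seconds)
        if 0 <= b < n_bins:
            seqs[ip][b] += 1
    return dict(seqs)


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _mean(vectors, dim):
    if not vectors:
        return [0.0] * dim
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(dim)]


def labelled_kmeans(vectors, labels, iters=20):
    """k-means whose centroids are seeded by labelled clients (assumed reading of
    'cluster with label'). Labelled clients keep their label; unlabelled ones go to
    the nearest centroid. Returns {client: label} for every client in `vectors`."""
    dim = len(next(iter(vectors.values())))
    classes = sorted(set(labels.values()))
    assign = dict(labels)
    centroids = {c: _mean([vectors[n] for n, l in labels.items() if l == c], dim) for c in classes}
    for _ in range(iters):
        for name, vec in vectors.items():
            if name in labels:
                continue
            assign[name] = min(classes, key=lambda c: _dist(vec, centroids[c]))
        new = {c: _mean([vectors[n] for n, l in assign.items() if l == c], dim) for c in classes}
        if new == centroids:
            break
        centroids = new
    return assign


def classify_log(text, known_labels):
    """Full pipeline: log text -> frequency sequences -> label per client."""
    return labelled_kmeans(frequency_sequences(parse_log(text)), known_labels)


def _line(ip, second, path):
    return f'{ip} - - [10/Oct/2015:13:55:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample (not data from the paper): two browsing clients, two clients
# sending three requests every second, and one malformed line.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.1", s, "/index.html") for s in (0, 0, 4, 7)]
    + [_line("10.0.0.2", s, "/about.html") for s in (1, 5, 9)]
    + [_line("10.0.0.9", s, "/search?q=x") for s in range(10) for _ in range(3)]
    + [_line("10.0.0.10", s, "/search?q=y") for s in range(10) for _ in range(3)]
    + ["garbage line that should be skipped"]
)

# Only one client of each kind is labelled; the other two are classified by proximity.
KNOWN = {"10.0.0.1": "legal", "10.0.0.9": "attack"}

if __name__ == "__main__":
    for ip, seq in sorted(frequency_sequences(parse_log(SAMPLE_LOG)).items()):
        print(ip, seq)
    print(classify_log(SAMPLE_LOG, KNOWN))
```

With one-second bins the legitimate clients' sequences are mostly zeros while the flooding clients' are uniformly 3, so even plain Euclidean distance to the seeded centroids separates them; the paper's rhythm-matching step is aimed at the harder case where an attacker's rate is close to a human's, which this toy distance does not address.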
