Feature extraction and construction of application layer DDoS attack based on user behavior

Distributed Denial of Service (DDoS) has been one of the greatest threats to network security for years. In recent years, DDoS attackers have turned to the application layer, which causes DDoS attack detection systems based on the network layer and transport layer to lose their effectiveness. At this layer, the Web service is the most vulnerable application. This paper analyzes the differences in user behavior as recorded in web logs. We propose a series of features that characterize user behavior, and then transform web logs, which contain records of both authentic legitimate users and attackers, into a 14-dimensional feature space. In particular, through this transformation, our work aims to obtain a better representation of users' behaviors, as well as to investigate the relative differences and/or similarities between DDoS attackers and normal users. Finally, we simulated four kinds of prevalent application layer DDoS attacks and conducted experiments using three classical data mining classification algorithms to verify the effectiveness of our method. Experimental results show that the proposed features distinguish legitimate users from attackers well at the application layer.
