HTTP-sCAN: Detecting HTTP-flooding attack by modeling multi-features of web browsing behavior from noisy web-logs

An HTTP-flooding attack disables the victimized web server by sending it a large number of HTTP GET requests. Recent research tends to detect HTTP-flooding with anomaly-based approaches, which detect HTTP-flooding by modeling the behavior of normal web surfers. However, most existing anomaly-based detection approaches cannot filter out the web-crawling traces of unknown search bots that are mixed into normal web-browsing logs. These web-crawling traces bias the baseline profile of an anomaly-based scheme during its training phase and so degrade its detection performance. This paper proposes a novel method for building a baseline profile that tolerates web-crawling traces, and designs a new anomaly-based HTTP-flooding detection scheme (abbreviated HTTP-sCAN). The simulation results show that HTTP-sCAN is immune to interference from unknown web-crawling traces and detects all HTTP-flooding attacks.
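As an added illustration, not the paper's HTTP-sCAN algorithm (whose features and profiling method the abstract does not spell out), the following Python script reproduces the effect the abstract describes on constructed data: per-client features are extracted from web-server log lines, a baseline built with mean and standard deviation is skewed by an unknown crawler present in the training logs, and a crawler-tolerant baseline built with median and MAD (a robust-statistics choice assumed here, not taken from the paper) still flags a GET flood that the skewed baseline lets through. All log lines, IP addresses, feature choices and thresholds are constructed for the example.

```python
"""Per-client web-log features and a crawler-tolerant baseline profile for
HTTP-GET flood detection (added example; not the paper's HTTP-sCAN code)."""
import re
import statistics
from collections import defaultdict

# Apache "combined" log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Requests for these extensions count as embedded objects, not page views.
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff")


def make_log(ip, pages, assets, page_path=None, ua="Mozilla/5.0"):
    """Constructed log lines for one client: `pages` page fetches (all for
    `page_path` if given) plus `assets` embedded-object fetches."""
    ts = "10/Oct/2023:13:55:00 +0000"
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 1024 "-" "{ua}"'
    paths = [page_path or f"/page{i}.html" for i in range(pages)]
    paths += [f"/asset{i}.css" for i in range(assets)]
    return [fmt.format(ip=ip, ts=ts, path=p, ua=ua) for p in paths]


def extract_features(lines):
    """Return {ip: (request_count, page_ratio)} for one log window, where
    page_ratio is the share of GETs for pages rather than embedded objects."""
    count, pages = defaultdict(int), defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # skip malformed lines and non-GET methods
        count[m["ip"]] += 1
        if not m["path"].lower().endswith(ASSET_EXT):
            pages[m["ip"]] += 1
    return {ip: (count[ip], pages[ip] / count[ip]) for ip in count}


def naive_profile(features):
    """Mean/std per feature: every training record, crawler or not, pulls
    the centre and widens the scale (the bias the abstract describes)."""
    cols = zip(*features.values())
    return [(statistics.mean(c), max(statistics.stdev(c), 1e-9)) for c in cols]


def robust_profile(features):
    """Median/MAD per feature: a minority of crawler records barely moves
    either statistic, so the baseline stays that of ordinary browsers."""
    profile = []
    for c in zip(*features.values()):
        med = statistics.median(c)
        mad = statistics.median(abs(x - med) for x in c)
        # MAD of 0 (identical training values) would make every deviation
        # infinite; floor the scale so scoring stays finite.
        profile.append((med, max(1.4826 * mad, 1e-9)))
    return profile


def anomaly_score(record, profile):
    """Largest standardised deviation across all features of one client."""
    return max(abs(x - centre) / scale
               for x, (centre, scale) in zip(record, profile))


def detect(profile, features, threshold=3.0):
    """Sorted list of clients whose score exceeds the threshold."""
    return sorted(ip for ip, rec in features.items()
                  if anomaly_score(rec, profile) > threshold)


# Constructed training window: three browsers (a page view pulls in a few
# embedded objects) plus one unknown crawler that fetches 30 pages and no
# objects while presenting an ordinary browser user-agent.
BROWSER_LOG = (make_log("10.0.0.1", pages=2, assets=5)
               + make_log("10.0.0.2", pages=2, assets=6)
               + make_log("10.0.0.3", pages=2, assets=8))
TRAINING_LOG = BROWSER_LOG + make_log("10.0.0.9", pages=30, assets=0)
# Constructed test window: the same browsers plus one client repeating a
# single page fetch 40 times, the shape of a GET flood.
TEST_LOG = BROWSER_LOG + make_log("198.51.100.7", pages=40, assets=0,
                                  page_path="/index.html")

if __name__ == "__main__":
    train, test = extract_features(TRAINING_LOG), extract_features(TEST_LOG)
    print("naive baseline flags :", detect(naive_profile(train), test))
    print("robust baseline flags:", detect(robust_profile(train), test))
```

With the crawler in the training window the mean/std baseline is stretched far enough that the 40-request flooder scores below a threshold of 3 and is missed, while the median/MAD baseline still centres on the browsers and flags it; the browsers themselves stay under the threshold under both profiles.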
