Detection of application layer DDoS attack with clustering and likelihood analysis

One of the attacks observed against the HTTP protocol is the HTTP-GET attack, which uses sequences of requests to limit the accessibility of web servers. This attack is studied in this report, and a novel detection technique is developed to counter it. In general, the technique uses entropy-based clustering and likelihood analysis to distinguish between legitimate and attacking request sequences. It is shown that the introduced method allows the formation of recent patterns of behaviour observed at a web server, which remain unknown to the attackers. In addition, empirical analysis shows the stability of the clustering approach. Subsequently, the likelihood of web-session behaviour is used to measure how anomalous a web session is. The method performs reasonably well regardless of the browsing strategies and scope chosen by the attackers.
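The likelihood analysis described in the abstract, in outline, as an added example that is not the paper's own code or data: it learns a first-order page-transition model from past sessions (constructed placeholder data), scores each session by its average per-request log-likelihood, and reports the session's request entropy as the kind of feature an entropy-based clustering step would consume. The exact model, smoothing and threshold used in the report are not given on this page and are assumptions here.

```python
import math
from collections import Counter, defaultdict

# Constructed sample sessions (placeholder page names): the ordered list of
# pages requested in past sessions that were believed to be legitimate.
PAST_SESSIONS = [
    ["home", "products", "item", "cart", "checkout"],
    ["home", "products", "item", "item", "cart"],
    ["home", "about", "contact"],
    ["home", "products", "products", "item"],
    ["home", "item", "cart", "checkout"],
]
START, END = "<s>", "</s>"

def train_transition_model(sessions, alpha=0.5):
    """First-order model P(next page | current page) learned from sessions,
    with additive smoothing so unseen transitions keep a small probability."""
    pages = {p for s in sessions for p in s} | {END}
    counts = defaultdict(Counter)
    for s in sessions:
        seq = [START] + s + [END]
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    def prob(a, b):
        return (counts[a][b] + alpha) / (sum(counts[a].values()) + alpha * len(pages))
    return prob

def session_log_likelihood(prob, session):
    """Average log-probability per request; dividing by length keeps short and
    long sessions comparable on one threshold."""
    seq = [START] + session + [END]
    return sum(math.log(prob(a, b)) for a, b in zip(seq, seq[1:])) / (len(seq) - 1)

def request_entropy(session):
    """Shannon entropy (bits) of the pages requested in one session: a flood
    repeating one URL scores 0, a uniform walk over k URLs scores log2(k)."""
    n = len(session)
    return -sum(c / n * math.log2(c / n) for c in Counter(session).values())

def is_anomalous(prob, session, threshold=-1.5):
    """Flag a session whose behaviour is unlikely under the learned model
    (threshold is an assumed value; tune it on held-out legitimate sessions)."""
    return session_log_likelihood(prob, session) < threshold

if __name__ == "__main__":
    model = train_transition_model(PAST_SESSIONS)
    for s in (["home", "products", "item", "cart", "checkout"], ["item"] * 6):
        print(s, round(session_log_likelihood(model, s), 2),
              round(request_entropy(s), 2), is_anomalous(model, s))
```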
