Monitoring the Application-Layer DDoS Attacks for Popular Websites

Distributed denial of service (DDoS) attacks are a continuing critical threat to the Internet. Evolved from their lower-layer predecessors, new application-layer DDoS attacks that use legitimate HTTP requests to overwhelm victim resources are harder to detect. The problem is more serious when such attacks mimic, or occur during, a flash crowd event at a popular Website. Focusing on the detection of these new DDoS attacks, a scheme based on document popularity is introduced. An Access Matrix is defined to capture the spatial-temporal patterns of a normal flash crowd. Principal component analysis and independent component analysis are applied to reduce the multidimensional Access Matrix. A novel anomaly detector based on a hidden semi-Markov model is proposed to describe the dynamics of the Access Matrix and to detect the attacks. The entropy of document popularity, fitted to the model, is used to detect potential application-layer DDoS attacks. Numerical results based on real Web traffic data are presented to demonstrate the effectiveness of the proposed method.
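The Access Matrix and the document-popularity entropy described above, as an added Python example that is not the paper's code: it builds the matrix from constructed access-log lines (labelled as constructed) and, in place of the paper's hidden semi-Markov model, uses a simple mean/std band over training slots as the detector (an assumed simplification). The constructed attack slot keeps the same request volume as the flash-crowd slots, so volume alone cannot separate them, but the popularity entropy can.

```python
import math
from collections import defaultdict

DOCS = ["/index.html", "/news.html", "/about.html", "/img/a.png", "/img/b.png"]
WINDOW = 60  # seconds per time slot (assumed)

# Constructed per-slot request counts per document (not real traffic).
# Slots 0-2: a normal flash crowd with skewed, Zipf-like document popularity.
# Slot 3: a mimicking attack with the same volume (200 requests) but requests
# spread uniformly over documents, so the popularity pattern changes.
_COUNTS = [[100, 50, 25, 15, 10], [96, 52, 27, 14, 11],
           [104, 48, 24, 16, 8], [40, 40, 40, 40, 40]]

def constructed_log():
    """Emit constructed access-log lines '<epoch_sec> <client> <document>'."""
    lines = []
    for w, counts in enumerate(_COUNTS):
        k = 0
        for doc, n in zip(DOCS, counts):
            for _ in range(n):
                ts = w * WINDOW + (k * WINDOW) // 200
                lines.append(f"{ts} 10.0.{w}.{k % 250} {doc}")
                k += 1
    return lines

def access_matrix(lines, window=WINDOW):
    """Access Matrix: rows = time slots, columns = documents, entry = request count."""
    rows = defaultdict(lambda: [0] * len(DOCS))
    for line in lines:
        ts, _client, doc = line.split()
        rows[int(ts) // window][DOCS.index(doc)] += 1
    return [rows[w] for w in sorted(rows)]

def entropy_bits(counts):
    """Shannon entropy (bits) of one slot's document-popularity distribution."""
    total = sum(counts)
    return -sum(c / total * math.log2(c / total) for c in counts if c)

def detect(matrix, train_slots=3, min_margin=0.1):
    """Flag slots whose popularity entropy leaves the band learned from the
    training slots (mean +/- max(3*std, min_margin)); stands in for the HSMM."""
    h = [entropy_bits(row) for row in matrix]
    train = h[:train_slots]
    mean = sum(train) / len(train)
    std = math.sqrt(sum((x - mean) ** 2 for x in train) / len(train))
    margin = max(3 * std, min_margin)
    return [i for i, x in enumerate(h) if abs(x - mean) > margin]
```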
