Identifying Application-Layer DDoS Attacks Based on Request Rhythm Matrices

Application-layer distributed denial of service (AL-DDoS) attacks are becoming critical threats to websites because their stealth makes many intrusion prevention systems ineffective. To detect AL-DDoS attacks aimed at websites, we propose a novel statistical model called the RM (rhythm matrix). Although only the original features from the network layer are adopted as input, the access trajectory, including the requested objects and their corresponding dwell-time values, can be abstracted and accumulated into an RM. With an RM, we can compress these complex features almost losslessly into a simple structure and characterize user access behavior. We detect AL-DDoS attacks according to the increase of the abnormality degree of the RM and further identify malicious hosts based on change-rate outliers. In the experiments, we simulate three modes of AL-DDoS attacks with the latest popular DDoS attack tools, LOIC and HOIC. The results show that our method can detect these simulated attacks and identify the malicious hosts accurately and efficiently. For an AL-DDoS detection method, the ability to distinguish flash crowds is indispensable. We also demonstrate the excellent performance of our approach in distinguishing flash crowds from AL-DDoS attacks with two reconstructed public datasets.
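The following Python is an added illustration of the pipeline the abstract describes, not the paper's own code. It assumes a concrete RM layout (a matrix of (requested object, dwell-time bucket) counts accumulated from each host's access trajectory), takes the abnormality degree to be the total-variation distance from a baseline RM, and flags malicious hosts as change-rate outliers with a median/MAD rule; the access-log tuples, dwell-time bucket edges and host addresses are all constructed sample values.

```python
import statistics
from collections import Counter, defaultdict

# Constructed sample access logs as (host, timestamp_s, requested_object) tuples.
PATTERNS = [  # three normal browsing trajectories; dwell times differ per host
    [(0, "/index"), (3, "/about"), (13, "/contact")],
    [(1, "/index"), (5, "/about"), (14, "/contact")],
    [(2, "/index"), (4, "/about"), (25, "/contact")],
]
def browse(hosts):
    return [(h, t, o) for i, h in enumerate(hosts) for t, o in PATTERNS[i % 3]]

BASELINE = browse(["10.0.0.1", "10.0.0.2", "10.0.0.3"])
# Attack window: the same normal hosts plus one host requesting /search every 0.2 s.
ATTACK = BASELINE + [("203.0.113.9", 0.2 * i, "/search") for i in range(10)]
# Flash-crowd window: thirty new hosts, but each follows a normal trajectory.
FLASH = browse([f"10.0.1.{i}" for i in range(30)])
DWELL_EDGES = (1, 5, 20)  # assumed dwell-time bucket edges in seconds

def dwell_bucket(seconds):
    return sum(seconds >= edge for edge in DWELL_EDGES)

def rhythm_matrix(log):
    """Assumed RM layout: cell (object, dwell bucket) counts requests of that object followed by a pause of that length."""
    trajectory = defaultdict(list)
    for host, ts, obj in sorted(log, key=lambda r: r[1]):
        trajectory[host].append((ts, obj))
    rm = Counter()
    for visits in trajectory.values():
        for (ts, obj), (nxt, _) in zip(visits, visits[1:]):
            rm[(obj, dwell_bucket(nxt - ts))] += 1
    return rm

def abnormality(baseline_rm, window_rm):
    """Total-variation distance between the normalized RMs: 0 = same rhythm, 1 = disjoint."""
    def norm(rm):
        total = sum(rm.values()) or 1
        return {c: n / total for c, n in rm.items()}
    p, q = norm(baseline_rm), norm(window_rm)
    return 0.5 * sum(abs(p.get(c, 0) - q.get(c, 0)) for c in set(p) | set(q))

def change_rate_outliers(prev_log, cur_log, k=3.0, min_spread=0.5):
    """Hosts whose request change rate sits more than k robust deviations (MAD, floored at min_spread) above the median host."""
    prev, cur = Counter(h for h, _, _ in prev_log), Counter(h for h, _, _ in cur_log)
    rates = {h: (cur[h] - prev[h]) / (prev[h] + 1) for h in set(prev) | set(cur)}
    med = statistics.median(rates.values())
    spread = max(statistics.median(abs(r - med) for r in rates.values()), min_spread)
    return sorted(h for h, r in rates.items() if (r - med) / spread > k)
```

The attack window raises the abnormality degree (the /search cells with near-zero dwell time dominate the RM) and the single flooding host stands out as a change-rate outlier, while the flash-crowd window keeps the RM distribution of the baseline and yields no outlier host.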
