Detection of Application Layer DDoS Attacks with Clustering and Bayes Factors

One of the attacks observed against the HTTP protocol is the HTTP-GET attack, which uses sequences of requests to limit the accessibility of web servers. This report studies that attack and develops a novel detection technique to tackle it. In general, the technique uses entropy-based clustering and Bayes factors to distinguish between legitimate and attacking sequences. It is shown that the introduced method allows the formation of recent patterns of behaviour observed at a web server, which remain unknown to the attackers. Bayes factors are then introduced to measure the anomaly of web sessions. The method performs reasonably well against attackers of varying strategy and scope.
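The abstract only names the two ingredients, entropy-based clustering of sessions and a Bayes factor as the anomaly score. The following Python script is an added illustration of how those two pieces fit together, not the paper's own code or data. It assumes a session is the ordered list of resource classes one client requested, summarises each session by its request-to-request transitions, grows clusters greedily by minimising the size-weighted entropy of their pooled transition counts (a COOLCAT-style criterion), and computes the Bayes factor of "this session follows one of the learned clusters" against an uninformative uniform model over the transition vocabulary; the sample sessions, the `<start>` marker, the smoothing constant and the decision threshold are all constructed assumptions.

```python
"""Entropy-based clustering of web sessions plus a Bayes-factor anomaly score.

Added example, not the paper's code.  Assumptions: a session is the ordered list
of resource classes one client requested; sessions are summarised by their
consecutive-request transitions; clusters are grown greedily by minimising the
size-weighted entropy of their pooled transition counts; the Bayes factor
compares the learned cluster mixture against a uniform model over transitions.
"""
import math
from collections import Counter

START = "<start>"

# Constructed sample sessions (made up, not from the paper).  The first two seed
# the clusters, so they are deliberately one browsing and one searching session.
TRAINING_SESSIONS = [
    ["home", "list", "item", "cart", "checkout"],
    ["home", "search", "results", "detail", "results", "detail"],
    ["home", "list", "item", "list", "item", "cart", "checkout"],
    ["home", "search", "results", "search", "results", "detail"],
    ["home", "list", "list", "item", "cart"],
    ["home", "search", "results", "detail", "search", "results", "detail"],
    ["home", "list", "item", "item", "cart", "checkout"],
    ["home", "search", "results", "results", "detail"],
]


def transitions(session):
    """Bigrams of consecutive request classes; the start marker makes the first
    request count as a transition too, so a one-request session is not empty."""
    return list(zip([START] + session[:-1], session))


def entropy_bits(counts):
    """Shannon entropy (bits) of the empirical distribution behind a Counter."""
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def expected_entropy(clusters):
    """Size-weighted mean entropy of the clusters' pooled transition counts,
    the quantity the greedy clustering minimises."""
    total = sum(sum(c.values()) for c in clusters)
    return sum(sum(c.values()) / total * entropy_bits(c) for c in clusters)


def cluster_sessions(sessions, k):
    """Greedy entropy-based clustering.  The first k sessions seed the clusters;
    every later session joins the cluster whose growth raises the expected
    entropy least.  Returns (pooled counts per cluster, sessions per cluster)."""
    profiles = [Counter(transitions(s)) for s in sessions]
    clusters = [Counter(p) for p in profiles[:k]]
    sizes = [1] * len(clusters)
    for profile in profiles[k:]:
        best = min(
            range(len(clusters)),
            key=lambda i: expected_entropy(
                clusters[:i] + [clusters[i] + profile] + clusters[i + 1:]),
        )
        clusters[best] += profile
        sizes[best] += 1
    return clusters, sizes


def log_likelihood(profile, model, vocab_size, alpha=1.0):
    """log P(session | cluster): categorical over transitions with additive
    (Dirichlet) smoothing so unseen transitions get small but non-zero mass."""
    n = sum(model.values())
    return sum(c * math.log((model[t] + alpha) / (n + alpha * vocab_size))
               for t, c in profile.items())


def log10_bayes_factor(session, clusters, sizes):
    """log10 of P(session | learned clusters) / P(session | uniform model).
    Clusters are mixed with prior weight proportional to their size.  Values
    above 0 favour the learned behaviour; values well below 0 flag an anomaly."""
    profile = Counter(transitions(session))
    vocab = set(profile)            # unseen transitions extend the vocabulary
    for cl in clusters:
        vocab |= set(cl)
    v = len(vocab)
    if v == 0:
        return 0.0
    total = sum(sizes)
    per_cluster = [math.log(sz / total) + log_likelihood(profile, cl, v)
                   for cl, sz in zip(clusters, sizes)]
    top = max(per_cluster)          # log-sum-exp for numerical stability
    log_mixture = top + math.log(sum(math.exp(x - top) for x in per_cluster))
    log_uniform = -sum(profile.values()) * math.log(v)
    return (log_mixture - log_uniform) / math.log(10)


def classify(session, clusters, sizes, threshold=-1.0):
    """Defender's decision: 'attack' when the session is at least 10x more likely
    (threshold -1 in log10) under the uninformative model than under the
    learned behaviour.  The threshold is an assumed operating point."""
    return "attack" if log10_bayes_factor(session, clusters, sizes) < threshold else "legitimate"


if __name__ == "__main__":
    clusters, sizes = cluster_sessions(TRAINING_SESSIONS, k=2)
    for session in (["home", "list", "item", "cart", "checkout"], ["search"] * 20):
        print(session[:4], round(log10_bayes_factor(session, clusters, sizes), 2),
              classify(session, clusters, sizes))
```

Two design points matter for a deployment. The clustering is what makes the reference behaviour hard for an attacker to guess: it is rebuilt from recent server logs, so the "normal" patterns move with the site. The Bayes factor is a ratio, so a long flood of a single expensive endpoint and a short burst of never-seen transitions are both pushed below the threshold, while a short legitimate visit that matches a learned cluster stays above it; the threshold and the smoothing constant should be tuned on held-out legitimate sessions before the score is used to throttle clients.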
