Anomaly Detection for Application Layer User Browsing Behavior Based on Attributes and Features

Application layer distributed denial of service (App-DDoS) attacks have posed a great threat to the security of the Internet. Since these attacks occur in the application layer, they can easily evade traditional network layer and transport layer detection methods. In this paper, we extract a group of user behavior attributes from our intercept program instead of web server logs and construct a behavior feature matrix based on nine user behavior features to characterize user behavior. Subsequently, principal component analysis (PCA) is applied to profile the user browsing behavior pattern in the feature matrix, and outliers from the pattern are used to distinguish normal users from attackers. Experimental results show that the proposed method distinguishes normal users from attackers well. Finally, we implement three machine learning algorithms (K-means, DBSCAN and SVM) to further validate the effectiveness of the proposed attributes and features.
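The PCA profiling step described in the abstract can be sketched as follows. This is an added example, not the paper's code. It assumes three hypothetical features (requests per minute, mean think time, distinct-page ratio) in place of the paper's nine, which this page does not list. It also assumes one retained component, a squared-residual outlier score, and a mean plus 3 sigma threshold. All session values are constructed.

```python
import math
import random
import statistics

def constructed_baseline(n=60, seed=7):
    """Constructed normal sessions: [requests/min, mean think time (s), distinct-page ratio]."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        rpm = rng.uniform(2, 12)
        rows.append([rpm, 30 - 2 * rpm + rng.gauss(0, 1.5),
                     0.3 + 0.04 * rpm + rng.gauss(0, 0.02)])
    return rows

def fit_profile(rows, iters=200):
    """Standardize the feature matrix and find its first principal component."""
    n, m = len(rows), len(rows[0])
    cols = list(zip(*rows))
    mean = [statistics.fmean(c) for c in cols]
    std = [statistics.pstdev(c) or 1.0 for c in cols]  # guard constant columns
    z = [[(x - mu) / sd for x, mu, sd in zip(r, mean, std)] for r in rows]
    cov = [[sum(r[i] * r[j] for r in z) / n for j in range(m)] for i in range(m)]
    v = [1.0 / (i + 1) for i in range(m)]  # arbitrary non-zero start vector
    for _ in range(iters):  # power iteration converges to the top eigenvector
        w = [sum(cov[i][j] * v[j] for j in range(m)) for i in range(m)]
        norm = math.sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    return mean, std, v

def residual(profile, row):
    """Squared distance between a session and its projection onto the profile."""
    mean, std, v = profile
    z = [(x - mu) / sd for x, mu, sd in zip(row, mean, std)]
    proj = sum(a * b for a, b in zip(z, v))
    return sum((a - proj * b) ** 2 for a, b in zip(z, v))

def build_detector(baseline):
    """Fit on normal traffic; threshold is mean + 3 sigma of baseline residuals (assumed)."""
    profile = fit_profile(baseline)
    scores = [residual(profile, r) for r in baseline]
    return profile, statistics.fmean(scores) + 3 * statistics.pstdev(scores)

def is_anomalous(detector, row):
    profile, threshold = detector
    return residual(profile, row) > threshold

if __name__ == "__main__":
    det = build_detector(constructed_baseline())
    for name, row in [("browsing user", [6.0, 18.0, 0.54]),
                      ("single-URL flood", [200.0, 0.1, 0.01])]:
        print(name, round(residual(det[0], row), 3), is_anomalous(det, row))
```

A session that follows the baseline's correlation between features scores near zero, while one that breaks it scores far above the threshold; a session that stays on the learned pattern at any rate would not be flagged by this score alone.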
