Detecting denial of service by modelling web-server behaviour

This article presents a system that characterizes HTTP traffic and discriminates legitimate traffic from other kinds, such as the traffic generated by botnets or distributed denial of service (DDoS) tools. The system applies three analyses sequentially to the traffic flow to detect abnormal users. By combining statistical methods with analysis of the HTTP request paths and of the access times to the different resources on the web server, we labelled abnormal users in a real traffic flow. First, we tested our prototype on real traffic from a multi-site web server, detecting all abnormal users, including an illegitimate audit of the server, the Google bot and other web crawlers. In a second experiment, the most common DDoS attacks were injected into the real traffic flow; as a result, all suspicious users were detected and labelled.
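As an added illustration (not the paper's own code or data), the following Python sketch applies three checks in the order the abstract describes, request-volume statistics, request-path analysis and inter-request timing, to a constructed set of Common Log Format lines in which four browsing users sit beside an HTTP GET flood and a path-guessing audit. The concrete heuristics, thresholds and client addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import mean, median, pstdev

# Common Log Format: ip ident user [dd/Mon/yyyy:HH:MM:SS zone] "METHOD path proto" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[\d+/\w+/\d+:(\d+):(\d+):(\d+) [^\]]*\] "\S+ (\S+) [^"]*" (\d{3})')

def parse_log(text):
    """Group log lines by client IP as (seconds_of_day, path, status) tuples."""
    sessions = defaultdict(list)
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ip, h, mi, s, path, status = m.groups()
        sessions[ip].append((int(h) * 3600 + int(mi) * 60 + int(s), path, int(status)))
    return sessions

def label_abnormal(sessions, z_max=2.0, err_ratio=0.5, min_gap=2.0):
    """Apply the three checks in sequence; return {ip: [reasons]} for abnormal clients (thresholds are assumed)."""
    counts = {ip: len(r) for ip, r in sessions.items()}
    mu, sigma = mean(list(counts.values())), pstdev(list(counts.values()))
    flagged = {}
    for ip, reqs in sessions.items():
        reqs, reasons = sorted(reqs), []
        # 1. statistical: request volume is an outlier against the whole client population
        if sigma and (counts[ip] - mu) / sigma > z_max:
            reasons.append("request-volume outlier")
        # 2. request paths: one resource hammered (flood) or mostly missing resources (audit/scan)
        paths = [p for _, p, _ in reqs]
        if len(reqs) >= 10 and len(set(paths)) == 1:
            reasons.append("single resource repeated")
        if sum(st == 404 for _, _, st in reqs) / len(reqs) > err_ratio:
            reasons.append("mostly missing resources")
        # 3. access time: consecutive requests arrive faster than a person reads a page
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        if gaps and median(gaps) < min_gap:
            reasons.append("inter-request gap too short")
        if reasons:
            flagged[ip] = reasons
    return flagged

def clf(ip, t, path, status):
    """Build one constructed log line at t seconds after 13:55:00 (sample data, not real traffic)."""
    return f'{ip} - - [10/Oct/2010:13:{55 + t // 60:02d}:{t % 60:02d} +0000] "GET {path} HTTP/1.1" {status} 512'

HUMANS = {"10.0.0.1": [(0, "/"), (8, "/news"), (34, "/news/item1"), (49, "/about")],
          "10.0.0.2": [(3, "/"), (15, "/about"), (40, "/contact")],
          "10.0.0.3": [(1, "/"), (9, "/news"), (20, "/news/item2"), (33, "/news/item3"), (58, "/about")],
          "10.0.0.4": [(5, "/news"), (21, "/news/item1"), (47, "/about"), (70, "/")]}
SAMPLE = "\n".join([clf(ip, t, p, 200) for ip, visits in HUMANS.items() for t, p in visits]
                   + [clf("10.0.0.5", 30, "/", 200) for _ in range(40)]  # HTTP GET flood, one second
                   + [clf("10.0.0.6", 10 + i, f"/admin{i}.php", 404 if i < 10 else 200) for i in range(12)])  # audit
```

Running `label_abnormal(parse_log(SAMPLE))` flags only 10.0.0.5 (all three checks) and 10.0.0.6 (paths and timing); the four browsing clients pass every stage.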
