Detection of HTTP-GET Attack with Clustering and Information Theoretic Measurements

One of the attacks observed against the HTTP protocol is the HTTP-GET attack, which uses sequences of requests to limit the accessibility of web servers. This report studies that attack and develops a novel, off-line clustering technique to counter it. In general, the technique uses entropy-based clustering together with information-theoretic measurements to distinguish between legitimate and attacking sequences. The report shows that the method forms recent patterns of behaviour observed at a web server that remain unknown to the attackers. Statistical and information-theoretic metrics are then introduced to measure the difference between a sequence of requests and the legitimate patterns of behaviour. The method recognises more than 80% of legitimate and attacking sequences, regardless of the strategies chosen by the attackers.
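As an added illustration of the scoring step (example code, not the report's own method or data), the block below assumes that the clustering has already grouped legitimate sessions into behaviour patterns, models each pattern as a smoothed distribution of request paths, and uses Shannon entropy and Kullback-Leibler divergence as the information-theoretic distance between a new session and its nearest legitimate pattern; the pattern names, sessions and threshold are constructed.

```python
from collections import Counter
from math import log2

UNK = "<unk>"  # bucket for request paths never seen in a legitimate pattern

# Constructed sample data (not from the report): legitimate sessions already
# grouped into two behaviour patterns, standing in for the clustering output.
LEGIT_PATTERNS = {
    "shopping": [
        ["/", "/catalog", "/item/12", "/cart", "/checkout"],
        ["/", "/catalog", "/item/7", "/item/12", "/cart"],
        ["/", "/catalog", "/item/3", "/catalog", "/item/9"],
    ],
    "account": [
        ["/", "/login", "/account", "/orders", "/"],
        ["/login", "/account", "/settings", "/"],
    ],
}

def distribution(seq, vocab=None):
    """Relative frequency of each request path in one session; paths outside
    vocab are folded into the UNK bucket so they can still be scored."""
    counts = Counter(s if vocab is None or s in vocab else UNK for s in seq)
    return {s: k / len(seq) for s, k in counts.items()}

def entropy(dist):
    """Shannon entropy in bits: 0 for a session that repeats one request."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)

def build_profile(sessions, alpha=0.5):
    """Additively smoothed request-path distribution of one pattern, with an
    UNK entry so every symbol of a new session has nonzero reference mass."""
    counts = Counter(s for seq in sessions for s in seq)
    counts[UNK] += 0
    total = sum(counts.values()) + alpha * len(counts)
    return {s: (k + alpha) / total for s, k in counts.items()}

def kl_divergence(p, q):
    """D(p || q) in bits; q must give nonzero mass to every symbol of p."""
    return sum(pi * log2(pi / q[s]) for s, pi in p.items() if pi > 0)

def nearest_pattern(seq, profiles):
    """(divergence, pattern name) of the legitimate pattern closest to seq."""
    return min((kl_divergence(distribution(seq, prof), prof), name)
               for name, prof in profiles.items())

def is_attack(seq, profiles, threshold=2.0):
    """Flag a session whose distance to every legitimate pattern exceeds the
    threshold (a constructed value; tune it on the site's own traffic)."""
    return nearest_pattern(seq, profiles)[0] > threshold

PROFILES = {name: build_profile(s) for name, s in LEGIT_PATTERNS.items()}
```

A flood of one unseen URL and a flood of one legitimate URL both land far from every pattern, while a short session that follows a pattern stays close to it.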
