
Real-Time Detection of Application-Layer DDoS Attack Using Time Series Analysis

DOI: 10.1155/2013/821315


Abstract:

Distributed denial of service (DDoS) attacks are one of the major threats to the current Internet, and application-layer DDoS attacks that use legitimate HTTP requests to overwhelm victim resources are harder to detect. Consequently, neither intrusion detection systems (IDS) nor the victim server can distinguish the malicious packets. In this paper, a novel approach to detecting application-layer DDoS attacks is proposed, based on the entropy of HTTP GET requests per source IP address (HRPI). By approximating an adaptive autoregressive (AAR) model, the HRPI time series is transformed into a multidimensional vector series. Then, a trained support vector machine (SVM) classifier is applied to identify the attacks. Experiments on several datasets show that this approach detects application-layer DDoS attacks effectively.

1. Introduction

DDoS attacks have caused severe damage to servers and pose an even greater threat to the development of new Internet services. DDoS attacks fall into two classes: network-layer DDoS attacks and application-layer DDoS attacks. In network-layer DDoS attacks, attackers send a large number of bogus packets towards the victim server, normally using IP spoofing; the victim server or IDS can easily distinguish legitimate packets from DDoS packets. In contrast, in application-layer DDoS attacks, attackers attack the victim server through a flood of legitimate requests. In this attack model, attackers hit the victim Web servers with HTTP GET requests, pulling large files from the victim server in overwhelming numbers. Attackers can also run a massive number of queries through the victim's search engine or database to bring the server down. To circumvent detection, attackers increasingly move away from pure bandwidth floods to stealthy DDoS attacks that masquerade as flash crowds.
Flash crowd [1, 2] refers to the situation in which a very large number of users simultaneously access a website, for example after the announcement of a new service or a free software download. Because burst traffic and high volume are common characteristics of both application-layer DDoS attacks and flash crowds, it is not easy to distinguish them. Therefore, application-layer DDoS attacks may be stealthier and more dangerous for websites than general network-layer DDoS attacks. Most well-known DDoS countermeasure techniques [3] target network-layer DDoS attacks and cannot handle application-layer DDoS attacks. Countering application-layer DDoS attacks becomes a great
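As an added example (not code from the paper), the first two stages of the pipeline the abstract describes, run on a constructed request log: the HRPI entropy per time window, then its conversion into coefficient vectors by an adaptive AR model. The paper does not state how the AAR model is approximated, so recursive least squares is assumed here, and the final SVM stage is left out.

```python
import math
from collections import Counter

# Constructed request log (not from the paper): (timestamp_sec, source_ip, http_method).
# Window 0 is spread-out normal traffic; window 1 has a single source firing every GET.
SAMPLE_REQUESTS = [
    (0, "10.0.0.1", "GET"), (2, "10.0.0.2", "GET"), (4, "10.0.0.3", "GET"),
    (6, "10.0.0.4", "GET"), (8, "10.0.0.1", "POST"),  # POST is not counted in HRPI
    (10, "10.0.0.9", "GET"), (11, "10.0.0.9", "GET"),
    (12, "10.0.0.9", "GET"), (13, "10.0.0.9", "GET"),
]

def hrpi_entropy(requests):
    """Shannon entropy (bits) of HTTP GET requests over source IPs in one window."""
    counts = Counter(ip for _, ip, method in requests if method == "GET")
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def hrpi_series(requests, window_sec):
    """Bucket requests into fixed windows and return the HRPI entropy time series."""
    start = min(t for t, _, _ in requests)
    buckets = {}
    for t, ip, method in requests:
        buckets.setdefault((t - start) // window_sec, []).append((t, ip, method))
    return [hrpi_entropy(buckets.get(k, [])) for k in range(max(buckets) + 1)]

def aar_vectors(series, order, lam=0.98, delta=100.0):
    """Adaptive AR(p) fit by recursive least squares (assumed realisation of the AAR
    step); returns the coefficient vector after each sample, i.e. one feature row each."""
    p = order
    w = [0.0] * p                                  # current AR coefficients
    P = [[delta if i == j else 0.0 for j in range(p)] for i in range(p)]  # inverse correlation
    vectors = []
    for n in range(p, len(series)):
        x = [series[n - 1 - i] for i in range(p)]  # regressor: the p previous values
        Px = [sum(P[i][j] * x[j] for j in range(p)) for i in range(p)]
        denom = lam + sum(x[i] * Px[i] for i in range(p))
        k = [v / denom for v in Px]                # RLS gain vector
        err = series[n] - sum(w[i] * x[i] for i in range(p))  # a priori prediction error
        w = [w[i] + k[i] * err for i in range(p)]
        P = [[(P[i][j] - k[i] * Px[j]) / lam for j in range(p)] for i in range(p)]
        vectors.append(w)
    return vectors

if __name__ == "__main__":
    series = hrpi_series(SAMPLE_REQUESTS, window_sec=10)
    print("HRPI series:", series)                  # entropy collapses under the single-source flood
    print("AAR vectors:", aar_vectors(series * 5, order=2))
```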

References

[1]  T. Thapngam, S. Yu, W. Zhou, and G. Beliakov, “Discriminating DDoS attack traffic from flash crowd through packet arrival patterns,” in Proceedings of the IEEE Conference on Computer Communications Workshops (INFOCOM '11), pp. 952–957, April 2011.
[2]  G. Oikonomou and J. Mirkovic, “Modeling human behavior for defense against flash-crowd attacks,” in Proceedings of the IEEE International Conference on Communications (ICC '09), pp. 1–6, June 2009.
[3]  H. Beitollahi and G. Deconinck, “Analyzing well-known countermeasures against distributed denial of service attacks,” Computer Communications, vol. 35, pp. 1312–1332, 2012.
[4]  S. Ranjan, R. Swaminathan, M. Uysal, and E. Knightly, “DDoS-resilient scheduling to counter application layer attacks under imperfect detection,” in Proceedings of the 25th IEEE International Conference on Computer Communications (INFOCOM '06), pp. 1–13, April 2006.
[5]  W. Yen and M.-F. Lee, “Defending application DDoS with constraint random request attacks,” in Proceedings of the Asia-Pacific Conference on Communications, pp. 620–624, Perth, Australia, October 2005.
[6]  L. Von Ahn, M. Blum, and J. Langford, “Telling humans and computers apart automatically,” Communications of the ACM, vol. 47, no. 2, pp. 56–60, 2004.
[7]  Y. Xie and S.-Z. Yu, “A large-scale hidden semi-Markov model for anomaly detection on user browsing behaviors,” IEEE/ACM Transactions on Networking, vol. 17, no. 1, pp. 54–65, 2009.
[8]  Y. Xie, S. Tang, and X. Huang, “Detecting latent attack behavior from aggregated Web traffic,” Computer Communications, no. 5, pp. 895–907, 2013.
[9]  J. Yu, C. Fang, L. Lu, et al., “A lightweight mechanism to mitigate application layer DDoS attacks,” Scalable Information Systems, vol. 18, pp. 175–191, 2009.
[10]  P. Du and A. Nakao, “OverCourt: DDoS mitigation through credit-based traffic segregation and path migration,” Computer Communications, vol. 33, no. 18, pp. 2164–2175, 2010.
[11]  H. Beitollahi and G. Deconinck, “Tackling Application-layer DDoS Attacks,” Procedia Computer Science, vol. 10, pp. 432–441, 2012.
[12]  Q.-D. Sun, D.-Y. Zhang, and P. Gao, “Detecting distributed denial of service attacks based on time series analysis,” Chinese Journal of Computers, vol. 28, no. 5, pp. 767–773, 2005.
[13]  R. Yan, Q. Zheng, and H. Li, “Combining adaptive filtering and IF flows to detect DDOS attacks within a router,” KSII Transactions on Internet and Information Systems, vol. 4, no. 3, pp. 428–451, 2010.
[14]  S. Wen, W. Jia, W. Zhou, W. Zhou, and C. Xu, “CALD: Surviving various application-layer DDoS attacks that mimic flash crowd,” in Proceedings of the 4th International Conference on Network and System Security (NSS '10), pp. 247–254, Victoria, Australia, September 2010.
[15]  S. Haykin, Adaptive Filter Theory, Prentice-Hall, Upper Saddle River, NJ, USA, 3rd edition, 1996.
[16]  J. Viinikka, H. Debar, L. Mé, A. Lehikoinen, and M. Tarvainen, “Processing intrusion detection alert aggregates with time series modeling,” Information Fusion, vol. 10, no. 4, pp. 312–324, 2009.
[17]  J. Platt, “Sequential minimal optimization: a fast algorithm for training support vector machines,” Tech. Rep. MSR-TR-98-14, Microsoft Research, 1998.
[18]  M. Arlitt and T. Jin, “1998 World Cup Web Site Access Logs,” 1998, http://ita.ee.lbl.gov/html/contrib/WorldCup.html.

