Abstract

Computer network systems are often subject to several types of attacks. For example, a Distributed Denial of Service (DDoS) attack mainly works by sending an excessive traffic load to a web server in order to make it unusable. A well-known method for detecting attacks consists in analyzing the sequence of source IP addresses to detect possible anomalies. With the aim of predicting the next IP address, the Probability Density Function of the IP address sequence is estimated. Anomalous requests are detected by predicting the source IP addresses of future accesses to the server. Thus, when an access to the server occurs, the server accepts only the requests from the predicted IP addresses and blocks all the others. The approaches used to estimate the Probability Density Function of IP addresses range from the sequence of IP addresses seen previously and stored in a database to address clustering, for instance via the K-Means algorithm. In this paper, instead, the sequence of IP addresses is treated as a numerical sequence, and non-linear analysis of this numerical sequence is applied. In particular, we exploit non-linear analysis based on Volterra Kernels and Hammerstein models. The experiments carried out with datasets of source IP address sequences show that the prediction errors obtained with Hammerstein models are smaller than those obtained both with the Volterra Kernels and with the sequence clustering based on the K-Means algorithm.

Highlights

  • User modeling is an important task for web applications dealing with large traffic flows

  • For example, when an Intrusion Prevention System has to mitigate Distributed Denial of Service (DDoS) attacks, the only information it can use is inferred from the normal traffic before the attack

  • We deal with the management of DDoS because nowadays it has become a major threat on the internet


Summary

Introduction

User modeling is an important task for web applications dealing with large traffic flows. Several papers show the importance of user modeling in other problems such as improving the detection and mitigation of Distributed Denial of Service (DDoS) attacks (see [19, 22, 29]), improving the quality of service (see [32]), detecting click fraud, and optimizing traffic management. Due to the current internet infrastructure, the only solution to this problem has proven to be the mitigation of DDoS attacks in the machines near the target servers. This protection aims to identify malicious requests in order to limit their destabilizing effect on the servers. Near-target filtering solutions have proven to be the most effective ones. These techniques use the information contained in the IP packet header to estimate normal user behavior.
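The history-based baseline mentioned in the abstract (estimate the probability of each source address from attack-free traffic, then accept only the predicted sources) can be sketched as follows. This is an added example, not code from the paper, and it does not implement the Volterra or Hammerstein predictors; the /24 aggregation, the 0.95 coverage threshold, and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

def prefix(ip, bits=24):
    """Map an IPv4 address to its enclosing network (assumed /24 granularity)."""
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)

def estimate_pdf(history, bits=24):
    """Empirical probability of each source prefix in attack-free traffic."""
    counts = Counter(prefix(ip, bits) for ip in history)
    total = sum(counts.values())
    return {net: n / total for net, n in counts.items()}

def admit_set(pdf, coverage=0.95):
    """Smallest set of prefixes whose probability mass reaches `coverage`."""
    chosen, mass = set(), 0.0
    for net, p in sorted(pdf.items(), key=lambda kv: (-kv[1], str(kv[0]))):
        if mass >= coverage:
            break
        chosen.add(net)
        mass += p
    return chosen

def filter_requests(sources, allowed, bits=24):
    """Split incoming source IPs into (accepted, blocked) lists."""
    accepted, blocked = [], []
    for ip in sources:
        (accepted if prefix(ip, bits) in allowed else blocked).append(ip)
    return accepted, blocked

# Constructed sample data: documentation ranges (RFC 5737) stand in for
# legitimate users, 10.x addresses for previously unseen sources.
NORMAL = (["192.0.2.10"] * 50 + ["192.0.2.77"] * 30 +
          ["198.51.100.5"] * 18 + ["203.0.113.9"] * 2)
UNDER_ATTACK = ["192.0.2.10", "198.51.100.200", "203.0.113.9",
                "203.0.113.50", "10.9.8.7", "10.1.2.3"]

def demo():
    """Train on NORMAL, then filter the mixed UNDER_ATTACK stream."""
    allowed = admit_set(estimate_pdf(NORMAL), coverage=0.95)
    return filter_requests(UNDER_ATTACK, allowed)

if __name__ == "__main__":
    accepted, blocked = demo()
    print("accepted:", accepted)
    print("blocked: ", blocked)
```

The rare but legitimate source `203.0.113.9` is blocked along with the unseen addresses, which shows the cost of an imprecise density estimate and why lower prediction error matters for this kind of filter.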
