Abstract

The article investigates the problem of detecting slow DDoS attacks through network traffic analysis. Detecting a slow HTTP attack is a significant challenge because the attacker's behavior can mimic that of a legitimate user with slow resources. The authors propose a four-zone attack detection architecture based on the analysis of two parameters: the number of connections to the server and the average client response delay time. A technique for detecting slow DDoS attacks based on correlation analysis and parameter forecasting is proposed. The authors' approach uses an original two-parameter correlation analysis model based on the number of connections (NC) and the average real delay in the network (ARNL). An algorithm for detecting a slow DDoS attack based on the prediction of these two parameters has been developed. The parameters are used both for analysis and for short-term prediction of traffic behavior. The forecasting algorithm calculates the posterior trajectory of the time series from a priori statistical observations. Predicting user behavior parameters allows early detection of slow DDoS attacks by means of an algorithm that searches for unknown future values of the parameter time series. Using the relative values of NC and ARNL as prediction parameters makes it possible to build a flexible recognition system adapted to the specifics of a particular system. The two-parameter, prediction-based algorithm for detecting slow DDoS attacks was simulated and its effectiveness was evaluated. The proposed method combines artificial intelligence and statistical analysis and uses a self-learning algorithm, given sufficient attack statistics. Experimental results show that the method is suitable for early detection of attacks such as Slow HTTP Headers, Slow HTTP Body and Slow HTTP Read. Simulation of traffic parameters confirms the method's ability to detect slow attacks at different time intervals, since the accuracy of the forecast depends on the timeliness of the observations. With sufficient observation statistics, the deviation of the forecast curve can be less than 5%.
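
A minimal sketch of two-parameter, prediction-based detection on relative NC and ARNL values, added here as an illustration and not taken from the article or its authors. The abstract does not give the zone boundaries or the forecasting formula, so the quadrant split, the zone names, the 1.5 thresholds, the least-squares linear forecast (a stand-in for the posterior-trajectory method) and the sample series are all assumptions.

```python
from statistics import mean

def relative(series, baseline):
    """Scale samples by the normal-load baseline so thresholds are system-independent."""
    return [x / baseline for x in series]

def pearson(xs, ys):
    """Pearson correlation of two equally long series (0.0 if either is constant)."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0

def forecast(series, steps):
    """Assumed stand-in forecaster: least-squares line extrapolated `steps` samples ahead."""
    n = len(series)
    t_mean, y_mean = (n - 1) / 2, mean(series)
    slope = (sum((t - t_mean) * (y - y_mean) for t, y in enumerate(series))
             / sum((t - t_mean) ** 2 for t in range(n)))
    return y_mean + slope * (n - 1 + steps - t_mean)

def zone(nc_rel, arnl_rel, nc_limit=1.5, arnl_limit=1.5):
    """Assumed four-zone split: each parameter is either within or above its limit."""
    high_nc, high_delay = nc_rel > nc_limit, arnl_rel > arnl_limit
    if high_nc and high_delay:
        return "suspected slow attack"   # many connections, all of them slow
    if high_nc:
        return "high load"               # many connections, normal delay
    if high_delay:
        return "slow clients"            # few connections, legitimately slow
    return "normal"

def assess(nc, arnl, nc_base, arnl_base, steps=3):
    """Classify the latest sample and the forecast sample, and report NC/ARNL correlation."""
    nc_rel, arnl_rel = relative(nc, nc_base), relative(arnl, arnl_base)
    return {
        "current": zone(nc_rel[-1], arnl_rel[-1]),
        "predicted": zone(forecast(nc_rel, steps), forecast(arnl_rel, steps)),
        "correlation": pearson(nc_rel, arnl_rel),
    }

# Constructed sample series (one value per observation interval), not measured data.
NC_RAMP = [100, 105, 112, 120, 130, 141]           # connection count creeping upward
NC_FLAT = [100, 101, 99, 100, 102, 100]            # steady connection count
ARNL_RAMP = [0.20, 0.21, 0.23, 0.25, 0.27, 0.29]   # average delay in seconds, rising

if __name__ == "__main__":
    print(assess(NC_RAMP, ARNL_RAMP, nc_base=100, arnl_base=0.20))
    print(assess(NC_FLAT, ARNL_RAMP, nc_base=100, arnl_base=0.20))
```

With the ramping series, the current sample is still inside the normal zone while the forecast already falls in the attack zone, which is the early-warning effect the abstract attributes to prediction; with a flat connection count the same delay trend lands in the slow-client zone instead.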
