Abstract

The exponential growth in Internet usage has been accompanied by cyber attack incidents. Among the various kinds of attacks, the HTTP GET flooding attack is one of the major threats to Internet services, as it depletes resources and services at the application layer. It is difficult to distinguish legitimate traffic from malicious traffic in log file traces because the request patterns of attacks are similar to those of legitimate clients. Techniques used to detect HTTP GET flooding attacks include pattern analysis, the entropy method and network‐based access control mechanisms. These techniques use predefined rules obtained from traffic patterns to detect the attack and may produce false positives. To overcome this drawback, the rules need to be updated for the new traffic patterns caused by attacks, which may lead to more processing time. To mitigate this issue, the proposed method uses web server logs instead of traffic patterns. It reads the web server logs, extracts the relevant features, uses the analytical hierarchical process to predict whether an attack has occurred, and detects the suspicious sources by using the Dempster–Shafer theory of evidence. The experimental results are compared with existing approaches such as the Snort Intrusion Detection System (IDS), page access behaviour, the entropy method and the auto‐regressive model. They demonstrate that the proposed method (HADM) achieves a high detection rate, reduces false alarms and takes less processing time by using MapReduce. Copyright © 2016 John Wiley & Sons, Ltd.
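The following is an added example, not code from the paper: it illustrates only the Dempster–Shafer step, combining two pieces of per-source evidence extracted from web server log lines into a belief that the source is attacking. The two features (request rate, share of the most requested URL), the reliability weights, the rate cap, the threshold and the sample log are all assumptions made for illustration; the abstract does not name HADM's features, and the analytical hierarchical process step is not shown.

```python
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^:\]]+:(\d\d):(\d\d):(\d\d) [^\]]*\] "GET (\S+) ')

def _line(ip, sec, path):  # builds one constructed combined-log-format line
    return f'{ip} - - [10/Oct/2016:13:55:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'

# Constructed sample: one source bursting on a single URL, one browsing normally.
SAMPLE_LOG = [_line("198.51.100.7", s % 10, "/index.php") for s in range(40)] + [
    _line("192.0.2.10", 10 * i, p) for i, p in enumerate(["/", "/about", "/news", "/contact"])]

def mass(score, reliability):
    """Mass over {A: attack, N: normal, U: whole frame}; both inputs in [0, 1]."""
    return {"A": reliability * score, "N": reliability * (1 - score), "U": 1 - reliability}

def combine(m1, m2):
    """Dempster's rule of combination for the two-hypothesis frame {A, N}."""
    conflict = m1["A"] * m2["N"] + m1["N"] * m2["A"]
    if conflict >= 1.0:
        raise ValueError("total conflict: evidence cannot be combined")
    norm = 1.0 - conflict
    return {
        "A": (m1["A"] * m2["A"] + m1["A"] * m2["U"] + m1["U"] * m2["A"]) / norm,
        "N": (m1["N"] * m2["N"] + m1["N"] * m2["U"] + m1["U"] * m2["N"]) / norm,
        "U": m1["U"] * m2["U"] / norm,
    }

def attack_belief(log_lines, rate_cap=5.0):
    """Return {source_ip: combined belief in 'attack'} from GET requests in the log."""
    times, paths = defaultdict(list), defaultdict(Counter)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-GET lines
        ip, hh, mm, ss, path = m.groups()
        times[ip].append(int(hh) * 3600 + int(mm) * 60 + int(ss))  # same-day log assumed
        paths[ip][path] += 1
    beliefs = {}
    for ip, ts in times.items():
        rate = len(ts) / (max(ts) - min(ts) + 1)            # requests per second
        repeat = paths[ip].most_common(1)[0][1] / len(ts)   # share of the top URL
        # Assumed reliabilities: rate evidence 0.8, repetition evidence 0.6.
        beliefs[ip] = combine(mass(min(rate / rate_cap, 1.0), 0.8), mass(repeat, 0.6))["A"]
    return beliefs

def suspicious_sources(log_lines, threshold=0.7):
    return sorted(ip for ip, b in attack_belief(log_lines).items() if b >= threshold)
```

The mass left on the whole frame (`U`) is what keeps a single noisy feature from deciding the outcome alone: a source is flagged only when the combined evidence pushes belief in `A` past the threshold.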
