Abstract
Application-layer distributed denial of service (AL-DDoS) attacks are becoming critical threats to websites because their stealth renders many intrusion prevention systems ineffective. To detect AL-DDoS attacks aimed at websites, we propose a novel statistical model called the RM (rhythm matrix). Although the raw features are taken from the network layer, each host's access trajectory, consisting of the requested objects and the corresponding dwell-time values, can be abstracted and accumulated into an RM. With an RM, we can compress complex features almost losslessly into a simple structure and characterize user access behavior. We detect AL-DDoS attacks from an increase in the abnormality degree of the RM and further identify malicious hosts from change-rate outliers. In the experiments, we simulate three modes of AL-DDoS attack with two popular DDoS attack tools, LOIC and HOIC. The results show that our method detects these simulated attacks and identifies the malicious hosts accurately and efficiently. For an AL-DDoS detection method, the ability to distinguish flash crowds is indispensable; we also demonstrate the strong performance of our approach in distinguishing flash crowds from AL-DDoS attacks on two reconstructed public datasets.
Highlights
Over the past two decades, distributed denial of service (DDoS) attacks have been a continuous critical threat to the Internet
We examine the change-rate abnormality in the RM to detect application-layer DDoS (AL-DDoS) attacks, and further identify the malicious hosts according to their droppoints in the RM
After an AL-DDoS attack is detected, we identify the change-rate outliers in the subsequent RMs and track the associations between hosts' droppoints and these outliers
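The two highlights above, together with the abstract, describe a detect-then-attribute pipeline: accumulate (object, dwell-time) droppoints into a rhythm matrix per window, flag a window whose RM departs from the baseline, and then trace the cells whose change rate is an outlier back to the hosts that dropped into them. The Python below is an added illustration of that flow and is not the paper's code: the page does not give the paper's RM construction, abnormality measure or outlier rule, so the dwell-time buckets, the L1 abnormality score, the MAD-based outlier test, the 80 % droppoint-share rule, the request logs and all host addresses are assumptions made for this example. The legitimate traffic is generated deterministically so that a quiet window has exactly the baseline rhythm, and the attack window adds six constructed bots that hammer a single object at a fixed short interval, the behaviour of a HOIC-style flood.

```python
"""Toy rhythm-matrix (RM) pipeline: accumulate each host's (object, dwell-time)
droppoints into a per-window matrix, score the window against a baseline RM,
and, once flagged, attribute outlier cells back to the hosts that fed them.
Illustrative reconstruction only; the paper's RM definition may differ."""
from collections import defaultdict

DWELL_EDGES = (0.5, 2.0, 8.0, 32.0)   # seconds; assumed coarse log-like binning
OBJECTS = ("/", "/news", "/news/42", "/static/app.js", "/login")
DWELL_PATTERN = (1.3, 3.8, 0.4, 11.0, 5.5, 40.0, 2.1, 7.7)   # constructed think times
BOT_HOSTS = tuple(f"203.0.113.{i}" for i in range(1, 7))      # constructed attackers


def dwell_bucket(seconds):
    """Map a dwell time to a bucket index 0..len(DWELL_EDGES)."""
    for i, edge in enumerate(DWELL_EDGES):
        if seconds < edge:
            return i
    return len(DWELL_EDGES)


def build_rm(requests):
    """requests: (timestamp, host, object) tuples of one window, in any order.
    A request's dwell time is the gap until the same host's next request, so a
    host's last request yields no droppoint.  Returns (rm, droppoints): rm maps
    (object, bucket) -> count; droppoints maps host -> {(object, bucket): count}."""
    by_host = defaultdict(list)
    for t, host, obj in requests:
        by_host[host].append((t, obj))
    rm, droppoints = defaultdict(int), defaultdict(lambda: defaultdict(int))
    for host, seq in by_host.items():
        seq.sort()
        for (t0, obj), (t1, _) in zip(seq, seq[1:]):
            cell = (obj, dwell_bucket(t1 - t0))
            rm[cell] += 1
            droppoints[host][cell] += 1
    return dict(rm), {h: dict(d) for h, d in droppoints.items()}


def normalize(rm):
    total = sum(rm.values()) or 1
    return {cell: n / total for cell, n in rm.items()}


def abnormality(rm, baseline):
    """L1 distance between the window's and the baseline's cell distributions:
    0 means identical rhythm, 2 means no shared cells at all."""
    p, q = normalize(rm), normalize(baseline)
    return sum(abs(p.get(c, 0.0) - q.get(c, 0.0)) for c in set(p) | set(q))


def change_rate_outliers(rm, baseline, z=3.0):
    """Relative change of every cell versus the baseline.  A cell is an outlier
    when it grew (rate > 0) and lies more than z robust (MAD-scaled) deviations
    above the median rate; cells of genuine traffic mostly shrink by dilution."""
    p, q = normalize(rm), normalize(baseline)
    eps = 1.0 / (sum(baseline.values()) + 1)   # pseudo-count for cells unseen in baseline
    rate = {c: (p.get(c, 0.0) - q.get(c, 0.0)) / (q.get(c, 0.0) + eps)
            for c in set(p) | set(q)}
    vals = sorted(rate.values())
    med = vals[len(vals) // 2]
    mad = sorted(abs(v - med) for v in vals)[len(vals) // 2] or eps
    return {c for c, r in rate.items() if r > 0 and (r - med) / (1.4826 * mad) > z}


def identify_hosts(droppoints, outliers, share=0.8):
    """Flag a host when at least `share` of its droppoints lie in outlier cells."""
    bad = set()
    for host, cells in droppoints.items():
        total = sum(cells.values())
        hit = sum(n for c, n in cells.items() if c in outliers)
        if total and hit / total >= share:
            bad.add(host)
    return bad


def detect(window, baseline_rm, threshold=0.3):
    """Return (abnormality, malicious hosts); attribution runs only once the
    window's abnormality exceeds the threshold."""
    rm, drops = build_rm(window)
    score = abnormality(rm, baseline_rm)
    if score <= threshold:
        return score, set()
    return score, identify_hosts(drops, change_rate_outliers(rm, baseline_rm))


def normal_traffic(window_start, n_hosts=8):
    """Constructed browsing sessions: each host walks OBJECTS with dwell times
    from DWELL_PATTERN over one full period of both tables, so every window of
    legitimate traffic has exactly the same rhythm (no randomness involved)."""
    period, reqs = len(OBJECTS) * len(DWELL_PATTERN), []
    for i in range(n_hosts):
        t = window_start + 0.7 * i
        for j in range(period + 1):
            k = i + j
            reqs.append((t, f"10.0.0.{i + 1}", OBJECTS[k % len(OBJECTS)]))
            t += DWELL_PATTERN[k % len(DWELL_PATTERN)]
    return reqs


def bot_traffic(window_start, per_bot=30, interval=0.2):
    """Constructed HOIC-style flood: every bot hammers /login at a fixed rate."""
    return [(window_start + 0.05 * b + n * interval, host, "/login")
            for b, host in enumerate(BOT_HOSTS) for n in range(per_bot)]


def run_demo():
    baseline_rm, _ = build_rm(normal_traffic(0.0))
    quiet = detect(normal_traffic(600.0), baseline_rm)
    attack = detect(normal_traffic(1200.0) + bot_traffic(1200.0), baseline_rm)
    return quiet, attack


if __name__ == "__main__":
    (q_score, q_hosts), (a_score, a_hosts) = run_demo()
    print(f"quiet window:  abnormality={q_score:.3f} hosts={sorted(q_hosts)}")
    print(f"attack window: abnormality={a_score:.3f} hosts={sorted(a_hosts)}")
```

Two design points carry over to a real deployment. First, attribution is gated on the window-level abnormality score, so a single host with an odd rhythm never triggers host-level analysis on its own; that is what keeps a burst of legitimate interest (a flash crowd spread over many cells) from being mistaken for a flood concentrated in a few. Second, the outlier test looks for cells that grew relative to the baseline rather than for any large deviation, because an attack that adds traffic dilutes every legitimate cell by the same factor and those uniform negative change rates must not be flagged.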
Summary
Over the past two decades, distributed denial of service (DDoS) attacks have been a continuous critical threat to the Internet. Denial of service (DoS) attacks have been known to the network research community since the early 1980s. The first DDoS attack incident was reported in the summer of 1999, and most DoS attacks since then have been distributed in nature [1]. Many tools are available to perpetrate DDoS attacks, and many cyberspace crimes are closely related to them. The attack modes of DDoS attacks have changed in recent years: while most traditional attacks are still active, more application-layer traffic is emerging, such as HTTP, HTTPS and DNS queries. We adopt the taxonomy in [2] and call these attacks application-layer DDoS (AL-DDoS).