Abstract

Asymmetric application-layer DDoS attacks that use computationally intensive HTTP requests are an extremely dangerous class of attacks, capable of taking down web servers with relatively few attacking connections. These attacks consume limited network bandwidth and resemble legitimate traffic, which makes them difficult to detect. Existing detection mechanisms for these attacks rely on indirect representations of actual user behaviour and on complex modelling techniques. This leads to a higher false positive rate (FPR) and longer detection time, making them unsuitable for real-time use. There is a need for simple, efficient and adaptable detection mechanisms for asymmetric DDoS attacks. In this work, an attempt is made to model the actual behavioural dynamics of legitimate users using a simple annotated Probabilistic Timed Automata (PTA), along with a suspicion scoring mechanism for differentiating between legitimate and malicious users. This allows the detection mechanism to be extremely fast and to have a low FPR. In addition, the model can incrementally learn from run-time traces, which makes it adaptable and reduces the FPR further. Experiments on public datasets reveal that our proposed approach has a high detection rate and a low FPR and adds negligible overhead to the web server, which makes it ideal for real-time use.
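To make the idea concrete, the following is an added, simplified sketch of a timed behavioural model with suspicion scoring and incremental learning; it is not the paper's PTA or its scoring function. The class name, the score weights, the `slack` and `threshold` parameters and the sample traces are all assumptions constructed for illustration.

```python
from collections import defaultdict

class BehaviourModel:
    """Toy timed automaton: states are request paths; each edge keeps a
    transition count and the fastest think time seen for legitimate users."""

    def __init__(self, rare_prob=0.05, slack=0.5, threshold=1.0):
        self.counts = defaultdict(dict)   # src -> {dst: count}
        self.fastest = {}                 # (src, dst) -> smallest gap in seconds
        self.rare_prob, self.slack, self.threshold = rare_prob, slack, threshold

    def learn(self, session):
        """Incrementally fold one legitimate trace [(time, path), ...] into the model."""
        for (t0, a), (t1, b) in zip(session, session[1:]):
            self.counts[a][b] = self.counts[a].get(b, 0) + 1
            self.fastest[(a, b)] = min(self.fastest.get((a, b), t1 - t0), t1 - t0)

    def prob(self, a, b):
        total = sum(self.counts.get(a, {}).values())
        return self.counts[a].get(b, 0) / total if total else 0.0

    def score(self, session):
        """Mean suspicion per transition (assumed weights): 2 for a never-seen
        edge, 1 for a rare edge, 1 for a gap far below the fastest legitimate gap."""
        steps = list(zip(session, session[1:]))
        total = 0.0
        for (t0, a), (t1, b) in steps:
            p = self.prob(a, b)
            if p == 0.0:
                total += 2.0
                continue
            if p < self.rare_prob:
                total += 1.0
            if (t1 - t0) < self.fastest[(a, b)] * self.slack:
                total += 1.0
        return total / len(steps) if steps else 0.0

    def is_suspicious(self, session):
        return self.score(session) >= self.threshold

# Constructed sample traces (seconds, request path); not taken from the paper's datasets.
LEGIT_TRACES = [
    [(0, "/home"), (5, "/search"), (15, "/item"), (40, "/cart")],
    [(0, "/home"), (8, "/search"), (20, "/item")],
    [(0, "/home"), (4, "/search"), (11, "/item"), (30, "/home")],
]
NORMAL = [(0, "/home"), (6, "/search"), (15, "/item")]
FLOOD = [(0, "/search"), (0.1, "/search"), (0.2, "/search"), (0.3, "/search")]
FAST = [(0, "/home"), (0.5, "/search"), (1.0, "/item")]

def trained_model():
    model = BehaviourModel()
    for trace in LEGIT_TRACES:
        model.learn(trace)
    return model
```

Feeding a verified-legitimate trace back through `learn()` widens the timing bounds, which is how incremental learning from run-time traces can lower false positives for unusually quick but genuine users.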
