Abstract

Distributed denial of service (DDoS) attacks are one of the major threats to the current Internet, and application-layer DDoS attacks, which exhaust victim resources with legitimate-looking HTTP requests, are harder to detect than network-layer floods. Consequently, neither an intrusion detection system (IDS) nor the victim server can readily tell the malicious requests from legitimate ones. In this paper, a novel approach to detecting application-layer DDoS attacks is proposed, based on the entropy of HTTP GET requests per source IP address (HRPI). By approximating an adaptive autoregressive (AAR) model, the HRPI time series is transformed into a multidimensional vector series, and a trained support vector machine (SVM) classifier is then applied to identify attacks. Experiments on several datasets show that this approach detects application-layer DDoS attacks effectively.
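The HRPI feature described in the abstract, as an added example that is not the paper's own code: it parses constructed combined-format access-log lines, computes the entropy of GET requests per source IP in fixed 10-second windows, and then turns the resulting HRPI series into coefficient vectors. The vector step is a simplification: it fits a batch least-squares AR model over a sliding window instead of the paper's adaptive (AAR) estimator, and the SVM stage is omitted. The window length, AR order, log format and all sample traffic are assumptions.

```python
import math
import re
from collections import Counter
from datetime import datetime

# Constructed sample access-log lines (combined-log style); not real traffic.
# The first 10 s look like normal browsing; in the second 10 s a single
# source (203.0.113.7) floods the search endpoint with GET requests.
SAMPLE_LOG = """\
10.0.0.1 - - [10/Oct/2023:13:55:00 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.2 - - [10/Oct/2023:13:55:01 +0000] "GET /about.html HTTP/1.1" 200 300
10.0.0.1 - - [10/Oct/2023:13:55:03 +0000] "GET /style.css HTTP/1.1" 200 120
10.0.0.3 - - [10/Oct/2023:13:55:05 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.4 - - [10/Oct/2023:13:55:07 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.4 - - [10/Oct/2023:13:55:08 +0000] "GET /home HTTP/1.1" 200 900
10.0.0.2 - - [10/Oct/2023:13:55:09 +0000] "GET /img/logo.png HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:10 +0000] "GET /search?q=a HTTP/1.1" 200 9000
203.0.113.7 - - [10/Oct/2023:13:55:11 +0000] "GET /search?q=b HTTP/1.1" 200 9000
10.0.0.5 - - [10/Oct/2023:13:55:12 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:13 +0000] "GET /search?q=c HTTP/1.1" 200 9000
203.0.113.7 - - [10/Oct/2023:13:55:14 +0000] "GET /search?q=d HTTP/1.1" 200 9000
203.0.113.7 - - [10/Oct/2023:13:55:16 +0000] "GET /search?q=e HTTP/1.1" 200 9000
10.0.0.1 - - [10/Oct/2023:13:55:18 +0000] "GET /about.html HTTP/1.1" 200 300
203.0.113.7 - - [10/Oct/2023:13:55:19 +0000] "GET /search?q=f HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')


def parse_log(text):
    """Return (epoch_seconds, client_ip, method, path) for each parsable line."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole batch
        ip, ts, method, path = m.groups()
        epoch = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        records.append((epoch, ip, method, path))
    return records


def entropy_bits(counts):
    """Shannon entropy (bits) of a count distribution; 0.0 for an empty window."""
    total = sum(counts)
    return -sum(c / total * math.log2(c / total) for c in counts if c) if total else 0.0


def hrpi_series(records, window_seconds=10):
    """Entropy of GET requests per source IP, one value per fixed time window.

    One client dominating a window pulls the entropy down; a wide botnet of
    one-request sources pushes it up. Either is a departure from the site's
    normal profile, which is what a downstream classifier learns."""
    if not records:
        return []
    start = min(r[0] for r in records)
    per_window = {}
    for epoch, ip, method, _path in records:
        if method != "GET":  # HRPI counts GET requests only
            continue
        idx = int((epoch - start) // window_seconds)
        per_window.setdefault(idx, Counter())[ip] += 1
    last = int((max(r[0] for r in records) - start) // window_seconds)
    return [entropy_bits(per_window.get(i, Counter()).values()) for i in range(last + 1)]


def ar_coefficients(series, order):
    """Batch least-squares AR(order) fit, no intercept: x_t ~ a1*x_{t-1} + ... + ap*x_{t-p}.
    Solves the normal equations by Gaussian elimination (stdlib only). This is a
    simplified stand-in: the paper's AAR model updates the coefficients adaptively."""
    p = order
    if len(series) < 2 * p:
        raise ValueError("need at least 2*order samples")
    A = [[0.0] * p for _ in range(p)]
    b = [0.0] * p
    for t in range(p, len(series)):
        lags = series[t - p:t][::-1]  # [x_{t-1}, x_{t-2}, ..., x_{t-p}]
        for i in range(p):
            b[i] += lags[i] * series[t]
            for j in range(p):
                A[i][j] += lags[i] * lags[j]
    for col in range(p):  # forward elimination with partial pivoting
        piv = max(range(col, p), key=lambda r: abs(A[r][col]))
        A[col], A[piv], b[col], b[piv] = A[piv], A[col], b[piv], b[col]
        if abs(A[col][col]) < 1e-12:
            raise ValueError("singular normal equations (flat or collinear series)")
        for r in range(col + 1, p):
            f = A[r][col] / A[col][col]
            b[r] -= f * b[col]
            for j in range(col, p):
                A[r][j] -= f * A[col][j]
    coef = [0.0] * p
    for i in reversed(range(p)):  # back substitution
        coef[i] = (b[i] - sum(A[i][j] * coef[j] for j in range(i + 1, p))) / A[i][i]
    return coef


def ar_feature_vectors(series, order=2, window=6):
    """Fit AR(order) on each sliding window of the HRPI series; the coefficient
    vectors are the multidimensional features a classifier would be trained on."""
    return [ar_coefficients(series[i:i + window], order)
            for i in range(len(series) - window + 1)]


if __name__ == "__main__":
    for i, h in enumerate(hrpi_series(parse_log(SAMPLE_LOG), window_seconds=10)):
        print(f"window {i}: HRPI = {h:.4f} bits")
    # Constructed longer HRPI series: normal windows near 2 bits, then a collapse
    # when a flood from few sources begins; the AR vectors change shape with it.
    longer = [1.9, 2.0, 1.95, 2.05, 1.9, 2.0, 1.1, 1.0, 1.05, 0.9, 1.0, 1.1]
    for vec in ar_feature_vectors(longer, order=2, window=6):
        print("AR(2) coefficients:", [round(c, 3) for c in vec])
```

On the constructed log the first window (four browsing clients, six GETs) scores about 1.92 bits and the second window (one client issuing six of eight GETs) about 1.06 bits. The direction of the shift depends on the attack: a single flooding source collapses the entropy, while a large botnet of one-request sources raises it above the normal profile, which is why the paper classifies the shape of the series rather than thresholding the raw value.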

Highlights

  • Distributed denial of service (DDoS) attacks have caused severe damage to servers and pose an even greater threat to the development of new Internet services

  • A group of standard classification metrics is used to evaluate the results: False-Positive Rate (FPR), False-Negative Rate (FNR) and accuracy (Table 1 reports the results of DDoS detection in normal traffic)

  • The Receiver Operating Characteristic (ROC) curve, which shows how a classifier balances its FPR against its FNR, is obtained by varying the classification threshold


Summary

Introduction

DDoS attacks have caused severe damage to servers and pose an even greater threat to the development of new Internet services. DDoS attacks are categorized into two classes: network-layer DDoS attacks and application-layer DDoS attacks. In network-layer DDoS attacks, attackers send a large number of bogus packets towards the victim server, normally with spoofed source IP addresses; the victim server or an IDS can usually distinguish such bogus packets from legitimate ones. In application-layer DDoS attacks, attackers overwhelm the victim server with a flood of requests that are individually legitimate. In this attack model, attackers target the victim Web server with HTTP GET requests, pulling large files from it in overwhelming numbers, or run a massive number of queries through the victim's search engine or database to bring the server down.

