Abstract
Distributed denial of service (DDoS) attacks, which are a major threat on the Internet, have recently become more sophisticated as a result of their ability to exploit application-layer vulnerabilities. Most defense methods are designed for detecting DDoS attacks on IP and TCP layers and consequently have difficulty in detecting this new type of DDoS attack. With the profiling of web browsing behavior, the sequence order of web page requests can be used for detecting the application-layer DDoS (App-DDoS) attacks. However, the sequence order may be more harmful than helpful in the profiling of web browsing behaviors because it varies significantly for different individuals and different browsing behaviors. This article introduces a sequence-order-independent method for the profiling of network traffic and the detection of a new type of App-DDoS attacks. Four attributes are extracted from web page request sequences without consideration of the sequence order of requested pages. A model based on the multiple principal component analysis is proposed for the profiling of normal web browsing behaviors, and its reconstruction error is used as a criterion for detecting DDoS attacks. The proposed method is experimentally confirmed with various types of new App-DDoS attacks.
Highlights
Distributed denial of service (DDoS) attacks have become a major threat and one of the hardest problems to overcome on the Internet
We describe them in a matrix and use multiple principal component analysis (PCA) to model the browsing patterns
Datasets To validate our App-DDoS attack defense method, we used the web-logs from real websites: an educational website, a community website, and an online shopping website
Summary
Distributed denial of service (DDoS) attacks have become a major threat and one of the hardest problems to overcome on the Internet. For the detection of App-DDoS attacks, Xie et al [8] used a hidden semi-Markov model (HsMM) to describe the normal browsing behavior of web users. The HsMM uses the sequence order of web page requests to profile normal web browsing behavior. We propose a sequence-order-independent method that distinguishes App-DDoS attacks from normal traffic. PCA model to profile normal web browsing patterns and distinguish App-DDoS attacks. Since DDoS attack detection systems are required to handle an extremely large volume of traffic, we base our description of the web browsing patterns on PCA instead of nonlinear methods such as kernel methods and manifold learning [10,11]
Published Version (Free)
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have