Behavior-based detection of application layer distributed denial of service attacks during flash events

Distributed denial of service (DDoS) attacks are an ever-present threat to the developers and users of the Internet. DDoS attacks targeted at the application layer are especially difficult to detect since they mimic legitimate users' requests. The situation becomes more serious when they occur during flash events, so a more sophisticated algorithm is required to detect such attacks during a flash crowd. A few existing works make use of flow similarity to differentiate flash crowds from DDoS attacks, but flow characteristics alone cannot be used for effective detection. In this paper, we propose a novel mechanism for discriminating DDoS attacks from flash crowds based on a combination of parameters that reflect their behavioral differences. Flow similarity, client legitimacy, and the web page requested are identified as the principal parameters and are used together for effective discrimination. The proposed mechanism is implemented on resilient proxies in order to protect the server from direct flooding and to improve overall performance. Real datasets are used for simulation, and the results are presented to evaluate the performance of the proposed system. The results show that the proposed mechanism achieves effective detection with fewer false positives and false negatives.
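As an added illustration (not code from the paper), the following Python scores two constructed request logs on the three parameters the abstract names: flow similarity, client legitimacy and the web page requested. The request-rate correlation, the embedded-asset legitimacy heuristic, the page-diversity measure, the equal weighting and the 0.5 threshold are all assumptions made for this example, not the authors' definitions.

```python
from collections import defaultdict
from itertools import combinations
from math import sqrt
ASSETS = (".css", ".js", ".png")  # assumed suffixes of embedded page objects

def constructed_bot_log():
    # Constructed data: scripted clients, one URL, identical timing, no embedded objects.
    return [(t, f"bot{i}", "/search?q=x") for t in range(6)
            for i in range(4) for _ in range(3 + 2 * (t % 2))]
def constructed_crowd_log():
    # Constructed data: human-like clients, irregular visits, assets fetched, some browsing.
    log = []
    for i in range(4):
        for t in range(6):
            if (7 * t + 3 * i) % 4 == 0:
                log += [(t, f"user{i}", "/news/breaking"), (t, f"user{i}", "/static/site.css")]
            if (t + i) % 5 == 0:
                log.append((t, f"user{i}", "/news/related"))
    return log

def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    va, vb = sum((x - ma) ** 2 for x in a), sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:  # flat flows: identical count vectors count as similar
        return 1.0 if a == b else 0.0
    return sum((x - ma) * (y - mb) for x, y in zip(a, b)) / sqrt(va * vb)

def flow_similarity(log, buckets=6):
    # Mean pairwise correlation of per-client request-rate vectors, clamped to [0, 1].
    rates = defaultdict(lambda: [0] * buckets)
    for t, client, _ in log:
        rates[client][t] += 1
    pairs = list(combinations(rates.values(), 2))
    return max(0.0, sum(pearson(a, b) for a, b in pairs) / len(pairs))

def client_legitimacy(log):
    # Assumed heuristic: fraction of clients that also fetched embedded objects, as a browser would.
    return len({c for _, c, p in log if p.endswith(ASSETS)}) / len({c for _, c, _ in log})

def page_diversity(log):
    # Assumed "web page requested" parameter: fraction of clients requesting more than one page path.
    pages = defaultdict(set)
    for _, c, p in log:
        pages[c].add(p)
    return sum(len({q for q in s if not q.endswith(ASSETS)}) > 1 for s in pages.values()) / len(pages)

def classify(log, threshold=0.5):
    # Equal weighting and the 0.5 threshold are assumptions; the paper does not give them.
    score = (flow_similarity(log) + (1 - client_legitimacy(log)) + (1 - page_diversity(log))) / 3
    return ("ddos" if score > threshold else "flash_crowd"), round(score, 3)
```

The scripted log scores 1.0 (highly correlated flows, no asset fetches, a single path) and the human-like log scores 0.0, showing why the abstract argues for combining the parameters rather than relying on flow similarity alone.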
