Abstract
An HTTP-flooding attack is a far stealthier form of distributed denial of service (DDoS) attack and seriously threatens the survivability of web services. Observing web access behavior, we find that the surfing preference of normal users is much more consistent with webpage popularity than that of malicious users. Based on this observation, this paper proposes a novel HTTP-flooding detection scheme, HTTP-SoLDiER. Specifically, HTTP-SoLDiER first quantifies the consistency between a web user's surfing preference and the webpage popularity using the large-deviation principle. It then distinguishes malicious users from normal ones according to the resulting large-deviation probability. In practice, webpage popularity plays a key role in HTTP-SoLDiER's attack detection. Because webpage content is continually updated and attackers disturb the access statistics, webpage popularity often varies over time, so it is critical for HTTP-SoLDiER to update it dynamically. We design a reversible exponentially weighted moving average (EWMA) algorithm to solve this problem. Finally, we evaluate the effectiveness of the scheme in terms of true positive (TP) and false positive (FP) probabilities with NS-3 simulations. The simulation results show that HTTP-SoLDiER detects all random HTTP-flooding attackers and most perfect-knowledge HTTP-flooding attackers with few false positives.
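The following Python example is added here to illustrate the two mechanisms the abstract describes; it is not the paper's code and does not reproduce HTTP-SoLDiER's actual formulas. It assumes a Sanov-type large-deviation estimate, in which the probability that a client drawing n requests from the site-wide popularity distribution would show its observed per-page preference decays like exp(-n * D(q || p)) with D the relative entropy, and it uses a plain EWMA for the popularity update rather than the paper's reversible variant. The popularity table, the request sequences for a normal client and a uniformly "random" flooding client, the probability floor and the decision threshold are all constructed for the example.

```python
import math
from collections import Counter

# Constructed sample data (not from the paper): site-wide webpage popularity,
# i.e. the fraction of all requests that each page receives.
POPULARITY = {
    "/index": 0.50,
    "/news": 0.25,
    "/about": 0.12,
    "/contact": 0.08,
    "/admin": 0.05,
}

# Constructed request sequences: a normal client whose preference roughly
# tracks popularity, and a "random" flooding client that spreads the same
# number of requests uniformly over the pages.
NORMAL_CLIENT = (["/index"] * 10 + ["/news"] * 5 + ["/about"] * 3
                 + ["/contact"] * 1 + ["/admin"] * 1)
RANDOM_FLOODER = ["/index", "/news", "/about", "/contact", "/admin"] * 4

FLOOR = 1e-6  # assumed probability floor for pages absent from the table


def empirical_distribution(requests):
    """Client surfing preference: fraction of the client's requests per page."""
    n = len(requests)
    return {page: c / n for page, c in Counter(requests).items()}


def kl_divergence(q, p, floor=FLOOR):
    """Relative entropy D(q || p) in nats; p is floored so D stays finite."""
    return sum(qi * math.log(qi / p.get(page, floor))
               for page, qi in q.items() if qi > 0)


def large_deviation_score(requests, popularity):
    """Sanov-type estimate (assumption, not the paper's exact formula):
    returns (rate, probability) where probability ~ exp(-n * D(q || p))."""
    q = empirical_distribution(requests)
    rate = kl_divergence(q, popularity)
    return rate, math.exp(-len(requests) * rate)


def is_suspicious(requests, popularity, threshold=0.05):
    """Flag the client when its large-deviation probability is below threshold."""
    _, prob = large_deviation_score(requests, popularity)
    return prob < threshold


def ewma_update(popularity, window_requests, alpha=0.2):
    """Plain EWMA of popularity toward the latest window's empirical
    distribution. The paper's reversible EWMA is not reproduced here."""
    q = empirical_distribution(window_requests)
    pages = set(popularity) | set(q)
    updated = {page: (1 - alpha) * popularity.get(page, 0.0)
               + alpha * q.get(page, 0.0) for page in pages}
    total = sum(updated.values())
    return {page: v / total for page, v in updated.items()}


def update_popularity(popularity, clients, alpha=0.2, threshold=0.05):
    """Update popularity only from clients that were not flagged, so that a
    flood does not drag the reference distribution toward the attacker's
    preference (one simple way to limit the disturbance the abstract mentions)."""
    pooled = [r for reqs in clients
              if not is_suspicious(reqs, popularity, threshold) for r in reqs]
    return ewma_update(popularity, pooled, alpha) if pooled else dict(popularity)


if __name__ == "__main__":
    for name, reqs in (("normal", NORMAL_CLIENT), ("flooder", RANDOM_FLOODER)):
        rate, prob = large_deviation_score(reqs, POPULARITY)
        print(f"{name}: rate={rate:.4f} prob={prob:.4g} "
              f"suspicious={is_suspicious(reqs, POPULARITY)}")
    print(update_popularity(POPULARITY, [NORMAL_CLIENT, RANDOM_FLOODER]))
```

Because the score scales with the number of requests n, a fixed probability threshold becomes stricter for heavier clients; a deployment would normally calibrate the threshold per observation window length, which is the kind of TP/FP trade-off the abstract evaluates.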
Wang, J., Yang, X., Zhang, M. et al. HTTP-SoLDiER: An HTTP-flooding attack detection scheme with the large deviation principle. Sci. China Inf. Sci. 57, 1–15 (2014). https://doi.org/10.1007/s11432-013-5015-2