Use of access characteristics to distinguish legitimate user traffic from DDoS attack traffic

  • Kentaro Aburada
  • Yuki Arikawa
  • Shotaro Usuzaki
  • Hisaaki Yamaba
  • Tetsuro Katayama
  • Mirang Park
  • Naonobu Okazaki
Original Article

Abstract

Distributed denial of service attacks are a serious threat in the current information society, where the Internet plays an important role as infrastructure. We have been studying ways to mitigate these attacks using a method that distinguishes between legitimate users and attacks. Our previous method was not sufficient because it only analyzed access logs after the attack. In this study, we propose a new method that can distinguish between legitimate users and attacks while the services are running. When the IDS detects an attack, a quarantine server distinguishes legitimate users using access characteristics. The access characteristics are: (1) user follows links, (2) sender accessed a popular page, and (3) the sender’s current average transmission interval. Our experiments confirmed that the proposed method can distinguish between legitimate users and attacks.
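As an added illustration (not the authors' implementation), the three access characteristics listed in the abstract can be computed per sender from an access log. The link graph, popular-page set, interval threshold and two-of-three decision rule are assumptions made for this example, and the log lines are constructed.

```python
from collections import defaultdict
from statistics import mean

LINKS = {                       # constructed link graph: page -> linked pages
    "/": {"/news", "/products"},
    "/news": {"/", "/news/1"},
    "/products": {"/", "/products/a"},
}
POPULAR = {"/", "/news"}        # hypothetical set of popular pages
MIN_AVG_INTERVAL = 1.0          # seconds; hypothetical threshold
LOG = [                         # constructed log: (timestamp_s, sender, path)
    (0.0, "198.51.100.7", "/"),
    (4.2, "198.51.100.7", "/news"),
    (9.8, "198.51.100.7", "/news/1"),
    (0.0, "203.0.113.9", "/products/a"),
    (0.1, "203.0.113.9", "/products/a"),
    (0.2, "203.0.113.9", "/products/a"),
    (0.3, "203.0.113.9", "/products/a"),
    (5.0, "192.0.2.44", "/"),
]

def characteristics(requests):
    """Compute the three characteristics for one sender's time-ordered requests."""
    times = [t for t, _ in requests]
    paths = [p for _, p in requests]
    hops = list(zip(paths, paths[1:]))
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        # (1) every transition goes to a page linked from the previous one
        "follows_links": bool(hops) and all(b in LINKS.get(a, ()) for a, b in hops),
        # (2) the sender requested at least one popular page
        "popular_page": any(p in POPULAR for p in paths),
        # (3) current average transmission interval; None with a single request
        "avg_interval": mean(gaps) if gaps else None,
    }

def classify(log):
    """Return {sender: (verdict, characteristics)} using a two-of-three rule."""
    per_sender = defaultdict(list)
    for ts, sender, path in sorted(log):
        per_sender[sender].append((ts, path))
    verdicts = {}
    for sender, requests in per_sender.items():
        c = characteristics(requests)
        if c["avg_interval"] is None:          # too little traffic to judge
            verdicts[sender] = ("undecided", c)
            continue
        slow = c["avg_interval"] >= MIN_AVG_INTERVAL
        score = c["follows_links"] + c["popular_page"] + slow
        verdicts[sender] = ("legitimate" if score >= 2 else "suspect", c)
    return verdicts
```
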

Keywords

DDoS, HTTP GET flood attack, OpenFlow

Notes

Acknowledgements

This work was supported by JSPS KAKENHI Grant numbers JP17H01736, JP17K00139, JP18K11268.

Copyright information

© International Society of Artificial Life and Robotics (ISAROB) 2019

Authors and Affiliations

  • Kentaro Aburada (1)
  • Yuki Arikawa (1)
  • Shotaro Usuzaki (1)
  • Hisaaki Yamaba (1)
  • Tetsuro Katayama (1)
  • Mirang Park (2)
  • Naonobu Okazaki (1)

  1. University of Miyazaki, Miyazaki, Japan
  2. Kanagawa Institute of Technology, Atsugi, Japan