Abstract
Distributed Denial of Service (DDoS) attacks are a major threat to the availability of Web services. The inherent self-similarity of Web traffic motivates applying time series analysis to the study of the burst feature of DDoS attacks. This paper presents a method of detecting DDoS attacks against a Web server by analyzing abrupt changes in time series data obtained from Web traffic. The time series data are specified in a reference sliding window and a test sliding window, and the abrupt change is modeled using an Auto-Regressive (AR) process. By comparing two adjacent non-overlapping windows of the time series, attack traffic can be detected at a time point. Combined with alarm correlation and location correlation, the method determines not only the presence of a DDoS attack but also the time and location at which it occurs. Experimental results from a test environment are presented to justify the method.
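One way to instantiate the two-window comparison described in the abstract, as an added example that is not the paper's own code. The AR order, the Yule-Walker fit, the prediction-error ratio used as the change statistic, the threshold and the constructed traffic series are all assumptions, since the abstract does not specify them.

```python
import random

def fit_ar(window, p):
    """Yule-Walker AR(p) fit via Levinson-Durbin; returns (mean, coeffs)."""
    n = len(window)
    mu = sum(window) / n
    d = [v - mu for v in window]
    r = [sum(d[t] * d[t - k] for t in range(k, n)) / n for k in range(p + 1)]
    if r[0] == 0:                      # perfectly flat traffic: nothing to model
        return mu, [0.0] * p
    a, err = [], r[0]
    for k in range(1, p + 1):
        refl = (r[k] - sum(a[j] * r[k - 1 - j] for j in range(k - 1))) / err
        a = [a[j] - refl * a[k - 2 - j] for j in range(k - 1)] + [refl]
        err *= 1 - refl * refl
    return mu, a

def pred_error(window, mu, a):
    """Mean squared one-step prediction error of an AR model on a window."""
    p = len(a)
    errs = [(window[t] - mu
             - sum(a[j] * (window[t - 1 - j] - mu) for j in range(p))) ** 2
            for t in range(p, len(window))]
    return sum(errs) / len(errs)

def detect(series, w=50, p=2, threshold=10.0):
    """Indices at which the test window no longer fits the reference model."""
    alarms = []
    for end in range(2 * w, len(series) + 1):
        # two adjacent, non-overlapping windows: reference, then test
        ref, test = series[end - 2 * w:end - w], series[end - w:end]
        mu, a = fit_ar(ref, p)         # model of "normal" traffic
        base = max(pred_error(ref, mu, a), 1e-9)
        if pred_error(test, mu, a) / base > threshold:
            alarms.append(end - 1)     # newest sample in the test window
    return alarms

def constructed_series(n=600, attack_at=None, seed=7):
    """Constructed requests/sec: AR(1) baseline plus an optional step burst."""
    rng, x, out = random.Random(seed), 100.0, []
    for t in range(n):
        x = 100 + 0.6 * (x - 100) + rng.gauss(0, 5)
        out.append(x + (300 if attack_at is not None and t >= attack_at else 0))
    return out

if __name__ == "__main__":
    print("first alarm:", detect(constructed_series(attack_at=300))[:1])
```

Alarms stop once the burst has moved into the reference window, so a deployment would latch the first alarm of a run as the onset time rather than treat silence as recovery.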
Additional information
Foundation item: Supported by the National Natural Science Foundation of China (60373075)
Biography: WU Qing-tao (1975-), male, Ph. D. candidate, research direction: Network abnormal events detection.
Cite this article
Qing-tao, W., Zhi-qing, S. Detecting DDoS attacks against web server using time series analysis. Wuhan Univ. J. Nat. Sci. 11, 175–180 (2006). https://doi.org/10.1007/BF02831726
DOI: https://doi.org/10.1007/BF02831726