Abstract
Web proxies and caches play important roles in the modern Internet. Although much work has been done on them, few studies have focused on the fact that these trusted intermediaries may be used to launch Web-based attacks and to shield the attackers’ malicious behavior. This paper fills a void in this area by proposing a new server-side detection scheme based on the behavior characteristics of proxy-to-server Web traffic. A proxy’s access behavior is extracted from the temporal locality and the bytes of the requested objects. A stochastic process based on a Gaussian-mixture hidden semi-Markov model is applied to describe the dynamic variability of the observed variables. The entropies of the pending Web traffic launched by proxies, when fitted to the model, are used as the criterion for attack detection. Experiments based on real Web traffic and an emulated attack are carried out to validate the proposal.
Copyright information
© 2008 IFIP International Federation for Information Processing
About this paper
Cite this paper
Xie, Y., Yu, Sz. (2008). Measuring the Normality of Web Proxies’ Behavior Based on Locality Principles. In: Cao, J., Li, M., Wu, MY., Chen, J. (eds) Network and Parallel Computing. NPC 2008. Lecture Notes in Computer Science, vol 5245. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88140-7_6
DOI: https://doi.org/10.1007/978-3-540-88140-7_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-88139-1
Online ISBN: 978-3-540-88140-7
eBook Packages: Computer Science (R0)