30-05-2012, 01:55 PM
Monitoring the Application-Layer DDoS Attacks for Popular Websites
INTRODUCTION
Distributed denial of service (DDoS) attacks have caused severe damage to servers and will pose an even greater threat to the development of new Internet services. Traditionally, DDoS attacks are carried out at the network layer, e.g., ICMP flooding, SYN flooding, and UDP flooding; we call these Net-DDoS attacks in this paper. The intent of these attacks is to consume network bandwidth and deny service to legitimate users of the victim systems. Since many studies have addressed this type of attack and proposed various schemes (e.g., network measurement or anomaly detection) to protect networks and equipment from bandwidth attacks, it is no longer as easy as it once was for attackers to launch network-layer DDoS attacks. When simple Net-DDoS attacks fail, attackers shift their offensive strategy to the application layer and mount a more sophisticated type of DDoS attack.
RELATED WORK
Our literature survey found that researchers attempt to detect DDoS attacks at three different layers: the IP layer, the TCP layer, and the application layer. From each of these perspectives, researchers are investigating approaches to distinguish normal traffic from attack traffic. Here, we survey representative research from each perspective.
Most DDoS-related research has focused on the IP layer. These mechanisms attempt to detect attacks by analyzing specific features, e.g., arrival rate or header information. For example, Cabrera et al. [12] used management information base (MIB) data, which include parameters describing packet and routing statistics from routers, to achieve early detection. Yuan et al. [13] used cross-correlation analysis to capture traffic patterns and then decide where and when a DDoS attack possibly arises. Mirkovic et al. [14] monitored the asymmetry of two-way packet rates to identify attacks in edge routers. Other statistical approaches to DDoS detection use IP addresses [15] and time-to-live (TTL) values [16].
DETECTION PRINCIPLE
Web user behavior is mainly influenced by the structure of the Web site (e.g., its documents and hyperlinks) and by the way users access Web pages. In this paper, our monitoring scheme treats the App-DDoS attack as anomalous browsing behavior. We investigate the characteristics of Web access behavior in Figs. 2 and 6. Fig. 2 plots the number of HTTP requests and the number of users per 5 s during the burst Web workload of a semifinal, collected from the logs of the 1998 World Cup. From the maximum correlation coefficient of 0.9986 between the series of request counts and the series of user counts, we can see that a normal flash crowd is mainly caused by a sudden increase in the number of users. Fig. 6, plotted in the experiment section below, shows that the entropy of the aggregate access behavior against our model does not change much during the flash crowd event, which implies that neither the main access behavior profile of normal users nor the structure of the Web site varies noticeably during the flash crowd event and its vicinity. This conclusion agrees with [5] and is similar to those drawn from other HTTP traces, e.g., Calgary-HTTP, ClarkNet-HTTP, and NASA-HTTP, which can be downloaded freely from [24].
Performance
In the above scenarios, based on the entropy output by the algorithm, we can detect the anomaly caused by the App-DDoS attack. Fig. 7(a) shows the distributions of average entropy. There are significant differences in the entropy distributions of the two groups: the normal Web traffic's entropies are larger than 6, but most entropies of the traffic containing attacks are less than 8. The statistical results of the entropy of normal training data and emulated App-DDoS attacks
CONCLUSION
Creating defenses against attacks requires monitoring dynamic network activity in order to obtain timely and significant information. While most current effort focuses on detecting Net-DDoS attacks against stable background traffic, in this paper we proposed a detection architecture aimed at monitoring Web traffic in order to reveal dynamic shifts in normal burst traffic, which might signal the onset of App-DDoS attacks during a flash crowd event. Our method reveals attacks early, depending only on the document popularity obtained from the server log. The proposed method is based on PCA, ICA, and HsMM. We conducted experiments with different App-DDoS attack modes (i.e., constant-rate attacks, increasing-rate attacks, and stochastic pulsing attacks) during a flash crowd event taken from a real trace. Our simulation results show that the system can capture the shift in Web traffic caused by attacks under the flash crowd, and that the entropy of the observed data fitted to the HsMM can be used as the measure of abnormality. In our experiments, when the detection threshold on entropy is set to 5.3, the DR is 90% and the FPR is 1%. This also demonstrates that the proposed architecture is expected to be practical for monitoring App-DDoS attacks and for triggering more dedicated detection on the victim network.
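The detection principle described earlier (request and user counts per 5 s window, their high correlation during a normal flash crowd, and an entropy measure that drops when the access pattern shifts) together with the threshold, DR and FPR evaluation summarised in the conclusion, illustrated by an added example that is not from the paper or its authors. The paper's abnormality measure is the entropy of observed sequences fitted to an HsMM over document popularity; this stand-in uses the plain Shannon entropy of each window's document-popularity distribution, so its threshold (2.5 bits) is unrelated to the paper's 5.3. Every log line, page name, host address and attack window below is constructed, and the Common Log Format parser, window width and labelling are assumptions for the demo.

```python
"""Added example: window a web log, correlate requests with users, and score
windows by document-popularity entropy. Constructed data, not the paper's code."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import math
import re

# Apache Common Log Format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:GET|POST|HEAD) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical page set for the constructed trace (not the World Cup documents).
PAGES = ["/index.html", "/news.html", "/scores.html", "/teams.html",
         "/photos.html", "/schedule.html", "/history.html", "/contact.html"]


def parse_line(line):
    """Return (host, unix_time, path, status), or None for a non-CLF line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    t = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return m.group("host"), t, m.group("path"), int(m.group("status"))


def window_stats(lines, width=5.0):
    """Bucket a chronologically ordered log into fixed-width windows.
    Returns [(window_index, request_count, distinct_users, popularity Counter)]."""
    buckets = defaultdict(lambda: {"req": 0, "users": set(), "pop": Counter()})
    t0 = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip a malformed line instead of aborting the window
        host, t, path, _status = rec
        if t0 is None:
            t0 = t  # first parsed line anchors window 0
        b = buckets[int((t - t0) // width)]
        b["req"] += 1
        b["users"].add(host)
        b["pop"][path] += 1
    return [(w, b["req"], len(b["users"]), b["pop"]) for w, b in sorted(buckets.items())]


def pearson(xs, ys):
    """Sample Pearson correlation of two equal-length numeric sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / math.sqrt(sxx * syy)


def popularity_entropy(pop):
    """Shannon entropy (bits) of one window's document-popularity distribution;
    a few hosts hammering one document concentrate the mass and lower it."""
    total = sum(pop.values())
    return -sum(c / total * math.log2(c / total) for c in pop.values())


def detection_rates(entropies, labels, threshold):
    """Flag a window when its entropy is below threshold; return (DR, FPR)."""
    attack = [e for e, atk in zip(entropies, labels) if atk]
    normal = [e for e, atk in zip(entropies, labels) if not atk]
    dr = sum(e < threshold for e in attack) / len(attack) if attack else 0.0
    fpr = sum(e < threshold for e in normal) / len(normal) if normal else 0.0
    return dr, fpr


def fmt_clf(host, t, path):
    """Render one constructed CLF line."""
    return f'{host} - - [{t.strftime("%d/%b/%Y:%H:%M:%S +0000")}] "GET {path} HTTP/1.0" 200 1024'


def build_sample_log():
    """Constructed trace: five 5 s windows of a growing flash crowd (10..30 users,
    two pages each); in windows 3 and 4, three bot hosts add 30 requests each for
    /index.html. Returns (lines, labels) with labels[w] True for attack windows."""
    base = datetime(2012, 5, 30, 13, 55, 0, tzinfo=timezone.utc)
    lines, labels = [], []
    for w in range(5):
        is_attack = w >= 3
        labels.append(is_attack)
        for u in range(10 + 5 * w):
            for k in range(2):
                t = base + timedelta(seconds=5 * w + (u + k) % 5)
                lines.append(fmt_clf(f"10.0.{w}.{u}", t, PAGES[(u + 3 * k) % len(PAGES)]))
        if is_attack:
            for bot in range(3):
                for k in range(30):
                    t = base + timedelta(seconds=5 * w + k % 5)
                    lines.append(fmt_clf(f"203.0.113.{bot}", t, "/index.html"))
    return lines, labels


if __name__ == "__main__":
    lines, labels = build_sample_log()
    stats = window_stats(lines)
    ents = [popularity_entropy(s[3]) for s in stats]
    print("request/user correlation:", round(pearson([s[1] for s in stats], [s[2] for s in stats]), 4))
    for (w, req, users, _), e, atk in zip(stats, ents, labels):
        print(f"window {w}: {req:4d} req {users:3d} users entropy {e:.3f} {'ATTACK' if atk else 'normal'}")
    print("DR, FPR at threshold 2.5:", detection_rates(ents, labels, 2.5))
```

Over the three normal windows the request and user counts rise together (correlation 1.0), mirroring the paper's observation that a flash crowd is driven by the number of users; the bot windows add many requests but few users and push the popularity entropy from about 3 bits down to below 2. The DR/FPR helper is the same bookkeeping one would use to pick a threshold from labelled training windows, whichever entropy measure feeds it.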