Identifying Application-Layer DDoS Attacks Based on Request Rhythm Matrices
Application-layer distributed denial of service (AL-DDoS) attacks are becoming critical threats to websites because the stealth of AL-DDoS attacks makes many intrusion prevention systems ineffective. To detect AL-DDoS attacks aimed at websites, we propose a novel statistical model called the RM (rhy...
Main Authors: | , , , , |
---|---|
Format: | Article |
Language: | English |
Published: | IEEE 2019-01-01 |
Series: | IEEE Access |
Subjects: | |
Online Access: | https://ieeexplore.ieee.org/document/8888259/ |
_version_ | 1818350129684414464 |
---|---|
author | Huan Lin Shoufeng Cao Jiayan Wu Zhenzhong Cao Fengyu Wang |
author_facet | Huan Lin Shoufeng Cao Jiayan Wu Zhenzhong Cao Fengyu Wang |
author_sort | Huan Lin |
collection | DOAJ |
description | Application-layer distributed denial of service (AL-DDoS) attacks are becoming critical threats to websites because the stealth of AL-DDoS attacks makes many intrusion prevention systems ineffective. To detect AL-DDoS attacks aimed at websites, we propose a novel statistical model called the RM (rhythm matrix). Although the original features from the network layer are adopted, the access trajectory, including requested objects and corresponding dwell-time values, can be abstracted and accumulated into an RM. With an RM, we can almost losslessly compress complex features into a simple structure and characterize the user access behavior. We detect AL-DDoS attacks according to the increase of the abnormality degree in the RM and further identify malicious hosts based on change-rate outliers. In the experiments, we simulate three modes of AL-DDoS attacks with the latest popular DDoS attack tools: LOIC and HOIC. The results show that our method can detect these simulated attacks and identify the malicious hosts accurately and efficiently. For an AL-DDoS detection method, the ability to distinguish flash crowds is indispensable. We also demonstrate the excellent performance of our approach in distinguishing flash crowds from AL-DDoS attacks with two reconstructed public datasets. |
first_indexed | 2024-12-13T18:16:56Z |
format | Article |
id | doaj.art-5a1ff10b079b4151b6bf1df5ed670e95 |
institution | Directory Open Access Journal |
issn | 2169-3536 |
language | English |
last_indexed | 2024-12-13T18:16:56Z |
publishDate | 2019-01-01 |
publisher | IEEE |
record_format | Article |
series | IEEE Access |
spelling | doaj.art-5a1ff10b079b4151b6bf1df5ed670e95 2022-12-21T23:35:49Z eng IEEE IEEE Access 2169-3536 2019-01-01 7 164480 164491 10.1109/ACCESS.2019.2950820 8888259 Identifying Application-Layer DDoS Attacks Based on Request Rhythm Matrices Huan Lin 0 https://orcid.org/0000-0003-4229-7837 Shoufeng Cao 1 Jiayan Wu 2 Zhenzhong Cao 3 Fengyu Wang 4 School of Software, Shandong University, Jinan, China; National Computer Network Emergency Response Technical Team Coordination Center of China, Beijing, China; School of Software, Shandong University, Jinan, China; School of Software, Qufu Normal University, Qufu, China; School of Software, Shandong University, Jinan, China. Application-layer distributed denial of service (AL-DDoS) attacks are becoming critical threats to websites because the stealth of AL-DDoS attacks makes many intrusion prevention systems ineffective. To detect AL-DDoS attacks aimed at websites, we propose a novel statistical model called the RM (rhythm matrix). Although the original features from the network layer are adopted, the access trajectory, including requested objects and corresponding dwell-time values, can be abstracted and accumulated into an RM. With an RM, we can almost losslessly compress complex features into a simple structure and characterize the user access behavior. We detect AL-DDoS attacks according to the increase of the abnormality degree in the RM and further identify malicious hosts based on change-rate outliers. In the experiments, we simulate three modes of AL-DDoS attacks with the latest popular DDoS attack tools: LOIC and HOIC. The results show that our method can detect these simulated attacks and identify the malicious hosts accurately and efficiently. For an AL-DDoS detection method, the ability to distinguish flash crowds is indispensable. We also demonstrate the excellent performance of our approach in distinguishing flash crowds from AL-DDoS attacks with two reconstructed public datasets. https://ieeexplore.ieee.org/document/8888259/ Network security; application-layer DDoS attack; anomaly detection; rhythm matrix; outliers |
spellingShingle | Huan Lin Shoufeng Cao Jiayan Wu Zhenzhong Cao Fengyu Wang Identifying Application-Layer DDoS Attacks Based on Request Rhythm Matrices IEEE Access Network security application-layer DDoS attack anomaly detection rhythm matrix outliers |
title | Identifying Application-Layer DDoS Attacks Based on Request Rhythm Matrices |
title_full | Identifying Application-Layer DDoS Attacks Based on Request Rhythm Matrices |
title_fullStr | Identifying Application-Layer DDoS Attacks Based on Request Rhythm Matrices |
title_full_unstemmed | Identifying Application-Layer DDoS Attacks Based on Request Rhythm Matrices |
title_short | Identifying Application-Layer DDoS Attacks Based on Request Rhythm Matrices |
title_sort | identifying application layer ddos attacks based on request rhythm matrices |
topic | Network security application-layer DDoS attack anomaly detection rhythm matrix outliers |
url | https://ieeexplore.ieee.org/document/8888259/ |
work_keys_str_mv | AT huanlin identifyingapplicationlayerddosattacksbasedonrequestrhythmmatrices AT shoufengcao identifyingapplicationlayerddosattacksbasedonrequestrhythmmatrices AT jiayanwu identifyingapplicationlayerddosattacksbasedonrequestrhythmmatrices AT zhenzhongcao identifyingapplicationlayerddosattacksbasedonrequestrhythmmatrices AT fengyuwang identifyingapplicationlayerddosattacksbasedonrequestrhythmmatrices |