Monitoring the Application-Layer DDoS Attacks for Popular Websites
- 20 June 2008
- journal article
- Published by Institute of Electrical and Electronics Engineers (IEEE) in IEEE/ACM Transactions on Networking
- Vol. 17 (1), 15-25
- https://doi.org/10.1109/tnet.2008.925628
Abstract
Distributed denial of service (DDoS) attacks are a continuing critical threat to the Internet. Evolving from the lower-layer attacks, new application-layer DDoS attacks that use legitimate HTTP requests to overwhelm victim resources are harder to detect. The problem is more serious when such an attack mimics, or occurs during, a flash crowd at a popular Web site. Focusing on the detection of these new DDoS attacks, a scheme based on document popularity is introduced. An Access Matrix is defined to capture the spatial-temporal patterns of a normal flash crowd. Principal component analysis and independent component analysis are applied to abstract the multidimensional Access Matrix. A novel anomaly detector based on a hidden semi-Markov model is proposed to describe the dynamics of the Access Matrix and to detect the attacks. The entropy of document popularity fitting to the model is used to detect potential application-layer DDoS attacks. Numerical results based on real Web traffic data are presented to demonstrate the effectiveness of the proposed method.
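An added illustration of the idea behind the scheme, not code from the paper: build the Access Matrix (windows x documents) from request records and flag a window whose document-popularity entropy departs from the flash-crowd baseline. The paper fits the Access Matrix dynamics with PCA/ICA and a hidden semi-Markov model; this example replaces that with a fixed entropy margin. The request records, document mix, 60-second window, 0.5-bit margin and bot behaviour are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed access records (time_s, client_ip, document): made-up data that
# mimics the paper's setting, not the authors' traces. Windows 0 and 1 are the
# normal load, window 2 is a flash crowd (3x the volume, same document mix) and
# window 3 is that flash crowd plus bots that walk 50 cold archive pages evenly
# with well-formed GETs, which is the application-layer DDoS case.
HOT_MIX = {"/index.html": 40, "/news/story1.html": 25, "/news/story2.html": 15,
           "/images/banner.png": 10, "/about.html": 5, "/contact.html": 3,
           "/faq.html": 2}
WINDOW_S = 60  # assumed window length


def make_records():
    records = []
    for win, scale in enumerate([1, 1, 3, 3]):
        t0 = win * WINDOW_S
        for doc, n in HOT_MIX.items():
            for k in range(n * scale):
                records.append((t0 + k % WINDOW_S, "10.0.%d.%d" % (win, k % 250), doc))
        if win == 3:  # assumed bot behaviour: flat spread over cold documents
            for b in range(300):
                records.append((t0 + b % WINDOW_S, "198.51.100.%d" % (b % 250),
                                "/archive/page%d.html" % (b % 50)))
    return records


def build_access_matrix(records, window_s=WINDOW_S):
    """Access Matrix: one row per time window, one column per document,
    entry = number of requests for that document in that window."""
    counts = defaultdict(lambda: defaultdict(int))
    docs = set()
    for t, _ip, doc in records:
        counts[t // window_s][doc] += 1
        docs.add(doc)
    docs = sorted(docs)
    windows = sorted(counts)
    matrix = [[counts[w][d] for d in docs] for w in windows]
    return windows, docs, matrix


def popularity_entropy(row):
    """Shannon entropy (bits) of the document-popularity distribution in one window."""
    total = sum(row)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in row if c)


def detect(matrix, baseline_rows=2, delta_bits=0.5):
    """Flag windows whose popularity entropy moves more than delta_bits away from
    the mean entropy of the first baseline_rows windows. Returns one tuple per
    window: (index, request count, entropy, flagged). The fixed baseline and the
    0.5-bit margin are assumptions standing in for the paper's HSMM detector."""
    entropies = [popularity_entropy(r) for r in matrix]
    base = sum(entropies[:baseline_rows]) / baseline_rows
    return [(i, sum(r), round(h, 3), abs(h - base) > delta_bits)
            for i, (r, h) in enumerate(zip(matrix, entropies))]


if __name__ == "__main__":
    _, _, m = build_access_matrix(make_records())
    for idx, reqs, h, flagged in detect(m):
        print("window %d: %4d requests, entropy %.3f bits, %s"
              % (idx, reqs, h, "ATTACK" if flagged else "normal"))
```

Run as written, window 2 triples the request rate yet keeps the same entropy as windows 0 and 1 (the flash crowd leaves the popularity shape intact), while window 3 is flagged because the bots flatten the distribution; a rate-only threshold would have alarmed on both. The entropy check is order-insensitive within a window, which is the part the paper's semi-Markov model adds back by modelling how the Access Matrix evolves over time.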