Http-Flood DDoS Detection Scheme Based on Large Deviation and Performance Analysis
Authors: 王进, 阳小龙, 隆克平 (Wang Jin, Yang Xiaolong, Long Keping)

    Abstract:

    This paper focuses on the Http-Flood DDoS (distributed denial of service) attack and proposes a detection scheme based on a large deviation statistical model. The scheme characterizes a user's access behavior by the Web pages the user requests and quantizes that behavior with the method of types. On this basis, the deviation of a user's ongoing empirical access behavior from the website's a priori access behavior is analyzed with the large deviation statistical model, and Http-Flood DDoS is detected from the resulting large deviation probability. Preliminary simulation results on the efficiency of the scheme show that the large deviation probability of most normal Web surfers is larger than 10^{-36}, whereas the attacker's is smaller than 10^{-40}, so the scheme is promising for detecting Http-Flood DDoS. Specifically, with a detection threshold of 10^{-60} the scheme achieves a 0.6% false positive rate and a 97.5% true positive rate, and it outperforms existing detection methods: in particular, it improves the true positive rate by 0.6% over the transition probability based detection scheme while keeping the false positive rate below 5%.
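The detection statistic sketched in the abstract, worked through as an added example (Python written for this page, not the authors' code). The site prior, the page alphabet, the two request sequences and the use of Sanov's theorem as the concrete large deviation model are all assumptions made here; the paper's own quantization details and threshold calibration are not reproduced. Under the prior P, the probability that n i.i.d. requests have empirical type Q is at most 2^(-n D(Q||P)), and that bound is the "large deviation probability" compared against the threshold.

```python
import math
from collections import Counter

# Constructed site prior (an assumption for this example, not the paper's
# measured data): the probability that a request from a normal visitor lands
# on each page class. Every class has non-zero mass so D(Q||P) stays finite.
SITE_PRIOR = {
    "home": 0.40,
    "listing": 0.30,
    "article": 0.20,
    "search": 0.08,
    "checkout": 0.02,
}

# Constructed request sequences (assumptions). A normal visitor spreads
# requests roughly like the prior; the flooding bot hammers one expensive page.
NORMAL_SESSION = ["home"] * 8 + ["listing"] * 6 + ["article"] * 4 + ["search"] * 2
FLOOD_SESSION = ["search"] * 200


def empirical_type(requests, prior):
    """Method of types: the empirical distribution Q of one user's requests
    over the page alphabet of the prior."""
    if not requests:
        raise ValueError("empty request sequence")
    counts = Counter(requests)
    unknown = set(counts) - set(prior)
    if unknown:
        raise ValueError(f"pages outside the prior's alphabet: {sorted(unknown)}")
    n = len(requests)
    return {page: counts[page] / n for page in prior}


def kl_divergence_bits(q, p):
    """Relative entropy D(Q||P) in bits; terms with Q(a) = 0 contribute 0."""
    return sum(q[a] * math.log2(q[a] / p[a]) for a in p if q[a] > 0)


def log10_large_deviation_bound(requests, prior):
    """Sanov's theorem: under the prior P, the probability that n i.i.d.
    requests have type Q is at most 2^(-n D(Q||P)). Returns log10 of that
    bound; this is the detection statistic used below."""
    q = empirical_type(requests, prior)
    n = len(requests)
    return -n * kl_divergence_bits(q, prior) * math.log10(2)


def log10_type_class_probability(requests, prior):
    """Exact log10 probability of the observed type class under the prior:
    multinomial(n; counts) * prod_a P(a)^count(a). Computed with lgamma so
    sessions of thousands of requests do not underflow a float."""
    counts = Counter(requests)
    n = len(requests)
    log_multinomial = math.lgamma(n + 1) - sum(math.lgamma(counts[a] + 1) for a in prior)
    log_weight = sum(counts[a] * math.log(prior[a]) for a in prior if counts[a] > 0)
    return (log_multinomial + log_weight) / math.log(10)


def is_http_flood(requests, prior, log10_threshold=-60.0):
    """Flag the session when its large deviation probability falls below the
    threshold (10^-60 is the threshold quoted in the abstract)."""
    return log10_large_deviation_bound(requests, prior) < log10_threshold


if __name__ == "__main__":
    for label, session in (("normal", NORMAL_SESSION), ("flood", FLOOD_SESSION)):
        bound = log10_large_deviation_bound(session, SITE_PRIOR)
        exact = log10_type_class_probability(session, SITE_PRIOR)
        print(f"{label:7s} n={len(session):4d} log10 P <= {bound:9.2f} "
              f"(exact {exact:9.2f}) flood={is_http_flood(session, SITE_PRIOR)}")
```

Two things a practitioner has to handle before using such a statistic in production. First, the exponent scales linearly with the number of requests n, so sessions must be scored over a fixed request window, otherwise a long but perfectly normal session eventually crosses any fixed threshold. Second, the statistic only sees the marginal distribution of requested pages, not their order or rate: a page that is absent from the prior needs smoothing (here it raises a ValueError), and a bot that draws its targets from the site's own prior has D(Q||P) close to zero and is invisible to this test, which is why rate and timing features are normally combined with it.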

Citation
Wang J, Yang XL, Long KP. Http-Flood DDoS detection scheme based on large deviation statistical model and performance analysis. Journal of Software (软件学报), 2012, 23(5): 1272-1280 (in Chinese with English abstract).

History
  • Received: April 13, 2011
  • Revised: June 20, 2011
  • Online: April 29, 2012
Copyright: Institute of Software, Chinese Academy of Sciences