Detecting App-DDoS Attacks Based on Marking Access and d-SVDD
LI Jin-ling, WANG Bin-qiang
National Digital Switching System Engineering & Technological R&D Center
Zhengzhou , China
zifenglingsworld@163.com
Abstract---In order to enhance the extensibility of current
attack feature extracted and detection means for
App-DDoS(Application Layer Distributed Denial of Service,
App-DDoS)attacks, a novel feature extracted method based
on marking access and a new detection algorithm named
d-SVDD are proposed. After expressing kinds of App-DDoS
attacks as characteristic vectors by access marked strategy
and feature extracted strategy, d-SVDD algorithm is used
for secondary classification and detection of pre-set area
around decision boundary based on SVDD. It is proved by
experiments that the proposed feature extracted and
detection means can realize effective detection for kinds of
App-DDoS attacks, both have satisfying time, space and
extensibility performance.
Keywords-App-DDoS attack; Marking access; d-SVDD;
Anomaly detection
I. INTRODUCTION
Being different only in purpose from normal behavior,
App-DDoS attacks can easily cross the low-level defense
systems for traditional DDoS attacks, along with the fact
that dealing with a high-level application request is much
more complex, finding out effective detection and defense
means for App-DDoS attacks becomes more and more
important
[1]
.
Currently, most detection methods for App-DDoS
attacks are mainly based on behavior analysis
[2]
and log
analysis
[3]
. One typical detection method based on users’
browsing information detects HTTP flooding attacks
according to users’ browsing order and the relationship
between view time and page information
[4]
. Another
detection method proposed by Xie Yi and Yu Shunzheng
introduces HsMM model to detection algorithm
[5][6]
. In
literature [7], App-DDoS attacks are divided into three
categories by session parameter: request flooding attacks,
asymmetric workload attacks and repeated one-shot
attacks. According to this classification, a session
suspicious degree model is proposed for anomaly
detection and filtering.
After analyzing the detection methods above, we can
conclude: 1) App-DDoS attacks have lots of different
types because of the differences among application layer
services and protocols, while means based on behavior
analysis and log analysis only consider Web server mostly,
the extracted characters have poor extensibility; 2)
Anomaly detection methods deeply depend on extracted
characters, so the poor extensibility of characters directly
affects the extensibility of detection methods.
In order to enhance the extensibility of extracted
characters and corresponding detection algorithms,
achieve effective detection for various attacks, a novel
feature extracted method based on marking access and a
new detection algorithm named d-SVDD are proposed in
this paper. The flow chart of such detection algorithm is
shown in Figure 1.
i
dR<
Figure 1. The flow chart of detection algorithm
The detection algorithm is divided into training and
detection phases in detail. In training phase, mark normal
users’ access behavior with no marking strategy firstly,
and then set marking period
s
t and average interval
between consecutive access stamps
d
t
according to the
initial marked results. After that process the initial access
stamps with marking strategy. When all of these are
completed, feature extracted method is applied to obtain
effective detection characters, and SVDD algorithm is
used to get normal users’ SVDD hypersphere. All of the
results will be saved in training database and get fully
prepared for the next detection phase.
II. FEATURE EXTRACTED METHOD BASED ON
MARKING ACCESS
In detection phase, every user accessing to the server
will be marked with marking strategy, including marking
access time and access page. According to different
servers, different requests will be selected to mark. For
example, HTTP GET requests will be marked in attacks
against Web server, while DNS requests will be marked
during attacks against DNS server.
Take attacks against Web server for example, access
time marked method adopts strategy as follow: if the
current stamp interval
'
d
t is less than
d
t
, 1 will be assigned
to current stamp, otherwise 0 will be assigned. Access
page is marked using the following strategy: if the page
requested by current user doesn’t exist in protected Web
Proceedings of the 2nd International Symposium on Computer, Communication, Control and Automation (ISCCCA-13)
Published by Atlantis Press, Paris, France.
© the authors, 2013
0728
下载后可阅读完整内容,剩余4页未读,立即下载
zjshen2007
- 粉丝: 2
- 资源: 4
我的内容管理
展开
最新资源
- Flex垃圾回收与内存管理:防止内存泄露
- Python编程规范与最佳实践
- EJB3入门:实战教程与核心概念详解
- Python指南v2.6简体中文版——入门教程
- ANSYS单元类型详解:从Link1到Link11
- 深度解析C语言特性与实践应用
- Gentoo Linux安装与使用全面指南
- 牛津词典txt版:信息技术领域的便捷电子书
- VC++基础教程:从入门到精通
- CTO与程序员职业规划:能力提升与路径指南
- Google开放手机联盟与Android开发教程
- 探索Android触屏界面开发:从入门到设计原则
- Ajax实战:从理论到实践
- 探索Android应用开发:从入门到精通
- LM317T稳压管详解:1.5A可调输出,过载保护
- C语言实现SOCKET文件传输简单教程
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
