Research Article Real-Time Detection of Application-Layer DDoS Attack Using Time Series Analysis


Control Science and Engineering, Volume 2013, Article ID 821315, 6 pages. http://dx.doi.org/10.1155/2013/821315

Tongguang Ni, Xiaoqing Gu, Hongyuan Wang, and Yu Li
School of Information Science and Engineering, Changzhou University, Changzhou 213164, China
Correspondence should be addressed to Hongyuan Wang; tiddyddd@163.com

Received 7 June 2013; Accepted 25 August 2013
Academic Editor: Xiaomei Qi

Copyright 2013 Tongguang Ni et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Distributed denial of service (DDoS) attacks are one of the major threats to the current Internet, and application-layer DDoS attacks that use legitimate HTTP requests to overwhelm victim resources are harder to detect. Consequently, neither intrusion detection systems (IDS) nor the victim server can detect the malicious packets. In this paper, a novel approach to detecting application-layer DDoS attacks is proposed, based on the entropy of HTTP GET requests per source IP address (HRPI). By approximating the adaptive autoregressive (AAR) model, the HRPI time series is transformed into a multidimensional vector series. Then, a trained support vector machine (SVM) classifier is applied to identify the attacks. Experiments with several datasets are performed, and the results show that this approach can detect application-layer DDoS attacks effectively.

1. Introduction

DDoS attacks have caused severe damage to servers and pose an even greater threat to the development of new Internet services. DDoS attacks are categorized into two classes: network-layer DDoS attacks and application-layer DDoS attacks. In network-layer DDoS attacks, attackers send a large number of bogus packets towards the victim server, and normally the attackers use IP spoofing. The victim server or IDS can easily distinguish legitimate packets from DDoS packets.
In contrast, in application-layer DDoS attacks, attackers attack the victim server through a flood of legitimate requests. In this attack model, attackers attack the victim Web servers with HTTP GET requests, pulling large files from the victim server in overwhelming numbers. Attackers can also run a massive number of queries through the victim's search engine or database to bring the server down. To circumvent detection, attackers increasingly move away from pure bandwidth floods to stealthy DDoS attacks that masquerade as a flash crowd. A flash crowd [1, 2] refers to the situation in which a very large number of users simultaneously access a website, which may be due to the announcement of a new service or a free software download. Because burst traffic and high volume are the common characteristics of application-layer DDoS attacks and flash crowds, it is not easy to distinguish them. Therefore, application-layer DDoS attacks may be stealthier and more dangerous for websites than general network-layer DDoS attacks. Most well-known DDoS countermeasure techniques [3] are directed against network-layer DDoS attacks; those techniques cannot handle application-layer DDoS attacks. Countering application-layer DDoS attacks therefore becomes a great challenge. In [4], statistical methods are used to detect characteristics of HTTP sessions, and rate limiting is employed as the primary defense mechanism. In [5], constraint random request attacks, analyzed by statistical methods, are used to defend against application-layer DDoS attacks. In [6], a CAPTCHA puzzle is used to ensure that the response is generated by a human and not by a machine. A semi-Markov model is proposed to describe the browsing behaviors of Web surfers in [7], and an improved semi-Markov model is proposed to describe the dynamic behavior process of aggregated traffic in [8]. Recently, trust-based methods [9, 10] were introduced for resisting application-layer DDoS attacks. The common feature of these methods is that a defense system establishes credit records for each user.
The credit value given to a sender is designed to be measured based on its history of communication patterns. In application-layer DDoS attacks, the attack sources have been programmed and work according to their attack functions, so detection based on their pattern is possible. In this paper, the entropy of HTTP GET requests per source IP address (HRPI) is proposed, which reflects the essential features of application-layer DDoS attacks: the distribution of source IP addresses and the HTTP GET request frequency. To increase the detection accuracy under various conditions, the HRPI time series is transformed into a multidimensional vector by estimating the adaptive autoregressive (AAR) model parameters with a Kalman filter. Furthermore, a support vector machine (SVM) classifier, trained on the AAR parameters of HRPI time series, is applied to classify the state of the current network traffic and identify application-layer DDoS attacks.

The rest of the paper is organized as follows. Section 2 discusses application-layer DDoS attacks and details their properties. Section 3 describes our approach to detecting application-layer DDoS attacks. In Section 4, experiments are presented to validate our detection model. Finally, the conclusion is given in Section 5, which also points out future work.

2. Application-Layer DDoS Attacks

Application-layer DDoS attacks can be clustered into two types: bandwidth exhausting (HTTP flooding) and resource exhausting [11]. In bandwidth-exhausting DDoS attacks, attackers attack the victim server through a flood of legitimate requests. Every zombie machine has to establish a TCP connection with the victim server, which requires a genuine IP address. Attacks mainly focus on the homepage or a hot webpage, but also on different web pages. In this case, the sources of the traffic converge to a group of points, and the HTTP GET request rate from the attackers is high. Besides the flooding attack pattern, application-layer DDoS attacks may focus on exhausting server resources such as sockets, CPU, memory, disk/database bandwidth, and I/O bandwidth. With the increasing computational complexity of Internet applications and larger network bandwidth, server resources may become the bottleneck of these applications.
This type of attack is able to use fewer zombies, yet the attack does even larger damage to the website. However, the traffic will be similar to that of bandwidth-exhausting DDoS. As a result, the sources of the traffic converge to a group of points, but the targets of the traffic become dispersed to some extent. At the same time, the frequency of HTTP GET requests from the attackers is very high.

On the Web, a flash crowd refers to the situation in which a very large number of users simultaneously access a popular website, which produces a surge in traffic to the website and might cause the site to be virtually unreachable. DDoS attacks are fundamentally different from flash crowds: DDoS attacks are due to an increase in the request rates of a small group of clients, while a flash crowd is due to an increase in the number of clients. The sources of a flash crowd are definitely scattered; conversely, the sources of application-layer DDoS attacks converge to a group of points.

3. Our Approach

3.1. Definition of HRPI. For popular websites, the targeted traffic is a stream of successive HTTP GET requests.

Definition 1. The HTTP GET requests in a certain time interval Δt are given in the form (x_1, s_1), (x_2, s_2), ..., (x_n, s_n). For each pair (x_i, s_i), x_i is the source IP address and s_i is the number of HTTP GET requests from x_i.

Definition 2. The entropy of HTTP GET requests per source IP address (HRPI) is defined as

SRE = -\sum_{i=1}^{n} p(x_i)\,\operatorname{lb} p(x_i), (1)

where lb denotes the base-2 logarithm, p(x_i) is the probability that an HTTP GET request belongs to x_i, and p(x_i) = s_i / \sum_{i=1}^{n} s_i.

HRPI is used as a summarization tool to quantify the degree of dispersal or concentration of the HTTP GET request feature distribution. According to the analysis in Section 2, we deduce the following conclusion (DDoS as 1, normal as 2, flash crowd as 3):

HRPI(3) > HRPI(2) > HRPI(1). (2)

In most cases, the distribution of source IP addresses of legitimate users is more uniformly scattered across the Internet, whereas the distribution of source IP addresses of attackers is more concentrated in some places.
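As an added example (not code from the paper), the following Python computes HRPI per Definitions 1 and 2, both from (x_i, s_i) windows and from constructed access-log lines, and checks inequality (2) on three constructed windows; all addresses, counts and the log format are hypothetical.

```python
import math
from collections import Counter


def hrpi(window):
    """Definition 2: HRPI (written SRE in (1)) is the base-2 entropy of the
    HTTP GET request distribution over source IPs in one sampling interval.
    `window` is the list of (x_i, s_i) pairs of Definition 1: a source IP and
    its number of GET requests in that interval."""
    total = sum(s for _, s in window)
    if total == 0:
        return 0.0          # empty interval: nothing to measure
    return -sum((s / total) * math.log2(s / total) for _, s in window if s > 0)


def window_from_log(lines):
    """Aggregate raw access-log lines of the constructed form '<ip> GET <path>'
    into the (x_i, s_i) pairs of Definition 1; non-GET lines are ignored."""
    counts = Counter(line.split()[0] for line in lines if " GET " in line)
    return list(counts.items())


# Constructed sample windows (hypothetical addresses, not data from the paper).
def normal_window():
    # 32 legitimate hosts issuing one to three GETs each: moderately dispersed.
    return [(f"10.0.{i}.1", 1 + i % 3) for i in range(32)]


def ddos_window():
    # The normal hosts plus three zombies issuing 100 GETs each: the request
    # mass converges on a few sources, so HRPI drops (HRPI(1) is the lowest).
    return normal_window() + [(f"203.0.113.{z}", 100) for z in range(1, 4)]


def flash_crowd_window():
    # 256 distinct clients with one GET each: sources maximally scattered, so
    # HRPI rises above the normal level (HRPI(3) is the highest).
    return [(f"198.51.100.{i}", 1) for i in range(256)]


def ordering_holds():
    """Check inequality (2): HRPI(flash crowd) > HRPI(normal) > HRPI(DDoS)."""
    return hrpi(ddos_window()) < hrpi(normal_window()) < hrpi(flash_crowd_window())


if __name__ == "__main__":
    for name, w in (("DDoS", ddos_window()), ("normal", normal_window()),
                    ("flash crowd", flash_crowd_window())):
        print(f"{name:12s} HRPI = {hrpi(w):.3f}")
    # Constructed log lines: two GETs from one host, one from another, one POST.
    log = ["10.0.0.1 GET /", "10.0.0.1 GET /a", "10.0.0.2 GET /", "10.0.0.3 POST /x"]
    print("log window HRPI =", round(hrpi(window_from_log(log)), 4))
```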
In DDoS attacks, the HTTP GET requests converge on a few clusters of source IP addresses with large request counts, so the HRPI value drops dramatically when an attack happens. Conversely, the sources of a flash crowd are scattered and there are no such clusters, which results in an abnormal increase in the HRPI of the network.

3.2. Generation of HRPI Time Series. The adaptive autoregressive model AAR(p) [12] of degree p is defined as

y_t = \sum_{k=1}^{p} a^k_t\, y_{t-k} + e_t, (3)

where y_t denotes the observation at instant t and a^k_t denotes the time-varying model parameters. As the traffic collecting device may cause measurement errors, the stochastic variable e_t is used to capture this error. The model uses a weighted sum of p previous values to estimate the current observation. The weights a^k_t (k = 1, ..., p) are time dependent, and the current value can be predicted as a linear combination of p past values. By using a time-varying AAR model, we allow a model of normal behavior to adapt to changes in the monitored system.

The Kalman filter is an adaptive and recursive data processing algorithm that is suited for online estimation [13, 14]. The Kalman filter can process the traffic matrix as a whole, so all traffic can be estimated simultaneously. This implies that we do not have to consider all the previous data again to compute the optimal estimates; we only need the estimates from the previous time step and the new measurement. In our case, we estimate the AAR model parameters from the observed HRPI series {y_t}. The true parameters cannot be observed directly; in state-space terminology they are called the state X. Now, assume that we have an observation model giving the relation between the unobservable state and the observations, and an evolution model describing the time-varying nature of the state. The AAR model can then be put in vector form as follows:

Y_t = H_t X_t + e_t, (4)

where H_t denotes the observation matrix, H_t = (y_{t-1}, \ldots, y_{t-p}), and X_t denotes the state vector at instant t, X_t = (a^1_t, \ldots, a^p_t)^T. Without prior information, the evolution of the state is often described with a random walk model [15]. A linear equation is constructed as follows to build a prediction model relating X_{t+1} and X_t:

X_{t+1} = X_t + w_t, (5)

where the state noise w_t and the measurement noise e_t are uncorrelated, zero-mean white-noise processes with covariance matrices σ_w^2 and σ_e^2, respectively. To state the Kalman filter equations, \hat{X} denotes the estimate of X, and P_{t|t-1} denotes the error covariance matrix of the state estimation error at instant t using the observations accumulated up to instant t-1. Given the initial conditions \hat{X}_0 = E[X_0] and error covariance matrix P_0 = E[(\hat{X}_0 - X_0)(\hat{X}_0 - X_0)^T], the system state \hat{X}_{t|t-1} can be estimated iteratively by the following equations:

\hat{X}_{t|t-1} = \hat{X}_{t-1},
P_{t|t-1} = P_{t-1} + C_{w,t-1},
K_t = P_{t|t-1} H_t^T \left(H_t P_{t|t-1} H_t^T + C_{e,t}\right)^{-1},
\hat{X}_t = \hat{X}_{t|t-1} + K_t \left(Y_t - H_t \hat{X}_{t|t-1}\right),
P_t = (I - K_t H_t) P_{t|t-1}. (6)

Using the Kalman filter in practice requires initial values for the state X_0, the error covariance P_0, the state noise covariance C_w (C_w = σ_w^2 I), and the observation noise covariance C_e (C_e = σ_e^2 I = I). A common approach is to set X_0 = 0 and P_0 = I and run the algorithm backwards over a short segment of the observation data. The values obtained in this way for X and P_0 are then used to initialize these quantities in the actual processing run. The adaptation speed increases with C_w, and the variance of the state estimates is inversely proportional to the value of C_w. Therefore, C_w should be chosen for the desired balance between state estimate variance and filter adaptation speed according to the application; it needs to be set dynamically according to the application.

3.3. Kalman Filter Smoothing.
There are three classical smoothing algorithms: the fixed-point smoother, the fixed-interval smoother, and the fixed-lag smoother. We use the fixed-lag smoother, since it is suitable for online processing when a small, fixed delay of L observations is allowed [16]. To estimate the state X_t at instant t with a fixed-lag smoother, we wait until observations up to instant t+L are available, where L > 0. The state and observation equations then have extended variables. The Kalman filter equations (6) remain the same, and the observation equation (4) becomes

Y_t = \begin{bmatrix} H_t & 0 & \cdots & 0 \end{bmatrix} \begin{bmatrix} X_t \\ X_{t-1} \\ \vdots \\ X_{t-L} \end{bmatrix} + e_t. (7)

The simplified state equation (5) can be written (the block structure follows from X_{t+1} = X_t + w_t, with the remaining rows copying the delayed states) as

\begin{bmatrix} X_{t+1} \\ X_t \\ X_{t-1} \\ \vdots \\ X_{t-(L-1)} \end{bmatrix} = \begin{bmatrix} I & 0 & \cdots & 0 & 0 \\ I & 0 & \cdots & 0 & 0 \\ 0 & I & \cdots & 0 & 0 \\ \vdots & & \ddots & & \vdots \\ 0 & 0 & \cdots & I & 0 \end{bmatrix} \begin{bmatrix} X_t \\ X_{t-1} \\ X_{t-2} \\ \vdots \\ X_{t-L} \end{bmatrix} + \begin{bmatrix} w_t \\ 0 \\ 0 \\ \vdots \\ 0 \end{bmatrix}. (8)

3.4. SVM Classifier. By sampling the network traffic with time interval Δt and calculating the HRPI of every sample, the HRPI sample series {HRPI_i, i = 1, 2, ..., N} is obtained, where N is the length of the series. Based on (6)-(8), the multidimensional vector X(i) of degree p can be used to describe the state features of the network traffic. As a result, detecting DDoS attacks amounts to classifying the X(i) series. A support vector machine (SVM), a well-known data classification technique, is applied here to classify the AAR parameter vectors. The SVM method obtains the optimal solution whether the sample size tends to be finite or infinite. Through a nonlinear kernel function it constructs the optimal hyperplane, so the problem can be converted into a linearly separable one in a high-dimensional feature space. Besides, it avoids the dimensionality problem, and its complexity does not depend on the dimension of the samples. Since traffic is only considered as legitimate or attack, this is naturally a binary classification problem. The SVM classifier can be described as

\eta = \sum_{i=1}^{M} \alpha_i y_i K(\varphi_i, \varphi) + b, (9)

where η is the classification result for the sample, α_i are the Lagrange multipliers, y_i is the category with y_i ∈ {-1, 1}, K(φ_i, φ) is the kernel function, and b is the bias term.
The optimal hyperplane that the SVM classifier creates in the high-dimensional feature space is

f(\varphi) = \operatorname{sgn}\Big(\sum_{i \in SV} \alpha_i y_i \big(K(\varphi_r, \varphi_i) + K(\varphi_s, \varphi_i)\big)\Big), (10)

where

b = -\frac{1}{2} \sum_{i \in SV} \alpha_i y_i \big(K(\varphi_r, \varphi_i) + K(\varphi_s, \varphi_i)\big). (11)

SV denotes the set of support vectors, φ_r denotes a positive support vector, and φ_s denotes a negative support vector.
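The state vectors X(i) that Section 3.4 classifies are produced by recursion (6) of Section 3.2. The following Python is an added example, not the paper's code: it implements that recursion with the paper's choices p = 3 and σ_w² = 0.0001, takes the paper's C_e = I to mean σ_e² = 1 for the scalar observation, and runs on a constructed AR(3) series with known coefficients standing in for a real HRPI series.

```python
# Added example (not the paper's code): Kalman estimation (6) of the AAR(p)
# parameters of Section 3.2, in pure Python so it runs offline without numpy.
P_DEGREE = 3        # model degree p chosen in Section 4.2
SIGMA2_W = 0.0001   # state-noise variance sigma_w^2 chosen in Section 4.2
SIGMA2_E = 1.0      # assumption: the paper's C_e = I read as sigma_e^2 = 1


def kalman_aar(series, p=P_DEGREE, sigma2_w=SIGMA2_W, sigma2_e=SIGMA2_E):
    """Run recursion (6) over a scalar series (e.g. HRPI samples) and return one
    state vector X_t = (a^1_t, ..., a^p_t) per observation t >= p.
    Observation model (4): Y_t = H_t X_t + e_t with H_t = (y_{t-1}, ..., y_{t-p});
    evolution (5): X_{t+1} = X_t + w_t.  Because Y_t is scalar, the inverse in
    K_t = P H^T (H P H^T + C_e)^{-1} is a single division."""
    x = [0.0] * p                                                       # X_0 = 0
    P = [[1.0 if i == j else 0.0 for j in range(p)] for i in range(p)]  # P_0 = I
    states = []
    for t in range(p, len(series)):
        h = [series[t - k] for k in range(1, p + 1)]                    # H_t
        # Prediction: X_{t|t-1} = X_{t-1} (unchanged), P_{t|t-1} = P_{t-1} + C_w
        for i in range(p):
            P[i][i] += sigma2_w
        # Gain: K_t = P_{t|t-1} H^T / (H P_{t|t-1} H^T + sigma_e^2)
        ph = [sum(P[i][j] * h[j] for j in range(p)) for i in range(p)]  # P H^T
        s = sum(h[i] * ph[i] for i in range(p)) + sigma2_e
        K = [v / s for v in ph]
        # Correction: X_t = X_{t|t-1} + K_t (Y_t - H_t X_{t|t-1})
        innovation = series[t] - sum(h[i] * x[i] for i in range(p))
        x = [x[i] + K[i] * innovation for i in range(p)]
        # Covariance: P_t = (I - K_t H_t) P_{t|t-1} = P - K (H P);
        # H P equals (P H^T)^T because P is symmetric.
        P = [[P[i][j] - K[i] * ph[j] for j in range(p)] for i in range(p)]
        states.append(list(x))
    return states


def synthetic_ar3(n, coeffs=(0.5, -0.3, 0.1), seed=12345):
    """Constructed stand-in for an HRPI series: a fixed-coefficient AR(3)
    process driven by a deterministic LCG 'noise' in [-1, 1), so the example
    is reproducible offline.  |a1|+|a2|+|a3| < 1 keeps the process stable."""
    state = seed
    y = [0.0, 0.0, 0.0]
    for _ in range(n):
        state = (1103515245 * state + 12345) % (1 << 31)
        u = state / (1 << 30) - 1.0
        # y[-1 - k] is y_{t-1-k}, so coefficient a_k multiplies y_{t-k}.
        y.append(sum(a * y[-1 - k] for k, a in enumerate(coeffs)) + u)
    return y


def mean_abs_error(states, coeffs, last=500):
    """Average |a^k_t - a_k| over the final `last` states, one value per k,
    which shows how closely the filter tracks the known generating parameters."""
    tail = states[-last:]
    return [sum(abs(x[k] - coeffs[k]) for x in tail) / len(tail)
            for k in range(len(coeffs))]


if __name__ == "__main__":
    series = synthetic_ar3(1500)
    states = kalman_aar(series)
    print("final AAR(3) estimate:", [round(v, 3) for v in states[-1]])
    print("mean |error| over the last 500 steps:",
          [round(e, 3) for e in mean_abs_error(states, (0.5, -0.3, 0.1))])
```

Each entry of `states` is one feature vector X(i) of the kind Section 3.4 hands to the classifier; a real deployment would feed HRPI samples taken every Δt instead of the constructed series.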

The coefficients can be obtained by the following quadratic program:

\max\ W(\alpha) = \sum_{i=1}^{m} \alpha_i - \frac{1}{2} \sum_{i=1}^{m} \sum_{j=1}^{m} \alpha_i \alpha_j y_i y_j K(x_i, x_j)
\text{s.t.}\quad \sum_{i=1}^{m} \alpha_i y_i = 0, \quad 0 \le \alpha_i \le C \ (i = 1, 2, \ldots, m), (12)

where C is the parameter that prices misclassification. Before the SVM can classify traffic, it must undergo a training process to develop a classification model. We use the LibSVM library [17] to implement the SVM.

4. Experiments

In order to evaluate the performance of our scheme, we divided our study into two groups of experiments: detecting application-layer DDoS in normal traffic and in a flash crowd.

4.1. Dataset. The normal traffic consists of real-life Internet traces collected from the traffic archive of the Changzhou University WWW server. The traces contain two weeks' worth of all HTTP requests to the web server. We implemented the application-layer DDoS attack in a simulator. Simulations are carried out using the NS-2 network simulator on a Linux platform. For generating attack traffic, there are 50 zombie machines and a web server. The attack rates are 20 HTTP GET requests/s, 30 HTTP GET requests/s, ..., 60 HTTP GET requests/s, which simulate the attack rates of the Mydoom worm, and every attack lasts 1800 s. The flash crowd is collected from the World Cup 98 website [18]. As this is a high arrival rate, we expect our approach to detect this traffic as a flash crowd. We obtained HRPI time series by repeated sampling and calculation with a sampling interval Δt of 0.1 s. As shown in Figure 1(a), the HRPI of normal traffic varies with time and its mean is 9.26. Figure 1(b) shows the HRPI of the DDoS attack, whose mean is 3.58, and the HRPI of the flash crowd is shown in Figure 1(c), with mean 11.57. We can see that the HRPI time series is sensitive to DDoS attacks and flash crowds, so HRPI can distinguish the three types of traffic distinctly.

4.2. Model Parameters. There are three parameters which may affect the HRPI time series performance. The first one is the parameter p of the AAR model.
In practice, the model degree is often fixed using some prior knowledge or guidelines. To optimize the goodness-of-fit versus model-complexity ratio, and also to ease the computational load, we settled on p = 3 as a degree which allowed the model to capture the normal traffic behavior sufficiently well. The second one is the state noise covariance C_w (C_w = σ_w^2 I). The adaptation speed of the Kalman filter is determined by the state noise covariance factor σ_w^2. It controls how fast the state adopts the changes in the observations and gives a suitable balance between adapting to normal behavior and avoiding incorporating anomalous behavior into the model. We experimented with different values and chose to use σ_w^2 = 0.0001. The third one is the lag of the Kalman filter, and we noticed a significant increase in model accuracy when L = 1. The increase in accuracy was slower when L was increased further. As a larger L also means a longer delay in detection, we chose to use L = 1.

[Figure 1: HRPI of different web traffic. (a) HRPI of normal traffic; (b) HRPI of DDoS attack; (c) HRPI of flash crowd. Each panel plots HRPI against time in units of 0.1 s.]

4.3. Experiments and Results

4.3.1. Evaluation Criteria. In this paper, a group of performance metrics for classification problems is used for the evaluation of the results, consisting of FPR, FNR, accuracy, precision, recall, and ROC. Let TP represent the normal test samples that have been correctly classified and let FP represent the ones that have been wrongly classified. Let TN represent the attacking test samples that have been correctly classified and let FN represent the ones that have been falsely classified. Thus, the False-Positive Rate (FPR) and the False-Negative Rate (FNR) are the proportions of wrongly classified normal test samples and attacking test samples, respectively (FPR = FP/(FP + TN), FNR = FN/(TP + FN)). Accuracy states the overall percentage of correctly classified attacking test samples (accuracy = (TP + TN)/(TP + FP + TN + FN)). Precision, as the classifier's safety, states the degree to which messages identified as attacking test samples are indeed malicious (precision = TP/(TP + FP)). Recall, as the classifier's effectiveness, states the percentage of attacking test samples that the classifier manages to classify correctly (recall = TP/(TP + FN)). The Receiver Operating Characteristic (ROC), as a classifier's ability to balance its FPR and its FNR, is a function of the varying classification threshold.

Table 1: The results of DDoS detection in normal traffic.

        Accuracy   FPR     FNR     Precision   Recall   ROC
P-20    91.52%     8.24%   7.27%   91.62%      92.51%   90.12%
P-30    94.26%     5.05%   3.94%   94.51%      95.28%   95.31%
P-40    96.31%     3.74%   3.08%   96.79%      97.00%   98.79%
P-50    97.24%     2.76%   2.23%   97.30%      97.64%   99.10%
P-60    97.81%     2.05%   1.88%   97.94%      98.02%   99.26%

Table 2: The results of DDoS detection in a flash crowd.

        Accuracy   FPR     FNR     Precision   Recall   ROC
T-20    92.33%     6.69%   6.03%   92.66%      93.28%   91.67%
T-30    95.02%     4.10%   3.09%   95.64%      96.37%   96.34%
T-40    96.39%     3.52%   2.58%   96.82%      96.95%   98.99%
T-50    97.68%     2.16%   1.94%   97.22%      98.03%   99.61%
T-60    98.06%     1.47%   1.02%   98.29%      98.49%   99.70%

4.3.2. Experiment 1: Detecting DDoS Attacks in Normal Traffic. We set the sampling interval Δt to 0.1 s and the HRPI time series length N to 100, so the detection time is 10 s.
In this experiment, the normal traffic contains 600 series, and the DDoS attack traffic contains 450 series. The obtained dataset is divided into two parts: the training data contains 60% of the total data values, and the testing data contains the rest. The kernel function of the SVM classifier is the radial basis function (RBF), and the robustness of the classifiers is evaluated using 10-fold cross-validation. In order to test the robustness of our method to the disturbance of normal traffic, we run five experiments named P-20, P-30, ..., P-60, in which attack traffic of 20 HTTP GET requests/s, ..., 60 HTTP GET requests/s is mixed with normal traffic at the same time. Table 1 shows the performance results; the detection ratio of our approach increases as the attack traffic volume increases. When the normal traffic is much larger than the attack traffic, the detection ratio still stays at a high level. This means that our approach can identify DDoS attack traffic with high precision and is sensitive to DDoS attack traffic.

4.3.3. Experiment 2: Detecting DDoS Attacks in a Flash Crowd. In this experiment, the sampling interval Δt is again 0.1 s and the HRPI time series length N is again 100. We sample 500 flash crowd series and 350 DDoS attack traffic series. The training and testing method of the SVM is the same as in experiment 1. We run five experiments named T-20, T-30, ..., T-60, by mixing attack traffic of 20 HTTP GET requests/s, ..., 60 HTTP GET requests/s with the flash crowd. Table 2 shows the performance results; as the flash crowd grows, the detection ratio of our approach does not decline rapidly. The FPR and FNR decrease with increasing attack rate, and the accuracy, precision, recall, and ROC increase with increasing attack rate. In the above two groups of experiments, the false negatives come mainly from two sources: firstly, the increase of normal traffic or flash crowd, which makes the HRPI states lean towards normal ones and thus makes the difference too small for detection; secondly, network state shifts caused by random network noise, which result in false negatives.

5. Conclusion

Application-layer DDoS attack detection is a hot and difficult research topic in the field of intrusion detection. Based on the characteristics of DDoS attacks, this paper proposes a novel approach to detect DDoS attacks. The work provides two contributions: (1) HRPI is introduced to detect DDoS attacks, and it reflects the essential features of the attacks, and (2) a detection scheme against DDoS attacks is proposed, which can achieve high detection efficiency and flexibility. In our future work, we will make a detailed study of how to set all kinds of parameters adaptively in different application scenarios.

Acknowledgment

This work was supported by the National Natural Science Foundation of China under Contract (61070121).

References

[1] T. Thapngam, S. Yu, W. Zhou, and G. Beliakov, "Discriminating DDoS attack traffic from flash crowd through packet arrival patterns," in Proceedings of the IEEE Conference on Computer Communications Workshops (INFOCOM '11), pp. 952-957, April 2011.
[2] G. Oikonomou and J. Mirkovic, "Modeling human behavior for defense against flash-crowd attacks," in Proceedings of the IEEE International Conference on Communications (ICC '09), pp. 1-6, June 2009.
[3] H. Beitollahi and G. Deconinck, "Analyzing well-known countermeasures against distributed denial of service attacks," Computer Communications, vol. 35, pp. 1312-1332, 2012.
[4] S. Ranjan, R. Swaminathan, M. Uysal, and E. Knightly, "DDoS-resilient scheduling to counter application layer attacks under imperfect detection," in Proceedings of the 25th IEEE International Conference on Computer Communications (INFOCOM '06), pp. 1-13, April 2006.
[5] W. Yen and M.-F. Lee, "Defending application DDoS with constraint random request attacks," in Proceedings of the Asia-Pacific Conference on Communications, pp. 620-624, Perth, Australia, October 2005.
[6] L. Von Ahn, M. Blum, and J. Langford, "Telling humans and computers apart automatically," Communications of the ACM, vol. 47, no. 2, pp. 56-60, 2004.
[7] Y. Xie and S.-Z. Yu, "A large-scale hidden semi-Markov model for anomaly detection on user browsing behaviors," IEEE/ACM Transactions on Networking, vol. 17, no. 1, pp. 54-65, 2009.
[8] Y. Xie, S. Tang, and X. Huang, "Detecting latent attack behavior from aggregated Web traffic," Computer Communications, no. 5, pp. 895-907, 2013.
[9] J. Yu, C. Fang, L. Lu et al., "A lightweight mechanism to mitigate application layer DDoS attacks," Scalable Information Systems, vol. 18, pp. 175-191, 2009.
[10] P. Du and A. Nakao, "OverCourt: DDoS mitigation through credit-based traffic segregation and path migration," Computer Communications, vol. 33, no. 18, pp. 2164-2175, 2010.
[11] H. Beitollahi and G. Deconinck, "Tackling application-layer DDoS attacks," Procedia Computer Science, vol. 10, pp. 432-441, 2012.
[12] Q.-D. Sun, D.-Y. Zhang, and P. Gao, "Detecting distributed denial of service attacks based on time series analysis," Chinese Computers, vol. 28, no. 5, pp. 767-773, 2005.
[13] R. Yan, Q. Zheng, and H. Li, "Combining adaptive filtering and IF flows to detect DDoS attacks within a router," KSII Transactions on Internet and Information Systems, vol. 4, no. 3, pp. 428-451, 2010.
[14] S. Wen, W. Jia, W. Zhou, W. Zhou, and C. Xu, "CALD: Surviving various application-layer DDoS attacks that mimic flash crowd," in Proceedings of the 4th International Conference on Network and System Security (NSS '10), pp. 247-254, Victoria, Australia, September 2010.
[15] S. Haykin, Adaptive Filter Theory, Prentice-Hall, Upper Saddle River, NJ, USA, 3rd edition, 1996.
[16] J. Viinikka, H. Debar, L. Mé, A. Lehikoinen, and M. Tarvainen, "Processing intrusion detection alert aggregates with time series modeling," Information Fusion, vol. 10, no. 4, pp. 312-324, 2009.
[17] J. Platt, "Sequential minimal optimization: a fast algorithm for training support vector machines," Tech. Rep. MSR-TR-98-14, Microsoft Research, 1998.
[18] M. Arlitt and T. Jin, 1998 World Cup Web Site Access Logs, 1998, http://ita.ee.lbl.gov/html/contrib/worldcup.html.
