Proceedings of the 2nd International Symposium on Computer, Communication, Control and Automation (ISCCCA-13)

Detecting App-DDoS Attacks Based on Marking Access and d-svdd

LI Jin-ling, WANG Bin-qiang
National Digital Switching System Engineering & Technological R&D Center, Zhengzhou, China
zifengingword@63.com

Abstract: In order to enhance the extensibility of the attack features currently extracted and of the detection means for App-DDoS (Application Layer Distributed Denial of Service) attacks, a novel feature extraction method based on marking access and a new detection algorithm named d-svdd are proposed. After all kinds of App-DDoS attacks are expressed as feature vectors by the access marking strategy and the feature extraction strategy, the d-svdd algorithm is used for secondary classification and detection in a pre-set area around the decision boundary obtained by SVDD. Experiments show that the proposed feature extraction and detection means realize effective detection of all kinds of App-DDoS attacks, with satisfying time, space and extensibility performance.

Keywords: App-DDoS attack; marking access; d-svdd; anomaly detection

I. INTRODUCTION

App-DDoS attacks differ from normal behavior only in purpose, so they easily pass the low-level defense systems built for traditional DDoS attacks; since handling a high-level application request is also much more complex, finding effective detection and defense means for App-DDoS attacks becomes more and more important [1]. Currently, most detection methods for App-DDoS attacks are based on behavior analysis [2] and log analysis [3]. One typical method based on user browsing information detects HTTP flooding attacks from the user's browsing order and the relationship between viewing time and page information [4]. Another method, proposed by Xie Yi and Yu Shunzheng, introduces HMM models into the detection algorithm [5][6]. In [7], App-DDoS attacks are divided into three categories by session parameters: request flooding attacks, asymmetric workload attacks and repeated one-shot attacks.
According to this classification, a session suspicious-degree model is proposed for anomaly detection and filtering. After analyzing the detection methods above, we can conclude: App-DDoS attacks have many different types because of the differences among application layer services and protocols, while means based on behavior analysis and log analysis mostly consider Web servers only, so the extracted features have poor extensibility. Anomaly detection methods depend heavily on the extracted features, so the poor extensibility of the features directly limits the extensibility of the detection method. In order to enhance the extensibility of the extracted features and of the corresponding detection algorithm, and to achieve effective detection of various attacks, a novel feature extraction method based on marking access and a new detection algorithm named d-svdd are proposed in this paper. The flow chart of the detection algorithm is shown in Figure 1.

Figure 1. The flow chart of the detection algorithm (the decision test in the chart is $d_i < R$)

The detection algorithm is divided into a training phase and a detection phase. In the training phase, normal user access behavior is first recorded without any marking strategy, and then the marking period and the average interval $t_d$ between consecutive access stamps are set according to the initial recorded results. After that, the initial access stamps are processed with the marking strategy. When all of these are completed, the feature extraction method is applied to obtain effective detection features, and the SVDD algorithm is used to get the normal-user SVDD hypersphere. All of the results are saved in the training database, fully prepared for the detection phase that follows.

II. FEATURE EXTRACTION METHOD BASED ON MARKING ACCESS

In the detection phase, every user accessing the server is marked with the marking strategy, which covers the access time and the access page. Different requests are selected for marking according to the server: for example, HTTP GET requests are marked in attacks against Web servers, while DNS requests are marked during attacks against DNS servers.
Published by Atlantis Press, Paris, France. © the authors, 2013

Take attacks against Web servers for example. The access-time marking method adopts the following strategy: if the interval $t'$ between the current stamp and the previous one is less than $t_d$, 1 is assigned to the current stamp, otherwise 0 is assigned. The access page is marked with the following strategy: if the page requested by the current user does not exist on the protected Web
server, 1 is assigned, otherwise no treatment is taken. The access marking strategy for attacks against DNS servers differs from that for Web servers only slightly, in the access-page marking: if the requested domain name does not exist in the current server's cache, and no answer is received after a recursive query, the current page is marked 1; otherwise nothing is done. Obviously, the marked results cannot be used as detection features directly; effective features must be obtained by a suitable feature extraction strategy. Effective features should meet the following conditions: (1) the extracted features fully reflect the time and space distribution of user access behavior; (2) the features change obviously when an attack occurs. Take attacks against Web servers for example; the feature extraction strategy is described as follows:

Input: the marked results of user i during one marking period
Output: the feature vector of user i
Method:
For user i during the period:
1. Count the total number of stamps 1 and 0, expressed as $l_{ic}$.
2. Count the maximal number of continuous stamps 1, expressed as $l_{i1}$.
3. Count the maximal number of continuous stamps 0, expressed as $l_{i0}$.
4. Count the total number of access-page stamps 1, expressed as $s_{i1}$.
5. Calculate the ratio of $s_{i1}$ to $l_{ic}$, expressed as $p_i = s_{i1} / l_{ic}$.
For all users during the period:
6. Calculate the entropy of all the requested pages, expressed as $H$.

Then user i can be expressed as the feature vector $C_i = \langle l_{ic}, l_{i1}, l_{i0}, p_i, H \rangle$, where $l_{ic}$ expresses the total requests of user i during the period, and $l_{i1}$ and $l_{i0}$ express the viewing time of user i. Under normal behavior, $l_{i1}$ and $l_{ic}$ are smaller, while $l_{i0}$ is larger, than at attack time. $p_i$ expresses the frequency of forged requests launched by user i, which is very effective for detecting Forged-URL Flood attacks. $H$ expresses the distribution of user interest, which is larger at attack time. The access marking and feature extraction means are not limited to a specific server; they are also useful for detecting attacks against other servers after slightly modifying the corresponding strategies.
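The marking strategy and the six-step feature extraction above, worked through as an added Python example that is not part of the paper: the access records, the list of existing pages and the symbol $s_{i1}$ for the step-4 count are constructed for the example, and marking the first request of a period as 0 (it has no preceding interval) is an assumption of this example. The `with_entropy=False` variant returns the four-element vector the paper uses for DNS servers, where the "page" mark stands for a domain name that neither the cache nor a recursive query resolves.

```python
import math
from collections import Counter

# Constructed sample input (not the paper's data): per-user (timestamp in seconds,
# requested page) records for one marking period, as seen by a Web server.
ACCESS_LOG = {
    "user-a": [(0.0, "/index"), (4.0, "/news"), (9.0, "/about"), (15.0, "/news")],
    "user-b": [(0.0, "/index"), (0.2, "/x1"), (0.4, "/x2"), (0.6, "/x3"),
               (0.8, "/x4"), (1.0, "/x5")],
}
# Pages that exist on the protected server (constructed). For a DNS server the
# analogous set is the names that resolve from cache or by recursive query.
KNOWN_PAGES = {"/index", "/news", "/about", "/contact"}


def mark_access(requests, t_d, known_pages):
    """Section II marking strategy. Time stamp: 1 when the interval to the previous
    request is below t_d, else 0 (the first request of a period has no interval and
    is marked 0 here, an assumption of this example). Page stamp: 1 when the page
    does not exist (forged URL), else None (no treatment)."""
    time_marks, page_marks, prev = [], [], None
    for t, page in requests:
        time_marks.append(1 if prev is not None and t - prev < t_d else 0)
        page_marks.append(1 if page not in known_pages else None)
        prev = t
    return time_marks, page_marks


def longest_run(marks, value):
    """Length of the longest run of consecutive stamps equal to value (steps 2 and 3)."""
    best = cur = 0
    for m in marks:
        cur = cur + 1 if m == value else 0
        best = max(best, cur)
    return best


def page_entropy(log):
    """H (step 6): Shannon entropy, in bits, of the requested-page distribution over all users."""
    counts = Counter(page for reqs in log.values() for _, page in reqs)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def feature_vectors(log, t_d, known_pages, with_entropy=True):
    """Build C_i = <l_ic, l_i1, l_i0, p_i, H> for every user in the period.
    with_entropy=False gives the four-element DNS-server variant <l_ic, l_i1, l_i0, p_i>."""
    H = page_entropy(log)
    vectors = {}
    for user, reqs in log.items():
        tm, pm = mark_access(reqs, t_d, known_pages)
        l_ic = len(tm)                        # step 1: total number of stamps 1 and 0
        l_i1 = longest_run(tm, 1)             # step 2: longest burst of fast requests
        l_i0 = longest_run(tm, 0)             # step 3: longest stretch of slow requests
        s_i1 = sum(1 for p in pm if p == 1)   # step 4: number of forged-page stamps
        p_i = s_i1 / l_ic if l_ic else 0.0    # step 5: forged-request frequency
        vectors[user] = (l_ic, l_i1, l_i0, p_i, H) if with_entropy else (l_ic, l_i1, l_i0, p_i)
    return vectors


if __name__ == "__main__":
    for user, vec in feature_vectors(ACCESS_LOG, t_d=2.0, known_pages=KNOWN_PAGES).items():
        print(user, vec)
```

With $t_d = 2$ s, user-a (four slow requests to existing pages) gets a vector of all-zero time marks and $p_i = 0$, while user-b (six requests 0.2 s apart, five of them to non-existent pages) gets $l_{i1} = 5$ and $p_i = 5/6$, which is the contrast the paper relies on for Forged-URL Flood detection. Because $H$ is computed over every request of the period, it is the same for all users.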
Take attacks against DNS servers for example: an accessing user is expressed as the feature vector $C_i = \langle l_{ic}, l_{i1}, l_{i0}, p_i \rangle$. In summary, although the access marking strategies and feature extraction strategies differ between servers, their similarity is what gives the extracted features their extensibility.

III. d-svdd SECONDARY CLASSIFICATION AND DETECTION ALGORITHM

A. SVDD classification algorithm

Considering the workload and the purity of obtaining samples of all kinds of App-DDoS attacks in the training phase, this paper adopts a classification algorithm named Support Vector Data Description, SVDD for short [8], in which only normal samples are needed. In SVDD, the normal samples $c_i \in \mathbb{R}^d$ ($i = 1, 2, \dots, l$) are mapped to a high-dimensional space by $\Phi$ (where $K(c_i, c_j) = \Phi(c_i) \cdot \Phi(c_j)$ and $K$ is the selected kernel function); then a minimum hypersphere is obtained as the decision boundary, containing as many normal samples as possible. The center and radius of the sphere are denoted $C_0$ and $R$. The SVDD algorithm is transformed into solving the optimization problem

$$\min\; R^2 + \frac{1}{\nu l}\sum_{i=1}^{l}\xi_i \quad \text{s.t.}\; \|\Phi(c_i) - C_0\|^2 \le R^2 + \xi_i,\; \xi_i \ge 0,\; i = 1, 2, \dots, l \qquad (1)$$

where the slack variable $\xi_i$ represents the penalty associated with the deviation of the $i$th training sample outside the sphere, and $1/(\nu l)$ ($\nu \in [0, 1]$, $l$ the number of samples) is a trade-off constant controlling the relative importance of each sample. The dual problem of equation (1) is

$$\max\; W(\alpha) = \sum_{i=1}^{l}\alpha_i K(c_i, c_i) - \sum_{i,j=1}^{l}\alpha_i\alpha_j K(c_i, c_j) \quad \text{s.t.}\; \sum_{i=1}^{l}\alpha_i = 1,\; \alpha_i \in \left[0, \frac{1}{\nu l}\right],\; i = 1, 2, \dots, l \qquad (2)$$

Solving the dual problem above, the small number of samples whose $\alpha_i$ are non-zero are taken as support vectors, the center of the hypersphere is expressed as

$$C_0 = \sum_{i=1}^{l}\alpha_i\Phi(c_i) \qquad (3)$$

and the radius $R$ is computed from the distance between $C_0$ and any support vector $c_s$:

$$R^2 = K(c_s, c_s) - 2\sum_{j=1}^{l}\alpha_j K(c_s, c_j) + \sum_{i,j=1}^{l}\alpha_i\alpha_j K(c_i, c_j) \qquad (4)$$

The final form of the decision function is

$$f(c) = R^2 - \left[K(c, c) - 2\sum_{i=1}^{l}\alpha_i K(c, c_i) + \sum_{i,j=1}^{l}\alpha_i\alpha_j K(c_i, c_j)\right] \qquad (5)$$

In order to find the optimal number of support vectors, setting the trade-off constant $1/(\nu l)$ and selecting the kernel function $K$ play an important role.
The smaller the parameter $\nu$ is, the more samples are contained in the hypersphere. We use the popular Gaussian radial basis function (RBF) as the kernel function, defined as

$$k(x, x') = \exp\left[-\frac{\|x - x'\|^2}{\sigma^2}\right] \qquad (6)$$

The RBF kernel function [9] can map nonlinear samples into an unlimited high-dimensional space with only one parameter $\sigma$ to set, where $\sigma$ determines the complexity of the decision boundary.
B. d-svdd secondary classification algorithm

The false alarm rate and the detection rate are taken to judge the performance of the SVDD classification algorithm. In order to respond to as many normal user requests as possible, good algorithm extensibility and a low false alarm rate have to be considered when obtaining the SVDD hypersphere, which leads to some decline in the detection rate. In order to achieve a better balance between false alarm rate and detection rate, guaranteeing a high detection rate while keeping reasonable extensibility, a new classification algorithm named division of Support Vector Data Description, d-svdd for short, is proposed. Based on SVDD, the internal and external space of the hypersphere near the decision boundary is classified a second time; this space is called the secondarily classified area. The K-means clustering algorithm is used to segment the secondarily classified area into sub-regions, and the abnormal degree of each sub-region is calculated. A feature vector in the secondarily classified area is assigned the abnormal degree of the sub-region it falls in, and the corresponding user's request behavior is tracked for a limited integer multiple of the marking period. Finally, secondary detection of suspicious users is realized by their average abnormal degree during the tracking time. The d-svdd algorithm is described as follows:

Input: the SVDD sphere, the samples for detection
Output: anomaly detection results
Method:
1. During the marking period, the distance between $C_i$ and $C_0$ is calculated through $d_i = \sqrt{K(c_i, c_i) - 2\sum_{j=1}^{l}\alpha_j K(c_i, c_j) + \sum_{j,k=1}^{l}\alpha_j\alpha_k K(c_j, c_k)}$. After setting the factor $\lambda$ of the secondarily classified area ($0 < \lambda < 1$), the secondarily classified area is expressed as $(1 - \lambda)R \le d_i \le (1 + \lambda)R$.
2. During the training phase, the samples in the secondarily classified area are clustered by the K-means clustering algorithm [10]. The sub-region of an isolated sample is a sphere with the sample itself as center, following the principle that it does not overlap any other existing sub-region. The rest of the secondarily classified area, which belongs to no existing sub-region, is taken as the last region, named the blank region. Suppose there are $m$ sub-regions after the secondary partition.
3. If there are $n$ samples in the secondarily classified area and $n_j$ samples in the $j$th sub-region, the abnormal degree of the $j$th sub-region is calculated as $f_j = n_j / n$, where $0 < j < m$; the abnormal degree of the blank area is defined as 1.
4. If the distance $d_i$ between $C_i$ and $C_0$ is smaller than $R$ and the sample is outside the secondarily classified area, it is treated as a normal user, denoted $C_{ii}$, and its abnormal degree is set to 0. If $d_i > R$ and the sample is outside the secondarily classified area, it is treated as an attack user, denoted $C_{io}$, and its abnormal degree is set to 1.
5. If the current sample lies in the $j$th sub-region, it is denoted $C_{ij}$ and its abnormal degree is set to $f_j$.
6. Track $C_{ij}$ for a limited integer multiple of the marking period and calculate its average abnormal degree during the tracking time. If the result is higher than the threshold, the sample is treated as an attacker, otherwise as normal.

Because d-svdd further classifies the suspicious samples in the secondarily classified area, a good balance is obtained between algorithm extensibility and detection rate, which improves detection performance greatly over the SVDD algorithm and is more suitable for App-DDoS attack detection. According to step 4, the obvious attackers can be filtered out during anomaly detection, mitigating the pressure on the protected server.

IV. SIMULATION

In order to verify the effectiveness of the feature extraction method based on marking access and of the detection algorithm d-svdd, this paper builds a Web server test network environment and a DNS server test network environment according to references [11] and [12] respectively. Access data from 700 t to 00 before the attack are taken for training, while the following 00 normal data before the attack are taken for testing. 0 CC attacks against the Web server and 60 attacks against the DNS server are simulated with CC attack software and DNS Abuser v.0 respectively. The attack data are randomly injected into the test data and detected by the proposed method. The detection results are shown in Table I.
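Sections III.A and III.B worked through as one added Python example, which is not the authors' implementation: the SVDD dual (2) is solved by projected gradient ascent (the paper names no solver), the RBF kernel (6) supplies $K$, the radius follows (4) from a free support vector, and d-svdd steps 1 to 6 run over constructed two-dimensional feature vectors $(l_{i1}/l_{ic}, p_i)$. The hard-margin choice $\nu = 1/l$, the sphere radius given to each K-means sub-region and the detection probes are assumptions of this example.

```python
import math

# Constructed normal-user feature vectors (not the paper's data): (l_i1 / l_ic, p_i) per
# user, placed symmetrically around (0.2, 0.05); outermost vectors first so that the
# K-means seeding below is deterministic.
TRAIN = [(0.15, 0.03), (0.25, 0.03), (0.15, 0.07), (0.25, 0.07), (0.15, 0.05), (0.25, 0.05),
         (0.20, 0.03), (0.20, 0.07), (0.17, 0.04), (0.23, 0.04), (0.17, 0.06), (0.23, 0.06)]

def rbf(x, y, sigma):
    """Gaussian RBF kernel, eq. (6)."""
    return math.exp(-sum((a - b) ** 2 for a, b in zip(x, y)) / sigma ** 2)

def project(v, cap):
    """Project v onto the feasible set of the dual (2): sum(alpha) = 1, 0 <= alpha_i <= cap.
    The projection is clip(v - tau) for the shift tau found by bisection."""
    lo, hi = min(v) - 1.0, max(v)
    for _ in range(60):
        tau = (lo + hi) / 2
        if sum(min(max(x - tau, 0.0), cap) for x in v) > 1.0:
            lo = tau
        else:
            hi = tau
    return [min(max(x - hi, 0.0), cap) for x in v]

def train_svdd(samples, nu, sigma, iters=1000):
    """Projected gradient ascent on W(alpha) of eq. (2). Returns dist(c), the kernel-space
    distance from Phi(c) to the centre C_0 of eq. (3), the radius R of eq. (4) and alpha."""
    l, cap = len(samples), 1.0 / (nu * len(samples))
    K = [[rbf(a, b, sigma) for b in samples] for a in samples]
    alpha = [1.0 / l] * l
    for _ in range(iters):
        grad = [K[i][i] - 2.0 * sum(alpha[j] * K[i][j] for j in range(l)) for i in range(l)]
        alpha = project([a + g / (2.0 * l) for a, g in zip(alpha, grad)], cap)  # step 1/(2l) <= 1/(2*lambda_max)
    const = sum(alpha[i] * alpha[j] * K[i][j] for i in range(l) for j in range(l))

    def dist(c):  # square root of the bracketed term of eq. (5)
        d2 = rbf(c, c, sigma) - 2.0 * sum(a * rbf(c, s, sigma) for a, s in zip(alpha, samples)) + const
        return math.sqrt(max(d2, 0.0))

    free = [s for a, s in zip(alpha, samples) if 1e-6 < a < cap - 1e-6] or samples  # free SVs lie on the boundary
    return dist, max(dist(s) for s in free), alpha

def kmeans(points, k, iters=25):
    """Plain Lloyd K-means in input space, seeded with the first k points."""
    cents = [list(p) for p in points[:k]]
    for _ in range(iters):
        labels = [min(range(k), key=lambda j: math.dist(p, cents[j])) for p in points]
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:
                cents[j] = [sum(col) / len(members) for col in zip(*members)]
    return labels, cents

def build_subregions(train, dist, R, lam, k):
    """d-svdd steps 1-3 (training phase): cluster the normal samples with (1-lam)R <= d_i <= (1+lam)R.
    Sub-region j is a sphere around its centroid whose radius reaches its farthest member (so an
    isolated sample becomes a point sphere; an assumption of this example), with f_j = n_j / n."""
    sec = [c for c in train if (1 - lam) * R <= dist(c) <= (1 + lam) * R]
    if not sec:
        return []
    labels, cents = kmeans(sec, min(k, len(sec)))
    regions = []
    for j, cent in enumerate(cents):
        members = [p for p, lab in zip(sec, labels) if lab == j]
        if members:
            regions.append((cent, max(math.dist(p, cent) for p in members), len(members) / len(sec)))
    return regions

def abnormal_degree(c, dist, R, lam, regions):
    """d-svdd steps 4-5 (detection phase) for one feature vector."""
    d = dist(c)
    if d < (1 - lam) * R:
        return 0.0          # C_ii: inside the sphere and clear of the secondary area
    if d > (1 + lam) * R:
        return 1.0          # C_io: outside the sphere and clear of the secondary area
    for cent, radius, f_j in regions:
        if math.dist(c, cent) <= radius:
            return f_j      # C_ij: inside sub-region j
    return 1.0              # blank region of the secondary area

def track(vectors, dist, R, lam, regions, threshold):
    """d-svdd step 6: average one user's abnormal degree over the tracked periods."""
    avg = sum(abnormal_degree(c, dist, R, lam, regions) for c in vectors) / len(vectors)
    return avg, avg > threshold

def run_demo(lam=0.2, k=2, threshold=0.6):
    dist, R, alpha = train_svdd(TRAIN, nu=1.0 / len(TRAIN), sigma=1.0)  # nu = 1/l: hard margin
    regions = build_subregions(TRAIN, dist, R, lam, k)
    probes = [(0.20, 0.05), (0.15, 0.05), (0.20, 0.10), (0.90, 0.90)]  # constructed detection samples
    degrees = {c: abnormal_degree(c, dist, R, lam, regions) for c in probes}
    avg, flagged = track([(0.15, 0.05), (0.20, 0.05), (0.90, 0.90)], dist, R, lam, regions, threshold)
    return degrees, avg, flagged, sum(alpha)
```

On the constructed data the four corner vectors become the support vectors, the six outermost vectors fall into the secondary area and split into two K-means sub-regions of three samples each ($f_j = 0.5$), the probe at the cluster centre is $C_{ii}$ (degree 0), the far probe is $C_{io}$ (degree 1), the probe inside a sub-region gets 0.5, and a probe in the secondary area but in no sub-region gets the blank-region value 1. Tracking a user whose three periods score 0.5, 0 and 1 averages to 0.5, below the threshold of 0.6, which is exactly the "suspicious but not yet an attacker" case the secondary classification is designed to hold back from the SVDD-only verdict.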
TABLE I. The detection results of CC attacks and DNS attacks

attack type | judge standard | SVDD | d-svdd
CC attack | detection rate (attack t/total) | 78.% (0/30); 8.3% (60/00) | 97.% (0/30); 98.0% (60/00)
CC attack | false alarm rate (normal /total) | 6.8% (00/30); 5.6% (40/00) | .0% (00/30); 0.9% (40/00)
DNS rebounding attack | detection rate (attack /total) | 80.8% (60/60); 84.7% (30/00) | 97.% (60/60); 98.5% (30/00)
DNS rebounding attack | false alarm rate (normal /total) | 7.9% (00/60); 6.3% (70/00) | 0.96% (00/60); 0.83% (70/00)

From the experiment results in Table I it can be concluded: (1) Both CC attacks and DNS rebounding attacks are detected effectively, which shows the relatively strong extensibility of the access marking strategy and of the d-svdd algorithm. (2) Under the same conditions, the detection performance of d-svdd is obviously better than that of SVDD; this is because the decision boundary of SVDD is set without any attack information, while the further detection in the secondarily classified area by d-svdd compensates for this drawback well. (3) Both algorithms show better detection performance for DNS rebounding attacks than for CC attacks, which is mainly due to how well the attacks match the extracted features.

V. PERFORMANCE ANALYSIS

A. The space complexity of the feature extraction strategy based on marking access

There are only two states when marking the access time, 1 or 0, so one bit is enough to express it. Similarly, one bit is also enough to express the two states when marking the access page. Therefore, if the average number of stamps during a marking period is 20, the corresponding space occupied is 40 bits, and 80 Mbit (= 10 Mbyte) are enough for marking $2 \times 10^6$ users. Thus, even when there are lots of accessing users, the space occupied by marking is still very low.

B. The time complexity of the SVDD and d-svdd algorithms

When SVDD is used there are in fact two completely different processes: the training phase and the detection phase. For the anomaly detection in this paper we mainly care about the accuracy and completeness of the training phase; its time complexity, as long as it stays in an acceptable range, has little effect on algorithm performance, so only the time complexity of the detection phase is considered. Most of the time consumed in the detection phase is spent calculating the distance $d_i$ and comparing it with $R$; because the center $C_0$ and the radius $R$ are known, the time complexity is $O(1)$.

The time consumed in the d-svdd detection phase is mainly spent on K-means clustering and on calculating the abnormal degrees, whose time complexities are $O(knt)$ and $O(1)$ respectively, where $k$ is the number of clusters, $t$ the number of iterations and $n$ the number of vectors to cluster; generally $t < n$ and $k < n$. Because the vectors in the secondarily classified area are a small portion of all vectors, the time complexity of d-svdd is acceptable. In summary, the total time complexity is $O(knt)$.

Figure 2. Comparison of ROC curves for the DNS server (curves for d-svdd, HMM and Session; horizontal axis: false alarm rate on a log scale from $10^{-3}$ to $10^{0}$; vertical axis: detection rate from 0 to 1)

Figure 3. Comparison of ROC curves for the FTP server (curves for d-svdd, HMM and Session; horizontal axis: false alarm rate on a log scale from $10^{-3}$ to $10^{0}$; vertical axis: detection rate from 0 to 1)

C. Comparison with other algorithms

Due to the relatively strong extensibility of the feature extraction method based on marking access and of the detection algorithm d-svdd, its detection performance obviously exceeds that of the Session model and the HMM model when detecting attacks against FTP and DNS servers, as shown in Figures 2 and 3. We can see that the d-svdd algorithm has satisfying performance for all kinds of App-DDoS attacks, while the Session model and the HMM model have poor detection performance for FTP and DNS attacks.

VI. CONCLUSION

In order to enhance the extensibility of the extracted features and of the detection algorithm, and to achieve effective detection of various App-DDoS attacks, this paper gives a new feature extraction method based on marking access and an improved detection algorithm, d-svdd. The access marking and feature extraction means are not limited to a specific server; they are also suitable for detecting attacks against other servers after slightly improving the corresponding strategies. The d-svdd algorithm compensates for the drawback of SVDD well through further detection in the secondarily classified area, which greatly improves detection performance under the same training and detection conditions.
Due to the ideal space, time and detection performance of the detection algorithm proposed in this paper, it achieves satisfying detection performance for all kinds of App-DDoS attacks.
ACKNOWLEDGMENT

This work is supported by the National High-Tech Research & Development Program of China (No. 0AA0A03).

REFERENC
ES

[1] V. Durcekova, L. Schwartz, N. Shahmehri. Sophisticated Denial of Service Attacks Aimed at Application Layer [C]. ELEKTRO, Rajecke Teplice, 2012: 55-60.
[2] Anuja R. Zade, Suhas H. Patil. A Survey on Various Defense Mechanisms Against Application Layer Distributed Denial of Service Attack [J]. International Journal on Computer Science and Engineering, 2011, 3(11): 3558-3563.
[3] DUAN Jian-li, LIU Shu-xia. Research on Web Log Mining Analysis [C]. International Symposium on Instrumentation & Measurement, Sensor Network and Automation, 2012: 55-59.
[4] Yatagai T., Isohara T., Sasase I. Detection of HTTP-GET Flood Attack Based on Analysis of Page Access Behavior [C]. Proceedings of the IEEE Pacific Rim Conference on Communications, Computers and Signal Processing, 2007: 232-235.
[5] XIE Yi, YU Shun-zheng. Monitoring the Application-Layer DDoS Attacks for Popular Websites [C]. IEEE/ACM Transactions on Networking, 2009, 17(1): 15-25.
[6] XIE Yi, YU Shun-zheng. A Large-Scale Hidden Semi-Markov Model for Anomaly Detection on User Browsing Behaviors [C]. IEEE/ACM Transactions on Networking, 2009, 17(1): 54-65.
[7] Ranjan S., Swaminathan R., Uysal M., Knightly E. DDoS-Shield: DDoS-resilient scheduling to counter application layer attacks [C]. IEEE/ACM Transactions on Networking, 2009, 17(1): 26-39.
[8] Agrawal P. K., Gupta B. B., Jain S. SVM Based Scheme for Predicting Number of Zombies in a DDoS Attack [C]. European Intelligence and Security Informatics Conference, Athens, 2011: 178-182.
[9] ZHU Xiao-kai, YANG De-gui. Multi-Class Support Vector Domain Description for Pattern Recognition Based on a Measure of Expansibility [J]. Chinese Journal of Electronics, 2009, 3(37): 464-469.
[10] Tapas Kanungo, David M. Mount, Nathan S. Netanyahu. An Efficient k-Means Clustering Algorithm: Analysis and Implementation [J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2002, 24(7): 881-892.
[11] ZHI Jian. Research on DDoS Attacks Based on The Application Layer [Master dissertation]. Dalian Maritime University, 0.
[12] OU Shuai. Research and Design of a Defense System Against DNS Distributed Denial of Service Attacks [Master dissertation]. Southwest Jiaotong University, 2009.