Monitoring the application-layer DDoS attacks for popular websites
Source IEEE/ACM Transactions on Networking (TON) archive
Volume 17 ,  Issue 1  (February 2009) table of contents
Pages 15-25  
Year of Publication: 2009
ISSN:1063-6692
Authors
Yi Xie  Department of Electrical and Communication Engineering, School of Information Science and Technology, Sun Yat-Sen University, Guangzhou, China
Shun-Zheng Yu  Department of Electrical and Communication Engineering, School of Information Science and Technology, Sun Yat-Sen University, Guangzhou, China
Publisher
IEEE Press  Piscataway, NJ, USA
Bibliometrics
Downloads (6 Weeks): 67,   Downloads (12 Months): 364,   Citation Count: 0
DOI Bookmark: 10.1109/TNET.2008.925628

ABSTRACT

Distributed denial of service (DDoS) attacks are a continuing, critical threat to the Internet. Evolved from lower-layer attacks, new application-layer DDoS attacks use legitimate HTTP requests to overwhelm a victim's resources and are harder to detect. The situation is more serious when such attacks mimic, or occur during, a flash crowd event at a popular Website. Focusing on the detection of these new DDoS attacks, a scheme based on document popularity is introduced. An Access Matrix is defined to capture the spatial-temporal patterns of a normal flash crowd. Principal component analysis and independent component analysis are applied to abstract the multidimensional Access Matrix. A novel anomaly detector based on a hidden semi-Markov model is proposed to describe the dynamics of the Access Matrix and to detect the attacks. The entropy of document popularity under the fitted model is used to detect potential application-layer DDoS attacks. Numerical results based on real Web traffic data are presented to demonstrate the effectiveness of the proposed method.

