• DocumentCode
    2892846
  • Title

    Modeling Human Behavior for Defense Against Flash-Crowd Attacks

  • Author

    Oikonomou, Georgios ; Mirkovic, Jelena

  • Author_Institution
    Comput. & Inf. Sci., Univ. of Delaware, Newark, DE, USA
  • fYear
    2009
  • fDate
    14-18 June 2009
  • Firstpage
    1
  • Lastpage
    6
  • Abstract
    Flash-crowd attacks are the most vicious form of distributed denial of service (DDoS). They flood the victim with service requests generated from numerous bots. Attack requests are identical in content to those generated by legitimate, human users, and bots send at a low rate to appear non-aggressive - these features defeat many existing DDoS defenses. We propose defenses against flash-crowd attacks via human behavior modeling, which differentiate DDoS bots from human users. Current approaches to human-vs-bot differentiation, such as graphical puzzles, are insufficient and annoying to humans, whereas our defenses are highly transparent. We model three aspects of human behavior: a) request dynamics, by learning several chosen features of human interaction dynamics, and detecting bots that exhibit higher aggressiveness in one or more of these features, b) request semantics, by learning transitional probabilities of user requests, and detecting bots that generate valid but low-probability sequences, and c) ability to process visual cues, by embedding into server replies human-invisible objects, which cannot be detected by automated analysis, and flagging users that visit them as bots. We evaluate our defenses' performance on a series of Web traffic logs, interlaced with synthetically generated attacks, and conclude that they raise the bar for a successful, sustained attack to botnets whose size is larger than the size observed in 1-5% of DDoS attacks today.
  • Keywords
    security of data; DDoS defense; Web traffic logs; distributed denial of service; flash-crowd attacks; graphical puzzles; human behavior modeling; human interaction dynamics; human-vs-bot differentiation; request dynamics; request semantics; service requests; Communications Society; Computer crime; Distributed computing; Event detection; Face detection; Floods; Humans; Object detection; Peer to peer computing; Telecommunication traffic;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Communications, 2009. ICC '09. IEEE International Conference on
  • Conference_Location
    Dresden
  • ISSN
    1938-1883
  • Print_ISBN
    978-1-4244-3435-0
  • Electronic_ISBN
    1938-1883
  • Type

    conf

  • DOI
    10.1109/ICC.2009.5199191
  • Filename
    5199191