Title : 
Web DDoS Detection Schemes Based on Measuring User's Access Behavior with Large Deviation
         
        
            Author : 
Wang, Jin ; Yang, Xiaolong ; Long, Keping
         
        
            Author_Institution : 
Res. Center for Opt. Internet & Mobile Inf. Network, Univ. of Electron. Sci. & Technol. of China, Chengdu, China
         
        
        
        
        
        
            Abstract : 
Distributed denial-of-service (DDoS) attack seriously threatens the survivability of web services. It attempts to exhaust a server's resources (e.g., I/O bandwidth, CPU, and memory resources) to the extent that no resource is available for requests from legitimate users. Recently, some attackers launch web DDoS attacks from the application layer (i.e., web app-DDoS), which can evade most of the existing detection approaches that mainly focused on Bandwidth-Flooding DDoS and TCP SYN-Flooding DDoS. This paper discusses the detection of web app-DDoS, and presents two different models to characterize user's web access behavior, i.e., click-ratio based model and Markov process based model. With these characterizations as reference, we adopt large deviation theory to estimate the probability that each ongoing user's access behavior is "consistent" with the corresponding reference characterization, and propose two different detection schemes, LD-IID and LD-MP, respectively. We also validate our schemes with simulations, and the simulation results show that LD-IID can detect attackers accurately, yet LD-MP has high false negatives.
         
        
            Keywords : 
Markov processes; Web services; computer network security; probability; reliability; transport protocols; LD-IID; LD-MP; Markov process; TCP SYN flooding; Web DDoS detection; Web services; bandwidth flooding; distributed denial of service attack; probability estimation; survivability; users access behavior; Computer crime; Markov processes; Monitoring; Vectors; Web servers;
         
        
        
        
            Conference_Title : 
Global Telecommunications Conference (GLOBECOM 2011), 2011 IEEE
         
        
            Conference_Location : 
Houston, TX, USA
         
        
        
            Print_ISBN : 
978-1-4244-9266-4
         
        
            Electronic_ISBN : 
1930-529X
         
        
        
            DOI : 
10.1109/GLOCOM.2011.6133798