• DocumentCode
    604450
  • Title

    Application layer DDoS detection using clustering analysis

  • Author

    Chengxu Ye ; Kesong Zheng ; Chuyu She

  • Author_Institution
    Sch. of Comput., Qinghai Normal Univ., Xining, China
  • fYear
    2012
  • fDate
    29-31 Dec. 2012
  • Firstpage
    1038
  • Lastpage
    1041
  • Abstract
    Many methods were designed in previous literature to protect systems from distributed denial of service attacks at the IP and TCP layers rather than at the application layer. However, they no longer work well when they encounter application layer distributed denial of service. In this paper we introduce a clustering method to analyze application layer DDoS. To capture users' browsing behavior, we cluster users' sessions. We consider bots' browsing behavior abnormal, that is, different from normal human behavior. We first extract four features from each session to cluster users' sessions: average size of objects requested in the session, request rate, average popularity of all objects in the session, and average transition probability. Then, we use a large amount of legitimate request sequences to get normal user browsing behavior models. Finally, we conduct simulation experiments with an attack dataset to validate the models.
  • Keywords
    IP networks; computer network security; IP layer; TCP layer; application layer ddos detection; attack dataset; average transition probability; clustering analysis; distributed denial of service attack; user browsing behavior model; application; browsing behavior; cluster; ddos;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Science and Network Technology (ICCSNT), 2012 2nd International Conference on
  • Conference_Location
    Changchun
  • Print_ISBN
    978-1-4673-2963-7
  • Type

    conf

  • DOI
    10.1109/ICCSNT.2012.6526103
  • Filename
    6526103