
HTTP-SoLDiER: An HTTP-flooding attack detection scheme with the large deviation principle

  • Research Paper
  • Published in: Science China Information Sciences

Abstract

The HTTP-flooding attack is a much stealthier form of distributed denial of service (DDoS) attack and seriously challenges the survivability of web services. Observing web access behavior, we find that the surfing preference of normal users is much more consistent with webpage popularity than that of malicious users. Based on this observation, this paper proposes a novel detection scheme for HTTP-flooding, HTTP-SoLDiER. Specifically, HTTP-SoLDiER first quantifies the consistency between a web user's surfing preference and the webpage popularity with the large-deviation principle. Then HTTP-SoLDiER distinguishes malicious users from normal ones according to the large-deviation probability. In practice, webpage popularity plays a key role in the attack detection of HTTP-SoLDiER. Because webpage content is continually updated and attackers disturb the access statistics, webpage popularity often varies over time. Thus it is critical for HTTP-SoLDiER to update the webpage popularity dynamically. We design a reversible exponentially weighted moving average (EWMA) algorithm to solve this problem. Finally, we evaluate the effectiveness of the scheme in terms of true positive (TP) and false positive (FP) probabilities with NS-3 simulations. The simulation results show that HTTP-SoLDiER detects all random HTTP-flooding attackers and most of the perfect-knowledge HTTP-flooding attackers with few false positives.
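As an added illustration (not code from the paper), the following Python sketch applies the large-deviation idea in the abstract: each user's empirical page-access distribution ν is compared with the site popularity μ using the relative entropy D(ν‖μ) as the rate function (Sanov's theorem gives P ≈ exp(−n·D(ν‖μ))), users whose n·D exceeds a threshold are flagged, and popularity is refreshed with an EWMA. The rate function, the threshold, the sample data and the plain (non-reversible) EWMA are assumptions; the paper's exact formulation and its reversible EWMA are not on this page.

```python
import math
from collections import Counter

# Constructed sample data: site-wide page popularity mu (sums to 1) and per-user request logs.
POPULARITY = {"/index": 0.50, "/news": 0.30, "/about": 0.15, "/archive/2009": 0.05}
USER_LOGS = {
    # surfs in proportion to popularity
    "normal": ["/index"] * 10 + ["/news"] * 6 + ["/about"] * 3 + ["/archive/2009"],
    # random HTTP flooder: hits every known page equally, ignoring popularity
    "random_flooder": ["/index", "/news", "/about", "/archive/2009"] * 5,
}
THRESHOLD = 2.0  # assumed cutoff on n * D(nu || mu); tuned per site in practice

def kl_divergence(nu, mu):
    """Relative entropy D(nu || mu) of a user's empirical access distribution nu
    against the popularity mu; this is the Sanov rate function. A page that has
    zero popularity but was requested gives an infinite rate."""
    total = 0.0
    for page, p in nu.items():
        if p == 0.0:
            continue
        q = mu.get(page, 0.0)
        if q == 0.0:
            return math.inf
        total += p * math.log(p / q)
    return total

def empirical_measure(requests):
    """Fraction of a user's requests that went to each page."""
    n = len(requests)
    return {page: c / n for page, c in Counter(requests).items()}

def large_deviation_score(requests, mu):
    """n * D(nu || mu): by Sanov's theorem the probability that a user drawing n
    pages from mu shows empirical measure nu decays like exp(-n * D(nu || mu)),
    so a large score means an access pattern that is implausible for a normal user."""
    return len(requests) * kl_divergence(empirical_measure(requests), mu)

def classify_users(logs, mu, threshold=THRESHOLD):
    """Map each user to True (flagged as flooder) or False (consistent with mu)."""
    return {user: large_deviation_score(reqs, mu) > threshold for user, reqs in logs.items()}

def ewma_update(mu, requests, alpha=0.1):
    """Plain EWMA refresh of popularity from the latest window of requests (the
    paper's reversible EWMA is not reproduced here); the result still sums to 1."""
    window = empirical_measure(requests)
    return {page: (1 - alpha) * mu.get(page, 0.0) + alpha * window.get(page, 0.0)
            for page in set(mu) | set(window)}
```

With the sample data, `classify_users(USER_LOGS, POPULARITY)` flags only `random_flooder` (score about 6.2 versus 0 for the normal user). An attacker who samples pages exactly from μ scores near zero under this rate function, so the abstract's result that most perfect-knowledge attackers are still caught rests on parts of the full scheme not reproduced here.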



Corresponding author

Correspondence to XiaoLong Yang.


Cite this article

Wang, J., Yang, X., Zhang, M. et al. HTTP-SoLDiER: An HTTP-flooding attack detection scheme with the large deviation principle. Sci. China Inf. Sci. 57, 1–15 (2014). https://doi.org/10.1007/s11432-013-5015-2

  • DOI: https://doi.org/10.1007/s11432-013-5015-2
