AIGG Threshold Based HTTP GET Flooding Attack Detection

Choi, Yang‐Kyu; Kim, Ikkyun; Oh, Jihyun; Jang, Jongsoo

doi:10.1007/978-3-642-35416-8_19

Cited by 12 publications

(5 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…When the content is received, the user reads the content of the web page. After a time interval the user requests another web page based on links in the first page [35]. This time interval, called Δ , is the time gap between the end of receiving the server' response and the start of the next request in the same stream.…”

Section: Slow Header Attackmentioning

confidence: 99%

“…This enables the attacker to deny connection requests of legitimate users. Therefore, this attack type is able to cause a DoS by a small quantity of packets and in a short period of time [5,35,37]. This attack is hard to detect and mitigate because it implies that the bandwidth consumption and the Δ lie in normal ranges but generates the attack continuously and repeatedly.…”

Section: Slow Header Attackmentioning

confidence: 99%

See 1 more Smart Citation

Detection System of HTTP DDoS Attacks in a Cloud Environment Based on Information Theoretic Entropy and Random Forest

Idhammad

Afdel

Belouch

2018

Security and Communication Networks

View full text Add to dashboard Cite

Cloud Computing services are often delivered through HTTP protocol. This facilitates access to services and reduces costs for both providers and end-users. However, this increases the vulnerabilities of the Cloud services face to HTTP DDoS attacks. HTTP request methods are often used to address web servers’ vulnerabilities and create multiple scenarios of HTTP DDoS attack such as Low and Slow or Flooding attacks. Existing HTTP DDoS detection systems are challenged by the big amounts of network traffic generated by these attacks, low detection accuracy, and high false positive rates. In this paper we present a detection system of HTTP DDoS attacks in a Cloud environment based on Information Theoretic Entropy and Random Forest ensemble learning algorithm. A time-based sliding window algorithm is used to estimate the entropy of the network header features of the incoming network traffic. When the estimated entropy exceeds its normal range the preprocessing and the classification tasks are triggered. To assess the proposed approach various experiments were performed on the CIDDS-001 public dataset. The proposed approach achieves satisfactory results with an accuracy of 99.54%, a FPR of 0.4%, and a running time of 18.5s.

show abstract

Section: Slow Header Attackmentioning

confidence: 99%

Section: Slow Header Attackmentioning

confidence: 99%

Detection System of HTTP DDoS Attacks in a Cloud Environment Based on Information Theoretic Entropy and Random Forest

Idhammad

Afdel

Belouch

2018

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…Impenetrable prickles in direct HTTP traffic [2], [13] at a particular endpoint in cloud may be an indication of slow flooding DDOS attack especially when there is huge bounce rate and exit rate at the same time. This may be an indication of victimization of a particular cloud endpoint by distributed unknown sources which resemble DDOS characteristics due to its flooding [12], [18] nature. Detection of such scenario is a problem to be solved in this research work.…”

Section: Problem Statementmentioning

confidence: 99%

Slow flooding attack detection in cloud using change point detection approach

Singh¹,

Panda²,

Samra³

2018

IJET

View full text Add to dashboard Cite

Cloud computing is one of the high-demand services and prone to numerous types of attacks due to its Internet based backbone. Flooding based attack is one such type of attack over the cloud that exhausts the numerous resources and services of an individual or an enterprise by way of sending useless huge traffic. The nature of this traffic may be of slow or fast type. Flooding attacks are caused by way of sending massive volume of packets of TCP, UDP, ICMP traffic and HTTP Posts. The legitimate volume of traffic is suppressed and lost in traffic flooding traffics. Early detection of such attacks helps in minimization of the unauthorized utilization of resources on the target machine. Various inbuilt load balancing and scalability options to absorb flooding attacks are in use by cloud service providers up to ample extent still to maintain QoS at the same time by cloud service providers is a challenge. In this proposed technique. Change Point detection approach is proposed here to detect flooding DDOS attacks in cloud which are based on the continuous variant pattern of voluminous (flooding) traffic and is calculated by using various traffic data based metrics that are primary and computed in nature. Golden ration is used to compute the threshold and this threshold is further used along with the computed metric values of normal and malicious traffic for flooding attack detection. Traffic of websites is observed by using remote java script.

show abstract

“…The attack scenarios describe the ways in which an attacker makes use of a vulnerability to obtain the credentials . The information about the credentials are reflected in the access log file on an Apache server.…”

Section: Experimental Analysismentioning

confidence: 99%

HADM: detection of HTTP GET flooding attacks by using Analytical hierarchical process and Dempster–Shafer theory with MapReduce

Sree

Bhanu

2016

Security Comm Networks

View full text Add to dashboard Cite

The exponential growth in Internet usage causes cyber attack incidents. Among the various kinds of attacks, HTTP GET flooding attack is one of the major threats to the Internet services, as it depletes the resources and services in the application layer. It is difficult to distinguish between the legitimate traffic and malicious traffic from log file traces because the request patterns of attacks are similar to legitimate clients. The various techniques used for the detection of HTTP GET flooding attack are pattern analysis, entropy method, network-based access control mechanism, etc. These techniques use the predefined rules obtained from the traffic patterns to detect the attack and may result in false positives. Hence, to overcome this drawback, the rules are needed to be updated for new traffic patterns caused by the attacks that may lead to more processing time. In order to mitigate this issue, the proposed method uses web server logs instead of traffic patterns. The proposed method reads the web server logs, extracts the relevant features and uses analytical hierarchical process to predict whether the attack has occurred or not and detects the suspicious sources by using Dempster-Shafer theory of evidence. The experimental results are compared with existing approaches such as Snort Intrusion Detection System (IDS), page access behaviour, entropy method and auto-regressive model. The experimental results demonstrate that the proposed method (HADM) achieves a high detection rate, reduces false alarms and takes less processing time by using MapReduce.

show abstract

AIGG Threshold Based HTTP GET Flooding Attack Detection

Cited by 12 publications

References 9 publications

Detection System of HTTP DDoS Attacks in a Cloud Environment Based on Information Theoretic Entropy and Random Forest

Detection System of HTTP DDoS Attacks in a Cloud Environment Based on Information Theoretic Entropy and Random Forest

Slow flooding attack detection in cloud using change point detection approach

HADM: detection of HTTP GET flooding attacks by using Analytical hierarchical process and Dempster–Shafer theory with MapReduce

Contact Info

Product

Resources

About