User Behavior Anomaly Detection for Application Layer DDoS Attacks

Najafabadi, Maryam M.; Khoshgoftaar, Taghi M.; Calvert, Chad; Kemp, Clifford

doi:10.1109/iri.2017.44

Cited by 32 publications

(11 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Tripathi and Hubballi [33] proposed the use of chi-square test in order to detect slow rate denial of service attacks against HTTP/2 protocol. In [34], Najafabadi et al proposed a detection method for the application layer DDoS attacks that worked extracting instances of user behaviors requesting resources from HTTP web server logs and using Principal Component Analysis (PCA) in order to detect anomalous behavior instances. Zolotukhin and Kokkonen [35] focused on detection of application-layer DoS attacks that utilize encrypted protocols by applying an anomaly-detection-based approach to statistics extracted from network packets headers using the stacked autoencoder algorithm.…”

Section: Specific Attack Detection/preventionmentioning

confidence: 99%

Prevention and Fighting against Web Attacks through Anomaly Detection Technology. A Systematic Review

Riera

Higuera

et al. 2020

Sustainability

View full text Add to dashboard Cite

Numerous techniques have been developed in order to prevent attacks on web servers. Anomaly detection techniques are based on models of normal user and application behavior, interpreting deviations from the established pattern as indications of malicious activity. In this work, a systematic review of the use of anomaly detection techniques in the prevention and detection of web attacks is undertaken; in particular, we used the standardized method of a systematic review of literature in the field of computer science, proposed by Kitchenham. This method is applied to a set of 88 papers extracted from a total of 8041 reviewed papers, which have been published in notable journals. This paper discusses the process carried out in this systematic review, as well as the results and findings obtained to identify the current state of the art of web anomaly detection.

show abstract

Section: Specific Attack Detection/preventionmentioning

confidence: 99%

Prevention and Fighting against Web Attacks through Anomaly Detection Technology. A Systematic Review

Riera

Higuera

et al. 2020

Sustainability

View full text Add to dashboard Cite

show abstract

“…By comparing the anomaly score with a threshold, the system detected the anomaly behavior. Najafabadi et al [12] proposed PCA subspace anomaly detection method for application layer DDoS attacks, where the web server log was analyzed such as client IP field, URL field, and time field. TargetVue [19] detected anomalous users via an unsupervised learning model and visualized the results by analyzing time-adaptive local outlier factor and communication features as user behavior.…”

Section: User Behavior Anomaly Detectionmentioning

confidence: 99%

“…Moreover, Legg et al [10] proposed a tree-structure profiling approach to assess the user and role-based profile by obtaining the consistent representation of features. Principle Component Analysis (PCA) also was used for detecting anomalous behavior instances [11,12]. However, these methods only focused on using user behavior information for identifying anomaly but ignored the concept drift of user behavior; That is, user behavior changes over time, and the detection model based on user behavior needs to be updated regularly.…”

Section: Introductionmentioning

confidence: 99%

Network Anomaly Detection by Using a Time-Decay Closed Frequent Pattern

Zhao

Chen

et al. 2019

Information

View full text Add to dashboard Cite

Anomaly detection of network traffic flows is a non-trivial problem in the field of network security due to the complexity of network traffic. However, most machine learning-based detection methods focus on network anomaly detection but ignore the user anomaly behavior detection. In real scenarios, the anomaly network behavior may harm the user interests. In this paper, we propose an anomaly detection model based on time-decay closed frequent patterns to address this problem. The model mines closed frequent patterns from the network traffic of each user and uses a time-decay factor to distinguish the weight of current and historical network traffic. Because of the dynamic nature of user network behavior, a detection model update strategy is provided in the anomaly detection framework. Additionally, the closed frequent patterns can provide interpretable explanations for anomalies. Experimental results show that the proposed method can detect user behavior anomaly, and the network anomaly detection performance achieved by the proposed method is similar to the state-of-the-art methods and significantly better than the baseline methods.

show abstract

“…More recently attention has been brought to solutions specific to cloud and software‐defined networks . An important part of the research has been focused on anomaly intrusion detection techniques . Anomaly‐based detection techniques build on the principle that the traffic distribution of a service will deviate from its normal pattern under an attack.…”

Section: Introductionmentioning

confidence: 99%

Mitigating DDoS using weight‐based geographical clustering

Kongshavn¹,

Haugerud

Yazidi

et al. 2020

Concurrency and Computation

View full text Add to dashboard Cite

Distributed denial of service (DDoS) attacks have for the last two decades been among the greatest threats facing the internet infrastructure. Mitigating DDoS attacks is a particularly challenging task as an attacker tries to conceal a huge amount of traffic inside a legitimate traffic flow. This article proposes to use data mining approaches to find unique hidden data structures which are able to characterize the normal traffic flow. This will serve as a mean for filtering illegitimate traffic under DDoS attacks. In this endeavor, we devise three algorithms built on previously uncharted areas within mitigation techniques where clustering techniques are used to create geographical clusters in regions which are likely to contain legitimate traffic. We argue through extensive experimental results that establishing clusters around this narrative is a superior solution to clustering algorithms which rely on bitwise distances between IP addresses. In addition, the DDoS filtering algorithm is deployed in a virtual Linux environment using Nfqueue and tested in a simulated real-life DDoS attack.

show abstract

User Behavior Anomaly Detection for Application Layer DDoS Attacks

Cited by 32 publications

References 15 publications

Prevention and Fighting against Web Attacks through Anomaly Detection Technology. A Systematic Review

Prevention and Fighting against Web Attacks through Anomaly Detection Technology. A Systematic Review

Network Anomaly Detection by Using a Time-Decay Closed Frequent Pattern

Mitigating DDoS using weight‐based geographical clustering

Contact Info

Product

Resources

About