IEEE Access (Jan 2019)

Identifying Application-Layer DDoS Attacks Based on Request Rhythm Matrices

  • Huan Lin,
  • Shoufeng Cao,
  • Jiayan Wu,
  • Zhenzhong Cao,
  • Fengyu Wang

DOI
https://doi.org/10.1109/ACCESS.2019.2950820
Journal volume & issue
Vol. 7
pp. 164480 – 164491

Abstract

Application-layer distributed denial of service (AL-DDoS) attacks are becoming critical threats to websites because the stealth of AL-DDoS attacks makes many intrusion prevention systems ineffective. To detect AL-DDoS attacks aimed at websites, we propose a novel statistical model called the RM (rhythm matrix). Although the original features from the network layer are adopted, the access trajectory, including requested objects and corresponding dwell-time values, can be abstracted and accumulated into an RM. With an RM, we can almost losslessly compress complex features into a simple structure and characterize the user access behavior. We detect AL-DDoS attacks according to the increase of the abnormality degree in the RM and further identify malicious hosts based on change-rate outliers. In the experiments, we simulate three modes of AL-DDoS attacks with the latest popular DDoS attack tools: LOIC and HOIC. The results show that our method can detect these simulated attacks and identify the malicious hosts accurately and efficiently. For an AL-DDoS detection method, the ability to distinguish flash crowds is indispensable. We also demonstrate the excellent performance of our approach in distinguishing flash crowds from AL-DDoS attacks with two reconstructed public datasets.

Keywords