
Detecting HTTP-based application layer DoS attacks on web servers in the presence of sampling

Published: 05 July 2017

Abstract

A recent escalation of application layer Denial of Service (DoS) attacks on the Internet has quickly shifted the interest of a research community traditionally focused on network-based DoS attacks. A number of studies have come forward showing the potency of these attacks, introducing new varieties and discussing potential detection strategies. The underlying problem that triggered all this research is the stealthiness of application layer DoS attacks: since they usually do not manifest themselves at the network level, they commonly evade traditional network-layer detection mechanisms.

In this work we turn our attention to this problem and present a novel detection approach for application layer DoS attacks based on the nonparametric CUSUM algorithm. We explore the effectiveness of our detection on various types of these attacks in the context of modern web servers. Since in production environments detection is commonly performed on a sampled subset of network traffic, we also study the impact of sampling techniques on the detection of application layer DoS attacks. Our results demonstrate that the majority of sampling techniques developed specifically for the intrusion detection domain introduce significant distortion in the traffic that minimizes a detection algorithm's ability to capture the traces of these stealthy attacks.
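The detector the abstract describes is a nonparametric CUSUM run over a per-interval traffic feature, and the sampling result says that samplers tuned for other intrusion-detection tasks can erase the signal such a detector depends on. The Python block below is an added illustration of both points and is not the paper's own code: it runs a one-sided nonparametric CUSUM of the usual form (accumulate the excess of each observation over the baseline mean plus an allowance, reset at zero, alarm above a threshold) over the number of incomplete HTTP requests per 10-second interval in a constructed traffic stream, then repeats the run after a volume-biased sampler (keep only clients that have sent at least a minimum number of bytes, a simplified stand-in for samplers that concentrate on heavy flows) has been applied to the same stream. The feature choice, the constructed traffic, the sampler and the tuning constants (baseline mean, allowance, threshold) are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """One client request observed in a measurement interval (constructed record)."""
    bytes_sent: int   # bytes the client has sent so far in this interval
    complete: bool    # whether a full request header has arrived


# Tuning constants: assumptions for this example, not values from the paper.
BASELINE_MEAN = 2.0   # expected incomplete requests per interval on attack-free traffic
ALLOWANCE = 1.0       # slack added to the mean so benign jitter does not accumulate
THRESHOLD = 40.0      # alarm once the accumulated excess exceeds this value


def build_traffic(intervals: int = 40, attack_start: int = 25) -> List[List[Request]]:
    """Constructed traffic: every interval holds 198 complete requests plus two
    benign slow clients whose headers are still in flight; from attack_start on,
    30 extra tiny partial requests per interval model a low-rate incomplete-header
    attack. Total request volume rises by only 15 percent."""
    stream: List[List[Request]] = []
    for t in range(intervals):
        reqs = [Request(bytes_sent=900, complete=True) for _ in range(198)]
        reqs += [Request(bytes_sent=400, complete=False) for _ in range(2)]
        if t >= attack_start:
            reqs += [Request(bytes_sent=120, complete=False) for _ in range(30)]
        stream.append(reqs)
    return stream


def incomplete_per_interval(stream: List[List[Request]]) -> List[int]:
    """Detection feature: requests without a complete header, counted per interval."""
    return [sum(1 for r in reqs if not r.complete) for reqs in stream]


def size_biased_sample(stream: List[List[Request]], min_bytes: int) -> List[List[Request]]:
    """Simplified volume-biased sampler (assumption): keep only requests whose
    client has sent at least min_bytes, the way a heavy-flow-focused sampler would."""
    return [[r for r in reqs if r.bytes_sent >= min_bytes] for reqs in stream]


def nonparametric_cusum(xs: List[float], mu: float, allowance: float,
                        threshold: float) -> Tuple[List[float], Optional[int]]:
    """One-sided nonparametric CUSUM. Returns the per-interval scores and the index
    of the first interval whose score exceeds threshold (None if it never does)."""
    score = 0.0
    scores: List[float] = []
    alarm: Optional[int] = None
    for i, x in enumerate(xs):
        score = max(0.0, score + (x - mu - allowance))  # excess over mean + allowance, floored at 0
        scores.append(score)
        if alarm is None and score > threshold:
            alarm = i
    return scores, alarm


def run_detection(stream: List[List[Request]], min_bytes: Optional[int] = None) -> Optional[int]:
    """Run the detector over the full stream, or over a size-biased sample of it."""
    if min_bytes is not None:
        stream = size_biased_sample(stream, min_bytes)
    _, alarm = nonparametric_cusum(incomplete_per_interval(stream),
                                   BASELINE_MEAN, ALLOWANCE, THRESHOLD)
    return alarm


if __name__ == "__main__":
    traffic = build_traffic()
    print("full traffic, alarm at interval:", run_detection(traffic))                     # 26
    print("size-biased sample, alarm at interval:", run_detection(traffic, min_bytes=300))  # None
```

On the constructed stream the full-traffic run alarms one interval after the attack begins (the score reaches 29 at interval 25 and 58 at interval 26), while the size-biased sample drops every attacker request, leaves the feature at its baseline value of 2, and the detector never fires. That is the kind of distortion the abstract refers to: the attack is invisible in volume terms, so a sampler that favours heavy flows removes exactly the traffic the detector needs. In a deployment the baseline mean and threshold would be estimated from attack-free traffic, and the feature would be chosen per attack class (request completion, request rate, response time).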




Published In

Computer Networks: The International Journal of Computer and Telecommunications Networking, Volume 121, Issue C, July 2017, 207 pages

Publisher

Elsevier North-Holland, Inc., United States

      Author Tags

      1. Application layer
      2. DDoS
      3. Denial-of-service attacks
      4. Intrusion detection
      5. Network security
      6. Sampling techniques

      Qualifiers

      • Research-article


Cited By

      • (2025) EBIDS: efficient BERT-based intrusion detection system in the network and application layers of IoT. Cluster Computing 28:2. doi:10.1007/s10586-024-04775-y. Online publication date: 1-Apr-2025
      • (2024) Introducing a Comprehensive, Continuous, and Collaborative Survey of Intrusion Detection Datasets. Proceedings of the 17th Cyber Security Experimentation and Test Workshop, pp. 34-40. doi:10.1145/3675741.3675754. Online publication date: 13-Aug-2024
      • (2024) ShieldGPT: An LLM-based Framework for DDoS Mitigation. Proceedings of the 8th Asia-Pacific Workshop on Networking, pp. 108-114. doi:10.1145/3663408.3663424. Online publication date: 3-Aug-2024
      • (2024) Unknown, Atypical and Polymorphic Network Intrusion Detection: A Systematic Survey. IEEE Transactions on Network and Service Management 21:1, pp. 1190-1212. doi:10.1109/TNSM.2023.3298533. Online publication date: 1-Feb-2024
      • (2024) A comprehensive review of vulnerabilities and AI-enabled defense against DDoS attacks for securing cloud services. Computer Science Review 53:C. doi:10.1016/j.cosrev.2024.100661. Online publication date: 1-Aug-2024
      • (2023) Temporal CDN-convex lens. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 6185-6202. doi:10.5555/3620237.3620583. Online publication date: 9-Aug-2023
      • (2023) An Adversarial Strategic Game for Machine Learning as a Service using System Features. Proceedings of the 2023 International Conference on Autonomous Agents and Multiagent Systems, pp. 2508-2510. doi:10.5555/3545946.3598984. Online publication date: 30-May-2023
      • (2023) Poster: Learning distributions to detect anomalies using all the network traffic. Proceedings of the ACM SIGCOMM 2023 Conference, pp. 1108-1110. doi:10.1145/3603269.3610837. Online publication date: 10-Sep-2023
      • (2023) A method combining improved Mahalanobis distance and adversarial autoencoder to detect abnormal network traffic. Proceedings of the 27th International Database Engineered Applications Symposium, pp. 161-169. doi:10.1145/3589462.3589489. Online publication date: 5-May-2023
      • (2023) Detection of application-layer DDoS attacks using machine learning and genetic algorithms. Computers and Security 135:C. doi:10.1016/j.cose.2023.103511. Online publication date: 1-Dec-2023
