
Study And Implementation On The Algorithm For Application Layer DDoS Attack Detection

Posted on: 2013-08-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: C Xu
GTID: 1228330362473616
Subject: Control theory and control engineering

Abstract/Summary:
The Distributed Denial of Service (DDoS) attack has emerged as one of the most serious threats to the Internet service provider, the Web server. The traditional network layer and transport layer DDoS attacks have been fully detected through the growing network protection methods (such as firewalls, intrusion detection, etc.), and changes in the computing model encourage more services to interact on the Web, which accelerates the development of DDoS attacks toward the application layer. Since the application layer DDoS attack usually adopts real IP addresses as attacking nodes, uses the vulnerabilities of the application layer protocol, and sends a large number of legitimate HTTP requests that can easily pass through the network protection system to the victim server, it has become a security issue that needs to be resolved for the Web server.

However, most research has focused on network layer or transport layer DDoS attack detection, which makes it no longer suitable for application layer DDoS attack detection. The existing application layer DDoS attack detection methods aim at HTTP flooding attacks and detect them through statistical analysis of flow characteristics or of the fields of HTTP requests, which is ineffective against the asymmetric attack with a normal rate of requests. Due to the continuity and concentration of normal users' page browsing, this paper adopts application layer "user click behavior" as the observation angle to detect application layer asymmetric DDoS attacks and application layer DDoS attacks under flash crowds.

The main ideas are: (1) Identify the user click behavior from the huge number of HTTP requests on the server side. (2) Based on the user click sequence, identify application layer asymmetric DDoS attacks through the random walk model, and detect application layer DDoS attacks under flash crowds through changes in the correlation coefficient of the user click sequence. (3) Improve the efficiency and practicality of the proposed method through a parallel architecture based on multi-core processors.

The research contents are:

1. User browsing generates a large number of Web page clicks, and each click triggers the browser to automatically issue a series of HTTP requests to the Web server. Therefore, it is difficult to identify the click requests belonging to a user among the large number of measured HTTP requests when many users are clicking. For this reason, this paper proposes a hidden semi-Markov model (HsMM) based method to identify user click behavior from the huge number of requests at the server side, and adopts the K-means clustering algorithm to improve applicability by eliminating the disparity in the architecture and embedded objects of different Web sites.

2. To address the application layer low-rate and asymmetric DDoS attack, this paper proposes a novel detection method based on a random walk model of the user click sequence in different periods. First, the training data is used to establish the user click model. Then, a random walk graph is constructed from the pages that users click, and the random walk process is repeated with the transfer probability of the user click sequence in the former observation period as the initial probability distribution vector and the transfer probability of the user click sequence in the training data as the adjacency matrix. Last, the stable transition probability vector is obtained when the random walk process converges. The similarity between the user click sequence forecast by the random walk model and the one captured in the next period is used to identify abnormal requests. Owing to the differences in structure, user browsing habits and page types among different Web sites, three parameters (user access loyalty, link depth and link popularity) are used to simplify the types of Web pages that are applied to construct the random walk graph.

3. Since the Web server suffers from the impact of massive user requests and exhausts its resources under a flash crowd, even a small number of attack requests may deal it a fatal blow at this time. This makes detection of application layer DDoS attacks hidden in a flash crowd difficult; the key to detection is how to improve efficiency while keeping the accuracy of the algorithm. This paper proposes a user click sequence based attack detection method, which uses the number of user clicks to construct the user click sequence, and identifies the attack click sequence by comparing the correlation coefficient of the observed user click sequence to the legitimate user click model.

4. With the bandwidth growth of access network links, network attack traffic has increased rapidly, which makes it difficult to implement network attack detection algorithms that need to process massive numbers of packets in real time. In this respect, this paper proposes a customized parallel architecture for implementing the network security detection algorithm using commodity multi-core processors, which are now broadly deployed in personal computers. Packets with similar properties are dispatched to the same core and partitioned into several parts, which allows the threads maintained in each core to execute concurrently.

Experiments based on real network data collected from a China Telecom IDC and a campus network evaluate the accuracy and efficiency of the proposed method, and show it is valid for detecting the application layer DDoS attack under normal conditions and under flash crowds. The proposed methods not only can be deployed in the IDC for real-time protection of a variety of Web servers, but also can provide a reference for the Web security design of future networks.
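The random walk detection step described in research content 2 can be sketched as follows; this is an added example, not code from the dissertation. The four page-type labels, the smoothing constant, the use of cosine similarity, the 0.8 threshold and all click sequences are assumptions constructed for illustration.

```python
import math

N_TYPES = 4        # hypothetical page types: 0=home 1=list 2=article 3=search
THRESHOLD = 0.8    # assumed similarity cut-off, not a value from the thesis

# Constructed training click sequences (page-type index per click).
TRAINING = [[0, 1, 2, 2, 1, 2, 0, 1, 2],
            [0, 3, 2, 1, 2, 2, 0],
            [0, 1, 2, 1, 2, 3, 2]]

def transition_matrix(sessions, n=N_TYPES, alpha=0.1):
    """Row-normalised click transition probabilities; alpha smoothing (assumed)
    keeps every entry positive so the walk is guaranteed to converge."""
    counts = [[alpha] * n for _ in range(n)]
    for s in sessions:
        for a, b in zip(s, s[1:]):
            counts[a][b] += 1
    return [[c / sum(row) for c in row] for row in counts]

def distribution(clicks, n=N_TYPES):
    """Share of clicks per page type in one observation period."""
    return [clicks.count(t) / len(clicks) for t in range(n)]

def random_walk(p0, A, tol=1e-10, max_iter=1000):
    """Repeat p <- p*A from the initial vector until it stops changing."""
    p = list(p0)
    for _ in range(max_iter):
        nxt = [sum(p[i] * A[i][j] for i in range(len(p))) for j in range(len(p))]
        if max(abs(x - y) for x, y in zip(nxt, p)) < tol:
            return nxt
        p = nxt
    return p

def cosine(u, v):
    dot = sum(x * y for x, y in zip(u, v))
    return dot / (math.hypot(*u) * math.hypot(*v))

def score(former, observed, A):
    """Similarity between the forecast and the clicks captured next period."""
    forecast = random_walk(distribution(former), A)
    return cosine(forecast, distribution(observed))

A = transition_matrix(TRAINING)
# Constructed observation periods: the former period, then two candidates.
FORMER = [0, 1, 2, 2, 1, 2, 0, 1, 2, 2]
NORMAL = [0, 1, 2, 2, 1, 2, 0, 1, 2, 3, 2, 1, 2, 2, 0, 1, 2, 2, 1, 2]
SKEWED = [0, 3, 3, 3, 2, 3, 3, 3, 3, 1, 3, 3, 3, 3, 3, 2, 3, 3, 3, 3]

if __name__ == "__main__":
    for name, seq in (("normal", NORMAL), ("skewed", SKEWED)):
        s = score(FORMER, seq, A)
        print(name, round(s, 3), "ABNORMAL" if s < THRESHOLD else "ok")
```

Both candidate periods contain the same number of clicks, so a request-rate counter treats them alike; only the similarity to the forecast separates them.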
Keywords/Search Tags:App-DDoS attack detection, user click behavior, Hidden semi-Markov, Random walk, Parallelizing