
Research On Detection Scheme And Algorithm For HTTP-flooding Attack

Posted on: 2014-03-30
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Wang
Full Text: PDF
GTID: 1268330425468621
Subject: Communication and Information System

Abstract/Summary:
As Web services become more and more popular, web security attracts more attention from both academia and industry. HTTP-flooding is a new Distributed-Denial-of-Service attack. It imitates normal web surfing behavior, sending a large number of legitimate HTTP GET requests to the victim, aiming at exhausting the victim's precious resources (e.g., CPU, memory, etc.) and paralyzing the web services. HTTP-flooding attacks seriously challenge the survivability of web applications. Due to its stealthy attacking behavior, HTTP-flooding is difficult to detect. On one hand, compared with the tremendous traffic of a Bandwidth-flooding attack (e.g., the average traffic is 162 Mbps), the low traffic of HTTP-flooding (e.g., 10 Mbps) usually does not cause a traffic anomaly. On the other hand, unlike the bogus TCP connections of SYN-flooding, the true TCP connections of an HTTP-flooding attack do not bring significant changes to the statistics of TCP SYN packets. Even worse, HTTP-flooding attackers can generate HTTP GET requests as normal web surfers do. Thus, an HTTP-flooding attack is much harder to detect than other DDoS attacks, and can evade the detection approaches for Bandwidth-flooding and TCP SYN-flooding DDoS. Most of the existing detection schemes have poor detection performance. Thus, HTTP-flooding is still an open problem. This dissertation focuses on HTTP-flooding, and detects HTTP-flooding attacks with statistical learning methods.

This dissertation first proposes a novel method to efficiently quantify web surfing preference and surfing semantics. Based on the consistency between the individual temporal surfing preference and the overall webpage popularity, this dissertation analyzes the personal surfing differences, and detects HTTP-flooding attackers by their behavioral difference. Furthermore, aiming at the web-crawling traces in the training phase, this dissertation associates more surfing features, and builds the reference surfing profile according to the distribution density. Specifically, this dissertation studies the HTTP-flooding attack from the following aspects:

1. Studying the quantification of individual web surfing differences

The quantification of individual web surfing differences is critical to HTTP-flooding detection. How to select appropriate surfing features is the key problem in efficiently quantifying individual web surfing differences. With the surfing preference and surfing semantics, this dissertation analyzes the consistency between the individual surfing behavior and the corresponding feature of the website, and builds the quantification framework with the large deviation principle. Then, this dissertation primarily analyzes the surfing difference between normal users and some simple HTTP-flooding attacks.

2. Detecting HTTP-flooding attack with the individual surfing difference

Taking the surfing preference as the main feature, this dissertation studies HTTP-flooding detection based on the surfing preference. Webpage popularity is the basis for quantifying web surfing preference. Accurately computing webpage popularity is the key problem for surfing preference-based HTTP-flooding detection. On one hand, because webpage content is updated, webpage popularity changes dynamically. On the other hand, because of the detection-lag property, attacking sessions that have not yet been detected participate in the updating of webpage popularity, biasing webpage popularity and further degrading detection performance. Aiming at these problems, this dissertation studies how to update webpage popularity dynamically.

3. Studying the web-crawling behavior-tolerant HTTP-flooding detection

The accuracy of the training dataset is the key factor determining the performance of detection schemes based on normal web surfing behavior. Web surfing logs are the main dataset of HTTP-flooding detection, and they usually include some web-crawling traces. These web-crawling traces can degrade the detection of HTTP-flooding attacks. Aiming at the web-crawling traces in the training phase, this dissertation studies an HTTP-flooding detection scheme based on the joint feature distribution density. It builds the reference surfing profile from the noisy web logs, and detects HTTP-flooding attacks by comparing their surfing profile with the reference surfing profile.
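
An illustration of the surfing-preference idea described above, added here and not taken from the dissertation: each session's page distribution is compared with site-wide webpage popularity, and sessions that deviate too far are flagged. The scoring form (n times the KL divergence, the rate given by Sanov's theorem) is an assumption, since the abstract only names the large deviation principle; the popularity table, sessions and threshold are constructed.

```python
import math
from collections import Counter

# Constructed site-wide webpage popularity (share of page views); not data from the dissertation.
POPULARITY = {"/": 0.40, "/news": 0.25, "/products": 0.20, "/about": 0.10, "/search": 0.05}

def deviation_score(session, popularity=POPULARITY, floor=1e-6):
    """Return n * KL(Q || P), with Q the session's page distribution and P the popularity.

    By Sanov's theorem, n requests drawn from P produce the empirical
    distribution Q with probability of roughly exp(-n * KL(Q || P)), so a
    high score marks a session that a typical visitor is unlikely to produce.
    """
    n = len(session)
    if n == 0:
        return 0.0
    score = 0.0
    for page, count in Counter(session).items():
        q = count / n
        p = max(popularity.get(page, 0.0), floor)  # pages absent from the profile get a small floor
        score += count * math.log(q / p)           # equals n * q * log(q / p)
    return score

def flag_sessions(sessions, threshold):
    """Return the sorted ids of sessions whose deviation score exceeds the threshold."""
    return sorted(sid for sid, reqs in sessions.items() if deviation_score(reqs) > threshold)

# Constructed sessions: two ordinary visitors, one client repeating a single costly
# page, and one client requesting every page equally often.
SESSIONS = {
    "user-a": ["/", "/news", "/", "/products", "/news", "/", "/about", "/", "/products", "/news"],
    "user-b": ["/", "/products", "/", "/news", "/search", "/"],
    "client-x": ["/search"] * 40,
    "client-y": ["/", "/news", "/products", "/about", "/search"] * 12,
}
THRESHOLD = 10.0  # assumed value; in practice tuned on labelled traffic

if __name__ == "__main__":
    for sid, reqs in SESSIONS.items():
        print(f"{sid:9s} n={len(reqs):3d} score={deviation_score(reqs):7.2f}")
    print("flagged:", flag_sessions(SESSIONS, THRESHOLD))
```

For sessions that really follow the popularity profile the score stays small regardless of session length, which is why a fixed threshold separates them from the two skewed clients.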
Keywords/Search Tags:IP network, HTTP-flooding, large deviation, cluster