Distributed denial of service (DDoS) attacks have been a critical threat to the Internet for more than two decades. The first DDoS attacks appeared in 1995-1996, when it was discovered that floods of TCP packets carrying only the SYN flag could overwhelm network equipment and many servers and services. In recent years, however, the variety and types of DDoS attacks have been changing. While most traditional attacks are still active, primarily SYN floods and ICMP and UDP traffic, more and more application-layer traffic is emerging, primarily HTTP, HTTPS and DNS queries. We adopt the taxonomy in [1] and call these attacks application-layer DDoS (AL-DDoS). Because more tools are available to easily perpetrate DDoS attacks, and new types of criminal activity are being linked to DDoS attacks, two recent DDoS threat reports [2,3] show that the majority of DDoS attacks are becoming short in duration (e.g. over 90% of DDoS attacks lasted less than 30 minutes), that the attacks repeat frequently and in parallel, and that high-volume, high-rate DDoS attacks are on the upswing. As such, in order to thwart a DDoS attack, the detection of the event must be completed during the manifestation phase, in which the attack develops and reaches a threshold that compromises the availability of a legitimate service.

In order to detect a DDoS attack within a short time, our research drew on the experience of [4,5], who extracted rhythm patterns to represent the characteristics of short music clips. We selected features from the network layer (i.e. packet size and the inter-arrival time between consecutive packets) rather than IP addresses and other "informative" features. We explored a linear conversion of the two selected features and constructed rhythm matrices to represent the statistical characteristics of traffic clips.
The matrix has no implications for users' privacy, which is a benefit of using network-layer features. It not only depicts the distribution of hot content requested by users during a certain time period, through the packet-size information, but also characterizes the way users access the server, through the inter-arrival-time information. Furthermore, we observed that the rhythm matrix shows high similarity between traffic of the same kind and dissimilarity between traffic of different kinds from a given server. Therefore, with the help of the on-line machine learning algorithm Transductive Confidence Machines for K-Nearest Neighbors (TCM-KNN), malicious traffic can be dynamically checked against traffic flows crossing the network boundaries. The experimental results show that our approach could identify the traffic with high accuracy when a substantial part of the flows was produced by DDoS attack tools.

The main contributions of this paper are listed as follows:
· We defined a new gathered profile (named the rhythm matrix) from the network layer to describe legitimate traffic accurately. It has the advantage of distinguishing DDoS attack traffic from normal traffic.
· We exploited an on-line machine learning method with the rhythm matrix to discriminate in real time whether an AL-DDoS attack was happening. A simple modification of the method brings more flexibility to our system and significantly reduces the false positive rate while not increasing the detection time too much.
· A series of experiments were carried out on real network data sets to evaluate the effectiveness of the proposed technique in beating three modes of AL-DDoS attack.
· Two reconstructed data sets from public data sets were used to demonstrate that our method holds a very low false positive ratio in the case of flash crowds.
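As an added example that is not the paper's own code, the following Python sketch builds a rhythm matrix from packet sizes and inter-arrival times and runs a TCM-KNN check over constructed traffic clips. The 4x4 bin layout, the caps MAX_SIZE and MAX_IAT, the Euclidean distance between matrices and the synthetic clips are all assumptions, since the paper does not give its exact linear conversion here.

```python
import math, random

# Added illustration, not the paper's code; its exact linear conversion is not given, so
# here each feature is clipped and linearly scaled onto a fixed grid (an assumption).
SIZE_BINS, IAT_BINS = 4, 4
MAX_SIZE, MAX_IAT = 1500.0, 1.0  # bytes, seconds: assumed feature caps

def rhythm_matrix(packets):
    """packets: [(timestamp_s, size_bytes), ...]; returns the (size, IAT) histogram of
    consecutive packets, normalised to sum to 1."""
    m = [[0.0] * IAT_BINS for _ in range(SIZE_BINS)]
    pkts = sorted(packets)
    for (t0, _), (t1, size) in zip(pkts, pkts[1:]):
        r = min(int(size / MAX_SIZE * SIZE_BINS), SIZE_BINS - 1)
        c = min(int((t1 - t0) / MAX_IAT * IAT_BINS), IAT_BINS - 1)
        m[r][c] += 1
    n = max(len(pkts) - 1, 1)
    return [[v / n for v in row] for row in m]

def distance(a, b):  # Euclidean distance between two rhythm matrices
    return math.sqrt(sum((x - y) ** 2 for ra, rb in zip(a, b) for x, y in zip(ra, rb)))

def tcm_knn(train, x, k=2):
    """TCM-KNN: hypothesise each label for x, compute every example's strangeness (sum of
    k nearest same-label distances / sum of k nearest other-label distances) and x's
    p-value under that label. Returns (best_label, {label: p-value})."""
    pvals = {}
    for lab in sorted({l for _, l in train}):
        pool = train + [(x, lab)]
        alphas = []
        for i, (m, l) in enumerate(pool):
            rest = pool[:i] + pool[i + 1:]
            same = sorted(distance(m, o) for o, ol in rest if ol == l)[:k]
            diff = sorted(distance(m, o) for o, ol in rest if ol != l)[:k]
            alphas.append(sum(same) / (sum(diff) + 1e-9))
        pvals[lab] = sum(a >= alphas[-1] for a in alphas) / len(pool)
    return max(pvals, key=pvals.get), pvals

def make_clip(seed, n, sizes, iat_range):
    """Constructed synthetic clip (not real traffic): sizes from `sizes`, IATs uniform in iat_range."""
    rng, t, pkts = random.Random(seed), 0.0, []
    for _ in range(n):
        t += rng.uniform(*iat_range)
        pkts.append((t, rng.choice(sizes)))
    return pkts

NORMAL = dict(sizes=[64, 300, 800, 1400], iat_range=(0.05, 0.8))  # mixed sizes, human pacing
FLOOD = dict(sizes=[64, 80], iat_range=(0.001, 0.02))  # tiny, machine-paced requests
TRAIN = ([(rhythm_matrix(make_clip(s, 200, **NORMAL)), "normal") for s in range(4)] +
         [(rhythm_matrix(make_clip(s, 200, **FLOOD)), "attack") for s in range(4, 8)])
```

A new clip is labelled with `tcm_knn(TRAIN, rhythm_matrix(clip))`; the p-value of the losing label is what a deployment would threshold to trade false positives against detection time.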