Application Layer DDoS Defense Model Based On User Loyalty

Distributed Denial of Service attack is one of the most serious security issues faced by the Internet. In recent years, with the emerging Web services, DDoS attacks began to turn from the underlying layer to the application layer. Application layer DDoS(Application DDoS, App-DDoS) attacks become more frequent, and the impact is growing.The requests, which the attackers in the App-DDoS attack send, are legitimate requests as well as in the underlying layer. Therefore, the traditional method of defense is not valid to App-DDoS attacks. At the application layer, the clients always send a small number of messages which can consume many resources by doing large number of computation. Therefore App-DDoS attacks are more aggressive. In summary, it’s more urgent to find effective defensive methods for App-DDoS attacks.In the App-DDoS attack, the main difference between the attackers and the normal user is the purpose of accessing. In order to achieve the purpose of consuming the server’s resources, the attackers will change their behavior. So, the attackers are different from the normal users in their behavior. In this article, we will detect the App-DDoS attack by analyzing the user’s behavior.For the application-layer DDoS attacks, firstly, we extract the requested rate and the load ratio of the requests to detect user behavior. Secondly, we presents the concept of the user loyalty that represents a comprehensive assessment of the user behavior and propose an effective methods to assess the loyalty. When we evaluate the loyalty, we not only consider the user’s behavior among the process of the access, but also with the user’s historical behavior. Therefore, we can conduct a more accurate assessment of the user’s behavior. We give every new user a low initial loyalty value and make the loyalty increase slowly and decrease quickly, which can make the attacks always have lower values of loyalty and the normal users always have higher values of loyalty. This method of loyalty assessment can improve the attack detection rate and reduce the false alarm rate effectively. Thirdly, in order to statistic the user’s history behavior, we propose detection and filtering by the client. We use Cookie technology to identify the client, then we will detect attack by assessing whether the host is attacking host. In this way, the attackers can’t discard the old identity easily, we can statistic the host’s history behavior better. Finally, for the App-DDoS attacks, we designed and implemented the ULDM defense model based on the user loyalty. In this model, we assess whether the host is attacking host by calculating the host’s user loyalty. Experiments show that the defense model can detect and filter App-DDoS attacks effectively, and has a high detection rate and low false detection rate.