
Research On Detection And Defense Methods For Slow HTTP Denial Of Service Attack On Application Layer

Posted on: 2019-03-07
Degree: Master
Type: Thesis
Country: China
Candidate: S Q Deng
GTID: 2348330542998724
Subject: Information security

Abstract/Summary:
In recent years, an application-layer attack called Slow HTTP Denial of Service (SHDoS) has emerged as a variant of the Low-rate Denial of Service (LDoS) attack. However, LDoS detection methods based on TCP traffic statistical features or on maximum entropy estimation perform worse when applied to SHDoS, and other detection methods such as packet signatures are not able to detect it. Research on detection and defense methods for SHDoS therefore has considerable significance and practical value. To detect and defend against SHDoS attacks effectively, this paper proposes two detection algorithms and a defense model, built on improvements to existing research and verified experimentally. The specific work is as follows:

(1) Existing detection algorithms based on Discrete Fourier Transform (DFT) spectrum analysis (hereinafter referred to as the DFT algorithm) suffer from high false positives, because the Fourier Transform is better suited to analyzing stationary signals than non-stationary signals (attack signals, etc.). To address this, this paper proposes a detection method for SHDoS based on Short-Time Fourier Transform (STFT) spectrum analysis (hereinafter referred to as the RTFA algorithm), drawing on the current achievements of the DFT algorithm and the attack's characteristics in the time domain. The RTFA algorithm extracts the client's behavior from the Web server's logs as a signal sequence, using a certain sampling rate and rule, and takes the ratio of time-frequency amplitude sums calculated in the STFT spectrum of that signal sequence as the detection feature. For the duration of an SHDoS attack, the ratio of the time-frequency amplitude sum in pre-time to that in mid-time at the frequency-band edge (Ratio of Time-Frequency Amplitude in Frequency-band, RTFA-F) is relatively stable. It does not vary with the attack rate, and it is significantly higher than the value calculated under normal load conditions. The simulation results show that SHDoS attacks can be detected effectively by using the experimental data of RTFA-F as the detection threshold. Furthermore, during the attack period of each sub-type of SHDoS, the ratio of the time-frequency amplitude sum in the later period of time to that of the total time (Ratio of Time-Frequency Amplitude in Time-domain, RTFA-T) shows a certain difference, and its value is also relatively stable. The experiment shows that by using the experimental data of this feature as another detection threshold, each sub-type of SHDoS can be further identified effectively.

(2) The RTFA algorithm is time-consuming in log extraction and detection-threshold calculation, and its detection effect is not ideal when there is a strong demand for real-time detection. To serve scenarios where the demand for real-time detection is high, this paper proposes a detection algorithm for SHDoS based on HTTP request checking (hereinafter referred to as the RC algorithm), which builds on the existing TCP persistent connection length detection algorithm (hereinafter referred to as the TC algorithm) and combines it with the unique features of the attack at the application layer. The experimental results show that the RC algorithm is able to detect SHDoS sub-type attacks in real time, but its detection rate is lower than that of the RTFA algorithm (a difference of up to 12.40%).

(3) Existing defense methods need to be configured manually, and their parameter thresholds are not easy to control. To address this, this paper proposes a defense model called the SDN-based traffic control defense model (hereinafter referred to as the SDN-FC model). The main idea of the SDN-FC model is that the SHDoS defense algorithm (hereinafter referred to as SHDoS-DA) is deployed in the central controller of the SDN. When the Web server informs SHDoS-DA that there are suspected attack requests, that is, when the detection algorithm deployed on the Web server detects SHDoS attacks, SHDoS-DA is allowed to block the incoming network traffic from the suspected client after applying for a flow-rule update. The simulation results show that multipoint SHDoS can be effectively resisted by deploying the SDN-FC model.
Keywords/Search Tags: SHDoS, STFT spectrum, HTTP request checking, SDN, flow control