| With the development of the Internet, distributed denial of service (DDoS) attacks have gradually become a major threat to network security. Attackers control a large number of compromised hosts that cooperatively send large volumes of malicious packets, similar to normal requests, to a target server. The bandwidth of the target network and the resources of the target system are thus exhausted almost instantly, and the target server finally denies service. In recent years, the most prevalent attack has been the HTTP-based application layer DDoS attack. It uses an application layer protocol to attack a web service. There is no difference between normal traffic and attack traffic in terms of flow characteristics and packet characteristics, so it is more difficult to detect than other DDoS attacks. Due to its simple operation, low cost and good attack effect, it has gradually become one of the most popular attacks. At present, the academic community has proposed a large number of approaches for detecting DDoS attacks. These mechanisms can be categorized as statistical methods and machine learning methods. For HTTP-based application layer DDoS attacks, we propose a real-time detection method that draws on both statistics and machine learning. We also design a four-phase detection process consisting of data statistics, preliminary detection, deep detection, and defense. The preliminary detection phase uses information entropy to detect the attack window. The deep detection phase then divides the data in each attack window into samples, uses a machine learning model to classify the samples as normal or attack, and finally marks suspicious clients. This paper selects different sample standards and features for the two different detection stages, which greatly improves the detection accuracy. In addition, this paper also provides an effective cleaning strategy. On the one hand, this method reduces the huge computational overhead of using the machine learning classification algorithm directly for detection. On the other hand, it
improves the adaptability, scalability and accuracy compared with a detection system based on statistics only. We validate the reliability and availability of the detection method using a simulated dataset and a cloud platform dataset. In the preliminary detection process, we compare two kinds of information entropy. We also compare three machine learning binary classification algorithms in the deep detection process, and analyze the real-time performance of each algorithm. Experiments show that Shannon entropy performs better than Renyi entropy, and that random forest and decision tree are more suitable for real-time detection. On each dataset, the method achieves an attack detection rate higher than 98.5% and a false alarm rate less than 0.5%. |
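As an added illustration of the statistics and preliminary detection phases described above (example code written for this page, not the paper's own implementation), the following computes Shannon and Rényi (α = 2) entropy of the source-IP distribution per time window over a constructed request log and flags low-entropy windows; the window size, the entropy threshold and the per-client share rule that stands in for the paper's trained classifier are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log: (timestamp in seconds, client IP) per HTTP request.
# Seconds 0-9: eight ordinary clients. Seconds 10-19: the same clients plus
# one host sending 20 requests per second, the shape of an HTTP flood.
REQUESTS = [(t, f"10.0.0.{t % 8 + 1}") for t in range(20)]
REQUESTS += [(t, "203.0.113.5") for t in range(10, 20) for _ in range(20)]


def shannon_entropy(counts):
    """H = -sum p*log2(p) over the per-client request counts of one window."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def renyi_entropy(counts, alpha=2.0):
    """H_alpha = log2(sum p^alpha) / (1 - alpha); alpha=2 is collision entropy."""
    total = sum(counts.values())
    return math.log2(sum((c / total) ** alpha for c in counts.values())) / (1 - alpha)


def window_client_counts(requests, window_size):
    """Phase 1 (data statistics): per-window request counts per client."""
    windows = defaultdict(Counter)
    for ts, client in requests:
        windows[ts // window_size][client] += 1
    return dict(windows)


def detect_attack_windows(requests, window_size=10, threshold=1.0, entropy=shannon_entropy):
    """Phase 2 (preliminary detection): a window whose source-IP entropy falls
    below the threshold (assumed value) is an attack window.
    Returns {window_id: entropy} for flagged windows only."""
    stats = window_client_counts(requests, window_size)
    return {w: entropy(c) for w, c in stats.items() if entropy(c) < threshold}


def suspicious_clients(requests, window_size=10, share=0.5):
    """Phase 3 stand-in: inside each attack window, mark clients that hold more
    than `share` of the requests. The paper trains a classifier on per-sample
    features here; this share rule is an assumption to keep the example self-contained."""
    stats = window_client_counts(requests, window_size)
    marked = set()
    for w in detect_attack_windows(requests, window_size):
        total = sum(stats[w].values())
        marked |= {ip for ip, c in stats[w].items() if c / total > share}
    return marked


if __name__ == "__main__":
    for w, counts in sorted(window_client_counts(REQUESTS, 10).items()):
        print(f"window {w}: shannon={shannon_entropy(counts):.3f} renyi2={renyi_entropy(counts):.3f}")
    print("attack windows:", detect_attack_windows(REQUESTS))
    print("suspicious clients:", suspicious_clients(REQUESTS))
```

On this sample the normal window scores about 2.92 bits (Shannon) while the flood window drops to about 0.42 bits, and Rényi α = 2 falls even more sharply, which is the kind of contrast the paper's entropy comparison is about.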