Distributed denial of service (DDoS) attacks are ever threatening to the developers and users of the Internet. DDoS attacks targeted at the application layer are especially difficult to be detected since they mimic the legitimate users' requests. The situation becomes more serious when they occur during flash events. A more sophisticated algorithm is required to detect such attacks during a flash crowd. A few existing works make use of flow similarity for differentiating flash crowds and DDoS, but flow characteristics alone cannot be used for effective detection. In this paper, we propose a novel mechanism for discriminating DDoS and flash crowds based on the combination of the parameters reflecting their behavioral differences. Flow similarity, client legitimacy, and web page requested are identified as the principal parameters and are used together for effective discrimination. The proposed mechanism is implemented on resilient proxies in order to protect the server from direct flooding and to improve the overall performance. The real datasets are used for simulation, and the results are presented to evaluate the performance of the proposed system. The results show that the proposed mechanism does effective detection with fewer false positives and false negatives.
SARAVANAN, RENUKADEVI; SHANMUGANATHAN, SARASWATHI; and PALANICHAMY, YOGESH
"Behavior-based detection of application layer distributed denial of service attacks during flash events,"
Turkish Journal of Electrical Engineering and Computer Sciences: Vol. 24:
2, Article 13.
Available at: https://journals.tubitak.gov.tr/elektrik/vol24/iss2/13