User Behavior Anomaly Detection for Application Layer DDoS Attacks

Title: User Behavior Anomaly Detection for Application Layer DDoS Attacks
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Najafabadi, M. M., Khoshgoftaar, T. M., Calvert, C., Kemp, C.
Conference Name: 2017 IEEE International Conference on Information Reuse and Integration (IRI)
Publisher: IEEE
ISBN Number: 978-1-5386-1562-1
Keywords: anomalous behavior instance detection, anomaly detection, application layer DDoS attacks, Browsers, composability, Computer crime, computer network security, Cyber Attacks, DDoS attack detection, distributed denial of service attacks, feature extraction, file servers, HTTP DDoS attacks, HTTP Web server logs, Human Behavior, Internet, legitimate application layer requests, Metrics, PCA, PCA-subspace, Penetration Testing, principal component analysis, principle component analysis, protocol characteristics, Protocols, pubcrawl, Resiliency, student resource portal, subspace anomaly detection method, user behavior anomaly detection method, Web servers, web services
Abstract

Distributed Denial of Service (DDoS) attacks are a popular and inexpensive form of cyber attacks. Application layer DDoS attacks utilize legitimate application layer requests to overwhelm a web server. These attacks are a major threat to Internet applications and web services. The main goal of these attacks is to make the services unavailable to legitimate users by overwhelming the resources on a web server. They look valid in connection and protocol characteristics, which makes them difficult to detect. In this paper, we propose a detection method for the application layer DDoS attacks, which is based on user behavior anomaly detection. We extract instances of user behaviors requesting resources from HTTP web server logs. We apply the Principal Component Analysis (PCA) subspace anomaly detection method for the detection of anomalous behavior instances. Web server logs from a web server hosting a student resource portal were collected as experimental data. We also generated nine different HTTP DDoS attacks through penetration testing. Our performance results on the collected data show that using PCA-subspace anomaly detection on user behavior data can detect application layer DDoS attacks, even if they are trying to mimic a normal user's behavior at some level.

URL: https://ieeexplore.ieee.org/document/8102932
DOI: 10.1109/IRI.2017.44
Citation Key: najafabadi_user_2017