User Behavior Anomaly Detection for Application Layer DDoS Attacks
Title | User Behavior Anomaly Detection for Application Layer DDoS Attacks |
Publication Type | Conference Paper |
Year of Publication | 2017 |
Authors | Najafabadi, M. M., Khoshgoftaar, T. M., Calvert, C., Kemp, C. |
Conference Name | 2017 IEEE International Conference on Information Reuse and Integration (IRI) |
Publisher | IEEE |
ISBN Number | 978-1-5386-1562-1 |
Keywords | anomalous behavior instance detection, anomaly detection, application layer DDoS attacks, Browsers, composability, Computer crime, computer network security, Cyber Attacks, DDoS attack detection, distributed denial of service attacks, feature extraction, file servers, HTTP DDoS attacks, HTTP Web server logs, Human Behavior, Internet, legitimate application layer requests, Metrics, PCA, PCA-subspace, Penetration Testing, principal component analysis, principle component analysis, protocol characteristics, Protocols, pubcrawl, Resiliency, student resource portal, subspace anomaly detection method, user behavior anomaly detection method, Web servers, web services |
Abstract | Distributed Denial of Service (DDoS) attacks are a popular and inexpensive form of cyber attacks. Application layer DDoS attacks utilize legitimate application layer requests to overwhelm a web server. These attacks are a major threat to Internet applications and web services. The main goal of these attacks is to make the services unavailable to legitimate users by overwhelming the resources on a web server. They look valid in connection and protocol characteristics, which makes them difficult to detect. In this paper, we propose a detection method for the application layer DDoS attacks, which is based on user behavior anomaly detection. We extract instances of user behaviors requesting resources from HTTP web server logs. We apply the Principal Component Analysis (PCA) subspace anomaly detection method for the detection of anomalous behavior instances. Web server logs from a web server hosting a student resource portal were collected as experimental data. We also generated nine different HTTP DDoS attacks through penetration testing. Our performance results on the collected data show that using PCA-subspace anomaly detection on user behavior data can detect application layer DDoS attacks, even if they are trying to mimic a normal user's behavior at some level. |
URL | https://ieeexplore.ieee.org/document/8102932 |
DOI | 10.1109/IRI.2017.44 |
Citation Key | najafabadi_user_2017 |