HTTP-SoLDiER: An HTTP-flooding attack detection scheme with the large deviation principle (cited by: 3)


Authors: WANG Jin, YANG XiaoLong, ZHANG Min, LONG KePing, XU Jie

Affiliations: [1] Research Center for Optical Internet and Mobile Information Network, University of Electronic Science and Technology of China; [2] Network Center of Chengdu University; [3] School of Computer and Communications Engineering, University of Science and Technology Beijing

Source: Science China (Information Sciences) [English edition of 中国科学(信息科学)], 2014, Issue 10, pp. 1-15 (15 pages)

Funding: supported by the National Basic Research Program of China (Grant No. 2012CB315905); National Natural Science Foundation of China (Grant Nos. 60932005, 61172048, 61100184, 61201128); National High-tech R&D Program (Grant No. 2013AA01A209); Fundamental Research Funds for the Central Universities (Grant No. ZYGX2011J007)

Abstract: The HTTP-flooding attack is a much stealthier form of distributed denial of service (DDoS) attack, and it seriously challenges the survivability of web services. Observing web access behavior, we find that the surfing preference of normal users is much more consistent with webpage popularity than that of malicious users. Based on this observation, this paper proposes a novel detection scheme for HTTP-flooding, HTTP-SoLDiER. Specifically, HTTP-SoLDiER first quantifies the consistency between a web user's surfing preference and the webpage popularity using the large-deviation principle. Then HTTP-SoLDiER distinguishes malicious users from normal ones according to the large-deviation probability. In practice, the webpage popularity plays a key role in the attack detection of HTTP-SoLDiER. Because webpage content is updated continually and attackers disturb the access statistics, the webpage popularity often varies over time. Thus, it is critical for HTTP-SoLDiER to update the webpage popularity dynamically. We design a reversible exponentially weighted moving average (EWMA) algorithm to solve this problem. Finally, we evaluate the effectiveness of the scheme in terms of true positive (TP) and false positive (FP) probabilities with NS-3 simulations. The simulation results show that HTTP-SoLDiER can detect all random HTTP-flooding attackers and most of the perfect-knowledge HTTP-flooding attackers with a low false positive rate.
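The abstract describes two mechanisms: scoring a client's page-request distribution against the site-wide popularity with a large-deviation probability, and maintaining that popularity with a reversible EWMA so that requests later judged malicious can be withdrawn from the estimate. The following is an added, illustrative Python re-implementation of that detection idea, not code from the paper or its authors. It assumes the consistency measure is the Kullback-Leibler divergence D(Q||P) between a client's empirical distribution Q and the popularity P, that the large-deviation probability is the Sanov-type estimate exp(-n * D(Q||P)), and that "reversible" means one EWMA step can be undone and re-applied without the flagged requests; the page set, popularity vector, smoothing parameter, threshold and sample request logs are all constructed for the example.

```python
"""
Illustrative large-deviation HTTP-flooding detector (not the paper's code).

Assumed modelling choices (see lead-in): KL divergence as the consistency
score, exp(-n * D(Q||P)) as the large-deviation probability, and a
reversible EWMA step for the popularity vector.
"""
import math
from collections import Counter

# Constructed site: five pages and an assumed current popularity vector P.
PAGES = ["/", "/news", "/about", "/search", "/archive"]
POPULARITY = [0.50, 0.25, 0.15, 0.07, 0.03]
EPS = 1e-6          # floor so an unpopular page does not yield an infinite score
ALPHA = 0.2         # assumed EWMA weight
THRESHOLD = 1e-3    # assumed cut-off on the large-deviation probability


def page_counts(requests):
    """Count requests per known page (paths outside PAGES are ignored)."""
    c = Counter(requests)
    return [c[p] for p in PAGES]


def empirical_distribution(counts):
    """Turn per-page counts into the client's empirical distribution Q."""
    n = sum(counts)
    return [k / n for k in counts] if n else [0.0] * len(counts)


def kl_divergence(q, p):
    """D(Q||P) in nats; pages the client never requested contribute 0."""
    return sum(qi * math.log(qi / max(pi, EPS)) for qi, pi in zip(q, p) if qi > 0)


def large_deviation_probability(requests, popularity):
    """Sanov-style estimate: Pr[empirical dist = Q] ~ exp(-n * D(Q||P))."""
    counts = page_counts(requests)
    n = sum(counts)
    return math.exp(-n * kl_divergence(empirical_distribution(counts), popularity))


def is_flooder(requests, popularity, threshold=THRESHOLD):
    """Flag a client whose surfing preference is too improbable under P."""
    return large_deviation_probability(requests, popularity) < threshold


def ewma_update(popularity, window_requests, alpha=ALPHA):
    """One EWMA step: P_new = (1 - alpha) * P_old + alpha * Q_window."""
    q = empirical_distribution(page_counts(window_requests))
    return [(1 - alpha) * p + alpha * qi for p, qi in zip(popularity, q)]


def ewma_revert(popularity_new, window_requests, alpha=ALPHA):
    """Undo one EWMA step, recovering P_old from P_new and the window's Q."""
    q = empirical_distribution(page_counts(window_requests))
    return [(pn - alpha * qi) / (1 - alpha) for pn, qi in zip(popularity_new, q)]


def ewma_update_excluding(popularity_new, window_requests, flagged_requests, alpha=ALPHA):
    """Revert the last step, drop the flagged client's requests, re-apply."""
    old = ewma_revert(popularity_new, window_requests, alpha)
    clean = list((Counter(window_requests) - Counter(flagged_requests)).elements())
    return ewma_update(old, clean, alpha)


# Constructed request logs for one observation window.
NORMAL_CLIENT = ["/"] * 10 + ["/news"] * 5 + ["/about"] * 3 + ["/search"] + ["/archive"]
RANDOM_FLOODER = [p for p in PAGES for _ in range(20)]   # uniform over all pages


def demo():
    """Score both clients, then update popularity without the flooder's traffic."""
    verdicts = {"normal": is_flooder(NORMAL_CLIENT, POPULARITY),
                "flooder": is_flooder(RANDOM_FLOODER, POPULARITY)}
    window = NORMAL_CLIENT + RANDOM_FLOODER
    tainted = ewma_update(POPULARITY, window)           # naive step includes the flood
    corrected = ewma_update_excluding(tainted, window, RANDOM_FLOODER)
    return verdicts, tainted, corrected


if __name__ == "__main__":
    v, tainted, corrected = demo()
    print("verdicts:", v)
    print("popularity after naive EWMA:    ", [round(x, 3) for x in tainted])
    print("popularity after reversible fix:", [round(x, 3) for x in corrected])
```

A client that mirrors P exactly has D(Q||P) = 0 and is never flagged, which is the limit the abstract acknowledges for perfect-knowledge attackers; a uniform random flooder, by contrast, receives a large-deviation probability many orders of magnitude below any sensible threshold.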

Keywords: IP network; distributed denial of service (DDoS); the large deviation principle; exponentially weighted moving average; NS-3

Classification: TP393.08 [Automation and computer technology: computer application technology]
