A Novel Model for Detecting Application Layer DDoS Attacks

Countering distributed denial of service (DDoS) attacks is becoming ever more challenging with the vast resources and techniques increasingly available to attackers. DDoS attacks are typically carried out at the network layer. However, there is evidence to suggest that application layer DDoS attacks can be more effective than the traditional ones. In this paper, we consider sophisticated attacks that utilize legitimate application layer HTTP requests from legitimately connected network machines to overwhelm Web server. Since the attack signature of each application layer DDoS is represented in abnormal user behavior, we propose a counter-mechanism based on Web user browsing behavior to protect the servers from these attacks. In contrast to prior works, we explore hidden semi-Markov model to describe the browsing behaviors of Web users and apply it to implement the anomaly detection for the application layer DDoS attacks which simulate the Web request behaviors of browser and use HTTP requests to launch attacks. By conducting an experiment with a real traffic data, the model shows that it is effective in measuring the user behaviors and detecting the application layer DDoS attacks