Identifying Application-Layer DDoS Attacks Based on Request Rhythm Matrices

This article is free to access.

Abstract

Application-layer distributed denial of service (AL-DDoS) attacks are becoming critical threats to websites because the stealth of AL-DDoS attacks makes many intrusion prevention systems ineffective. To detect AL-DDoS attacks aimed at websites, we propose a novel statistical model called the RM (rhythm matrix). Although the original features from the network layer are adopted, the access trajectory, including requested objects and corresponding dwell-time values, can be abstracted and accumulated into an RM. With an RM, we can almost losslessly compress complex features into a simple structure and characterize the user access behavior. We detect AL-DDoS attacks according to the increase of the abnormality degree in the RM and further identify malicious hosts based on change-rate outliers. In the experiments, we simulate three modes of AL-DDoS attacks with the latest popular DDoS attack tools: LOIC and HOIC. The results show that our method can detect these simulated attacks and identify the malicious hosts accurately and efficiently. For an AL-DDoS detection method, the ability to distinguish flash crowds is indispensable. We also demonstrate the excellent performance of our approach in distinguishing flash crowds from AL-DDoS attacks with two reconstructed public datasets.

Cite

Lin, H., Cao, S., Wu, J., Cao, Z., & Wang, F. (2019). Identifying Application-Layer DDoS Attacks Based on Request Rhythm Matrices. IEEE Access, 7, 164480–164491. https://doi.org/10.1109/ACCESS.2019.2950820
