Abstract
With the rapid growth in the number of Web services, the application-layer DDoS attack problem has become increasingly serious. User behavior at the application layer is often closely related to DDoS attacks, so abnormal user behavior can be analyzed to identify and discover DDoS attacks at an early stage. First, feature vectors describing user behavior are extracted using information entropy. The degree of deviation between the feature vector describing normal user behavior and the one describing current user behavior is then obtained by calculating the generalized Jaccard similarity of the two vectors. If the deviation exceeds the threshold we set, the current user behavior is judged to be abnormal. Based on this detection process, we construct an application-layer DDoS attack detection system based on user behavior anomaly detection. We also test the function and performance of the system using an actual network data set. The test results indicate that the system describes user behavior well and detects DDoS attacks effectively.
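The pipeline the abstract describes (entropy features, generalized Jaccard similarity against a normal baseline, threshold test) can be sketched as follows; this is an added example, not the authors' code. The three request fields used as features, the 0.3 threshold and the sample windows are assumptions constructed for illustration, since the abstract specifies none of them.

```python
import math
from collections import Counter

FIELDS = ("client", "url", "agent")  # assumed features; the abstract names none
THRESHOLD = 0.3                      # assumed value; the paper's threshold is not given here

def entropy(values):
    """Shannon entropy in bits of the empirical distribution of values."""
    counts = Counter(values)
    total = sum(counts.values())
    return sum(c / total * math.log2(total / c) for c in counts.values())

def feature_vector(window):
    """One entropy per field, computed over a window of request records."""
    return [entropy([r[f] for r in window]) for f in FIELDS]

def generalized_jaccard(x, y):
    """sum(min(x_i, y_i)) / sum(max(x_i, y_i)) for non-negative vectors."""
    den = sum(max(a, b) for a, b in zip(x, y))
    return 1.0 if den == 0 else sum(min(a, b) for a, b in zip(x, y)) / den

def deviation(baseline, current):
    """Deviation degree: 0 for identical behavior, approaching 1 as it diverges."""
    return 1.0 - generalized_jaccard(baseline, current)

def is_abnormal(baseline, current, threshold=THRESHOLD):
    return deviation(baseline, current) > threshold

def make_window(clients, per_client):
    """Constructed benign traffic: each client browses several pages."""
    return [{"client": f"10.0.0.{c}", "url": f"/page/{(c + k) % 8}",
             "agent": f"UA-{c % 4}"}
            for c in range(clients) for k in range(per_client)]

# Constructed sample windows, not real traffic.
TRAINING = make_window(8, 4)   # defines the normal-behavior baseline
QUIET = make_window(6, 4)      # a later benign window with fewer users
# Benign traffic plus many sources repeating one URL with one agent string.
FLOOD = TRAINING + [{"client": f"198.51.100.{b}", "url": "/login",
                     "agent": "UA-bot"} for b in range(24) for _ in range(4)]

if __name__ == "__main__":
    base = feature_vector(TRAINING)
    for name, window in (("quiet", QUIET), ("flood", FLOOD)):
        vec = feature_vector(window)
        print(name, [round(v, 3) for v in vec],
              round(deviation(base, vec), 3), is_abnormal(base, vec))
```

In the flood window the client entropy rises while the URL and agent entropies collapse, so the vector moves away from the baseline in both directions and the similarity drops even though benign requests are still present.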
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Li, B., Gao, M., Ma, L., Liang, Y., Chen, G. (2019). Web Application-Layer DDoS Attack Detection Based on Generalized Jaccard Similarity and Information Entropy. In: Sun, X., Pan, Z., Bertino, E. (eds) Artificial Intelligence and Security. ICAIS 2019. Lecture Notes in Computer Science, vol 11634. Springer, Cham. https://doi.org/10.1007/978-3-030-24271-8_51
DOI: https://doi.org/10.1007/978-3-030-24271-8_51
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-24270-1
Online ISBN: 978-3-030-24271-8
eBook Packages: Computer Science, Computer Science (R0)