
Detection of HTTP-GET Attack with Clustering and Information Theoretic Measurements

  • Conference paper
Foundations and Practice of Security (FPS 2012)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7743)


Abstract

One of the attacks observed against the HTTP protocol is the HTTP-GET attack, which uses sequences of requests to limit the accessibility of web servers. This attack has been researched in this report, and a novel, off-line clustering technique has been developed to tackle it. In general, the technique uses entropy-based clustering and information-theoretic measurements to distinguish between legitimate and attacking sequences.

It is shown that the introduced method allows the formation of recent patterns of behaviour observed at a web server, which remain unknown to the attackers. Subsequently, statistical and information-theoretic metrics are introduced to measure the difference between a sequence of requests and the legitimate patterns of behaviour. The method recognises more than 80% of legitimate and attacking sequences, regardless of the strategies chosen by attackers.

Keywords: HTTP-GET Attack, Information Theory, Clustering, Intrusion Detection.
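As an added illustration, not the paper's own algorithm (which the abstract does not specify): one way to score a request sequence against a legitimate pattern of behaviour with an information-theoretic measure, here the Kullback-Leibler divergence of a session's request-transition distribution from a profile built from legitimate sessions. The session data, the smoothing constant and the threshold are all constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample data (not from the paper): each session is the ordered
# list of resources one client requested from a small site.
LEGITIMATE_SESSIONS = [
    ["/", "/products", "/products/1", "/cart", "/checkout"],
    ["/", "/products", "/products/2", "/products/3", "/cart"],
    ["/", "/about", "/products", "/products/1"],
    ["/", "/products", "/cart", "/checkout"],
]
TEST_SESSIONS = {
    "normal": ["/", "/products", "/products/2", "/cart", "/checkout"],
    "repeat": ["/search"] * 6,  # a client hammering one resource
}

def transitions(session):
    """Consecutive request pairs: the pattern is the order of requests, not just their set."""
    return list(zip(session, session[1:]))

def profile(sessions):
    """Empirical distribution P of transitions over all legitimate sessions."""
    counts = Counter(t for s in sessions for t in transitions(s))
    total = sum(counts.values())
    return {t: c / total for t, c in counts.items()}

def entropy(dist):
    """Shannon entropy in bits; low entropy = a very predictable pattern."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def kl_divergence(session, legit, alpha=0.01):
    """D_KL(Q || P) with Q = the session's transition distribution and P = the
    legitimate profile. Transitions never seen in legitimate traffic get additive
    smoothing (assumed constant alpha) so the divergence stays finite."""
    q_counts = Counter(transitions(session))
    q_total = sum(q_counts.values())
    support = set(legit) | set(q_counts)
    p_norm = 1.0 + alpha * len(support)  # renormalise P after smoothing
    d = 0.0
    for t in support:
        q = q_counts[t] / q_total
        if q == 0:
            continue  # 0 * log(0/p) contributes nothing
        p = (legit.get(t, 0.0) + alpha) / p_norm
        d += q * math.log2(q / p)
    return d

def classify(session, legit, threshold=3.0):
    """Flag a session whose behaviour diverges from the legitimate profile (threshold assumed)."""
    return "attack" if kl_divergence(session, legit) > threshold else "legitimate"
```

The repetitive session scores about 6.8 bits against the profile while the normal one scores about 1.9; in practice the threshold would be chosen from the distribution of scores on held-out legitimate traffic.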



© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Chwalinski, P., Belavkin, R., Cheng, X. (2013). Detection of HTTP-GET Attack with Clustering and Information Theoretic Measurements. In: Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Miri, A., Tawbi, N. (eds) Foundations and Practice of Security. FPS 2012. Lecture Notes in Computer Science, vol 7743. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37119-6_4

  • DOI: https://doi.org/10.1007/978-3-642-37119-6_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-37118-9

  • Online ISBN: 978-3-642-37119-6
