Abstract
One of the attacks observed against the HTTP protocol is the HTTP-GET attack, which uses sequences of requests to limit the accessibility of web servers. This attack is studied in this work, and a novel, off-line clustering technique is developed to tackle it. In general, the technique uses entropy-based clustering and information-theoretic measurements to distinguish between legitimate and attacking sequences.
It is shown that the introduced method allows the formation of recent patterns of behaviour observed at a web server, which remain unknown to the attackers. Subsequently, statistical and information-theoretic metrics are introduced to measure the difference between a sequence of requests and the legitimate patterns of behaviour. The method recognises more than 80% of legitimate and attacking sequences, regardless of the strategies chosen by the attackers.
Keywords: HTTP-GET Attack, Information Theory, Clustering, Intrusion Detection.
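The abstract describes scoring a request sequence by its information-theoretic distance from a learned legitimate pattern. The following is an added illustration, not the authors' code: it assumes Kullback-Leibler divergence over smoothed request-frequency distributions as the metric, and all sessions, URLs and the threshold rule are constructed here.

```python
import math
from collections import Counter

OTHER = "<other>"  # bucket for any request not seen in the legitimate pattern

# Constructed sample sessions (page identifiers), standing in for one cluster
# of legitimate behaviour learned from past web server logs.
LEGIT_SESSIONS = [
    ["/", "/login", "/account", "/orders", "/logout"],
    ["/", "/products", "/products/42", "/cart", "/checkout"],
    ["/", "/products", "/products/7", "/products/42", "/cart"],
    ["/", "/search", "/products/7", "/cart", "/checkout"],
]

def smoothed_distribution(sequence, vocab, alpha=0.5):
    """Additively smoothed request-frequency distribution over vocab + OTHER,
    so the KL divergence stays finite for requests the pattern never saw."""
    counts = Counter(r if r in vocab else OTHER for r in sequence)
    support = sorted(vocab) + [OTHER]
    total = len(sequence) + alpha * len(support)
    return {r: (counts[r] + alpha) / total for r in support}

def entropy(dist):
    """Shannon entropy of a distribution, in bits."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def kl_divergence(p, q):
    """D_KL(p || q) in bits; both dicts must share the same support."""
    return sum(p[x] * math.log2(p[x] / q[x]) for x in p if p[x] > 0)

def build_pattern(sessions):
    """Vocabulary and reference distribution of a legitimate-behaviour cluster."""
    vocab = {r for s in sessions for r in s}
    return vocab, smoothed_distribution([r for s in sessions for r in s], vocab)

def divergence_score(sequence, vocab, pattern):
    return kl_divergence(smoothed_distribution(sequence, vocab), pattern)

def calibrate_threshold(sessions, vocab, pattern, margin=2.0):
    """Largest score any known-legitimate session gets, times a safety margin
    (assumed rule; the paper's own threshold selection is not on this page)."""
    return margin * max(divergence_score(s, vocab, pattern) for s in sessions)

def classify(sequence, vocab, pattern, threshold):
    return "attack" if divergence_score(sequence, vocab, pattern) > threshold else "legitimate"

if __name__ == "__main__":
    vocab, pattern = build_pattern(LEGIT_SESSIONS)
    thr = calibrate_threshold(LEGIT_SESSIONS, vocab, pattern)
    flood = ["/checkout"] * 30                   # constructed: one URL hammered repeatedly
    unknown = [f"/p{i}" for i in range(30)]      # constructed: URLs outside the pattern
    for name, seq in [("browsing", LEGIT_SESSIONS[1]), ("flood", flood), ("unknown", unknown)]:
        d = smoothed_distribution(seq, vocab)
        print(name, round(entropy(d), 2), round(divergence_score(seq, vocab, pattern), 3),
              classify(seq, vocab, pattern, thr))
```

Sequences that follow the learned pattern score close to zero, while a single hammered URL or a walk over pages the pattern never saw diverge sharply and cross the calibrated threshold.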
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Chwalinski, P., Belavkin, R., Cheng, X. (2013). Detection of HTTP-GET Attack with Clustering and Information Theoretic Measurements. In: Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Miri, A., Tawbi, N. (eds) Foundations and Practice of Security. FPS 2012. Lecture Notes in Computer Science, vol 7743. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37119-6_4
DOI: https://doi.org/10.1007/978-3-642-37119-6_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-37118-9
Online ISBN: 978-3-642-37119-6