Use of access characteristics to distinguish legitimate user traffic from DDoS attack traffic

  • Original Article
  • Artificial Life and Robotics

Abstract

Distributed denial of service attacks are a serious threat in the current information society, where the Internet plays an important role as infrastructure. We have been studying ways to mitigate these attacks using a method that distinguishes between legitimate users and attacks. Our previous method was not sufficient because it only analyzed access logs after the attack. In this study, we propose a new method that can distinguish between legitimate users and attacks while the services are running. When the IDS detects an attack, a quarantine server distinguishes legitimate users using access characteristics. The access characteristics are: (1) user follows links, (2) sender accessed a popular page, and (3) the sender’s current average transmission interval. Our experiments confirmed that the proposed method can distinguish between legitimate users and attacks.
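The three access characteristics listed in the abstract can be computed per sender from request records. The sketch below is an added illustration, not code from the paper. The site link map, the popular-page set, the interval threshold, the rule that all three characteristics must hold, and the log entries are all assumptions constructed for the example; the abstract does not state how the authors combine the characteristics.

```python
from collections import defaultdict

# All values below are constructed for illustration, not taken from the paper.
LINKS = {"/": {"/news", "/products"}, "/news": {"/news/1"},
         "/products": {"/products/a"}}      # page -> pages it links to
POPULAR = {"/", "/news"}                    # pages assumed popular before the attack
MIN_AVG_INTERVAL = 1.0                      # seconds between requests (assumed threshold)

LOG = [  # (timestamp in seconds, sender, requested path)
    (0.0, "198.51.100.7", "/"), (4.0, "198.51.100.7", "/news"),
    (11.0, "198.51.100.7", "/news/1"),
    (0.0, "203.0.113.9", "/products/a"), (0.1, "203.0.113.9", "/products/a"),
    (0.2, "203.0.113.9", "/products/a"), (0.3, "203.0.113.9", "/products/a"),
    (0.0, "203.0.113.10", "/"), (0.05, "203.0.113.10", "/"),
    (0.1, "203.0.113.10", "/"),
    (3.0, "192.0.2.44", "/"),
]

def access_characteristics(log):
    """Return {sender: (follows_links, hit_popular, avg_interval)}."""
    by_sender = defaultdict(list)
    for ts, sender, path in sorted(log):
        by_sender[sender].append((ts, path))
    result = {}
    for sender, reqs in by_sender.items():
        seen, followed = set(), 0
        for _, path in reqs:
            # (1) the request is reachable by a link on a page already fetched
            if any(path in LINKS.get(prev, ()) for prev in seen):
                followed += 1
            seen.add(path)
        steps = len(reqs) - 1
        follows_links = steps > 0 and followed == steps
        hit_popular = bool(seen & POPULAR)                            # (2)
        avg = (reqs[-1][0] - reqs[0][0]) / steps if steps else None   # (3)
        result[sender] = (follows_links, hit_popular, avg)
    return result

def classify(log):
    """Assumed rule: legitimate only if all three characteristics hold."""
    verdicts = {}
    for sender, (follows, popular, avg) in access_characteristics(log).items():
        if avg is None:
            verdicts[sender] = "undecided"   # one request: no interval yet
        elif follows and popular and avg >= MIN_AVG_INTERVAL:
            verdicts[sender] = "legitimate"
        else:
            verdicts[sender] = "attack"
    return verdicts
```

The sender 203.0.113.10 requests a popular page but neither follows links nor keeps a human-scale interval, which shows why a single characteristic alone does not separate the two classes.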



Acknowledgements

This work was supported by JSPS KAKENHI Grant numbers JP17H01736, JP17K00139, JP18K11268.

Author information

Corresponding author

Correspondence to Kentaro Aburada.

Additional information

This work was presented in part at the 23rd International Symposium on Artificial Life and Robotics, Beppu, Oita, January 18–20, 2018.

About this article

Cite this article

Aburada, K., Arikawa, Y., Usuzaki, S. et al. Use of access characteristics to distinguish legitimate user traffic from DDoS attack traffic. Artif Life Robotics 24, 318–323 (2019). https://doi.org/10.1007/s10015-019-00527-z
