Diagnosing the start of a slow HTTP DDoS attack based on two-parameter traffic correlation analysis
DOI: 10.31673/2412-4338.2021.042840
Abstract
The article investigates the problem of detecting slow DDoS attacks based on network traffic analysis. Detecting a slow HTTP attack is a significant challenge because the attacker's behavior can mimic that of a legitimate user with slow resources. The authors propose a four-zone attack detection architecture based on the analysis of two parameters: the number of connections to the server and the average client response delay time. A technique for detecting slow DDoS attacks based on correlation analysis and parameter forecasting is proposed. The authors' approach uses an original two-parameter correlation analysis model based on the number of connections and the average real delay in the network. An algorithm for detecting a slow DDoS attack based on the prediction of these two parameters has been developed; the parameters are used both for analysis and for short-term prediction of traffic behavior. The forecasting algorithm calculates the posterior trajectory of the time series from a priori statistical observations. Predicting user behavior parameters allows early detection of slow DDoS attacks by means of an algorithm that searches for unknown future values of the parameter time series. Using the relative values of these two parameters, NC and ARNL, as prediction inputs makes it possible to build a flexible recognition system adapted to the specifics of a particular system. The two-parameter prediction-based algorithm for detecting slow DDoS attacks was simulated and its effectiveness evaluated. The proposed method combines artificial intelligence and statistical analysis and uses a self-learning algorithm given sufficient attack statistics. Experimental results show that the method is suitable for early detection of attacks such as Slow HTTP Headers, Slow HTTP Body and Slow HTTP Read.
Simulation of traffic parameters confirms the method's ability to detect slow attacks at different time intervals, since the accuracy of the forecast depends on the timeliness of the observations. With sufficient statistics of observations, the deviation of the forecast curve can be less than 5%.
Keywords: slow HTTP DDOS attack, user behavior, correlation analysis, individual trajectory, prediction model.
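The detection idea sketched in the abstract, as an added example that is not the paper's own code: both parameters (NC and ARNL) are forecast one interval ahead from a short window of observations, and an interval is flagged when both overshoot their forecasts by more than the 5% tolerance and move together. The least-squares trend forecast, the window length, the sample history and the correlation threshold are assumptions standing in for the paper's posterior-trajectory model.

```python
"""Toy two-parameter slow HTTP DDoS detector (added example, not the paper's code).
Forecasts NC and ARNL one step ahead from a sliding window; the least-squares
trend is an assumed stand-in for the paper's posterior-trajectory method."""
from math import sqrt

WINDOW = 8        # observations used to build each forecast
TOLERANCE = 0.05  # 5% relative deviation, the figure quoted in the abstract

# Constructed sample history: eight quiet intervals (NC in connections, ARNL in seconds).
NC_HIST = [100, 104, 98, 102, 101, 99, 103, 100]
ARNL_HIST = [0.20, 0.21, 0.19, 0.20, 0.21, 0.20, 0.19, 0.20]

def linear_forecast(series):
    """Least-squares line through the last WINDOW points, extrapolated one step."""
    pts = series[-WINDOW:]
    n = len(pts)
    x_mean = (n - 1) / 2
    y_mean = sum(pts) / n
    sxx = sum((x - x_mean) ** 2 for x in range(n))
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(pts))
    slope = sxy / sxx if sxx else 0.0
    return y_mean + slope * (n - x_mean)  # value at x = n, the next interval

def pearson(xs, ys):
    """Pearson correlation of two equal-length series; 0.0 if either is constant."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / sqrt(sxx * syy) if sxx and syy else 0.0

def relative_deviation(observed, forecast):
    return (observed - forecast) / forecast if forecast else 0.0

def classify(nc_hist, arnl_hist, nc_now, arnl_now):
    """'attack' when NC and ARNL both exceed their forecasts by TOLERANCE and are
    positively correlated (many slow clients holding connections open at once);
    'suspicious' when only one parameter deviates; otherwise 'normal'."""
    nc_dev = relative_deviation(nc_now, linear_forecast(nc_hist))
    arnl_dev = relative_deviation(arnl_now, linear_forecast(arnl_hist))
    rho = pearson(nc_hist[-WINDOW:] + [nc_now], arnl_hist[-WINDOW:] + [arnl_now])
    if nc_dev > TOLERANCE and arnl_dev > TOLERANCE and rho > 0.5:
        return "attack"
    if nc_dev > TOLERANCE or arnl_dev > TOLERANCE:
        return "suspicious"
    return "normal"
```

A single parameter overshooting (for instance a connection spike with normal delay) only yields "suspicious"; the joint overshoot with positive correlation is what the two-parameter check treats as the slow-attack signature.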