http://dx.doi.org/10.9708/jksci.2016.21.7.001

Detecting the HTTP-GET Flood Attacks Based on the Access Behavior of Inline Objects in a Web-page Using NetFlow Data  

Kang, Koo-Hong (Dept. of Information and Communications Engineering, Seowon University)
Abstract
Nowadays, distributed denial of service (DDoS) attacks on web sites reward attackers financially or politically, because daily life depends heavily on web services such as on-line banking, e-mail, and e-commerce. One class of DDoS attack against web servers, the HTTP-GET flood, is becoming more serious. Most existing countermeasures run at the application layer, because the attack packets use legitimate network protocols and valid HTTP payloads; a packet-level network intrusion detection system therefore cannot distinguish legitimate HTTP-GET requests from malicious ones. In this paper, we propose a practical detection technique against HTTP-GET flood attacks based on the access behavior of the inline objects of a web page, as observed in NetFlow data. In particular, the proposed scheme works at the network layer without any application-specific deep packet inspection. We implement the detection technique and evaluate its detection ability in a simple test environment using the NetBot attack tool. We also show that the approach is applicable in the field by presenting a test profile captured at a well-known e-commerce site. The results show that our technique detects HTTP-GET flood attacks effectively.
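As an added illustration, not code from the paper, the following Python sketch shows one way the abstract's idea can be operationalised on NetFlow records alone: a browser that loads a page fetches its inline objects (images, CSS, scripts) in a short burst and then pauses while the user reads, whereas a page-only flooder either never fetches the objects or never pauses. The flow records, the server address, the page profile of eight inline objects, the burst gap and the thresholds are all constructed assumptions; the sketch also assumes one TCP flow per fetched object (no keep-alive or HTTP/2 multiplexing, which would fold several objects into one flow). The exact features and thresholds used in the paper are not given in the abstract.

```python
from collections import defaultdict

SERVER = "203.0.113.10"   # web server being protected (constructed address)

def browser_page_view(src, t0):
    """Constructed flows for one legitimate page view: the HTML document
    followed by 8 inline objects (images, CSS, JS) within about a second."""
    flows = [(t0, src, SERVER, 80, 12, 9000)]
    for i in range(8):
        flows.append((t0 + 120 + i * 90, src, SERVER, 80, 6, 3000 + i * 200))
    return flows

def page_only_flood(src, t0, count, interval_ms):
    """Constructed flows for a NetBot-style flooder that re-requests the page
    at a fixed interval and never fetches the inline objects."""
    return [(t0 + i * interval_ms, src, SERVER, 80, 8, 9000) for i in range(count)]

# Constructed NetFlow-style records: (start_ms, src_ip, dst_ip, dst_port, packets, bytes).
SAMPLE_FLOWS = (
    browser_page_view("198.51.100.7", 0)
    + browser_page_view("198.51.100.7", 30_000)   # same user, next page after think time
    + browser_page_view("198.51.100.9", 5_000)
    + page_only_flood("192.0.2.66", 1_000, 40, 500)    # fast bot: 2 requests/s, no pauses
    + page_only_flood("192.0.2.77", 2_000, 10, 5_000)  # slow bot: one page every 5 s
)

def bursts_per_client(flows, server, port=80, gap_ms=2000):
    """Group each client's flows to the server into page-view bursts: a flow
    starting within gap_ms of the previous one belongs to the same burst."""
    starts = defaultdict(list)
    for start, src, dst, dport, _pkts, _bytes in flows:
        if dst == server and dport == port:
            starts[src].append(start)
    bursts = {}
    for src, times in starts.items():
        times.sort()
        groups, current = [], [times[0]]
        for t in times[1:]:
            if t - current[-1] <= gap_ms:
                current.append(t)
            else:
                groups.append(current)
                current = [t]
        groups.append(current)
        bursts[src] = groups
    return bursts

def classify_client(bursts, expected_objects, tolerance=0.5):
    """Compare a client's bursts with the page profile (1 HTML flow plus
    expected_objects inline-object flows). Two deviations mark a page-only
    flood: most bursts are far smaller than a page view (the client skips the
    inline objects), or one unbroken burst is far larger than a page view
    (no browser think time between page loads)."""
    page_flows = 1 + expected_objects
    too_small = sum(1 for b in bursts if len(b) < page_flows * tolerance)
    too_large = sum(1 for b in bursts if len(b) > 3 * page_flows)
    if too_large or too_small > len(bursts) / 2:
        return "suspect"
    return "normal"

def detect(flows, server=SERVER, expected_objects=8):
    """Return {client_ip: 'normal' | 'suspect'} for every client in the flows."""
    return {src: classify_client(b, expected_objects)
            for src, b in bursts_per_client(flows, server).items()}

if __name__ == "__main__":
    for ip, verdict in sorted(detect(SAMPLE_FLOWS).items()):
        print(f"{ip:15} {verdict}")
```

The thresholds (burst gap, half a page view, three page views) are illustrative and would have to be calibrated from the site's own profile, which is what the abstract's e-commerce capture provides. Two caveats matter in practice: a returning visitor with a warm cache issues fewer object requests and can look like the "too small" case, so a site-specific tolerance is needed; and a bot that mimics full browsing behaviour, fetching the inline objects of every page it requests, as in the browsing-behaviour mimicking attacks of reference 7, is not separated from browsers by this profile at all.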
Keywords
HTTP-GET flood attack; Internet security; NetFlow;
References
1 C.M. Chen, B.C. Jeng, C.R. Yang, and G.H. Lai, "Tracing denial of service origin: Ant colony approach," Applications of Evolutionary Computing, Springer Berlin Heidelberg, pp. 286-295, 2006.
2 X. Yin, W. Yurcik, M. Treaster, Y. Li, and K. Lakkaraju, "VisFlowConnect: netflow visualizations of link relationships for security situational awareness," Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 26-34, 2004.
3 D. Huistra, "Detecting Reflection Attacks in DNS Flows," Proceedings of the 19th Twente Student Conference on IT, 2013.
4 L. Bilge, D. Balzarotti, W. Robertson, E. Kirda, and C. Kruegel, "Disclosure: detecting botnet command and control servers through large-scale netflow analysis," Proceedings of the 28th Annual Computer Security Applications Conference, pp. 129-138, 2012.
5 C. Estan, K. Keys, D. Moore, and G. Varghese, "Building a better NetFlow," ACM SIGCOMM Computer Communication Review, Vol. 34, No. 4, pp. 245-256, 2004.
6 H. Choi and J.O. Limb, "A Behavioral Model of Web Traffic," Proceedings of the Seventh International Conference on Network Protocols, pp. 327-334, 1999.
7 S. Yu, G. Zhao, S. Guo, Y. Xiang, and A.V. Vasilakos, "Browsing Behavior Mimicking Attacks on Popular Web Sites for Large Botnets," Proceedings of IEEE INFOCOM Workshops, pp. 947-951, 2011.
8 K.S. Han and E.G. Im, "A Study on the Analysis of Netbot and Design of Detection Framework," Proceedings of the Joint Workshop on Information Security, pp. 1-12, 2009.
9 Cisco, Cisco Catalyst 3750-X and 3560-X Series Switches Data Sheet, http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3750-x-series-switches/data_sheet_c78-584733.html
10 T. Yatagai, T. Isohara, and I. Sasase, "Detection of HTTP-GET flood Attack Based on Analysis of Page Access Behavior," Proceedings of the IEEE Pacific Rim Conference, pp. 232-235, 2007.
11 D. Dittrich and S. Dietrich, "P2P as botnet command and control: a deeper insight," Proceedings of the 3rd International Conference on Malicious and Unwanted Software, pp. 41-48, 2008.
12 P. Chwalinski, R. Belavkin, and X. Cheng, "Detection of Application Layer DDoS Attack with Clustering and Likelihood Analysis," Proceedings of IEEE Globecom, 2013.
13 AhnLab, TrusGuard DPX, http://download.ahnlab.com
14 Arbor Networks, Peakflow Threat Management System, http://www.arbornetworks.com
15 Cisco, Introduction to Cisco IOS NetFlow, http://cisco.com
16 B. Claise, "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information," IETF, 2013.
17 B. Mah, "An Empirical Model of HTTP Network Traffic," Proceedings of IEEE INFOCOM '97, pp. 592-600, 1997.
18 W. Lu and S. Yu, "An HTTP Flooding Detection Method Based on Browser Behavior," Proceedings of Computational Intelligence and Security, pp. 1151-1154, 2006.
19 Y. Choi, I. Kim, J. Oh, and J. Jang, "AIGG Threshold Based HTTP GET Flooding Attack Detection," Proceedings of WISA, 2012.
20 M. Srivatsa, A. Iyengar, J. Yin, and L. Liu, "Mitigating application-level denial of service attacks on Web servers: A client-transparent approach," ACM Transactions on the Web, Vol. 2, No. 3, Article 15, July 2008.
21 Endace, EndaceFlow NetFlow Generator Appliances, http://www.endace.com/endaceflow-high-speed-netflow-generators.html