http://dx.doi.org/10.3837/tiis.2017.04.018

Vulnerable Path Attack and its Detection  

She, Chuyu (School of Data and Computer Science, Sun Yat-sen University)
Wen, Wushao (School of Data and Computer Science, Sun Yat-sen University)
Ye, Quanqi (School of Data and Computer Science, Sun Yat-sen University)
Zheng, Kesong (School of Data and Computer Science, Sun Yat-sen University)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.11, no.4, 2017, pp. 2149-2170
Abstract
Application-layer Distributed Denial-of-Service (DDoS) attacks are one of the leading security problems on the Internet. In recent years, the attack strategies of application-layer DDoS have developed rapidly. This paper introduces a new attack strategy named the Path Vulnerabilities-Based (PVB) attack. In this attack strategy, an attacker first analyzes the contents of web pages and subsequently measures the actual response time of each webpage to build a web-resource-weighted-directed graph. The attacker then uses a Top M Longest Path algorithm to find M DDoS-vulnerable paths, each of which consumes considerable resources when its pages are accessed sequentially. A detection mechanism for such attacks is also proposed and discussed. A finite-state machine is used to model the dynamic processes of the state of the user's session and to monitor for PVB attacks. Numerical results based on real-traffic simulations reveal the efficiency of the attack strategy and the detection mechanism.
Keywords
Application-layer DDoS attack; Path vulnerabilities-based attack; Web-resource-weighted-directed graph; Top M longest path algorithm; Finite-state machine;