• The KIPS Transactions:PartC
• /
• v.18C no.3
• /
• pp.127-134
• /
• 2011

Malicious botnet has been used for more malicious activities, such as DDoS attacks, sending spam messages, steal personal information, etc. To prevent this, many studies have been preceded. But malicious botnets have evolved and evaded detection systems. In particular, HTTP GET Request attack that exploits the vulnerability of the application layer is used. ALAB of ALADDIN proposed by ETRI is DDoS attack detection system that HTTP GET, Incomplete GET request flooding attack detection algorithm is applied. In this paper, we extend Incomplete GET detection algorithm of ALAB and derive the optimal configuration parameters to verify the validity of the algorithm ALAB by the study of the normal and attack packets.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.1
• /
• pp.39-52
• /
• 2011

An application-layer attack can effectively achieve its objective with a small amount of traffic, and detection is difficult because the traffic type is very similar to that of legitimate users. We have discovered a unique characteristic that is produced by a difference in client intention: Both a legitimate user and DDoS attacker establish a session through a 3-way handshake over the TCP/IP layer. After a connection is established, they request at least one HTTP service by a Get request packet. The legitimate HTTP user waits for the server's response. However, an attacker tries to terminate the existing session right after the Get request. These different actions can be interpreted as a difference in client intention. In this paper, we propose a detection algorithm for application layer DDoS attacks based on this difference. The proposed algorithm was simulated using traffic dump files that were taken from normal user networks and Botnet-based attack tools. The test results showed that the algorithm can detect an HTTP-Get flooding attack with almost zero false alarms.

• Journal of Institute of Control, Robotics and Systems
• /
• v.10 no.9
• /
• pp.847-854
• /
• 2004

In this paper, It is studied to control and to monitor the remote system state using HTTP(Hyper Text Transfer Protocol) object communication. The remote control system is controlled by using a web browser or a application program. This system is organized by three different part depending on functionality-server part, client part, controller part. The java technology is used to composite the server part and the client part and C language is used for a controller. The server part is waiting for the request of client part and then the request is reached, the server part saves client data to the database and send a command set to the client part. The administrator can control the remote system just using a web browser. Remote part is worked by timer that is activated per 1 second. It gets the measurement data of the controller part, and then send the request to the server part and get a command set in the command repository of server part using the client ID. After interpreting the command set, the client part transfers the command set to the controller part. Controller part can be activated by the client part. If send command is transmitted by the client part, it sends sensor monitoring data to the client part and command set is transmitted then setting up the value of the controlled system.