Mouse Features for DDoS Attacks Detection in the Application Layer

Bravo, Silvia; Mauricio, David; Moreno, Ángel H.

doi:10.1145/3149572.3149609

Cited by 2 publications

(1 citation statement)

References 59 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The keystroke rhythms of a user, in terms of time, are measured to develop a unique biometric template of the user's typing pattern for future authentication. In [20] they evaluated the characteristics of the mouse to identify real users of DDOS attacks. Checking that the dynamism of the mouse provides unique characteristics to identify this type of attack.…”

Section: B User Dynamismmentioning

confidence: 99%

Agile method for detecting DDoS attacks in the application layer based on user’s dynamism

Bravo¹,

Mauricio²

2018

IJET

Self Cite

View full text Add to dashboard Cite

Abstract-DDoS attacks are one of the most damaging computer attacks of recent times. Attackers send large number of requests to saturate a victim machine and it stops providing its services to legitimate users. In general attacks are directed to the network layer and the application layer, the latter has been increasing due mainly to its easy execution and difficult detection. The present work proposes a low cost detection approach that consists of two steps: first, user characteristics are extracted in real time while browsing the web application; second, each extracted feature is used by an order sorter O(1) to differentiate a real user from a DDoS attack. A real user is identified by making requests using peripherals for navigation (user dynamism), while DDoS attacks are requests sent by robots and do not require the use of peripherals to make requests, therefore the characteristics of the user's dynamism are used for the detection of a DDoS attack. The results on the attack tests using the attack tools LOIC, OWASP and GoldenEye, show that the proposed method has a detection efficiency of 100%, and that the characteristics of the web user allow to differentiate between a real user and a robot.Keyword -Application layer, DDoS, user's dynamism, detection attacks, use of peripherals I. INTRODUCTION DDoS attacks have become one of the threats with the greatest impact on the security of computer systems. These attacks are aimed at consuming bandwidth or server resources, preventing legitimate users from accessing the services. These attacks can be in the network layer (protocols, hubs, switch) and in the application layer (system, CPU, resources), the latter has increased in recent years due to its easy execution and difficult detection, thus, the efforts in the mechanisms of detection are focusing to this type of attack. The attacks directed to the application layer are considered sophisticated because they mimic the requests of real users, so it is more difficult to detect them. The methods consider information of user requests, and some logic that allows to relate these with an attack or a user. The logic is given by techniques such as neural networks, genetic algorithms, support vector machine and statistical models that in general consume considerable resources. The excessive consumption of resources means that the detection process is slower and even more so with large amounts of information. The slowness of the process impacts the system causing saturation of the bandwidth and consumption of server resources. In addition, the mentioned techniques have a waiting time before detection, to know if it is an attack, which affects the productivity of the services. The most difficult task that detection methods have is to differentiate a request to identify it as a real user or attack. In [1] they introduces the characteristics of the user's dynamism, indicating that they come from the interaction between the user and the system. In [2] they specify that the characteristics of the user's dynamism allow differentia...

show abstract

Section: B User Dynamismmentioning

confidence: 99%

Agile method for detecting DDoS attacks in the application layer based on user’s dynamism

Bravo¹,

Mauricio²

2018

IJET

Self Cite

View full text Add to dashboard Cite

show abstract

Efficient Based on Improved Random Forest Defense System Against Application‐Layer DDoS Attacks

He,

Fang,

Lan

et al. 2024

International Journal of Intelligent Systems

View full text Add to dashboard Cite

Application‐layer distributed denial of service (DDoS) attacks have become the main threat to Web server security. Because application‐layer DDoS attacks have strong concealability and high authenticity, intrusion detection technologies that rely solely on judging client authenticity cannot accurately detect such attacks. In addition, application‐layer DDoS attacks are periodic and repetitive, and attack targets suddenly in a short period. In this study, we propose an efficient application‐layer DDoS detection system based on improved random forest. Firstly, the Web logs are preprocessed to extract the user session characteristics. Subsequently, we propose a Session Identification based on Separation and Aggregation (SISA) method to accurately capture user sessions. Lastly, we propose an improved random forest classification algorithm based on feature weighting to address the issue of an increasing number of features leading to prolonged calculation times in the random forest algorithm, and as the feature dimension increases, there might be instances where no subfeature is related to the category to be classified. More importantly, we compare the request source IP with the malicious IP in the threat intelligence library to deal with the periodicity and repetition of application‐layer DDoS attacks. We conducted a comprehensive experiment on the publicly available Web log dataset and the threat intelligence database of the laboratory as well as the simulated generated attack log dataset in the laboratory environment. The experimental results show that the proposed detection system can control the false alarm rate and false alarm rate within a reasonable range, improving the detection efficiency further, the detection rate is 99.85%. In secondary attack detection experiments, our proposed detection method achieves a higher detection rate in a shorter time.

show abstract

Mouse Features for DDoS Attacks Detection in the Application Layer

Cited by 2 publications

References 59 publications

Agile method for detecting DDoS attacks in the application layer based on user’s dynamism

Agile method for detecting DDoS attacks in the application layer based on user’s dynamism

Efficient Based on Improved Random Forest Defense System Against Application‐Layer DDoS Attacks

Contact Info

Product

Resources

About