Journal: Journal of network and computer applications

User behavior analytics-based classification of application layer HTTP-GET flood attacks


Abstract

Web services are one of the most prominent forms of web presence exercised by the businesses to connect to their possible client base. GET flood attacks, commonly known as Application Layer DDoS attacks, are widely executed exploits that challenge almost all the web servers hosting such services on the Internet. The state-of-the-art literature provides many security mechanisms that are designed to handle such attacks; however, attackers constantly explore unique approaches for orchestrating covert GET flood attacks. The detection of such attacks requires user level monitoring due to a high resemblance among the browsing behaviors of legitimate users and modern-day sophisticated bots. In this paper, we propose four novel behavioral features to distinguish GET flood attack sources from the legitimate normal and flash traffic. Our work distinguishes itself from previous works by providing a comprehensive solution for the detection of 12 different strategies employed by an attacker to launch GET flood attacks. We build an experimental test bed supported by well-known software tools that replay the benchmark web logs and generate emulated attack traces pertaining to GET flood attack strategies. The datasets prepared during the course of this experimentation are evaluated through an exhaustive performance comparison of the selected set of machine learning classifiers. The obtained results evidently indicate significantly high detection accuracy (97.46%) with few false alarms using the SVM classifier.
