A Large-Scale Hidden Semi-Markov Model for Anomaly Detection on User Browsing Behaviors

Many methods designed to create defenses against distributed denial of service (DDoS) attacks are focused on the IP and TCP layers instead of the high layer. They are not suitable for handling the new type of attack which is based on the application layer. In this paper, we introduce a new scheme to...

Full description

Saved in:
Bibliographic Details
Published in:IEEE/ACM transactions on networking 2009-02, Vol.17 (1), p.54-65
Main Authors: Xie, Yi, Yu, Shun-Zheng
Format: Article
Language:English
Subjects:
Algorithms
Anomaly detection
Browsing
browsing behaviors
Computer crime
DDoS
Design methodology
Entropy
Filtering
hidden semi-Markov Model
Large-scale systems
M-algorithm
Materials handling
Mathematical models
Protocols
State-space methods
Statistics
TCP (protocol)
TCP/IP (protocol)
TCPIP
Web server
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Many methods designed to create defenses against distributed denial of service (DDoS) attacks are focused on the IP and TCP layers instead of the high layer. They are not suitable for handling the new type of attack which is based on the application layer. In this paper, we introduce a new scheme to achieve early attack detection and filtering for the application-layer-based DDoS attack. An extended hidden semi-Markov model is proposed to describe the browsing behaviors of web surfers. In order to reduce the computational amount introduced by the model's large state space, a novel forward algorithm is derived for the online implementation of the model based on the M-algorithm. Entropy of the user's HTTP request sequence fitting to the model is used as a criterion to measure the user's normality. Finally, experiments are conducted to validate our model and algorithm.
ISSN:1063-6692
1558-2566
DOI:10.1109/TNET.2008.923716