A Large-Scale Hidden Semi-Markov Model for Anomaly Detection on User Browsing Behaviors
Many methods designed to create defenses against distributed denial of service (DDoS) attacks are focused on the IP and TCP layers instead of the high layer. They are not suitable for handling the new type of attack which is based on the application layer. In this paper, we introduce a new scheme to...
Published in: | IEEE/ACM transactions on networking 2009-02, Vol.17 (1), p.54-65 |
---|---|
Main Authors: | Xie, Yi; Yu, Shun-Zheng |
Format: | Article |
Language: | English |
container_end_page | 65 |
---|---|
container_issue | 1 |
container_start_page | 54 |
container_title | IEEE/ACM transactions on networking |
container_volume | 17 |
creator | Xie, Yi Yu, Shun-Zheng |
description | Many methods designed to create defenses against distributed denial of service (DDoS) attacks are focused on the IP and TCP layers instead of the high layer. They are not suitable for handling the new type of attack which is based on the application layer. In this paper, we introduce a new scheme to achieve early attack detection and filtering for the application-layer-based DDoS attack. An extended hidden semi-Markov model is proposed to describe the browsing behaviors of web surfers. In order to reduce the computational amount introduced by the model's large state space, a novel forward algorithm is derived for the online implementation of the model based on the M-algorithm. Entropy of the user's HTTP request sequence fitting to the model is used as a criterion to measure the user's normality. Finally, experiments are conducted to validate our model and algorithm. |
doi_str_mv | 10.1109/TNET.2008.923716 |
format | article |
fulltext | fulltext |
identifier | ISSN: 1063-6692 |
ispartof | IEEE/ACM transactions on networking, 2009-02, Vol.17 (1), p.54-65 |
issn | 1063-6692 1558-2566 |
language | eng |
recordid | cdi_proquest_miscellaneous_875024979 |
source | IEEE Electronic Library (IEL) Journals; Association for Computing Machinery:Jisc Collections:ACM OPEN Journals 2023-2025 (reading list) |
subjects | Algorithms Anomaly detection Browsing browsing behaviors Computer crime DDoS Design methodology Entropy Filtering hidden semi-Markov Model Large-scale systems M-algorithm Materials handling Mathematical models Protocols State-space methods Statistics TCP (protocol) TCP/IP (protocol) TCPIP Web server |
title | A Large-Scale Hidden Semi-Markov Model for Anomaly Detection on User Browsing Behaviors |