Web DDoS Detection Schemes Based on Measuring User's Access Behavior with Large Deviation

Cited by: 0
Authors
Wang, Jin [1]
Yang, Xiaolong [1]
Long, Keping [1]
Affiliations
[1] Univ Elect Sci & Technol China, Res Ctr Opt Internet & Mobile Informat Network, Chengdu 611731, Peoples R China
Source
2011 IEEE GLOBAL TELECOMMUNICATIONS CONFERENCE (GLOBECOM 2011) | 2011
Keywords
IP network; DDoS; Large deviation; Markov process
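DOI
Not available
Chinese Library Classification number
TM [Electrical engineering]; TN [Electronic technology, communication technology]
Discipline classification code
0808; 0809
Abstract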
Distributed denial-of-service (DDoS) attack seriously threatens the survivability of web services. It attempts to exhaust a server's resources (e.g., I/O bandwidth, CPU, and memory resources) to the extent that no resource is available for requests from legitimate users. Recently, some attackers launch web DDoS attacks from the application layer (i.e., web app-DDoS), which can evade most of the existing detection approaches that mainly focused on Bandwidth-Flooding DDoS and TCP SYN-Flooding DDoS. This paper discusses the detection of web app-DDoS, and presents two different models to characterize user's web access behavior, i.e., click-ratio based model and Markov process based model. With these characterizations as reference, we adopt large deviation theory to estimate the probability that each ongoing user's access behavior is "consistent" with the corresponding reference characterization, and propose two different detection schemes, LD-IID and LD-MP, respectively. We also validate our schemes with simulations, and the simulation results show that LD-IID can detect attackers accurately, yet LD-MP has high false negatives.
Pages: 5