Detecting the HTTP-GET Flood Attacks Based on the Access Behavior of Inline Objects in a Web-page Using NetFlow Data (웹페이지 내 인라인 오브젝트 액세스 행위 및 NetFlow 정보를 활용한 HTTP-GET Flood 공격 검출)

Koohong Kang (강구홍)

Detecting the HTTP-GET Flood Attacks Based on the Access Behavior of Inline Objects in a Web-page Using NetFlow Data

Journal of The Korea Society of Computer and Information
Abbr : JKSCI
2016, 21(7), pp.1-8
Publisher : The Korean Society Of Computer And Information
Research Area : Engineering > Computer Science

Koohong Kang ¹

¹서원대학교

Accredited

ABSTRACT

Nowadays, distributed denial of service (DDoS) attacks on web sites reward attackers financially or politically because our daily lifes tightly depends on web services such as on-line banking, e-mail, and e-commerce. One of DDoS attacks to web servers is called HTTP-GET flood attack which is becoming more serious. Most existing techniques are running on the application layer because these attack packets use legitimate network protocols and HTTP payloads; that is, network-level intrusion detection systems cannot distinguish legitimate HTTP-GET requests and malicious requests. In this paper, we propose a practical detection technique against HTTP-GET flood attacks, based on the access behavior of inline objects in a webpage using NetFlow data. In particular, our proposed scheme is working on the network layer without any application-specific deep packet inspections. We implement the proposed detection technique and evaluate the ability of attack detection on a simple test environment using NetBot attacker. Moreover, we also show that our approach must be applicable to real field by showing the test profile captured on a well-known e-commerce site. The results show that our technique can detect the HTTP-GET flood attack effectively.

KEYWORDS

HTTP-GET flood attack, Internet security, NetFlow

Citation status

* References for papers published after 2023 are currently being built.

[confproc] T. Yatagai / 2007 / Detection of HTTP-GET flood Attack Based on Analysis of Page Access Behavior / Proceedings of IEEE Pacific Rim Conference : 232~235

[confproc] D. Dittrich / 2008 / P2P as botnet command and control : a deeper insight / Proceedings of the 3rd International Conference on Malicious and Unwanted Software : 41~48

[confproc] P. Chwalinkski / 2013 / Detection of Application Layer DDoS Attack with Clustering and Likelihood Analysis / Proceedings of Globecom

[web] / AhnLab TrusGuard DPX / http://download.ahnlab.com

[web] / Peakflow Threat Management System / http://www.arbornetworks.com

[web] / Introduction to Cisco IOS NetFlow / http://cisco.com

[report] B. Claise / 2013 / Specification of the IP Flow Information Export(IPFIX)Protocol for the Exchange of IP Traffic Flow Information / IETF

[confproc] B. Mah / 1997 / An Empirical Model of HTTP Network Traffic / Proceedings of INFOCOM'97 : 592~600

[confproc] W. Lu / 2006 / An HTTP Flooding Detection Method Based on Browser Behavior / Proceedings of Computational Intelligence and Security : 1151~1154

[confproc] Y. Choi / 2012 / AIGG Threshold Based HTTP GET Flooding Attack Detection / Proceedings of WISA

[journal] M. Srivatsa / 2008 / Mitigating application-level denial of service attacks on Web servers: A client-transparent approach / ACM Trans. on the Web 2(3)

[book] C. M Chen / 2006 / Tracing denial of service origin: Ant colony approach / Springer Berlin Heidelberg : 286~295

[confproc] X. Yin / 2004 / VisFlowConnect : netflow visualizations of link relationships for security situational awareness / Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security : 26~34

[confproc] D. Huistra / 2013 / Detecting Reflection Attacks in DNS Flows / Proceedings of 19th Twente Student Conference on IT

[confproc] L. Bilge / 2012 / Disclosure : detecting botnet command and control servers through large-scale netflow analysis / Proceedings of the 28th Annual Computer Security Applications Conference : 129~138

[journal] C. Estan / 2004 / Building a better NetFlow / ACM SIGCOMM Computer Communication Review 34(4) : 245~256

[confproc] H. Choi / 1999 / A Behavioral Model of Web Traffic / Proceedings of Seventh International Conference on Network Protocols : 327~334

[confproc] S. Yu / 2011 / Browsing Behavior Mimicking Attacks on Popular Web Sites for Large Botnets / Proceedings of IEEE INFOCOM WKSHPS : 947~951

[confproc] K. S. Han / 2009 / A Study on the Analysis of Netbot and Design of Detection Framework / Proceedings of Joint Workshop on Information Security : 1~12

[web] / Cisco, Cisco Catalyst 3750-X and 3560-X Series Switches Data Sheet / http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3750-x-series-switches/data_sheet_c78-584733.html

[web] / endace, EndaceFlow NetFlow Generator Appliances / http://www.endace.com/endaceflow-high-speed-netflow-generators.html

KJCKorea
Journal Central

Journal of The Korea Society of Computer and Information 2023 KCI Impact Factor : 0.65