Abstract
Application-layer distributed denial-of-service attacks have become a serious threat to modern high-speed computer networks and systems. Unlike network-layer attacks, application-layer attacks can be performed using legitimate requests from legitimately connected network machines that make these attacks undetectable by signature-based intrusion detection systems. Moreover, the attacks may utilize protocols that encrypt the data of network connections in the application layer, making it even harder to detect an attacker’s activity without decrypting users’ network traffic, and therefore violating their privacy. In this paper, we present a method that allows us to detect various application-layer denial-of-service attacks against a computer network in a timely fashion. We focus on detection of the attacks that utilize encrypted protocols by applying an anomaly-detection-based approach to statistics extracted from network packets. Since network traffic decryption can violate ethical norms and regulations on privacy, the detection method proposed analyzes network traffic without its decryption. The method involves construction of a model of normal user behavior by analyzing conversations between a web server and its clients. The construction algorithm is self-adaptive and allows one to update the model every time a new portion of network traffic data becomes available for analysis. Once the model has been built, it can be applied to detect various application-layer types of denial-of-service attacks, including slow attacks, computational attacks, and more advanced attacks imitating normal web user behavior. The proposed technique is evaluated with realistic end user network traffic generated in our virtual network environment. Evaluation results show that these attacks can be properly detected, while the number of false alarms remains very low.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Ackermann M, Märtens M, Raupach C, Swierkot K, Lammersen C, Sohler C (2012) StreamKM++: a clustering algorithm for data streams. J. Exp. Algorithmics 17:Article 2.4, 30 pp
Aggarwal C, Han J, Wang J, Yu P (2003) A framework for clustering evolving data streams. In: Proceedings of conference on very large data bases (VLDB’03), vol 29, pp 81–92
Aiello M, Cambiaso E, Mongelli M, Papaleo G (2014) An on-line intrusion detection approach to identify low-rate DoS attacks. In: Proceedings of international carnahan conference on security technology (ICCST), pp 1–6
Arndt D, Zincir-Heywood AN (2011) A comparison of three machine learning techniques for encrypted network traffic analysis. In: Proceedings of IEEE symposium on computational intelligence for security and defense applications (CISDA), pp 107–114
Chaudhary U, Papapanagiotou I, Devetsikiotis M (2010) Flow classification using clustering and association rule mining. In: Proceedings of the 15th IEEE international workshop on computer aided modeling, analysis and design of communication links and networks (CAMAD), pp 76–80
Chen R, Wei J-Y, Yu H (2008) An improved grey self-organizing map based DOS detection. In: Proceedings of IEEE conference on cybernetics and intelligent systems, pp 497–502
Chen Y, Tu L (2007) Density-based clustering for real-time stream data. In: Proceedings of the 13th ACM SIGKDD international conference on knowledge discovery and data mining, pp 133–142
Chitta R, Jin R, Jain A (2015) Stream clustering: efficient kernel-based approximation using importance sampling. In: Proceedings of IEEE international conference on data mining workshop (ICDMW), pp 607–614
Chwalinski P, Belavkin RR, Cheng X (2013) Detection of application layer DDoS attacks with clustering and Bayes factors. In: Proceedings of IEEE international conference on systems, man, and cybernetics (SMC), pp 156–161
Domingos P, Hulten G (2001) A general method for scaling up machine learning algorithms and its application to clustering. In: Proceedings of the 8th international conference on machine learning, pp 106–113
Dunn J (1973) A fuzzy relative of the ISODATA process, and its use in detecting compact well-separated clusters. J Cybern 3(3):32–57
Durcekova V, Schwartz L, Shahmehri N (2012) Sophisticated denial of service attacks aimed at application layer. In: Proceedings of the 9th international conference ELEKTRO, pp 55–60
Gama J, Rodrigues P, Lopes L (2011) Clustering distributed sensor data streams using local processing and reduced communication. Intell Data Anal 15(1):3–28
Gartner (2015) Cybercriminals hiding in SSL traffic. White paper sponsored by Venafi
Gullo F, Tagarelli A (2012) Uncertain centroid based partitional clustering of uncertain data. VLDB Endow 5(7):610–621
Hirsimäki T, Pylkkönen J, Kurimo M (2009) Importance of high-order n-gram models in morph-based speech recognition. IEEE Trans Audio Speech Lang Process 17(4):724–732
Kaspersky Lab (2015) Statistics on botnet-assisted DDoS attacks in Q1 2015. https://www.slideshare.net/KasperskyLabGlobal/statistics-on-botnet-assisted-ddos-attacks-in-q1-2015
Ke-xin Y, Jian-qi Z (2011) A novel DoS detection mechanism. In: Proceedings of international conference on mechatronic science, electric engineering and computer (MEC), pp 296–298
Kranen P, Assent I, Baldauf C, Seidl T (2011) The ClusTree: indexing micro-clusters for anytime stream mining. Knowl Inf Syst. 29(2):249–272
Li K, Zhou W, Li P, Hai J, Liu J (2009) Distinguishing DDoS attacks from flash crowds using probability metrics. In: Proceedings of the 3rd international conference on network and system security (NSS), pp 9–17
Lloyd S (2006) Least squares quantization in PCM. IEEE Trans Inf Theory 28(2):129–137
Loh W-K, Park Y-H (2014) A survey on density-based clustering algorithms. Lecture notes in electrical engineering, vol 280. pp 775–780
Pardeshi B, Toshniwal D (2010) Improved k-medoids clustering based on cluster validity index and object density. In: Proceedings of the 2nd IEEE international advance computing conference (IACC), pp 379–384
Radware (2016) 2015-2016 Global Application & Network Security Report. https://www.radware.com/ert-report-2015/?utm_source=security_radware&utm_medium=promo&utm_campaign=2015-ERT-Report
Rafsanjani M, Varzaneh Z, Chukanlo N (2012) A survey of hierarchical clustering algorithms. J Math Comput Sci 5(3):229–240
Shah R, Krishnaswamy S, Gaber M (2005) Resource-aware very fast k-means for ubiquitous data stream mining. In: Proceedings of the 2nd international workshop on knowledge discovery in data streams, held in conjunction with the 16th European conference on machine learning
Shindler M, Wong A, Meyerson AW (2011) Fast and accurate k-means for large datasets. In: Proceedings of the conference on neural information processing systems, pp 2375–2383
Silva JA, Faria ER, Barros RC, Hruschka ER, de Carvalho AC, Gama J (2013) Data stream clustering: a survey. ACM Comput Surv 46:1–37
Stevanovic D, Vlajic N (2014) Next generation application-layer DDoS defences: applying the concepts of outlier detection in data streams with concept drift. In: Proceedings of the 13th international conference on machine learning and applications, pp 456–462
Suen CY (1979) n-gram statistics for natural language understanding and text processing. IEEE Trans Pattern Anal Mach Intell PAMI-1:162–172
Trojnara M (2011) Sslsqueeze. http://pastebin.com/AgLQzL6L
Xu C, Zhao G, Xie G, Yu S (2014) Detection on application layer DDoS using random walk model. In: Proceedings of IEEE international conference on communications (ICC), pp 707–712
Yadav S, Selvakumar S (2015) Detection of application layer DDoS attack by modeling user behavior using logistic regression. In: Proceedings of the 4th international conference on reliability, infocom technologies and optimization (ICRITO) (trends and future directions), pp 1–6
Yadav S, Selvakumar S (2016) Detection of application layer DDoS attack by feature learning using stacked autoencoder. In: Proceedings of international conference on computational techniques in information and communication technologies (ICCTICT), pp 261–266
Ye C, Zheng K, She C (2010) Application layer DDOS detection using clustering analysis. In: Proceedings of international conference on information networking and automation (ICINA), pp 67–71
Yuan J, Mills K (2005) Monitoring the macroscopic effect of DDoS flooding attacks. IEEE Trans Dependable Secur Comput 2:324–335
Zhang J, Qin Z, Ou L, Jiang P, Liu J, Liu A (2012) An advanced entropy-based DDOS detection scheme. In: Proceedings of the 2nd international conference on computer science and network technology (ICCSNT), pp 1038–1041
Zhang T, Ramakrishnan R, Livny M (1997) BIRCH: a new data clustering algorithm and its applications. Data Min Knowl Discov 1:141–182
Zolotukhin M, Hämäläinen T, Kokkonen T, Niemelä A, Siltanen J (2015) Data mining approach for detection of DDoS attacks utilizing SSL/TLS protocol. Lecture notes in computer science, vol 9247. Springer, pp 274–285
Zolotukhin M, Hämäläinen T, Kokkonen T, Siltanen J (2016) Increasing web service availability by detecting application-layer DDoS attacks in encrypted traffic. In: Proceedings of the 23rd international conference on telecommunications (ICT), pp 1–6
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this chapter
Cite this chapter
Zolotukhin, M., Hämäläinen, T. (2018). Data Stream Clustering for Application-Layer DDoS Detection in Encrypted Traffic. In: Lehto, M., Neittaanmäki, P. (eds) Cyber Security: Power and Technology. Intelligent Systems, Control and Automation: Science and Engineering, vol 93. Springer, Cham. https://doi.org/10.1007/978-3-319-75307-2_8
Download citation
DOI: https://doi.org/10.1007/978-3-319-75307-2_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-75306-5
Online ISBN: 978-3-319-75307-2
eBook Packages: EngineeringEngineering (R0)