An Integrated Approach to Defence Against Degrading Application-Layer DDoS Attacks

Application layer Distributed Denial of Service (DDoS) attacks are recognized as one of the most damaging attacks on the Internet security today. In our recent work [1], we have shown that unsupervised machine learning can be effectively utilized in the process of distinguishing between regular (human) and automated (web/botnet crawler) visitors to a web site. We have also shown that with a slightly higher level of sophistication in the design of some web/botnet crawlers, their detection could become particularly challenging, requiring additional vigilance and investigation on the part of the site’s defense team. In this paper, we demonstrate an application of time series analysis in order to perform a further fine-tuned detection of suspicious visitors to a web site. Additionally, we propose a novel application-layer DDoS detection system that integrates the use of our combined unsupervised learning and time-domain webvisitor classifier with the use of standardized challenge-response tests. The system is aimed to ensure reliable detection of malicious (web/botnet crawler) visitors to a web site while being minimally intrusive towards regular (human) visitors. Keywords—system security; distributed denial of service, DDoS detection and prevention, browsing behavior model