Detection of Application Layer Ddos Attacks Using Information Theory Based Metrics

Distributed Denial-of-Service (DDoS) attacks are a critical threat to the Internet. Recently, there are an increasing number of DDoS attacks against online services and Web applications. These attacks are targeting the application level. Detecting application layer DDOS attack is not an easy task. A more sophisticated mechanism is required to distinguish the malicious flow from the legitimate ones. This paper proposes a detection scheme based on the information theory based metrics. The proposed scheme has two phases: Behaviour monitoring and Detection. In the first phase, the Web user browsing behaviour (HTTP request rate, page viewing time and sequence of the requested objects) is captured from the system log during nonattack cases. Based on the observation, Entropy of requests per session and the trust score for each user is calculated. In the detection phase, the suspicious requests are identified based on the variation in entropy and a rate limiter is introduced to downgrade services to malicious users. In addition, a scheduler is included to schedule the session based on the trust score of the user and the system workload.