HIDDEN SEMI-MARKOV MODEL FOR DETECTING APPLICATION LAYER DDOS ATTACKS

Distributed denials of Service attacks (DDoS) have become one of the major threat on the internet. Most defence methods are focused on detecting DDoS attack on IP & TCP layer instead of application layer. With profiling of web browsing behaviour, the sequence order of web page request can be used for detecting Application layer DDoS (App_DDoS) attacks. Based on Hidden semi-Markov model (HsMM) ,a novel anomaly detector is used to describe the browsing behaviour of web users. Average Information entropy (AIE) of user's HTTP request sequence used as a criterion to measure the user's normality. K-means algorithm derived for on line implementation of the model based on M-algorithm. The proposed method is experimentally confirmed with various types of new App-DDoS attack .Our experiment shows the detector and the filter that are based on the behavior model. The filter, residing between the Internet and the victim, takes in a HTTP request and decides whether to accept or reject (drop) it. If a request is accepted, it can pass through the filter and reach the victim. [PUBLICATION ABSTRACT]