International Journal of Intelligent Systems and Applications (IJISA)

ISSN: 2074-904X (Print), ISSN: 2074-9058 (Online)

Published By: MECS Press

IJISA Vol.10, No.4, Apr. 2018

Fuzzy-based User Behavior Characterization to Detect HTTP-GET Flood Attacks

Full Text (PDF, 1242KB), PP.29-40



Karanpreet Singh, Paramvir Singh, Krishan Kumar

Index Terms

GET flooding; application layer; anomaly detection; denial of service


The Internet was designed to serve the basic requirement of data transfer between systems. Security was therefore overlooked, and as a result the Internet remains vulnerable to a variety of attacks. Among these, the Distributed Denial of Service (DDoS) attack is one of the most prominent threats, targeting the availability of online services to their intended clients. Nowadays, attackers target the application layer of the network stack to orchestrate highly sophisticated attacks. GET flood attacks have become prevalent in recent years, primarily because advances in bots allow them to impersonate legitimate client behavior. Differentiating between a human client and a bot is therefore necessary to mitigate an attack. This paper introduces a mitigation framework based on a Fuzzy Control System that takes two novel detection parameters as input. These detection parameters use clients' behavioral characteristics to measure their respective legitimacy. We design an experimental setup that incorporates two widely used benchmark web logs (Clarknet and WorldCup) to build legitimate and attack datasets. We then use these datasets to assess the performance of the proposed system through well-known evaluation metrics. The results obtained point towards the efficiency of our proposed system in mitigating a wide range of GET flood attack types.

Cite This Paper

Karanpreet Singh, Paramvir Singh, Krishan Kumar, "Fuzzy-based User Behavior Characterization to Detect HTTP-GET Flood Attacks", International Journal of Intelligent Systems and Applications (IJISA), Vol.10, No.4, pp.29-40, 2018. DOI: 10.5815/ijisa.2018.04.04

