Detection Methods of Slow Read DoS Using Full Packet Capture Data

Clifford Kemp, Chad L. Calvert, T. Khoshgoftaar
DOI: 10.1109/IRI49571.2020.00010 (https://doi.org/10.1109/IRI49571.2020.00010)
Published in: 2020 IEEE 21st International Conference on Information Reuse and Integration for Data Science : IRI 2020 : proceedings : virtual conference, 11-13 August 2020. IEEE International Conference on Information Reuse and Integration (21st : 2...
Volume 31 1, pages 9-16
Publication date: 2020-08-01
Citations: 4

Abstract

Denial of Service (DoS) attacks on web servers have become extremely popular with cybercriminals and organized crime groups. A successful DoS attack on network resources reduces availability of service to a web site and backend resources, and could easily result in a loss of millions of dollars in revenue depending on company size. There are many DoS attack methods, each of which is critical to providing an understanding of the nature of the DoS attack class. There has been a rise in recent years of application-layer DoS attack methods that target web servers and are challenging to detect. An attack may be disguised to look like legitimate traffic, except it targets specific application packets or functions. The Slow Read DoS attack is one type of slow HTTP attack targeting the application layer. Slow Read attacks are often used to exploit weaknesses in the HTTP protocol, as it is the most widely used protocol on the Internet. In this paper, we use Full Packet Capture (FPC) datasets for detecting Slow Read DoS attacks with machine learning methods. All data collected originates in a live network environment. Our approach produces FPC features taken from network packets at the IP and TCP layers. Experimental results show that the machine learners were quite successful in identifying the Slow Read attacks with high detection and low false alarm rates using FPC data. Our experiment evaluates FPC datasets to determine the accuracy and efficiency of several detection models for Slow Read attacks. The experiment demonstrates that FPC features are discriminative enough to detect such attacks.