Web服务器有多安全?慢HTTP DoS攻击及检测的实证研究

2016 11th International Conference on Availability, Reliability and Security (ARES) Pub Date : 2016-08-01 DOI:10.1109/ARES.2016.20

Nikhil Tripathi, N. Hubballi, Yogendra Singh

{"title":"Web服务器有多安全?慢HTTP DoS攻击及检测的实证研究","authors":"Nikhil Tripathi, N. Hubballi, Yogendra Singh","doi":"10.1109/ARES.2016.20","DOIUrl":null,"url":null,"abstract":"Slow HTTP Denial of Service (DoS) is an application layer DoS attack in which large number of incomplete HTTP requests are sent. If number of such open connections in the server exhaust a preset threshold, server does not accept any new connections thus creating DoS. In this paper we make twofold contributions. We do an empirical study on different HTTP servers for their vulnerability against slow HTTP DoS attacks. Subsequently we propose a method to detect Slow HTTP Dos attack. The proposed detection system is an anomaly detection system which measures the Hellinger distance between two probability distributions generated in training and testing phases. In the training phase it creates a normal profile as a probability distribution comprising of complete and incomplete HTTP requests. In case of Slow HTTP attack the proportion of incomplete messages is increased in the overall traffic and detection system leverages this for detection by generating another probability distribution and finding difference between two probability distributions. We experiment by collecting data from a real web server and report the detection performance of proposed detection system.","PeriodicalId":216417,"journal":{"name":"2016 11th International Conference on Availability, Reliability and Security (ARES)","volume":"5 4 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-08-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"42","resultStr":"{\"title\":\"How Secure are Web Servers? An Empirical Study of Slow HTTP DoS Attacks and Detection\",\"authors\":\"Nikhil Tripathi, N. Hubballi, Yogendra Singh\",\"doi\":\"10.1109/ARES.2016.20\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Slow HTTP Denial of Service (DoS) is an application layer DoS attack in which large number of incomplete HTTP requests are sent. If number of such open connections in the server exhaust a preset threshold, server does not accept any new connections thus creating DoS. In this paper we make twofold contributions. We do an empirical study on different HTTP servers for their vulnerability against slow HTTP DoS attacks. Subsequently we propose a method to detect Slow HTTP Dos attack. The proposed detection system is an anomaly detection system which measures the Hellinger distance between two probability distributions generated in training and testing phases. In the training phase it creates a normal profile as a probability distribution comprising of complete and incomplete HTTP requests. In case of Slow HTTP attack the proportion of incomplete messages is increased in the overall traffic and detection system leverages this for detection by generating another probability distribution and finding difference between two probability distributions. We experiment by collecting data from a real web server and report the detection performance of proposed detection system.\",\"PeriodicalId\":216417,\"journal\":{\"name\":\"2016 11th International Conference on Availability, Reliability and Security (ARES)\",\"volume\":\"5 4 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2016-08-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"42\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2016 11th International Conference on Availability, Reliability and Security (ARES)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ARES.2016.20\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 11th International Conference on Availability, Reliability and Security (ARES)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ARES.2016.20","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 42

摘要

慢速HTTP拒绝服务(Slow HTTP Denial of Service, DoS)是一种应用层DoS攻击，通过发送大量不完整的HTTP请求实现。如果服务器中此类打开连接的数量超过预设的阈值，则服务器不接受任何新连接，从而产生DoS。在本文中，我们做出了双重贡献。我们对不同的HTTP服务器进行了针对慢速HTTP DoS攻击的漏洞的实证研究。随后，我们提出了一种检测慢速HTTP Dos攻击的方法。该检测系统是一种测量训练阶段和测试阶段生成的两个概率分布之间的海灵格距离的异常检测系统。在训练阶段，它创建一个正常的配置文件，作为一个概率分布，包括完整和不完整的HTTP请求。在缓慢HTTP攻击的情况下，不完整消息的比例在整个流量中增加，检测系统通过生成另一个概率分布并找到两个概率分布之间的差异来利用这一点进行检测。我们从一个真实的web服务器上收集数据进行实验，并报告了所提出的检测系统的检测性能。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

How Secure are Web Servers? An Empirical Study of Slow HTTP DoS Attacks and Detection

Slow HTTP Denial of Service (DoS) is an application layer DoS attack in which large number of incomplete HTTP requests are sent. If number of such open connections in the server exhaust a preset threshold, server does not accept any new connections thus creating DoS. In this paper we make twofold contributions. We do an empirical study on different HTTP servers for their vulnerability against slow HTTP DoS attacks. Subsequently we propose a method to detect Slow HTTP Dos attack. The proposed detection system is an anomaly detection system which measures the Hellinger distance between two probability distributions generated in training and testing phases. In the training phase it creates a normal profile as a probability distribution comprising of complete and incomplete HTTP requests. In case of Slow HTTP attack the proportion of incomplete messages is increased in the overall traffic and detection system leverages this for detection by generating another probability distribution and finding difference between two probability distributions. We experiment by collecting data from a real web server and report the detection performance of proposed detection system.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2016 11th International Conference on Availability, Reliability and Security (ARES)

自引率

0.00%

发文量