Monitoring the application-layer DDoS attacks for popular websites
Citations
221 citations
206 citations
Additional excerpts
...[77] using the concept of document popularity....
[...]
194 citations
[...]
181 citations
144 citations
References
6,144 citations
"Monitoring the application-layer DD..." refers to methods in this paper
...Our contributions in this paper are fourfold: 1) we define the Access Matrix (AM) to capture spatial-temporal patterns of normal flash crowd and to monitor App-DDoS attacks during flash crowd event; 2) based on our previous work [6], [7], we use hidden semi-Markov model (HsMM) [8] to describe the dynamics of AM and to achieve a numerical and automatic detection; 3) we apply principal component analysis (PCA) [9] and independent component analysis (ICA) [10], [11] to deal with the multidimensional data for HsMM; and 4) we design the monitoring architecture and validate it by a real flash crowd traffic and three emulated App-DDoS attacks....
[...]
...This paper applies the FastICA [11] which has been widely used for its good performance and fast convergence during estimation of the parameters....
[...]
...We use the iterative algorithms proposed in [11] to achieve...
[...]
...The FastICA algorithm is based on negentropy....
[...]
5,567 citations
"Monitoring the application-layer DD..." refers to a result in this paper
...In contrast to existing anomaly detection methods developed in biosurveillance [37], the nonstationary and the non-Markovian properties of HsMM can best describe the self-similarity or long-range dependence of network traffic that has been proved by vast observations on the Internet [32], [33]....
[...]
1,926 citations
1,231 citations
"Monitoring the application-layer DD..." refers to background or methods in this paper
...Our contributions in this paper are fourfold: 1) we define the Access Matrix (AM) to capture spatial-temporal patterns of normal flash crowd and to monitor App-DDoS attacks during flash crowd event; 2) based on our previous work [6], [7], we use hidden semi-Markov model (HsMM) [8] to describe the dynamics of AM and to achieve a numerical and automatic detection; 3) we apply principal component analysis (PCA) [9] and independent component analysis (ICA) [10], [11] to deal with the multidimensional data for HsMM; and 4) we design the monitoring architecture and validate it by a real flash crowd traffic and three emulated App-DDoS attacks....
[...]
...Different algorithms [10] have been proposed to achieve this objective....
[...]
...In contrast to the PCA which is sensitive to high-order relationships, the basic idea of ICA is to represent a set of random variables using basis function, where the components are statistically independent and as non-Gaussian as possible....
[...]
...The ICA task is briefly described as follows....
[...]
747 citations
"Monitoring the application-layer DD..." refers to background, methods or a result in this paper
...This conclusion is the same as [5] and is similar to those of other HTTP traces, e....
[...]
...On the other hand, a new special phenomenon of network traffic called flash crowd [4], [5] has been noticed by researchers during the past several years....
[...]
...’s work [5] is most closely related to our own, as they used two properties to distinguish the DoS and normal flash crowd: 1) a DoS event is due to an increase in the request rates for a small group of clients while flash crowds are due to increase in the number of clients...
[...]
...[5] may not help in this scenario since: 1) it is difficult to associate the amount of resources consumed to a client machine and 2) attack nodes consisting of a large number of geographically widespread machines are increasingly likely to belong to known client clusters....
[...]