This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
Detecting Application Denial-of-Service Attacks: A Group-Testing-Based Approach
August 2010 (vol. 21 no. 8)
pp. 1203-1216
ASCII Text
x 
 
Ying Xuan, Incheol Shin, My T. Thai, Taieb Znati, "Detecting Application Denial-of-Service Attacks: A Group-Testing-Based Approach," IEEE Transactions on Parallel and Distributed Systems, vol. 21, no. 8, pp. 1203-1216, August, 2010.
 
 
BibTex
x
 
@article{ 10.1109/TPDS.2009.147,
author = {Ying Xuan and Incheol Shin and My T. Thai and Taieb Znati},
title = {Detecting Application Denial-of-Service Attacks: A Group-Testing-Based Approach},
journal ={IEEE Transactions on Parallel and Distributed Systems},
volume = {21},
number = {8},
issn = {1045-9219},
year = {2010},
pages = {1203-1216},
doi = {http://doi.ieeecomputersociety.org/10.1109/TPDS.2009.147},
publisher = {IEEE Computer Society},
address = {Los Alamitos, CA, USA},
}
 
 
RefWorks Procite/RefMan/Endnote
x 
 
TY - JOUR
JO - IEEE Transactions on Parallel and Distributed Systems
TI - Detecting Application Denial-of-Service Attacks: A Group-Testing-Based Approach
IS - 8
SN - 1045-9219
SP1203
EP1216
EPD - 1203-1216
A1 - Ying Xuan,
A1 - Incheol Shin,
A1 - My T. Thai,
A1 - Taieb Znati,
PY - 2010
KW - Application DoS
KW - group testing
KW - network security.
VL - 21
JA - IEEE Transactions on Parallel and Distributed Systems
ER -
 
Ying Xuan, University of Florida, Gainesville
Incheol Shin, University of Florida, Gainesville
My T. Thai, University of Florida, Gainesville
Taieb Znati, University of Pittsburgh, Pittsburgh
Application DoS attack, which aims at disrupting application service rather than depleting the network resource, has emerged as a larger threat to network services, compared to the classic DoS attack. Owing to its high similarity to legitimate traffic and much lower launching overhead than classic DDoS attack, this new assault type cannot be efficiently detected or prevented by existing detection solutions. To identify application DoS attack, we propose a novel group testing (GT)-based approach deployed on back-end servers, which not only offers a theoretical method to obtain short detection delay and low false positive/negative rate, but also provides an underlying framework against general network attacks. More specifically, we first extend classic GT model with size constraints for practice purposes, then redistribute the client service requests to multiple virtual servers embedded within each back-end server machine, according to specific testing matrices. Based on this framework, we propose a two-mode detection mechanism using some dynamic thresholds to efficiently identify the attackers. The focus of this work lies in the detection algorithms proposed and the corresponding theoretical complexity analysis. We also provide preliminary simulation results regarding the efficiency and practicability of this new scheme. Further discussions over implementation issues and performance enhancements are also appended to show its great potentials.

[1] S. Ranjan, R. Swaminathan, M. Uysal, and E. Knightly, "DDos-Resilient Scheduling to Counter Application Layer Attacks under Imperfect Detection," Proc. IEEE INFOCOM, Apr. 2006.
[2] S. Vries, "A Corsaire White Paper: Application Denial of Service (DoS) Attacks," http://research.corsaire.com/whitepapers 040405-application-level-dos-attacks.pdf , 2010.
[3] S. Kandula, D. Katabi, M. Jacob, and A.W. Berger, "Botz-4-Sale: Surviving Organized DDoS Attacks That Mimic Flash Crowds," Proc. Second Symp. Networked Systems Design and Implementation (NSDI), May 2005.
[4] S. Khattab, S. Gobriel, R. Melhem, and D. Mosse, "Live Baiting for Service-Level DoS Attackers," Proc. IEEE INFOCOM, 2008.
[5] M.T. Thai, Y. Xuan, I. Shin, and T. Znati, "On Detection of Malicious Users Using Group Testing Techniques," Proc. Int'l Conf. Distributed Computing Systems (ICDCS), 2008.
[6] M.T. Thai, P. Deng, W. Wu, and T. Znati, "Approximation Algorithms of Nonunique Probes Selection for Biological Target Identification," Proc. Conf. Data Mining, Systems Analysis and Optimization in Biomedicine, 2007.
[7] J. Mirkovic, J. Martin, and P. Reiher, "A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms," Technical Report 020018, Computer Science Dept., UCLA, 2002.
[8] M.J. Atallah, M.T. Goodrich, and R. Tamassia, "Indexing Information for Data Forensics," Proc. Int'l Conf. Applied Cryptography and Network Security (ACNS), pp. 206-221, 2005.
[9] J. Lemon, "Resisting SYN Flood DoS Attacks with a SYN Cache," Proc. BSDCON, 2002.
[10] Service Provider Infrastructure Security, "Detecting, Tracing, and Mitigating Network-Wide Anomalies," http:/www. arbornetworks.com , 2005.
[11] Y. Kim, W.C. Lau, M.C. Chuah, and H.J. Chao, "Packetscore: Statisticsbased Overload Control against Distributed Denial-of-Service Attacks," Proc. IEEE INFOCOM, 2004.
[12] F. Kargl, J. Maier, and M. Weber, "Protecting Web Servers from Distributed Denial of Service Attacks," Proc. 10th Int'l Conf. World Wide Web (WWW '01), pp. 514-524, 2001.
[13] L. Ricciulli, P. Lincoln, and P. Kakkar, "TCP SYN Flooding Defense," Proc. Comm. Networks and Distributed Systems Modeling and Simulation Conf. (CNDS), 1999.
[14] D.Z. Du and F.K. Hwang, Pooling Designs: Group Testing in Molecular Biology. World Scientific, 2006.
[15] M.T. Thai, D. MacCallum, P. Deng, and W. Wu, "Decoding Algorithms in Pooling Designs with Inhibitors and Fault Tolerance," Int'l J. Bioinformatics Research and Applications, vol. 3, no. 2, pp. 145-152, 2007.
[16] A.G. Dyachkov, A.J. Macula, D.C. Torney, and P.A. Vilenkin, "Two models of Nonadaptive Group Testing for Designing Screening Experiments," Proc. Sixth Int'l Workshop Model-Oriented Designs and Analysis, pp. 63-75, 2001.
[17] J. Kurose and K. Ross, Computer Networking: A Top Down Approach, fourth ed. Addison-Wesley, July 2007.
[18] Y. Chu and J. Ke, "Mean Response Time for a G/G/1 Queueing System: Simulated Computation," Applied Math. and Computation, vol. 186, no. 1, pp. 772-779, Mar. 2007.
[19] G. Mori and J. Malik, "Recognizing Objects in Adversarial Clutter: Breaking a Visual Captcha," Proc. IEEE Conf. Computer Vision and Pattern Recognition, 2003.
[20] P. Sharma, P. Shah, and S. Bhattacharya, "Mirror Hopping Approach for Selective Denial of Service Prevention," Proc. Int'l Workshop Object-Oriented Real-Time Dependable Systems (WORDS '03), 2003.
[21] V.D. Gligor, "Guaranteeing Access in spite of Distributed Service-Flooding Attacks," Proc. Security Protocols Workshop, 2003.
[22] T.V. Zandt, "How to Fit a Response Time Distribution," Psychonomic Bull. and Rev., vol. 7, no. 3, 2000.
[23] A.G. Dyachkov, V.V. Rykov, and A.M. Rashad, "Superimposed Distance Codes," Problems of Control and Information Theory, vol. 18, pp. 237-250, 1989.
[24] S.M. Khattab, C. Sangpachatanaruk, D. Mosse, R. Melhem, and T. Znati, "Honeypots for Mitigating Service-Level Denial-of-Service Attacks," Proc. Int'l Conf. Distributed Computing Systems (ICDCS '04), 2004.
[25] V. Sekar, N. Duffield, K. van der Merwe, O. Spatscheck, and H. Zhang, "Large-Scale Automated DDoS Detection System," Proc. USENIX Ann. Technical Conf., 2006.
[26] F. Kargl, J. Maier, and M. Weber, "Protecting Web Servers from Distributed Denial of Service Attacks," Proc. World Wide Web Conf., pp. 514-524, 2001.
[27] D. Eppstein, M.T. Goodrich, and D. Hirschberg, "Improved Combinatorial Group Testing Algorithms for Real-World Problem Sizes," Proc. Workshop Algorithms and Data Structures (WADS), pp. 86-98, 2005.

Index Terms:
Application DoS, group testing, network security.
Citation:
Ying Xuan, Incheol Shin, My T. Thai, Taieb Znati, "Detecting Application Denial-of-Service Attacks: A Group-Testing-Based Approach," IEEE Transactions on Parallel and Distributed Systems, vol. 21, no. 8, pp. 1203-1216, Aug. 2010, doi:10.1109/TPDS.2009.147
Usage of this product signifies your acceptance of the Terms of Use.