SlowTrack: detecting slow rate Denial of Service attacks against HTTP with behavioral parameters

Denial of Service (DoS) attacks have evolved from volumetric attacks to target specific applications and can cripple different services with very limited effort. Hypertext Transfer Protocol (HTTP) is vulnerable to a slow rate DoS attack generated through prolonged connections which deliberately send incomplete requests to server. Simple detection methods which use x number of such connections in y time can be easily evaded. In this paper, we present SlowTrack which can detect slow rate DoS attacks against HTTP using a set of behavioral parameters. SlowTrack uses eight behavioral parameters which are validated to be useful in identifying the attack. We correlate these parameters to understand how their values change when attack is launched and subsequently use these observations to propose detection methods. SlowTrack is composed of three detection algorithms which make use of these observations for detecting attacks. We evaluate the detection performance of SlowTarck using experiments done in a testbed and also in a live network to show that these algorithms can detect the slow rate attacks effectively.