HTTP-SoLDiER: An HTTP-flooding attack detection scheme with the large deviation principle

HTTP-flooding attack is a much stealthier distributed denial of service (DDoS) attack, challenging the survivability of the web services seriously. Observing the web access behavior, we find that the surfing preference of normal users is much more consistent with the webpage popularity than that of malicious users. Based on this observation, this paper proposes a novel detection scheme for HTTP-flooding (HTTP-SoLDiER). Specifically, HTTP-SoLDiER first quantifies the consistency between web users surfing preference and the webpage popularity with large-deviation principle. Then HTTP-SoLDiER distinguishes the malicious users from normal ones according to the large-deviation probability. In practice, the webpage popularity plays a key role in attack detection of HTTP-SoLDiER. Due to the never-ending updating of the webpage content and the disturbance induced by attackers, the webpage popularity often varies over time. Thus, it is critical for HTTP-SoLDiER to dynamically update the webpage popularity. We design a reversible exponentially weighted moving average (EWMA) algorithm to solve the problem. Finally, we evaluate the effectiveness of this scheme in terms of true positive (TP) and false positive (FP) probabilities with NS-3 simulations. The simulation results show that HTTP-SoLDiER can detect all random HTTP-flooding attackers and most of the perfect-knowledge HTTP-flooding attackers at little false positive.