Jaafar, Abdul Ghafar (2020) Enhanced hypertext transfer protocol distributed denial of service detection scheme with get headers adoption. PhD thesis, Universiti Teknologi Malaysia.
Official URL: http://dms.library.utm.my:8080/vital/access/manage...
Abstract
A transaction between a user and a web server involves several layers, known as the Open Systems Interconnection (OSI) layers. The application layer is the highest layer and is vulnerable to manipulation by attackers who execute Hypertext Transfer Protocol Distributed Denial of Service (HTTP DDoS) attacks. Because the request headers are forged, this manipulation causes HTTP DDoS traffic to appear legitimate, which makes it difficult to recognize. The attack produces various patterns, which leaves current detection unable to recognize HTTP DDoS attacks. The approaches adopted by prior studies thus far were unable to accurately detect malicious GET requests, resulting in attack traffic being predicted as genuine. Besides, the current approach is unable to detect HTTP DDoS attacks through proxies and forged request queries. The purpose of this research is to enhance the detection schemes for HTTP DDoS attacks. To achieve this purpose, a three-phased research methodology has been structured. The first phase is literature and problem analysis, the second phase is design and implementation, and the third phase is verification and validation. The research objectives outlined in this research align with the research methodology. The first objective is to improve the HTTP DDoS detection framework by adopting new components and appending new attributes to the existing component. The next objective is to enhance and develop detection algorithms through the adoption of GET headers and web browser attributes. The third objective is to improve the True Positive rate and True Negative rate and to decrease the False Positive rate and False Negative rate in detecting HTTP DDoS attacks. The enhanced detection scheme comprises a detection framework made up of several components that indicate the detection flow and the algorithms involved in recognizing HTTP DDoS attacks.
The detection framework was constructed to perform a sequential inspection that detects the different attack patterns produced by HTTP DDoS attacks. The source inspection algorithm was developed to improve the identification of the source initiator by adopting web browser attributes. The request headers inspection was devised to improve the detection of the authenticity of HTTP request traffic by checking for the existence of GET headers. The request query inspection was designed to detect any forged query by taking the query attached during a GET request transaction and comparing it with the detection rules and database. The proxy inspection was built to detect HTTP DDoS attacks executed through a proxy by utilizing the proxy GET headers involved during GET requests. Experimental results show an improvement of 19.72% in the True Positive rate and 1.00% in the True Negative rate, with a reduction of 19.72% in the False Negative rate and 1.00% in the False Positive rate, using the detection algorithms. In conclusion, this research has enhanced the proposed detection framework, introduced three new detection algorithms and modified one detection algorithm, contributing to the body of knowledge in network and security in detecting DDoS attacks executed at the application layer.
Item Type: | Thesis (PhD) |
---|---|
Subjects: | T Technology > TK Electrical engineering. Electronics Nuclear engineering; T Technology > TK Electrical engineering. Electronics Nuclear engineering > TK5101-6720 Telecommunication |
Divisions: | Razak School of Engineering and Advanced Technology |
ID Code: | 106935 |
Deposited By: | MOHAMAD ALIF BIN MOHAMAD DESA |
Deposited On: | 15 Aug 2024 09:28 |
Last Modified: | 15 Aug 2024 09:28 |