Towards Lightweight and Efficient DDoS Attacks Detection for Web Server

Presented at: 18th International World Wide Web Conference (WWW2009)

by Yang Li, Tian-Bo Lu, Li Guo, Zhi-Hong Tian, Qin-Wu Nie

Webpage: http://www2009.eprints.org/150/1/p1139.pdf

In this poster, building on our previous work on a lightweight DDoS (Distributed Denial-of-Service) attack detection mechanism for web servers that uses TCM-KNN (Transductive Confidence Machines for K-Nearest Neighbors) and genetic-algorithm-based instance selection, we propose a more efficient and effective instance selection method, named E-FCM (Extend Fuzzy C-Means). With this method, we obtain a much lower training time for TCM-KNN while maintaining high detection performance. The optimized mechanism is therefore more suitable for lightweight DDoS attack detection in real network environments.

In our previous work, we proposed an effective anomaly detection method based on the TCM-KNN algorithm to detect DDoS attacks and so protect the QoS of the web server. The method detects network anomalies with a higher detection rate, higher confidence and fewer false positives than traditional methods, because it combines "strangeness" and "p-value" measures to evaluate network traffic, in contrast to conventional detection based on ad-hoc thresholds or on particular definitions. Secondly, we utilize the new objective measurement as the input feature space of TCM-KNN to effectively detect DDoS attacks against the web server. Finally, we introduce a Genetic Algorithm (GA) based instance selection method to boost the real-time detection performance of TCM-KNN and thus make it an effective and lightweight mechanism for DDoS detection for web servers [4, 5]. However, we found that the computational cost of GA is high, which results in a long training time for TCM-KNN.

Keywords: Poster Session


Resource URI on the dog food server: http://data.semanticweb.org/conference/www/2009/paper/150

