University of Surrey


Detection of denial of service attacks on application layer protocols.

Elmasri, Basil (2015) Detection of denial of service attacks on application layer protocols. Doctoral thesis, University of Surrey.

Detection of Denial Of Service Attacks on Application Layer Protocol.docx - Thesis (version of record)
Available under License Creative Commons Attribution Non-commercial Share Alike.

Detection of Denial Of Service Attacks on Application Layer Protocol.pdf - Thesis (version of record)
Available under License Creative Commons Attribution Non-commercial Share Alike.

2014_08_13_Author_Deposit_Agreement-Basil Elmasri.docx - Thesis (version of record)
Available under License Creative Commons Attribution Non-commercial Share Alike.


Abstract

This research investigates Denial of Service (DoS) attacks targeting the Internet’s Application Layer protocols, namely the Session Initiation Protocol (SIP) and SPDY, the proposed second version of the Hyper Text Transfer Protocol (HTTP 2.0). The attack detection methodology was set using a Statistical Process Control (SPC) technique and monitoring charts, as well as Cumulative Summation (CUSUM) and Exponential Weighted Moving Average (EWMA). The techniques tackle different possible flooding attacks, typically by monitoring the incoming messages. The system works by sensing sudden changes and detecting abnormal traffic increases that indicate an attack, and then triggering an alarm on the DoS attack. The scenarios designed for SIP simulate normal traffic behaviour and attack traffic behaviour; some scenarios were set to have a large ratio of non-acknowledged requests, and another scenario was set to simulate a slight increase in the ratio. In one further scenario, the traffic was imported from other SIP-related research. In addition, the thesis discusses the results of DoS attacks targeting the SPDY protocol; one scenario involves a large increase in the total number of requests sent by a user towards a SPDY proxy, and another scenario is set with a slight increase. SPC was tested on all of the previously mentioned scenarios; it showed significant results in detecting the attacks, whether a large sudden flood or a slight low-rate DoS flood, given that low-rate DoS attacks are very difficult and sometimes impossible to detect. SPC was also tested with the aim of reducing false attack alarms, as they are also difficult to deal with. These techniques were applied in two approaches: in the first approach, the Offline implementation, the statistical values of the whole set of observations, the mean and the standard deviation, are found and then applied to the equations.
In the second approach, the Online implementation, the statistical values were updated on receiving each new observation and the SPC equations were applied immediately; there has not been any other research that discussed such an approach. The first approach represents a system with previous knowledge and experience of the ongoing traffic. This reduces the overhead spent in finding the mean and the standard deviation every time a new observation is added to the sequence. The second approach represents a system that is newly starting with no knowledge, or a system which was reset after detecting an attack. Finally, a framework was suggested to effectively employ the previous contributions in detecting the flood of the traffic.

Key words: DoS, SIP, SPDY, HTTP, SPC, CUSUM, EWMA, traffic behaviour.
Email: b.elmasri@surrey.ac.uk
WWW: http://www.surrey.ac.uk/

Item Type: Thesis (Doctoral)
Divisions : Theses
Authors : Elmasri, Basil (Email: basil.elmasri@yahoo.com; ORCID: UNSPECIFIED)
Date : 29 May 2015
Funders : Prof. Khader Elmasri
Contributors :
Thesis supervisor: Cruickshank, Haitham (Email: h.cruickshank@surrey.ac.uk; ORCID: UNSPECIFIED)
Thesis supervisor: Sun, Zhili (Email: z.sun@surrey.ac.uk; ORCID: UNSPECIFIED)
Depositing User : Basil Elmasri
Date Deposited : 02 Jun 2015 08:38
Last Modified : 02 Jun 2015 08:38
URI: http://epubs.surrey.ac.uk/id/eprint/807702


© The University of Surrey, Guildford, Surrey, GU2 7XH, United Kingdom.
+44 (0)1483 300800