Developing information technology for evaluating and enhancing application-layer DDoS attack detection methods

Arkadii Kravchuk, Mykola Onai

Abstract


The subject matter of this article is methods for detecting distributed denial-of-service (DDoS) attacks at the Hypertext Transfer Protocol (HTTP) level, with the purpose of justifying the requirements for software capable of identifying malicious web server clients. The goal of this article is to develop an information technology for evaluating the efficiency of DDoS attack detection methods, which quantifies their operating time, memory consumption, and approximate classification accuracy. In addition, this paper proposes hypotheses and a potential approach for improving existing application-layer DDoS attack detection methods with the intention of increasing their accuracy and identification speed. The tasks of this study are as follows: to analyse modern methods for detecting application-layer DDoS attacks; to investigate their features and shortcomings; to develop a software system for assessing DDoS attack detection methods; to implement these methods programmatically and experimentally measure their performance indicators, specifically classification accuracy, operating time, and memory usage; to compare the efficiency of the investigated methods; and to formulate hypotheses and propose an approach for improving existing methods and/or developing new methods based on the results obtained. The methods employed are abstraction, analysis, a systematic approach, and empirical research. In particular, the datasets generated by DDoS utilities were balanced using the synthetic minority oversampling technique (SMOTE). Furthermore, the studied DDoS attack detection methods were implemented, including fitting the required parameters and training artificial neural network models for evaluation. The following results were obtained. The average classification accuracy, operating time, and random-access memory (RAM) consumption during Internet traffic classification were determined for six DDoS attack detection methods under the same conditions.
This study has demonstrated that a novel method for detecting DDoS attacks at the HTTP level with enhanced accuracy and classification speed is strongly needed. The experimental results show that the time series-based method exhibited the shortest operating time (1.33 ms for 5000 vectors), whereas the deep neural network-based method exhibited the highest average classification accuracy (ranging from 99.07% to 99.97%) and the lowest memory consumption (39.09 KB for 5000 vectors). Conclusions. In this study, a software system was developed to assess the average accuracy of DDoS attack classification methods and to measure the computational resources they use. The scientific novelty of the obtained results lies in the formulation of two hypotheses and a potential approach to creating a novel method for detecting DDoS attacks at the HTTP level that has both high classification accuracy and a short operating time, surpassing the previously studied analogues in these respects. The first hypothesis is based on the additional use of HTTP request attributes during Internet traffic classification. The second hypothesis is to analyse a graph of user transitions between website pages. The article also briefly describes a potential approach that implements these hypotheses, as well as a proposed software architecture for an application-layer DDoS attack detection system on the Kubernetes platform with the Istio framework, which addresses the issue of collecting web request parameter values for websites that use the cryptographically secured HTTPS protocol.
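As an added illustration (not the authors' software, which evaluated six methods on SMOTE-balanced datasets produced by DDoS utilities), the second hypothesis combined with the evaluation harness: a transition graph of legitimate page navigation is learned from constructed sessions on a hypothetical site, each client session is scored by the share of its page transitions absent from that graph, and the same three indicators the article records per method (accuracy, operating time, memory) are measured for a labelled batch. All paths, addresses and the 0.5 threshold are constructed assumptions.

```python
import time
import tracemalloc
from collections import defaultdict

# Constructed sessions for a hypothetical shop site: client -> ordered page requests.
LEGIT_SESSIONS = {
    "10.0.0.1": ["/", "/catalog", "/item/7", "/cart", "/checkout"],
    "10.0.0.2": ["/", "/catalog", "/item/3", "/cart"],
    "10.0.0.3": ["/", "/login", "/account", "/catalog", "/item/7"],
}

def normalise(path):
    # Collapse per-item paths so /item/7 and /item/3 become one graph node.
    return "/item/*" if path.startswith("/item/") else path

def build_transition_model(sessions):
    """Transition graph of legitimate browsing: P(next page | current page)."""
    counts = defaultdict(lambda: defaultdict(int))
    for pages in sessions.values():
        nodes = [normalise(p) for p in pages]
        for src, dst in zip(nodes, nodes[1:]):
            counts[src][dst] += 1
    return {src: {dst: n / sum(nbrs.values()) for dst, n in nbrs.items()}
            for src, nbrs in counts.items()}

def session_score(model, pages):
    """Fraction of a session's page transitions that never occur in the model."""
    nodes = [normalise(p) for p in pages]
    edges = list(zip(nodes, nodes[1:]))
    if not edges:
        return 0.0
    unseen = sum(1 for src, dst in edges if model.get(src, {}).get(dst, 0.0) == 0.0)
    return unseen / len(edges)

def classify(model, pages, threshold=0.5):
    """True when the session looks like an attack (mostly unseen transitions)."""
    return session_score(model, pages) >= threshold

def evaluate(model, labelled, threshold=0.5):
    """Accuracy, operating time (ms) and peak allocation (KB) for one labelled batch."""
    tracemalloc.start()
    started = time.perf_counter()
    correct = sum(classify(model, pages, threshold) == is_attack
                  for pages, is_attack in labelled)
    elapsed_ms = (time.perf_counter() - started) * 1000
    _, peak = tracemalloc.get_traced_memory()
    tracemalloc.stop()
    return {"accuracy": correct / len(labelled), "time_ms": elapsed_ms, "peak_kb": peak / 1024}
```

A session that hammers a single heavy endpoint or walks pages in an order no real visitor follows scores near 1.0, while a normal session with one novel transition stays below the threshold.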

Keywords


DDoS; DDoS attack detection; network traffic analysis; information security; AL-DDoS; HTTP; cryptography; software system; Kubernetes; Istio




DOI: https://doi.org/10.32620/reks.2024.3.09
