Journal of Network and Computer Applications (IF 8.7). Pub Date: 2020-10-31. DOI: 10.1016/j.jnca.2020.102871. Norberto Garcia, Tomas Alcaniz, Aurora González-Vidal, Jorge Bernal Bernabe, Diego Rivera, Antonio Skarmeta
SlowDoS attacks exploit slow transmissions on application-level protocols like HTTP to carry out denial of service against web servers. These attacks are difficult to detect with traditional signature-based intrusion detection approaches, even more so when the HTTP traffic is encrypted. To cope with this challenge, this paper describes an AI-based anomaly detection system for real-time detection of SlowDoS attacks over application-level encrypted traffic. Our system monitors network traffic in real time, analyzing and processing packets and aggregating them into conversation flows, from which it extracts features and statistics that are dynamically analyzed in streaming mode for AI-based anomaly detection. The distributed AI model, running in Apache Spark Streaming, combines clustering analysis for anomaly detection with deep learning techniques to increase detection accuracy in those cases where clustering yields ambiguous probabilities. The proposal has been implemented and validated in a real testbed, showing its feasibility, performance and accuracy for detecting different kinds of SlowDoS attacks over encrypted traffic in real time. The achieved results are close to the optimal precision value, with a success rate of 98%, while the false negative rate stays below 0.5%.
Title: Distributed real-time SlowDoS attack detection over encrypted traffic using artificial intelligence
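The abstract describes the pipeline at a high level: packets are aggregated into conversation flows, per-flow statistics are extracted without looking at payloads (so it works on TLS traffic), a clustering model scores each flow against the "normal" cluster, and ambiguous scores are handed to a second-stage model. The following is an added illustration of that shape and is not the paper's code: the packet records, endpoint addresses, the two features (mean inter-packet gap and mean packet length), the standardised-distance score and the 2.0/4.0 score bands are all constructed here. The paper's feature set and its Spark Streaming and deep-learning components are not reproduced; the second stage is represented only by the "ambiguous" verdict that would be routed to it.

```python
"""Flow aggregation plus a clustering-style anomaly score for SlowDoS detection.

Added example, not the paper's code. All packet metadata below is constructed.
Only timing and size are used, so no decryption of the traffic is required.
"""
from collections import defaultdict
from dataclasses import dataclass
import math
import statistics


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    length: int    # bytes on the wire


def flow_key(p: Packet):
    """Conversation identifier: client endpoint -> server endpoint."""
    return (p.src, p.sport, p.dst, p.dport)


def aggregate_flows(packets):
    """Group packets into per-conversation lists, ordered by capture time."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        flows[flow_key(p)].append(p)
    return dict(flows)


FEATURES = ("mean_gap", "mean_len")


def flow_features(pkts):
    """Per-flow statistics. A SlowDoS client shows long inter-packet gaps and
    tiny packets; a normal client sends its request quickly in large packets."""
    n = len(pkts)
    duration = pkts[-1].ts - pkts[0].ts
    total = sum(p.length for p in pkts)
    return {
        "mean_gap": duration / (n - 1) if n > 1 else 0.0,
        "mean_len": total / n,
    }


def fit_baseline(normal_packets):
    """Centroid and spread of the 'normal' cluster, learned from benign flows."""
    rows = [flow_features(f) for f in aggregate_flows(normal_packets).values()]
    baseline = {}
    for name in FEATURES:
        col = [r[name] for r in rows]
        spread = statistics.stdev(col) if len(col) > 1 else 0.0
        baseline[name] = (statistics.mean(col), max(spread, 1e-9))  # guard zero spread
    return baseline


def anomaly_score(feats, baseline):
    """Standardised Euclidean distance of a flow from the normal-cluster centroid."""
    return math.sqrt(sum(((feats[n] - baseline[n][0]) / baseline[n][1]) ** 2
                         for n in FEATURES))


def verdict(score, low=2.0, high=4.0):
    """Three-way outcome. Scores in the [low, high) band are 'ambiguous' and would
    be passed to a second-stage classifier instead of being decided here."""
    if score < low:
        return "normal"
    if score < high:
        return "ambiguous"
    return "slowdos_suspect"


def classify_flows(packets, baseline):
    """Map each conversation to (rounded score, verdict)."""
    out = {}
    for key, f in aggregate_flows(packets).items():
        score = anomaly_score(flow_features(f), baseline)
        out[key] = (round(score, 2), verdict(score))
    return out


def _client(ip, port, times, lengths):
    # Constructed packets from one client to a hypothetical TLS server 10.0.0.1:443.
    return [Packet(t, ip, port, "10.0.0.1", 443, l) for t, l in zip(times, lengths)]


# Constructed benign training flows: requests complete within ~0.1 s, large packets.
NORMAL = (_client("10.0.0.11", 40001, [0.0, 0.02, 0.04, 0.06], [400, 1200, 1200, 800])
          + _client("10.0.0.12", 40002, [1.0, 1.05, 1.10], [300, 1500, 600])
          + _client("10.0.0.13", 40003, [2.0, 2.01, 2.04, 2.07, 2.10], [500, 1000, 1000, 1000, 500])
          + _client("10.0.0.14", 40004, [3.0, 3.03, 3.06], [700, 1400, 900]))

# Constructed live traffic: an ordinary client, a borderline client, and a
# connection that trickles 8-byte packets every 15 s (the SlowDoS pattern).
LIVE = (_client("10.0.0.21", 41001, [5.0, 5.03, 5.06], [600, 1300, 900])
        + _client("10.0.0.22", 41002, [20.0, 20.06, 20.12], [700, 700, 700])
        + _client("198.51.100.9", 42001, [10, 25, 40, 55, 70], [8, 8, 8, 8, 8]))

BASELINE = fit_baseline(NORMAL)
RESULTS = classify_flows(LIVE, BASELINE)

if __name__ == "__main__":
    for key, (score, label) in RESULTS.items():
        print(f"{key[0]}:{key[1]} -> score={score:>8} {label}")
```

The score bands are the practitioner's tuning knob: a single threshold forces every borderline flow into one bucket, whereas the middle band lets a cheap first stage handle the clear cases and reserves the more expensive model for the few flows it cannot decide, which is the division of labour the abstract describes.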