Detection of HTTP-GET Attack with Clustering and Information Theoretic Measurements

Pawel Chwalinski, Roman Belavkin and Xiaochun Cheng (Middlesex University, London, UK)

One of the attacks observed against HTTP protocol is HTTP-GET attack using sequences of requests to limit accessibility of web-servers. This attack has been researched in this report, and a novel clustering technique has been developed to tackle it. In general, the technique uses entropy-based clustering and application of information theoretical measurements to distinguish among legitimate and attacking sequences. It has been presented that the introduced method allows for formation of recent patterns of behaviours observed at a web-server, that remain unknown for the attackers. Subsequently, statistical and information theoretical metrics are introduced to measure difference between a sequence of requests, and legitimate patterns of behaviour. The method recognises more than 80% of legitimate and attacking sequences, regardless of strategies chosen by attackers. This result is rea sonably good, comparing to other techniques that do not rely on the instances of known attacks.

FPS 2012 Program