Use this URL to cite or link to this record in EThOS:
Title: Detection of denial of service attacks on application layer protocols
Author: Elmasri, Basil
ISNI:       0000 0004 5347 7275
Awarding Body: University of Surrey
Current Institution: University of Surrey
Date of Award: 2015
Availability of Full Text:
Access from EThOS:
Access from Institution:
This research investigates Denial of Service (DoS) attacks targeting the Internet’s Application Layer protocols, namely Session Initiation Protocol (SIP), and SPDY, the proposed second version of the Hyper Text Transfer Protocol (HTTP 2.0). The attack detection methodology was set using a Statistical Process Control (SPC) technique and Monitoring charts, as well as Cumulative Summation (CUSUM) and Exponential Weighted Moving Average (EWMA). The techniques tackle different possible flooding attacks, typically through monitoring the incoming messages. The system works by sensing sudden changes and detecting abnormal traffic increases alerting for an attack, and then triggering an alarm on the DoS attack. The scenarios are designed for SIP to simulate normal traffic behaviour and attack traffic behaviour; some scenarios were set to have a large ratio of the non-acknowledged requests, and another scenario was set to simulate a slight increase in the ratio. There was a scenario in which its traffic was imported from another SIP related research. In addition, the thesis discusses the results of DoS attacks targeting the SPDY protocol; one scenario is about a large increase in the total number of the sent requests by a user towards a SPDY proxy, and another scenario is set with a slight increase. SPC was tested on all previously mentioned scenarios; they have shown significant results in detecting the attacks, either it was large sudden flooding, or slight low rate DoS flood, as the low rate DoS attacks are very difficult and sometimes impossible to detect. SPC was tested to aim in false attack alarms reduction, as they are also difficult to deal with. These techniques were applied in two approaches: in the first approach, the Offline implementation, the statistical values of the whole observations, the mean and the standard deviation, are found and then applied to the equations. In the second approach, the Online implementation, the statistical values were updated on getting a new observation and immediately applying the SPC equations; there has not been any other research that discussed such an approach. The first approach represents a system with previous knowledge and experience of the ongoing traffic. This reduces the overhead spent in finding the mean and the standard deviation every time a new observation is added to the sequence. The second approach represents a system that is newly starting with no knowledge, or a system which was reset after detecting an attack. Finally, a framework was suggested to effectively employ the previous contributions in detecting the flood of the traffic.
Supervisor: Cruickshank, Haitham; Sun, Zhili Sponsor: Not available
Qualification Name: Thesis (Ph.D.) Qualification Level: Doctoral
EThOS ID:  DOI: Not available