Detecting latent attack behavior from aggregated Web traffic

Indirect attack mode has been a serious threat to server security due to the covert nature. This paper focuses on a new application-layer indirect attack which exploits the communication mechanism of proxy server to attack the targets. Such type of attacks is not easy to be discovered by most existing defense systems since malicious traffic hides in the aggregated traffic. Moreover, the sources of the attack traffic and normal traffic are indistinguishable, because both of them share the same IP of the last proxy server. In this paper a novel server-side defense scheme is proposed to resist such covert indirect attacks. An improved semi-Markov model is proposed to describe the dynamic behavior process of aggregated traffic. The model includes two stochastic processes. The observable process represents the changes in the appearance features of the observed traffic, while the unobservable process is a semi-Markov chain which represents the underlying time-varying patterns used to generate the outgoing traffic by a proxy server. An algorithm is proposed to estimate the model parameters. An objective function is defined to evaluate the normality of a proxy server’s access behavior. Numerical results based on real traffic demonstrate the performance of the proposed method.