Sorry, you need to enable JavaScript to visit this website.

Application-Layer DDoS Attacks with Multiple Emulation Dictionaries

Primary tabs

Citation Author(s):
Michele Cirillo, Mario Di Mauro, Vincenzo Matta, Marco Tambasco
Submitted by:
Mario Di Mauro
Last updated:
22 June 2021 - 4:28pm
Document Type:
Document Year:
Presenters Name:
Vincenzo Matta
Paper Code:



We consider the problem of identifying the members of a botnet under an application-layer (L7) DDoS attack, where a target site is flooded with a large number of requests that emulate legitimate users’ patterns. This challenging problem has been recently addressed with reference to two simplified scenarios, where either all bots pick requests from the same emulation dictionary (total overlap), or they are divided in separate clusters corresponding to distinct emulation dictionaries (no overlap at all). However, over real networks these two extreme conditions are difficult to realize, and the intermediate situation is observed where the emulation patterns of distinct bots belong to partially overlapped dictionaries. This intermediate situation introduces significant sophistication in the bot identification problem. In order to ad- dress this issue, we provide an analytical characterization of the pairwise cluster interaction, which is exploited to devise an identification rule to discriminate legitimate users from bots and to identify the individual bot clusters.

0 users have voted:

Dataset Files