Agile method for detecting DDoS attacks in the application layer based on user’s dynamism

DDoS attacks are among the most damaging computer attacks of recent times. Attackers send a large number of requests to saturate a victim machine so that it stops serving legitimate users. Attacks are directed at the network layer and at the application layer; the latter has been increasing, mainly because it is easy to execute and hard to detect. The present work proposes a low-cost detection approach consisting of two steps: first, user characteristics are extracted in real time while the user browses the web application; second, each extracted feature is checked in constant time, O(1), to tell a real user from a DDoS attack. A real user is identified by making requests through navigation peripherals (user dynamism), whereas DDoS requests are sent by robots and need no peripheral to be issued; the characteristics of user dynamism are therefore used to detect a DDoS attack. Attack tests with the tools LOIC, OWASP DoS HTTP POST and GoldenEye show that the proposed method reaches a detection rate of 100%, and that the characteristics of the web user allow a real user to be distinguished from a robot.


II. RELATED WORK
The literature review of application-layer DDoS detection methods records nine proposed methods.

The Hidden semi-Markov Model analyses the statistics of the user's search process and access to web objects [4] [5]. However, it has been shown that robots can emulate the search patterns and access statistics recorded in a session [6]. A Counter Mechanism that counts the requests made by a user in a session was implemented to detect attacks [7]; again, robots can reproduce these statistics by mimicking the requests of real users [8]. A Fuzzy Estimator built into a detection mechanism analyses the number of requests, the number of users and the access patterns in order to establish statistics that identify anomalies [9]; attackers have developed robots that imitate the number of requests and users as well as the access patterns [5]. Correlation analysis has also been used, measuring the statistical probability that requests come from the same group of IP addresses [10]; when attackers control a group of computers, they can issue requests from different places and avoid any correlation between the origins of the requests [11].

A support vector machine (SVM) is used to analyse the session statistics of each client and then identify anomalies [12]. The features used are: client strings, client paths, all clients of the domain, client connections, response times, request type and payload of all clients. These features are session statistics that the SVM has to process, which implies a high computational cost and a high consumption of server resources. Prototype systems have also been used, such as the intrusion detection system (IDS) of [13]; it uses statistics of incoming requests such as conversation duration, number of packets, number of bytes, average packet size, TCP window size, average time, percentage of packets and percentage of encrypted packets. Although innovative, it is built in Python as an application dedicated to anomaly detection, and its resource cost is high. The Hellinger metric has also been used for attack detection [14]. Finally, two techniques, Neural Networks and a Genetic Algorithm, use characteristics of the incoming requests (HTTP GET request count, entropy of the requests and variance of the entropy), analysing the entropy and variance of the captured characteristics [14] [15]. It should be noted that these mechanisms rely on features that attackers can easily simulate (web page requested, request count) by using robots that issue requests at the rate of low-speed users.

Table I. Methods and features used by the application-layer DDoS detection mechanisms (rows assembled from the features named above):

Method | Ref. | Features
Hidden semi-Markov Model | [4] [5] | statistics of the search process and access to web objects
Counter Mechanism | [7] | number of requests per user session
Fuzzy Estimator | [9] | number of requests, number of users, access patterns
Correlation analysis | [10] | probability of requests from the same group of IP addresses
Support vector machine | [12] | client strings, client paths, all clients of domain, client connections, response times, request type, payload of all clients
IDS prototype | [13] | conversation duration, number of packets, number of bytes, average packet size, TCP window size, average time, percentage of packets, percentage of encrypted packets
Hellinger metric | [14] | not given in the text
Neural Networks / Genetic Algorithm | [14] [15] | HTTP GET request count, entropy of the requests, variance of the entropy

Table I shows the methods and features used by the DDoS attack detection mechanisms in the application layer. In total nine methods and thirty characteristics are observed. It is also observed that SVM uses the largest number of features, which implies high computational costs. The detection mechanisms [13] and [15] have the highest detection rates, 98.5% and 98.32% respectively. In the first case this is mainly because a system dedicated exclusively to anomaly detection is implemented in Python; in the second, because two data-analysis techniques are merged. In neither case are the characteristics of user dynamism considered.
III. PROPOSED METHOD

In this work we present a low-cost method for detecting DDoS attacks aimed at the application layer. It uses characteristics of the user's dynamism extracted in real time; these characteristics reflect the user's interaction with the system. Figure 1 shows the architecture used to implement the detection method. Requests coming from the Internet enter through the interface of the web application and generate a data bank in which the established connections and the processes performed are recorded. This data bank, generated in the application layer, is analysed by an interaction detector. At the application level the processes generated by the user are recorded (links, resources, forms, etc.), and the detector records the activity between the user and the mouse and keyboard peripherals. The characteristics of Table II are extracted in real time by PHP and JavaScript code and are stored until the user issues the next request. Both the request and the user's characteristics are then sent to the detection algorithm of Figure 1 for evaluation. This algorithm determines whether the request is accompanied by interactions with the system and decides between a real user and a computer attack.

B. User Dynamism
The present work considers the characteristics of the user's dynamism in the computer system. The dynamism of the user arises when the user interacts with the system. In [16] the user's dynamics are described as the interests and preferences of the users. The model of user requests and server responses provides limited knowledge about user behaviour; for a better understanding it is preferable to move to the client side and collect information such as mouse move, click, blur or resize. In [17] it is noted that the next web page a user will open can be predicted from the dynamism of the mouse movement and the direction it takes in the graphical interface. In [18] a technique is proposed to identify users by clustering keystroke dynamics. In [19] keystroke dynamics, the rhythm and manner in which an individual types characters on the keyboard, are used as behavioural biometrics: the keystroke rhythms of a user are measured in terms of time to build a unique biometric template of the user's typing pattern for later authentication. In [20] the characteristics of the mouse were evaluated to distinguish real users from DDoS attacks, confirming that the dynamism of the mouse provides unique characteristics for identifying this type of attack.

C. Characteristics of the User's Dynamism
The characteristics of user behaviour are extracted from the processes between the peripherals used and the interaction with the system. In this work, the dynamism of the user is observed through the actions performed with the mouse and keyboard peripherals. Table II shows the user characteristics that are extracted and used in the proposed DDoS attack detection method. These features are extracted in real time using PHP and JavaScript functions.

Table II. Characteristics of the user's dynamism:

Id | Feature | Description
f1 | Mouse move | The mouse is moved to a location on the screen to perform an action.
f2 | Mouse click | The user presses and releases a mouse button; five types of click event are recorded, among them left click, right click and double left click.
f3 | Mouse highlight | Begins with a left mouse click/hold that starts the highlighting and ends with the mouse release.
f4 | Mouse drag | An object is dragged and dropped; begins with a left mouse click/hold and ends with the mouse release.
f5 | Mouse drop | The dragged object is released (the mouse release that ends the f4 action).
f6 | Mouse scroll | Movement of the wheel or scroll with a net up or down effect; the resultant effect is based on the consecutive wheel or scroll movements.
f7 | Mouse wheel | Same event family as f6 (wheel movement).
f8 | Key press | The user presses a key, or slides on the touch device (finger or stylus).

Figure 2 shows the algorithm used to capture the characteristics of the user's dynamism. The algorithm runs every time the user performs an operation with the mouse or keyboard while interacting with the graphical interface. Each interaction with the mouse or keyboard is registered by a JavaScript function, and the captured characteristics are stored in a register (data bank) to be sent with the next request and checked by the detection algorithm. When a user requests a service, the user is forced to use a peripheral to make the request, so capturing the user's characteristics consists of recording the actions the user performs with the peripherals.

D. Architecture of the detection method
Figure 2. Capture of the user's dynamism features:
1. begin catch
2. when interaction then
3. id = operation
4. if request then
5. submit id
6. end catch

E. Detection and mitigation algorithm
The main idea of the algorithm is to verify, in real time, whether the request made to the system carries any of the characteristics of the web user, and so to differentiate a real user from a computer attack.

Figure 3. Detection and mitigation algorithm:
1. Input request
2. begin verification
3. for i equal 1 to 8
4. if fi stores true then id stored true
5. end verification
6. begin send each request
7. when id stores true then execute query request
8. when id stores false then execute message
9. end send

Figure 3 presents the proposed attack detection algorithm. It uses the characteristics of the web user's dynamism shown in Table II and verifies whether they are active or not: 1) a request is made to the system; 2) the verification of the captured characteristics begins; 3) a loop runs from one to the total number of characteristics used in this work; 4) if the analysed characteristic has been activated, the activation is stored in another variable; 5) the verification of the characteristics of the user's dynamism is completed. 6) For each request the characteristics of the user's dynamism must be verified. 7) When the variable that stores the verification is active, the request is executed. 8) When the variable that stores the verification is inactive, a message is sent that must be answered by the user; otherwise the request is not served. This last step is the mitigation part of the algorithm: requests from attackers are not forwarded to the server.
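The two steps of Figures 2 and 3 together, as an added example that is not the paper's code (the paper's own PHP/JavaScript is not reproduced): a client-side register of the eight Table II features, the server-side loop of Figure 3 with its execute-or-challenge outcome, and a run over constructed requests, including the forged-flag case that Section IV.B says is not ruled out. The event-to-feature mapping, the names InteractionRegister, verifyRequest, FakeTarget and simulate, and the challenge message are assumptions made for illustration.

```javascript
// Added example, not the paper's code: capture step of Figure 2 and the
// verification/mitigation step of Figure 3, using the feature ids of Table II.
// EVENT_TO_FEATURE, InteractionRegister, verifyRequest, FakeTarget and
// simulate are assumptions made for illustration.

// DOM event names mapped onto the eight features f1..f8 of Table II.
const EVENT_TO_FEATURE = {
  mousemove: 'f1',
  click: 'f2', contextmenu: 'f2', dblclick: 'f2', // left, right, double click
  selectstart: 'f3',                              // highlight begins
  dragstart: 'f4', drag: 'f4',
  drop: 'f5',
  scroll: 'f6',
  wheel: 'f7',
  keydown: 'f8',
};
const FEATURE_IDS = ['f1', 'f2', 'f3', 'f4', 'f5', 'f6', 'f7', 'f8'];

// Client side (Figure 2): each peripheral interaction sets its feature flag.
// Flags are held until the next request is submitted, then cleared, so a
// request is only marked as interactive by activity since the previous one.
class InteractionRegister {
  constructor() { this.reset(); }
  reset() {
    this.flags = Object.fromEntries(FEATURE_IDS.map((f) => [f, false]));
  }
  record(eventType) {
    const id = EVENT_TO_FEATURE[eventType];
    if (id) this.flags[id] = true;
  }
  // target is any EventTarget (window or document in a browser).
  listen(target) {
    for (const ev of Object.keys(EVENT_TO_FEATURE)) {
      target.addEventListener(ev, (e) => this.record(e.type));
    }
  }
  // Called when the user triggers a request: returns the flags to send with
  // it (e.g. as a JSON field or request header) and clears them.
  submit(path) {
    const request = { path, features: { ...this.flags } };
    this.reset();
    return request;
  }
}

// Server side (Figure 3): loop over f1..f8; if any flag is true the request
// is executed, otherwise a verification message is returned and the request
// is not forwarded to the application (the mitigation step).
function verifyRequest(request) {
  const features = (request && request.features) || {};
  let id = false;
  for (let i = 1; i <= 8; i++) {
    if (features['f' + i] === true) id = true;
  }
  return id
    ? { action: 'execute', path: request.path }
    : { action: 'challenge', message: 'Please confirm you are a user' };
}

// Minimal stand-in for a browser EventTarget so the example runs in Node.
class FakeTarget {
  constructor() { this.handlers = {}; }
  addEventListener(type, fn) {
    (this.handlers[type] = this.handlers[type] || []).push(fn);
  }
  dispatch(type) {
    (this.handlers[type] || []).forEach((fn) => fn({ type }));
  }
}

// Constructed scenarios: a real user, the same user re-requesting with no new
// interaction, a flood tool that never touches a peripheral, and a bot that
// forges the flags (the spoofing the paper's Section IV.B does not rule out).
function simulate() {
  const page = new FakeTarget();
  const register = new InteractionRegister();
  register.listen(page);

  page.dispatch('mousemove');
  page.dispatch('click');
  const realUser = verifyRequest(register.submit('/menu'));
  const repeat = verifyRequest(register.submit('/menu'));  // flags were cleared
  const floodBot = verifyRequest({ path: '/menu' });        // no features at all
  const spoofBot = verifyRequest({ path: '/menu', features: { f1: true } });

  return { realUser, repeat, floodBot, spoofBot };
}

console.log(simulate());
```

In a browser the register would be attached with register.listen(window) and the returned features sent alongside the request. The spoofBot case is the practical limit of a client-collected signal: the flags are supplied by the client, so a robot that sets them passes the Figure 3 loop unchanged.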

IV. NUMERICAL EXPERIMENTS

A. Experimental Design
To validate the proposed algorithm, the web services of a hotel in the city of Detroit, United States, were considered. The hotel receives 3100 guests annually and offers a restaurant service whose information is hosted on a dedicated server running Linux CentOS with a 4-core processor, 8 GB of memory and 1 TB of disk space. Figure 4 shows the validation environment, which incorporates three levels for the detection of DDoS attacks. The first level is the user interface, where the user interacts with the system by requesting links, videos, graphics, etc. The second level holds the functions that load information for all the applications of the system, including the functions that call the ACF algorithm. The third level is the ADDA algorithm, whose response has two outputs: execute the request made by the user or send a verification message. The server was subjected to a series of simulated attacks to verify the efficiency of the proposed method, and the results were extracted with the same attack tools for later analysis.

B. Simulation of Attacks
To generate DDoS attacks, the LOIC (Low Orbit Ion Cannon) software [21], OWASP DoS HTTP POST [22] and GoldenEye HTTP [23] were used. These tools were selected because they are the most used for generating this type of attack, owing to their simplicity and effectiveness [23]. Several attacks were launched with each tool against the hotel server (the victim) in order to evaluate the attack rate needed to overload it. For each attack the overload values were obtained and then evaluated with the proposed detection algorithm. Table III shows the tools used to simulate the attack on the web system, the number of requests generated and the time the system took to become overloaded. The results in Table III show that the attacks generated by LOIC, OWASP and GoldenEye take about two minutes to overload the system, making resources and services inaccessible to real users, and that the number of requests needed to overload the system varies between 4000 and 5300. Table IV shows the results obtained with the proposed detection method: 100% of the attacks generated by the tools were detected, the detection time was on average 60 milliseconds, and the same numbers of requests were used as in the attack simulations. It should be noted that there is no dataset of application-layer DDoS attacks available for such tests, and that the works with the highest detection rate in the application layer, [13] and [15], do not report the tools used to evaluate their methods. Table IV therefore shows that the detection mechanism built on the web user's dynamism features is effective, with a 100% detection rate for the three attack-generation tools and a detection time of around 60 milliseconds. These results support detection through the user's interaction with the system by means of the peripherals used.
It should be mentioned that as detection mechanisms improve, attackers also improve their strategies. The feature values evaluated in this work are collected in the browser and sent with the request, so a robot that reproduces them would pass the verification; the possibility that these inputs are supplanted is therefore not ruled out.

C. Results
V. CONCLUSION

This paper presents an agile and effective detection mechanism for DDoS attacks in the application layer based on the characteristics of the web user's dynamism. The mechanism employs eight characteristics of user behaviour that have not been used in any similar work. In the tests reported here, detection using these characteristics reached 100% effectiveness, which shows the influence of the characteristics that identify a user interacting with the system. The tests on a real-time platform with the attack tools LOIC, OWASP and GoldenEye allowed the algorithm to be evaluated in a simulated attack environment, and these simulations verified that the algorithm holds up when processing large numbers of requests.