A Network Traffic Representation Model for Detecting Application Layer Attacks

Intrusion Detection Systems (IDS) play an important role in network security, protecting systems and infrastructures from malicious attacks. With the emerging of novel threats and offensive mechanisms, IDS require updates in order to efficiently detect new menaces. In this paper we propose an anomaly-based detection model designed for particular application protocols, exploited by emerging menaces known as Slow Denial of Service (DoS) Attacks. We define parameters characterizing network traffic and we describe in detail how to extrapolate them from a network traffic capture. We motivate the need of packet inspection in certain contexts in order to retrieve correct data. We analyze and describe how the proposed model behaves on two real scenarios involving legitimate and malicious activities, respectively. Thanks to our model, a detection framework for attacks working at the application layer of the communication protocol stack is provided, allowing and facilitating the execution of detection algorithms. Indeed, though the adoption of such framework, the design of efficient detection systems is simplified and designers work is reduced, allowing them a faster deploy of efficient detection algorithms. The aim of this paper is to provide an effective framework for application DoS attacks detection.