Application-Layer Ddos Attacks With Multiple Emulation Dictionaries

We consider the problem of identifying the members of a botnet under an application-layer (L7) DDoS attack, where a target site is flooded with a large number of requests that emulate legitimate users' patterns. This challenging problem has been recently addressed with reference to two simplified scenarios, where either all bots pick requests from the same emulation dictionary (total overlap), or they are divided in separate clusters corresponding to distinct emulation dictionaries (no overlap at all). However, over real networks these two extreme conditions are difficult to realize, and the intermediate situation is observed where the emulation patterns of distinct bots belong to partially overlapped dictionaries. This intermediate situation introduces significant sophistication in the bot identification problem. In order to address this issue, we provide an analytical characterization of the pairwise cluster interaction, which is exploited to devise an identification rule to discriminate legitimate users from bots and to identify the individual bot clusters.