A Flash Crowd Attack (FCA) is a type of distributed denial-of-service (DDoS) attack that floods an application server with requests generated by bots. Its name originates from a legitimate phenomenon, known as a "flash crowd", where many users access a server because of some popular event. Attackers mimic this by deploying a large, distributed bot network that generates legitimate application requests and overwhelms the application server. Flash-crowd attacks are extremely challenging because the bots request legitimate content, and do so at a slow rate to avoid detection. These features make existing defense approaches, such as rate-based detection and malicious-content-based detection, ineffective against Flash Crowd Attacks.
FRADE is a defense scheme that mitigates Flash Crowd Attacks by distinguishing humans from bots. The goal of FRADE is to raise the bar for the number of bots needed for a successful Flash Crowd Attack. FRADE achieves this through three novel approaches that model human behaviour to distinguish human users from flash-crowd bots.
The dynamic model captures the dynamics of requests sent to the application server using multiple parameters, and detects bot aggressiveness. A user's interaction with a web server is observed as a time series of requests. Based on the request inter-arrival times, a user's interaction is grouped into four session types: searching, browsing, long, and relaxed; parameters are evaluated for each of these session types. These parameters are evaluated for all users' interactions and used as input to a decision tree in the learning process. After the learning process, the dynamic model is capable of distinguishing human users from attacker bots.
Web pages have an abundance of links whose content is poorly related to the page's main topic, such as a copyright notice. Humans rarely follow unrelated links, and human interests tend to coincide, making a few links on a page popular. A random-browsing bot cannot repeatedly hit popular links because they are a minority of all the links on a server's pages, resulting in low-probability request sequences. Humans, on the other hand, mostly access popular and related links, resulting in higher-probability request sequences. Bots can hard-code the popular links, but this will result in repetitions and will face detection.
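The request-sequence scoring described above can be sketched as follows. This is an added example, not FRADE's own code: it assumes a first-order page-transition model with add-alpha smoothing and a simple threshold rule, and the page names and sessions are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample data (hypothetical page names, not from FRADE).
HUMAN_SESSIONS = [
    ["/", "/news", "/news/story1", "/news/story2"],
    ["/", "/news", "/news/story1"],
    ["/", "/products", "/products/a"],
    ["/", "/news", "/news/story2", "/news/story1"],
]
ALL_PAGES = ["/", "/news", "/news/story1", "/news/story2", "/products",
             "/products/a", "/copyright", "/terms", "/sitemap", "/privacy"]
# A random-browsing client that wanders through rarely followed links.
BOT_SESSION = ["/", "/copyright", "/sitemap", "/terms", "/privacy"]

def train(sessions):
    """Count page-to-page transitions observed in human sessions."""
    counts = defaultdict(lambda: defaultdict(int))
    for session in sessions:
        for src, dst in zip(session, session[1:]):
            counts[src][dst] += 1
    return counts

def avg_log_prob(counts, session, pages=ALL_PAGES, alpha=0.1):
    """Mean log-probability per transition. Add-alpha smoothing (an
    assumption) keeps unseen transitions at a small non-zero probability."""
    if len(session) < 2:
        return 0.0
    total = 0.0
    for src, dst in zip(session, session[1:]):
        row = counts.get(src, {})
        denom = sum(row.values()) + alpha * len(pages)
        total += math.log((row.get(dst, 0) + alpha) / denom)
    return total / (len(session) - 1)

def threshold_from_training(counts, sessions, margin=1.0):
    """Assumed cut-off: the lowest human training score minus a margin."""
    return min(avg_log_prob(counts, s) for s in sessions) - margin

def is_low_probability(counts, session, threshold):
    """True when the session's score falls below the cut-off."""
    return avg_log_prob(counts, session) < threshold

if __name__ == "__main__":
    model = train(HUMAN_SESSIONS)
    cutoff = threshold_from_training(model, HUMAN_SESSIONS)
    for name, s in [("bot", BOT_SESSION), ("human", ["/", "/news", "/news/story2"])]:
        print(name, round(avg_log_prob(model, s), 3), is_low_probability(model, s, cutoff))
```

A client that replays only the popular links would score well here; catching it relies on the repetition the paragraph mentions, which this sketch does not model.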
This model detects bots by embedding objects with hyperlinks into server replies in an invisible manner, so that the probability of a human clicking these links is very low and the probability of a random-browsing bot clicking them is high. To make the embedded objects invisible, we employ several techniques, for example: placing embedded objects beneath the front layer, embedding very small images around the corner of a bigger image with the same background colors, and placing the embedded objects in areas where users rarely click (for example, the bottom right corner of the screen).
FRADE is in active development, and its beta release will be available soon.