查看文章

In a Distributed Denial of Service (DDoS) attack, a network (botnet) of dispersed agents (bots) sends requests to a website to saturate its resources. Since the requests are sent by automata, the typical way to detect them is to look for some repetition pattern or commonalities between requests of the same user or from different users. For this reason, recent DDoS variants exploit communication layers that offer broader possibility in terms of admissible request patterns, such as, e.g., the application layer. In this case, the malicious agents can pick legitimate messages from an emulation dictionary, and each individual agent sends a relatively low number of admissible requests, so as to make its activity non suspicious. This problem has been recently addressed under the assumption that all the members of the botnet use the same emulation dictionary. This situation is an idealization of what occurs in practice, since …