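Basic Thesis Information

Document type
Thesis
Author information

김진 (Chungbuk National University, Graduate School of Chungbuk National University)

Advisor
오창석
Year of publication
2013
Copyright
Theses of Chungbuk National University are protected by copyright.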


Abstract · Keywords

The recent trend in DDoS attacks is a shift from the lower layers to paralyzing the application layer with a small amount of traffic. The attack pattern is very similar to normal user traffic, even though the number of attacking IP addresses is increasing. The representative attack technique is GET flooding, which interrupts web services: after the TCP connection phase, a large number of GET requests for dynamic content that invokes the database on the web server creates session load between the web server and the DB server. Similar attack types are CC, circle-CC, Slowloris and RUDY.
As attacks shift to these new patterns, various research on application-layer DDoS attacks is under way. Representative approaches are: a detection method that uses a list of user IPs, exploiting the characteristic that, depending on the web service's pattern, the same users access it repeatedly; a method that allocates relatively few resources to suspicious IPs by analyzing pattern information about the web service; a method that distinguishes a temporary surge of requests from a DDoS attack by referring to the URL distribution; and a threshold-based method on HTTP PPS.
However, the detection method that uses a list of user IPs may block new IPs or IPs that appear infrequently, and has no countermeasure against attacks originating from the infected PC of a frequently accessing user. Allocating relatively few resources to suspicious IPs does not fundamentally block attackers, and the threshold-based method on HTTP PPS is not effective against GET flooding attacks that generate a relatively small amount of traffic. Statistical detection methods such as entropy and the chi-square test rest on detecting when a variable's value exceeds a threshold for normal traffic. Attacks that resemble normal traffic therefore cannot be detected.
To detect GET flooding attacks effectively, this thesis proposes normalizing search rules into a tree structure that traces the links among web pages and, to detect them rapidly, building a search rule table by learning normal web page accesses based on those rules. Using the collected table of normal search rules, a session tree is constructed for each IP accessing a specific site and its search route is tracked; attacks are then detected by comparing repeated requests for dynamic content against the attack characteristics of GET flooding. Dual trend analysis is adopted for intelligent attacks that evade the detection of abnormal route access. The final attack IPs are detected by reference to a confidence interval based on the cost values stored in the IP session tree table.
To verify the proposed IP session tree-based DDoS detection method, experiments were performed on Nocache GET flooding, CC attack and HTTP GET nothing, using the BackTrack attack tool. Detection and blocking of the attacks began 4 minutes after the attack started, and blocking was completed 9 minutes and 14 seconds after the attack started. An improvement in the occupation rate was confirmed. In the experiment on detecting intelligent GET flooding attacks with dual trend analysis, the average detection rate was 92.51% when a 99% confidence interval was applied, verifying that the proposed method is specialized for detecting GET flooding-type DDoS attacks.

Because DDoS attacks are gradually evolving into more intelligent and modified forms, responding to the full variety of attacks is expected to be difficult. To improve the performance of the proposed method, further studies should follow on techniques for constructing the link tree among web pages and on methods for computing the total cost of static and dynamic content per IP session.

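Table of Contents

Ⅰ. Introduction
Ⅱ. GET Flooding Attack Techniques
2.1 Analysis of GET Flooding Attack Techniques
2.2 Case Analysis of GET Flooding Attack Detection Algorithms
2.3 Problems with Existing Detection Techniques
Ⅲ. Proposed GET Flooding Attack Detection Technique
3.1 GET Flooding Attack Detection Model
3.2 Analysis Using the IP Session Tree
3.3 Dual Trend Analysis
3.4 Final Attack Blocking by Confidence Interval
Ⅳ. Experiments and Discussion of Results
4.1 Experiments
4.2 Discussion of Results
Ⅴ. Conclusion
References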
