Conference Papers Year : 2018

Fingerprinting Crowd Events in Content Delivery Networks: A Semi-supervised Methodology

Amine Boukhtouta, Makan Pourzandi, Richard Brunner, Stéphane Dault


Crowd events, or flash crowds, are voluminous accesses to media or web assets due to a popular event. Even though crowd event accesses are benign, distinguishing them from Distributed Denial of Service (DDoS) attacks is difficult by nature, as both events look alike. In contrast to the rich literature on how to profile and detect DDoS attacks, the problem of distinguishing benign crowd events from DDoS attacks has not received much interest. In this work, we propose a new approach for profiling crowd events and segregating them from normal accesses. We use a first selection, based on a semi-supervised approach, to segregate normal events from crowd events using the number of requests. We use a density-based clustering algorithm, namely DBSCAN, to label patterns obtained from a time series. We then use a second, more refined selection that uses the resulting clusters to classify the crowd events. To this end, we build an XGBoost classifier to detect crowd events with a high detection rate on the training dataset (99%). We present our initial results of crowd event fingerprinting using 8 days of log data collected from a major Content Delivery Network (CDN) as a driving test. We further prove the validity of our approach by applying our models to unseen data, where abrupt changes in the number of accesses are detected. We show how our models can detect the crowd event with high accuracy. We believe that this approach can further be used in similar CDNs to detect crowd events.
Main file: 470961_1_En_20_Chapter.pdf (1.03 MB)
Origin: Files produced by the author(s)

Dates and versions

hal-01954410 , version 1 (13-12-2018)


Attribution - CC BY 4.0



Amine Boukhtouta, Makan Pourzandi, Richard Brunner, Stéphane Dault. Fingerprinting Crowd Events in Content Delivery Networks: A Semi-supervised Methodology. 32nd IFIP Annual Conference on Data and Applications Security and Privacy (DBSec), Jul 2018, Bergamo, Italy. pp.312-329, ⟨10.1007/978-3-319-95729-6_20⟩. ⟨hal-01954410⟩