Abstract

The low-rate denial of service (LDoS) attack is a new threat to Internet security. Because of its low rate and high concealment, an LDoS attack is difficult to detect by analyzing the attack flow directly. Most existing methods primarily analyze network traffic or features of LDoS flows to identify LDoS, but they do not achieve satisfactory results. Building on the observation that TCP flows exhibit distinctive characteristics under LDoS attack, and on the strength of the Shewhart Control Chart in outlier detection, this paper proposes a real-time LDoS attack detection method based on Shewhart Control Chart theory and devises detection criteria based on extensive experiments. This detection method can detect LDoS attacks accurately and effectively.

Keywords: low-rate denial of service, Shewhart Control Chart, detection criteria

I. INTRODUCTION

The denial of service (DoS) attack is one of the main threats to Internet security, and it usually takes the form of distributed denial of service (DDoS). In 2003, Kuzmanovic and Knightly at Rice University proposed a kind of DoS attack called Shrew, and pointed out that merely sending a short pulse periodically may cause TCP flow to decline severely [1]. Afterwards, Luo et al. proposed another kind of DoS named LDoS (low-rate denial of service) [2], based on thorough research on the Shrew attack. In 2005, the LDoS attack was found on the Internet2 Abilene backbone network, so the LDoS attack became a reality [3].

The LDoS attack targets the self-adaptive mechanisms of the network, such as the congestion control mechanism of the TCP protocol and the Active Queue Management (AQM) mechanism on routers. Periodically, within a specific short time interval, the LDoS attacker sends a massive burst of attack packets that causes normal TCP packets to be lost, which repeatedly forces the TCP flow into congestion avoidance and thereby reduces TCP throughput.

The intermittent nature of the LDoS attack keeps the average rate of the attack flow relatively low, makes the attack flow difficult to distinguish from normal data flow, significantly increases the attack efficiency of LDoS, and evades detection and defense more effectively than DDoS. Therefore, most DDoS detection methods cannot work on it.

Currently, many methods are used to detect LDoS, such as spectral diversity [3], wavelet analysis [4], DTW detection [5], HAWK detection [6], Vanguard detection [7], and so on. These methods primarily analyze network traffic or features of the LDoS flow to identify LDoS, but they have shortcomings, such as a high false positive rate, heavy computation and storage requirements, and weak timeliness. The LDoS attack data flow is difficult to detect and analyze directly because of its low rate and high concealment. Building on the observation that TCP flow behaves abnormally under LDoS attack, and on the strength of the Shewhart Control Chart in outlier detection, this paper proposes a real-time LDoS attack detection method based on Shewhart Control Chart theory.

II. R
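The detection idea described above, monitoring the victim TCP flow with a Shewhart Control Chart rather than looking for the attack flow itself, is illustrated below. This is an added example, not the paper's code: the throughput samples are constructed, and the 3-sigma limit rule and 8-sample run rule are standard control-chart rules assumed here, since the paper's own detection criteria do not appear in this excerpt.

```python
from statistics import mean, stdev

# Constructed per-second TCP throughput samples (Mbit/s); not data from the paper.
BASELINE = [9.6, 9.8, 9.5, 9.7, 9.9, 9.6, 9.4, 9.8, 9.7, 9.6, 9.5, 9.8]
# Attack-free start, then collapses as periodic bursts force repeated congestion avoidance.
MONITORED = [9.7, 9.5, 9.8, 9.6, 4.1, 6.3, 3.8, 6.0, 4.2, 6.5, 3.9, 9.6]


def control_limits(baseline, k=3.0):
    """Return (LCL, CL, UCL): center line and k-sigma limits from attack-free samples."""
    cl = mean(baseline)
    sigma = stdev(baseline)  # sample standard deviation of the baseline window
    return cl - k * sigma, cl, cl + k * sigma


def detect(samples, limits, run_length=8):
    """Apply two textbook Shewhart rules and return a list of (index, rule) alarms.

    "limit": a sample falls outside [LCL, UCL].
    "run":   run_length consecutive samples fall below the center line.
    Both rules are assumptions for illustration, not the paper's criteria.
    """
    lcl, cl, ucl = limits
    alarms, below = [], 0
    for i, x in enumerate(samples):
        if x < lcl or x > ucl:
            alarms.append((i, "limit"))
        # Count consecutive samples under the center line; reset on any sample at or above it.
        below = below + 1 if x < cl else 0
        if below == run_length:
            alarms.append((i, "run"))
    return alarms


if __name__ == "__main__":
    limits = control_limits(BASELINE)
    print("LCL=%.2f CL=%.2f UCL=%.2f" % limits)
    for index, rule in detect(MONITORED, limits):
        print(f"t={index}s throughput={MONITORED[index]} Mbit/s rule={rule}")
```

The run rule catches a sustained throughput shift that never crosses the lower limit, which matters when the degradation is mild enough for every individual sample to stay inside the control limits.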
