Abstract

Low-rate Distributed Denial-of-Service (low-rate DDoS) attacks are a new challenge to cyberspace, as the attackers send a large number of attack packets that resemble normal traffic in order to throttle legitimate flows. In this paper, we propose a measurement—expectation of packet size—that is based on the distribution difference of the packet size to distinguish two typical low-rate DDoS attacks, the constant attack and the pulsing attack, from legitimate traffic. The experimental results, obtained using a series of real datasets with different times and different tolerance factors, are presented to demonstrate the effectiveness of the proposed measurement. In addition, extensive experiments are performed to show that the proposed measurement can detect low-rate DDoS attacks not only in the short and long terms but also at low and high packet rates. Furthermore, the false-negative rates and the adjudication distance can be adjusted based on the detection sensitivity requirements.

Highlights

  • Distributed Denial-of-Service (DDoS) attacks are a great threat on the Internet

  • Algorithm 1: Low-rate DDoS attack detection using the expectation of packet size

  • We propose a low-rate DDoS attack-detection measurement based on expectation of packet size


Summary

Introduction

Distributed Denial-of-Service (DDoS) attacks are a great threat on the Internet. Traditional DDoS attacks exhaust the bandwidth, CPU power, or memory of the victim host by flooding it with an overwhelming number of packets from thousands of compromised computers (zombies) to deny legitimate flows. A low-rate DDoS attacker exploits the vulnerability of TCP’s congestion-control mechanism by periodically and repeatedly sending bursts of attack packets over short periods of time (pulsing attack) or by continuously launching attack packets at a constant low rate (constant attack). As these attacks reduce the average number of attack packets to avoid being detected by existing detection schemes, it is difficult to distinguish such attacks from legitimate traffic with a large measurable distance gap and a low false-negative rate. (ii) We propose an EPS-based approach to measure the distribution difference of the packet size, and the proposed measurement can distinguish the low-rate DDoS attacks from the legitimate traffic.
