Abstract
Low-rate denial of service (LDoS) attacks send attacking bursts intermittently to the network, which can severely degrade the victim system’s Quality of Service (QoS). The low-rate nature of such attacks complicates attack detection. LDoS attacks repeatedly trigger the congestion control mechanism, which can make TCP traffic extremely unstable. This paper investigates the network traffic’s characteristics: variance and entropy are used to evaluate the TCP traffic’s characteristics, and the ratio of UDP traffic to TCP traffic (UTR) is also analyzed. On this basis, a detection method combining two-step cluster analysis and UTR analysis is proposed. Through two-step cluster analysis, a machine learning algorithm, network traffic is divided into multiple clusters, and the clusters subjected to LDoS attacks are then determined using UTR analysis. An NS2 simulation platform and a test-bed network environment are used to evaluate the detection approach’s performance. To better assess the effectiveness of the method, the public dataset WIDE is also utilized. Experimental results show that the proposed detection approach can accurately detect LDoS attacks.
Highlights
Denial of service (DoS) attack [1, 2] is a common attack vector, which generally seeks to exhaust the limited network resources, resulting in the legitimate users’ requests not being processed
This paper proposes a low-rate denial of service (LDoS) detection method using machine learning, in which two-step cluster analysis is used to evaluate TCP’s characteristics and TCP traffic with similar characteristics is divided into the same cluster
Data points representing the traffic under LDoS attacks are generally distributed in the upper right corner of the feature space, and data points representing the traffic without LDoS attacks are generally distributed in the lower left corner, which is consistent with the analysis of network traffic characteristics in the "Analysis of network traffic characteristics" section
Summary
Denial of service (DoS) attack [1, 2] is a common attack vector, which generally seeks to exhaust the limited network resources, resulting in the legitimate users’ requests not being processed. Aiming to combat DoS attacks, many methods have been proposed, of which a common detection method is based on abnormal statistical characteristics. Another type of DoS attack is the low-rate denial of service (LDoS) attack [10,11,12], which is hard to detect accurately due to its low-rate nature. Many LDoS attacks have emerged, such as Shrew attacks [13], LoRDAS attacks [14], slow DoS attacks (e.g. Slow SlowComm) [15, 16], etc. These attacks share the same characteristic: they do not need to maintain sustained high-speed attack traffic to cause damage. To reduce the TCP’s throughput, the attacker sends packet bursts
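The feature-extraction and clustering pipeline described above, as an added example that is not the paper's own code: each traffic window yields the TCP variance, TCP entropy and UTR, windows are clustered, and the cluster with the higher mean UTR is flagged. The paper's two-step cluster analysis is replaced here by a plain 2-means clustering (an assumption for brevity), and the packet counts are constructed sample data.

```python
import math
from statistics import pvariance

def entropy(counts):
    """Shannon entropy (bits) of how TCP packets spread across a window's sub-slots."""
    total = sum(counts)
    return -sum(c / total * math.log2(c / total) for c in counts if c) if total else 0.0

def window_features(tcp, udp):
    """One traffic window -> (TCP variance, TCP entropy, UTR = UDP/TCP packet ratio)."""
    tcp_total = sum(tcp)
    utr = sum(udp) / tcp_total if tcp_total else float("inf")
    return (pvariance(tcp), entropy(tcp), utr)

def two_means(points, iters=20):
    """Plain 2-means on min-max scaled feature tuples (assumed stand-in for the paper's
    two-step cluster analysis). Returns a cluster label (0 or 1) per point."""
    dims = list(zip(*points))
    lo, hi = [min(d) for d in dims], [max(d) for d in dims]
    scaled = [tuple((v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(p, lo, hi))
              for p in points]
    cents = [min(scaled, key=sum), max(scaled, key=sum)]  # deterministic seeds
    for _ in range(iters):
        labels = [min((0, 1), key=lambda k: math.dist(p, cents[k])) for p in scaled]
        new = []
        for k in (0, 1):
            members = [p for p, lab in zip(scaled, labels) if lab == k] or [cents[k]]
            new.append(tuple(sum(col) / len(members) for col in zip(*members)))
        if new == cents:
            break
        cents = new
    return labels

def detect_ldos(windows):
    """Cluster the windows, then flag the cluster with the higher mean UTR as LDoS-affected."""
    feats = [window_features(t, u) for t, u in windows]
    labels = two_means(feats)
    mean_utr = [sum(f[2] for f, l in zip(feats, labels) if l == k) / max(1, labels.count(k))
                for k in (0, 1)]
    bad = 1 if mean_utr[1] > mean_utr[0] else 0
    return [l == bad for l in labels]

# Constructed sample: packet counts per sub-slot, 10 sub-slots per window.
NORMAL_TCP, NORMAL_UDP = [50, 52, 49, 51, 50, 48, 51, 50, 49, 50], [5, 4, 5, 5, 6, 5, 4, 5, 5, 5]
# Under LDoS: periodic UDP bursts; TCP collapses in burst slots as congestion control fires.
ATTACK_TCP, ATTACK_UDP = [50, 5, 48, 4, 52, 3, 49, 6, 50, 4], [5, 120, 5, 130, 4, 125, 5, 118, 6, 122]
SAMPLE_WINDOWS = [(NORMAL_TCP, NORMAL_UDP), (ATTACK_TCP, ATTACK_UDP), (NORMAL_TCP, NORMAL_UDP),
                  ([49, 50, 51, 50, 52, 49, 50, 51, 48, 50], [5, 5, 4, 6, 5, 5, 5, 4, 5, 5]),
                  ([48, 6, 50, 5, 49, 4, 51, 5, 48, 6], [6, 118, 5, 125, 5, 130, 4, 120, 5, 121])]
```

Calling `detect_ldos(SAMPLE_WINDOWS)` marks the second and fifth windows (high variance, lower entropy, high UTR) as attacked.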