Abstract

Low-rate denial of service (LDoS) attacks reduce the quality of network service by sending periodic packet bursts to bottleneck routers. They are difficult for counter-DoS mechanisms to detect because of their stealthy behavior and low average attack traffic. In this paper, we propose an anomaly detection method based on adaptive fusion of multiple features (MAF-ADM) for LDoS attacks. This study is based on the fact that the time-frequency joint distribution of legitimate transmission control protocol (TCP) traffic changes under LDoS attacks. Several statistical metrics of the time-frequency joint distribution are chosen to generate isolation trees, which can simultaneously reflect anomalies in the time domain and the frequency domain. We then calculate an anomaly score by fusing the results of all isolation trees according to their ability to isolate samples containing LDoS attacks. Finally, the anomaly score is smoothed by a weighted moving average algorithm to avoid errors caused by noise in the network. Experimental results on Network Simulator 2 (NS2), a testbed, and public datasets (WIDE2018 and LBNL) demonstrate that this method detects LDoS attacks effectively with a lower false negative rate.
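The pipeline the abstract describes (per-window time and frequency features, isolation trees, weighted fusion, weighted moving average), as an added example that is not the paper's MAF-ADM code. Assumptions: the two features, the one-dimensional trees with a simplified normalisation, the weighting rule, the window sizes, all function names, and the constructed traffic.

```python
import cmath, math, random

def features(window):
    """Time-domain variance and share of spectral energy in the strongest bin."""
    n, mean = len(window), sum(window) / len(window)
    var = sum((x - mean) ** 2 for x in window) / n
    energy = [abs(sum((x - mean) * cmath.exp(-2j * math.pi * k * t / n)
                      for t, x in enumerate(window))) ** 2
              for k in range(1, n // 2 + 1)]
    return var, max(energy) / (sum(energy) or 1.0)

def iso_score(x, values, rng, trees=200, sample=16):
    """1-D isolation score: the fewer random cuts isolate x, the closer to 1."""
    def depth(vals, d=0):
        if len(vals) <= 1 or d >= 10 or min(vals) == max(vals):
            return d
        cut = rng.uniform(min(vals), max(vals))
        return depth([v for v in vals if (v < cut) == (x < cut)], d + 1)
    mean_depth = sum(depth(rng.sample(values, sample)) for _ in range(trees)) / trees
    return 2 ** (-mean_depth / math.log2(sample))  # simplified normalisation

def detect(windows, labelled_attack, seed=7):
    """Per-feature isolation scores, fused by weight, then smoothed."""
    rng = random.Random(seed)
    columns = [list(c) for c in zip(*(features(w) for w in windows))]
    scores = [[iso_score(x, col, rng) for x in col] for col in columns]
    # Assumption: a feature's weight is its share of the score it gives to
    # windows already labelled as attack (how well it isolates them).
    raw = [sum(s[i] for i in labelled_attack) for s in scores]
    fused = [sum(r / sum(raw) * s[i] for r, s in zip(raw, scores))
             for i in range(len(windows))]
    smooth = []  # weighted moving average, newest window weighs most
    for i in range(len(fused)):
        recent = fused[max(0, i - 2): i + 1]
        wts = (1, 2, 3)[-len(recent):]
        smooth.append(sum(a * b for a, b in zip(wts, recent)) / sum(wts))
    return smooth

def constructed_traffic(seed=1, n_windows=60, attack=range(40, 46)):
    """Constructed TCP throughput; attack windows oscillate with period 8."""
    rng = random.Random(seed)
    rows = [[100 + rng.gauss(0, 5) for _ in range(32)] for _ in range(n_windows)]
    return [[x - 80 if w in attack and t % 8 < 4 else x for t, x in enumerate(r)]
            for w, r in enumerate(rows)]

if __name__ == "__main__":
    for i, s in enumerate(detect(constructed_traffic(), labelled_attack=[40, 41])):
        print(i, round(s, 3), "attack" if 40 <= i < 46 else "")
```

The smoothed score stays elevated for the two windows after the constructed attack ends, which is the lag the moving average trades for damping single noisy windows.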

Highlights

  • Denial of service (DoS) attacks have always been the main threats to network security [1]. In February 2019, the website of the Philippine National Association of Journalists suffered a DoS attack and was closed for 12 h.

  • Neha et al. [2] proposed an algorithm for detecting and filtering low-rate denial of service (LDoS) attack streams in the frequency domain

  • We analyzed that the statistic attributes of transmission control protocol (TCP) traffic in the time-frequency joint domain would be changed under LDoS attacks


Summary

Introduction

Denial of service (DoS) attacks have always been the main threats to network security [1]. In February 2019, the website of the Philippine National Association of Journalists suffered a DoS attack and was closed for 12 h. Nowadays cloud computing [2], software defined networks [3,4], and wireless sensor networks [5,6] are widely applied. The development of these technologies makes the current network structure, which has higher node density, larger scale and limited resources, more vulnerable to DoS attacks [7,8,9]. This situation is even worse when more and more variants of DoS attacks arise [10,11]. An LDoS attack sends periodic packet bursts to attack legitimate flows by exploiting the vulnerability of the transmission control protocol (TCP) adaptive mechanism [12].
