Low-Rate DoS Attacks Detection Based on Network Multifractal

Abstract

Low-rate denial of service (LDoS) attacks send periodic pulse sequences with relative low rate to form aggregation flows at the victim end. LDoS attack flows have the characteristics of low average rate and great concealment. It is hard to detect LDoS attack flows from normal traffic due to low rate property. Network traffic measurement shows that aggregate network traffic is multifractal. In order to characterize and analyze network traffic, researchers have developed concise mathematical models to explore complex multifractal structure. Although the LDoS attack flows are very small, it will inevitably lead to the change of multifractal characteristics of network traffic. This paper targets at exploiting and estimating the changes in multifractal characteristics of network traffic for detecting LDoS attack flows. The algorithm of multifractal detrended fluctuation analysis (MF-DFA) is used to explore the change in terms of multifractal characteristics over a small scale of network traffic due to LDoS attacks. Through wavelet analysis, the singularity and bursty of network traffic under LDoS attacks are estimated by using Holder exponent. The difference values (D-value) of Holder exponent of network traffic between normal and under LDoS attack situations are calculated. The D-value is used as the basis to determine LDoS attacks. A detection threshold is set based on the statistical results. The presence of LDoS attacks can be confirmed through comparing D-value with detection threshold. Experiments on detection performance have been performed in the test-bed network and simulation platform. The extensive experimental results are congruent with the theoretical analysis.