Sequence alignment detection of TCP-targeted synchronous low-rate DoS attacks

Abstract

TCP-targeted Low-rate Denial of Service (LDoS) attack launches periodic flows at a sufficiently low average rate that completely spread into large network traffic at the attack end. Hence, LDoS attack traffic has significant periodicity, low transmission rate, and wide distribution. This paper investigates the characteristics of LDoS attacks from a sequence matching perspective. Based on the analysis of sequence similarity between distributed LDoS attack pulses at the victim end, we find that the technique of sequence alignment detection in bioinformatics can be used to detect LDoS attack flows. We presented an approach of LDoS attack detection by using the Smith-Waterman local sequence alignment algorithm that obtaining the similarity score of two sequences. Through this approach, the locally constructed detection sequence is compared with the background flow, especially the three characteristics of the pulse period, length and amplitude of the constructed detection sequence are used as benchmarks to accurately estimate the characteristic parameters of the LDoS attack. A double threshold rule is designed and compared with the calculated maximum similarity score value. Thereby achieving the purpose of detecting an LDoS attack. We build a simulation platform and test-bed to validate the proposed approach. We designed the simulation platform and built the test-bed separately to test and verify the performances of the proposed approach. Experimental results show that this proposed approach has high accuracy and F1 score.