The detection of low-rate DoS attacks using the SADBSCAN algorithm

Abstract

Low-rate denial-of-service (DoS) attacks, which can exploit vulnerabilities in Internet protocols to deteriorate the quality of service, are variants of DoS attacks. It is challenging to identify low-rate DoS attacks using traditional DoS defence mechanisms due to their low attack rate and stealthy nature. Most of the existing attack detection techniques are based on statistical analysis and signal processing. They usually show a high false negative rate and are only applicable to small-scale data. We propose a new low-rate DoS attack detection scheme based on the self-adaptive density-based spatial clustering of applications with noise (SADBSCAN) algorithm. The SADBSCAN algorithm provides a solution to adaptively identify clusters in multidensity datasets. We use the SADBSCAN algorithm to group network traffic according to the characteristics of the network traffic subject to low-rate DoS attacks. Then, we use cosine similarity to determine whether the groups contain low-rate DoS attacks. To evaluate performance, we conducted experiments and compared the results with those of other detection solutions. The experimental data include data generated by the NS-2 and TestBed simulations and the WIDE public dataset. The results show that our scheme improves the detection accuracy, reduces the false negative rate, and can be adapted to large-scale complex network environments.