LDoS Attack Research Articles

EXCLF: A LDoS attack detection & mitigation model based on programmable data plane

The SDN architecture decouples control plane from data plane, making it more susceptible to various abnormal traffic and network attacks, with LDoS attack being one of them. LDoS attackers periodically send short-duration pulses with high rate to bottleneck links to preempt legitimate TCP traffic bandwidth, severely disrupting the transmission of TCP traffic. Current researches on LDoS attacks are mostly implemented in SDN environments, making them exhibit poor portability during deployment and unavoidable time delays. This paper proposes EXCLF, a LDoS attack detection and mitigation model fully deployed on programmable data plane. To identify LDoS attacks, the model gathers features of the traffic going through the switch and feeds them into a decision tree. Once LDoS attack happens, the model collects data at flow level to pinpoint the attacker and initiates corresponding mitigation measures. Extensive experiments were conducted to evaluate the proposed model, and the results indicate that EXCLF achieves a correct rate of 96.39%, with false positive and false negative rates both below 3%. Additionally, the model demonstrates low detection latency and can quickly respond to attacks. The model proves to be an attack detection and mitigation method with good portability and efficiency.

Synchronizing real-time and high-precision LDoS defense of learning model-based in AIoT with programmable data plane, SDN

The availability of SD-AIoT is currently under complicated and serious cyber threats, especially Low-rate Denial-of-Service attacks. However, traditional defense schemes for such attacks with characteristics of high concealability and periodicity suffer from serious challenges with high detection difficulty, low accuracy of detection models, and inefficiency of mitigation approaches. In this paper, one novel cooperative defense scheme against hybrid LDoS attacks is proposed, which consists of a timely-response hardware-based Renyi Entropy edge checkpoint intent detection algorithm, the high-precision detection mechanism based on a hybrid deep learning model, and a Markov-chain-based differential rate-limiting mitigation strategy. The detection algorithm deployed at the edge checkpoint activates a hybrid CNN-RF-based deep learning model after filtering the intent information of the flows to detect which are malicious LDoS flows with high accuracy, where the multi-stage detection scheme not only extracts and learns the hidden features of the flow data, but also has better representation capabilities. Enhanced dynamic threshold-based whitelisting automatically adapts to the real-time state of the network environment to improve mitigation flexibility. Markov chain-based differential rate-limiting mitigation strategy reduces the packet loss error rate to mitigate network attacks promptly and ensures the continuation of network services. The results of several comparative experiments show that the proposed scheme detects LDoS attacks more accurately and mitigates them more effectively than traditional schemes.

A Method for Detecting Ldos Attacks Based on Hilbert-Huang Transform and Convolutional Neural Network

A Method for Detecting Ldos Attacks Based on Hilbert-Huang Transform and Convolutional Neural Network

LDoS attack traffic detection based on feature optimization extraction and DPSA-WGAN

LDoS attack traffic detection based on feature optimization extraction and DPSA-WGAN

An approach for detecting LDoS attack based on cloud model

An approach for detecting LDoS attack based on cloud model

A novel LDoS attack detection method based on reconstruction anomaly

A novel LDoS attack detection method based on reconstruction anomaly

A new detection method for LDoS attacks based on data mining

The serving capabilities of networks are reduced by low-rate denial of service (LDoS) attacks that periodically send high-intensity pulse data flows. This type of attack shows a harmful effect similar to that of traditional DoS attacks, but their attack modes differ greatly. The high concealment of LDoS attacks makes it extremely difficult for traditional DoS detection methods to detect LDoS attacks. Meanwhile, the state-of-art detection methods for LDoS attacks have low-efficiency and resource-intensive and time complexity issues. We propose a novel detection method with analysis of abnormal network traffic under LDoS attacks that combines data mining technology. The judgement benchmarks were also established. The results from the experimental simulation on the simulated environment, physical environment and public datasets prove that the developed method can effectively detect LDoS attacks with optimal detection cost and low complexity, and has a high accuracy, a low false-negative rate, and a low false-positive rate.

Early Detection of LDoS Attack using SNMP MIBs

Early detection of Denial of Service (DoS) attacks are given more emphasizing due to its adverse effects on disrupting the services of legitimate users. LDoS attack is one among the DoS category which floods the target at ideal rate to keep the connections open for longer duration. Traditional defense measures are inadequate to filter due to its less traffic volume. The current works focus on either empirical studies or signal processing models to capture the behavioural characteristics of LDoS based on TCP’s congestion control and timeout mechanism but none carries out detection at a faster timestamp. Early detection solutions are the main focus as it could scale up the revenue losses in today’s online application issues. Hence our model is based on Simple Network Management Protocol (SNMP), through which the early detection of LDoS attacks is carried out. The relevant detection metrics are identified through theoretical validation of SNMP MIBs and existing dataset analysis. Experimental simulations illustrate the LDoS detection efficiency and the same has been validated for theoretically.

An adaptive network traffic prediction approach for LDoS attacks detection

SummaryLow‐rate denial of service (LDoS) attacks reduce throughput and degrade quality of service (QoS) of network services by sending out attack packets with relatively low average rate. LDoS attack flows are difficult to detect from normal traffic since it has the property of low average rate. The research on network traffic analysis and modeling shows that network traffic measurement data are irregular nonlinear time series. To characterize and analyze network traffic between attack and non‐attack situations, the adaptive normal and abnormal ν‐support vector regression (ν‐SVR) prediction models are constructed on the basis of the reconstructed phase space. In this paper, the dimension of reconstructed phase space for ν‐SVR is optimized by Bayesian information criteria method, and the parameter in the radial basis function is adaptively adjusted by minimizing the within‐class distance and maximizing the between‐class distance in the feature space. The nonthreshold decision function is obtained through calculating the prediction error of adaptive normal and abnormal ν‐SVR prediction models, which is adopted to detect LDoS attacks. Experiments in NS‐2 environment show that the adaptive ν‐SVR prediction model can effectively predict the network traffic measurement time series, and the probability distribution of time series generated by the adaptive ν‐SVR prediction model is quite similar to that of the network traffic measurement data. Experiments also clearly demonstrate the superiority of the proposed approach in LDoS attacks detection.

A threat perception method for inter-domain routing systems based on weighted similarity

BGP (border gateway protocol) based inter-domain routing systems play an important role in the Internet. However, the BGP has certain design flaws, which result in many serious security problems for inter-domain routing systems. Compared to traditional attacks, such as prefix hijacking, large-scale LDoS attacks against inter-domain routing systems are extremely hard to detect, which is reflected in its attack traffic and reactions appearing to be legal. The concealment of such attacks makes existing security solutions insufficient. In this paper, we first analyze the feasibility of utilizing similarity theory for assessing the security situations in inter-domain routing systems. We then propose a similarity-theory-based method for evaluating the security situations in inter-domain routing systems. It uses multiple characteristics to describe the system security situation collectively and evaluates the security situation by measuring the deviation degree of the security characteristics to their norms. Because the ability of each characteristic to represent different attacks is not the same, we make use of weighted similarity to assess the deviation of the fusion characteristics from their normal state at various times. Experimental results show that our method can perceive threats in their early stages, regardless of an inter-domain routing system suffering from control plan attacks or data plan attacks.

MAF-SAM: An effective method to perceive data plane threats of inter domain routing system

The BGP-based inter-domain routing system plays an important role in the Internet. However, the BGP has some design flaws, which result in many serious security problems for the inter-domain routing system. Recently there has been a new kind of LDoS attack against BGP sessions from data plane. Compared to traditional control plane threats, such as prefix hijacking, the new attack, BGP-LDoS exploits the vulnerability of adaptive mechanism of BGP and would trigger a wild range of cascading failure in inter domain routing system. Unfortunately, existing methods are difficult to detect this threat. To end this, we propose a method based on adaptive fusion of multi features to perceive security threats of inter domain routing system. Several statistics attributes of BGP routing information are firstly chosen to be security features. Then we establish a normal state sub-model for each security features and fuse them together to describe the normal state of the system by linear weighting. Since the fusion model represents the system security state very well, we can obtain the threat probability by computing the deviation of security features from their normal values. The experimental results show that the method can perceive not only control plane threats but also data plane threats of inter domain routing system.

LAAEM: A Method to Enhance LDoS Attack

Based on LDoS, we propose bots multiplexing in multitargets attack scenario, and then present the LDoS attack ability enhancing method. In simulation, the method shows good performance and adaptability, it can enhance attack ability effectively under variety of correlated parameters. With this method, the attacker may use a small botnet to cause very great harm, which only large botnet can cause by traditional method. Furthermore, aimed to this threat, we discuss two mitigation strategies.

An adaptive KPCA approach for detecting LDoS attack

SummaryLow‐rate denial‐of‐service (LDoS) attack sends out attack packets at low‐average rate of traffic flow in short time. It is stealthier than traditional DoS attack, which makes detection of LDoS extremely difficult. In this paper, an adaptive kernel principal component analysis method is proposed for LDoS attack detection. The network traffic flow is extracted through wavelet multi‐scale analysis. An adaptive kernel principal component analysis method is adopted to detect LDoS attack through the squared prediction error statistics. Key parameters such as the parameter of the radial basis function, the number of principal components, and the squared prediction error confidence limit are adaptively trained with training data and updated with the network environment. Simulation is accomplished in NS‐2 environment, and results prove the favorable LDoS attack detection efficiency by the proposed approach. Copyright © 2015 John Wiley & Sons, Ltd.

SEDP‐based detection of low‐rate DoS attacks

SummaryLow‐rate Denial of Service (LDoS) is a new type of TCP‐targeted attacks, which attempt to deny bandwidth to TCP flows while sending at sufficiently low‐average rate to elude detection of DoS defense system. Therefore, LDoS attacks are difficult to be detected by routers and counter‐DoS mechanisms. In this paper, an approach of detecting LDoS attacks is proposed by using the technology of signal processing based on the model of spectral energy distribution probability. The proposed approach calculates variances between the incoming traffic of normal TCP and attack flows to a server by using packet sampling sequence within a certain period. The network traffic is converted from the time domain to the frequency domain forming a spectral signal, and the distribution probability of spectral energy is estimated based on spectrum characteristics of rectangular pulses. This approach explores that the energy of LDoS attacks is mostly distributed in the main lobe width while that of normal TCP traffic is just concentrated near zero in frequency domain. Both the spectral energy of normal TCP traffic and LDoS attacks distributed in main lobe are calculated, and an energy threshold is set as decision value based on statistical results according to energy distribution properties. The existence of LDoS attacks is determined and detected by comparing calculated variances with the preset decision threshold value. Tests on the detection performance of the proposed approach were performed in NS‐2 simulation environment, and detection rate was obtained by Hypothesis test. Experiment results show that the proposed approach has higher detection accuracy and less computation consuming. Copyright © 2014 John Wiley & Sons, Ltd.

Modeling and Simulation of Low Rate of Denial of Service Attacks

The low-rate denial of service attack is more applicable to the network in recent years as a means of attack, which is different from the traditional field type DoS attacks at the network end system or network using adaptive mechanisms exist loopholes flow through the low-rate periodic attacks on the implementation of high-efficiency attacked by an intruder and not be found, resulting in loss of user data or a computer deadlock. LDos attack since there has been extensive attention of researchers, the attack signature analysis and detection methods to prevent network security have become an important research topic. Some have been proposed for the current attacks were classified LDoS describe and model, and then in NS-2 platform for experimental verification, and then LDoS attack detection to prevent difficulties are discussed and summarized for the future such attacks detection method research work to provide a reference.

A novel distributed LDoS attack scheme against internet routing

A novel distributed LDoS attack scheme against internet routing

Defending Against LDoS Attacks Using Fair AQM

According to the instant high rate and high intensity of LDoS attacks, this paper explores using fair queue management mechanism to mitigate their effect. We perform simulation experiments to evaluate the performance of fair AQM FRED and CHOKe under LDoS attacks. The simulation results show that they are able to reduce the impact of the attacks in various degrees. FRED outperforms CHOKe in throttling the attacks, but it is slightly inferior to CHOKe in time performance.

Software based Low Rate DoS Attack Detection Mechanism

Existing DoS attack detection tools are unable to detect Low rate DoS (LDoS) attacks. Many researchers have proposed mechanisms to detect LdoS attack. But they require modifications to the existing infrastructure or protocols which is not practical. There should be a lightweight mechanism which could be integrated with existing Intrusion Detection Systems. This paper proposes a lightweight software-based approach for LdoS detection which could be integrated with existing Intrusion detection system and does not require any change in existing infrastructure and protocol.Experimental results are provided to support the effectiveness and efficiency of proposed mechanism.

Robustness of RED in Mitigating LDoS Attack

The Random Early Detection algorithm is widely used in the queue management mechanism of the router. We find that the parameters of the RED algorithm have a significant influence on the defense performance of the random early detection algorithm and discuss the robust of the algorithm in mitigating Low-rate Denial-of-Service attack in details. Simulation results show that the defense performance can be effectively improved by adjusting the parameters of Q min andQ max . Some suggestions are given for mitigating the LDoS attack at the end of this paper.