Zhijun Wu

Low-Rate DoS Attacks Detection Based on Network Multifractal

Low-rate denial of service (LDoS) attacks send periodic pulse sequences with relative low rate to form aggregation flows at the victim end. LDoS attack flows have the characteristics of low average rate and great concealment. It is hard to detect LDoS attack flows from normal traffic due to low rate property. Network traffic measurement shows that aggregate network traffic is multifractal. In order to characterize and analyze network traffic, researchers have developed concise mathematical models to explore complex multifractal structure. Although the LDoS attack flows are very small, it will inevitably lead to the change of multifractal characteristics of network traffic. This paper targets at exploiting and estimating the changes in multifractal characteristics of network traffic for detecting LDoS attack flows. The algorithm of multifractal detrended fluctuation analysis (MF-DFA) is used to explore the change in terms of multifractal characteristics over a small scale of network traffic due to LDoS attacks. Through wavelet analysis, the singularity and bursty of network traffic under LDoS attacks are estimated by using Hölder exponent. The difference values (D-value) of Hölder exponent of network traffic between normal and under LDoS attack situations are calculated. The D-value is used as the basis to determine LDoS attacks. A detection threshold is set based on the statistical results. The presence of LDoS attacks can be confirmed through comparing D-value with detection threshold. Experiments on detection performance have been performed in the test-bed network and simulation platform. The extensive experimental results are congruent with the theoretical analysis.

SEDP-based detection of low-rate DoS attacks

Low-rate Denial of Service LDoS is a new type of TCP-targeted attacks, which attempt to deny bandwidth to TCP flows while sending at sufficiently low-average rate to elude detection of DoS defense system. Therefore, LDoS attacks are difficult to be detected by routers and counter-DoS mechanisms. In this paper, an approach of detecting LDoS attacks is proposed by using the technology of signal processing based on the model of spectral energy distribution probability. The proposed approach calculates variances between the incoming traffic of normal TCP and attack flows to a server by using packet sampling sequence within a certain period. The network traffic is converted from the time domain to the frequency domain forming a spectral signal, and the distribution probability of spectral energy is estimated based on spectrum characteristics of rectangular pulses. This approach explores that the energy of LDoS attacks is mostly distributed in the main lobe width while that of normal TCP traffic is just concentrated near zero in frequency domain. Both the spectral energy of normal TCP traffic and LDoS attacks distributed in main lobe are calculated, and an energy threshold is set as decision value based on statistical results according to energy distribution properties. The existence of LDoS attacks is determined and detected by comparing calculated variances with the preset decision threshold value. Tests on the detection performance of the proposed approach were performed in NS-2 simulation environment, and detection rate was obtained by Hypothesis test. Experiment results show that the proposed approach has higher detection accuracy and less computation consuming. Copyright

Chaos-based detection of LDoS attacks

A low-rate denial of service (LDoS) attack behaves as a small signal in periodic pulses with low average rate, which hides in normal TCP traffic stealthily. LDoS attacks reduce link throughput and degrade QoS of a target. An approach of detecting LDoS attacks is proposed based on Duffing oscillator in chaos systems. The approach detects LDoS attacks by adopting the technology of digital signal processing (DSP), which takes an LDoS attack as a small signal and normal TCP traffic as background noise. Duffing oscillator is used to detect LDoS attacks in normal TCP traffic. Simulations show that the LDoS attacks can be detected through diagram of the chaotic state, and the period and pulse width of LDoS attacks can be estimated.

Flow-oriented detection of low-rate denial of service attacks

In this paper, an approach of detecting low-rate denial of service attack is proposed on the basis of principal component analysis algorithm. The proposed approach analyzes low-rate denial of service attack flows and handles complicated network flows by using principal component analysis algorithm to establish the network traffic matrix model, which is established on the basis of a large number of data acquisitions. Simulation results show that the proposed approach can predigest the high dimension vector, which is composed of networks flows, guarantee the detection precision, and reduce the computation consuming. Copyright

Identifying LDoS attack traffic based on wavelet energy spectrum and combined neural network

Summary As a special type of denial of service (DoS) attacks, the TCP-targeted low-rate denial of service (LDoS) attacks have the characteristics of low average rate and strong concealment, so it is difficult to identify such attack traffic. As multifractal characteristics exist in network traffic, a new identification approach based on wavelet transform and combined neural network is proposed to classify normal network traffic and LDoS attack traffic. Wavelet energy spectrum coefficients extracted from the sampled traffic are used for multifractal analysis of traffic over different time scale. The combined neural network is designed to classify these multiscale spectrum coefficients that show different multifractal characteristics belonging to normal network traffic and LDoS attack traffic. Test results of test-bed experiments indicate that the proposed approach can identify LDoS attack traffic accurately.

An adaptive KPCA approach for detecting LDoS attack

SUMMARY Low-rate denial-of-service (LDoS) attack sends out attack packets at low-average rate of traffic flow in short time. It is stealthier than traditional DoS attack, which makes detection of LDoS extremely difficult. In this paper, an adaptive kernel principal component analysis method is proposed for LDoS attack detection. The network traffic flow is extracted through wavelet multi-scale analysis. An adaptive kernel principal component analysis method is adopted to detect LDoS attack through the squared prediction error statistics. Key parameters such as the parameter of the radial basis function, the number of principal components, and the squared prediction error confidence limit are adaptively trained with training data and updated with the network environment. Simulation is accomplished in NS-2 environment, and results prove the favorable LDoS attack detection efficiency by the proposed approach. Copyright