Flow‐oriented detection of low‐rate denial of service attacks

Self Cite

SUMMARYLow-rate denial-of-service (LDoS) attack sends out attack packets at low-average rate of traffic flow in short time. It is stealthier than traditional DoS attack, which makes detection of LDoS extremely difficult. In this paper, an adaptive kernel principal component analysis method is proposed for LDoS attack detection. The network traffic flow is extracted through wavelet multi-scale analysis. An adaptive kernel principal component analysis method is adopted to detect LDoS attack through the squared prediction error statistics. Key parameters such as the parameter of the radial basis function, the number of principal components, and the squared prediction error confidence limit are adaptively trained with training data and updated with the network environment. Simulation is accomplished in NS-2 environment, and results prove the favorable LDoS attack detection efficiency by the proposed approach.

Section: Comparison Of Some Detection Methodsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

mentioning

confidence: 99%

See 1 more Smart Citation

An adaptive KPCA approach for detecting LDoS attack

Zhang

Chen

2015

Self Cite

“…Traffic sampling techniques presently support a wide range of network tasks. As illustrated in Figure , examples of these tasks include the following: Network management – this involves short‐term, medium‐term, and long‐term planning and management of network operation, maintenance, and provisioning of network services ; Traffic engineering – this encompasses optimization of network performance, traffic characterization, traffic modeling, and control ; Performance evaluation – this involves evaluating the performance of management tools and protocols, fault tolerance, and network reliability ; Network security – this includes the detection of intrusion and anomalies, identification of botnets, and distributed denial of service attacks ; Service level agreement compliance – this implies the use of auditing tools for measuring and reporting service levels ; QoS control ‐ this involves measuring parameters such as packet delay and delay variation and loss . …”

Section: Related Workmentioning

confidence: 99%

Inside packet sampling techniques: exploring modularity to enhance network measurements

Silva

Carvalho

Lima

2016

Summary Traffic sampling is viewed as a prominent strategy contributing to lightweight and scalable network measurements. Although multiple sampling techniques have been proposed and used to assist network engineering tasks, these techniques tend to address a single measurement purpose, without detailing the network overhead and computational costs involved. The lack of a modular approach when defining the components of traffic sampling techniques also makes difficult their analysis. Providing a modular view of sampling techniques and classifying their characteristics is, therefore, an important step to enlarge the sampling scope, improve the efficiency of measurement systems, and sustain forthcoming research in the area. Thus, this paper defines a taxonomy of traffic sampling techniques resorting to a comprehensive analysis of the inner components of existing proposals. After identifying granularity, selection scheme, and selection trigger as the main components differentiating sampling proposals, the study goes deeper on characterizing these components, including insights into their computational weight. Following this taxonomy, a general‐purpose architecture is established to sustain the development of flexible sampling‐based measurement systems. Traveling inside packet sampling techniques, this paper contributes to a clearer positioning and comparison of existing proposals, providing a road map to assist further research and deployments in the area. Copyright © 2016 John Wiley & Sons, Ltd.

“…Low‐rate denial of service (LDoS) attack is a new type of denial of service (DoS) attack, which exploits retransmission time out (RTO) mechanism of transmission control protocol. Different to DoS flooding attacks, LDoS attacks only send attack packets within a specific time interval at a relatively low rate.…”

Section: Introductionmentioning

confidence: 99%

An adaptive network traffic prediction approach for LDoS attacks detection

Zhang

et al. 2017

Self Cite

Low-rate denial of service (LDoS) attacks reduce throughput and degrade quality of service (QoS) of network services by sending out attack packets with relatively low average rate. LDoS attack flows are difficult to detect from normal traffic since it has the property of low average rate. The research on network traffic analysis and modeling shows that network traffic measurement data are irregular nonlinear time series. To characterize and analyze network traffic between attack and non-attack situations, the adaptive normal and abnormal νsupport vector regression (ν-SVR) prediction models are constructed on the basis of the reconstructed phase space. In this paper, the dimension of reconstructed phase space for ν-SVR is optimized by Bayesian information criteria method, and the parameter in the radial basis function is adaptively adjusted by minimizing the within-class distance and maximizing the between-class distance in the feature space. The nonthreshold decision function is obtained through calculating the prediction error of adaptive normal and abnormal ν-SVR prediction models, which is adopted to detect LDoS attacks. Experiments in NS-2 environment show that the adaptive ν-SVR prediction model can effectively predict the network traffic measurement time series, and the probability distribution of time series generated by the adaptive ν-SVR prediction model is quite similar to that of the network traffic measurement data. Experiments also clearly demonstrate the superiority of the proposed approach in LDoS attacks detection.KEYWORDS kernel methods, low-rate denial of service (LDoS), network traffic, nonlinear time series analysis, support vector regression (SVR) of LDoS attacks can be denoted as R × L/T. During LDoS attacking, high intensity pulses are periodically sent to a victim in a specific short interval. The attack duration is short while the time of silence in each period is long, so LDoS attacks attempt to send attack traffic flows at low average rate to elude detection by counter-DoS mechanisms. At present, LDoS detection methods can be divided into frequency domain-based methods and time domain-based methods. 7 In the frequency domain-based methods, He et al 8 proposed a detection system-based wavelet analysis against LDoS attacks, in which the wavelet multiscale analysis was used to extract 5 feature indices of LDoS flows, and back propagation (BP) neural network was used to detect LDoS attacks. Simulation results showed that the detection system-based wavelet analysis can achieve high detection rate (DR) with low computation cost. Wu et al 9 established a spectral energy distribution probability model for detecting LDoS attacks. A probabilistic model was constructed on the basis of LDoS attacks and normal transmission control protocol traffic, and the detection criterion for LDoS attack was calculated by Fourier transform. This approach achieved favorable detection effectiveness, and the DR was obtained by hypothesis test. Zhang et al 10 proposed an adaptive kernel principal component analysi...