2007 IEEE International Conference on Communications 2007
DOI: 10.1109/icc.2007.204

Spectral Analysis of TCP Flows for Defense Against Reduction-of-Quality Attacks

Abstract: The RoQ (Reduction-of-Quality) attacks are low-rate DDoS attacks that degrade the QoS to end systems stealthily but not to deny the services completely. These attacks are more difficult to detect than the flooding DDoS attacks. This paper explores the energy distributions of Internet traffic flows in frequency domain. Normal TCP traffic flows present periodicity because of protocol behavior. Our results reveal that normal TCP flows can be segregated from malicious flows according to energy distribution propert…

Cited by 37 publications (19 citation statements)
References 20 publications (27 reference statements)
“…Similarly, M. Thotton and C. Ji in [69] used spectral processing to detect anomalies in IP network traffic. Spectral analysis to TCP flows has also been applied by Y. Chen et al in [70] to protect from reduction of quality attacks. More cases of spectral techniques using wavelets are discussed later.…”
Section: Spectral Signal Based Network Anomaly Detection Approaches (mentioning)
confidence: 99%
“…Barford P. et al [84] 4 Local variance shift using wavelets >100 DoS Magnaghi A. et al [89] 4 Locality principle measure TCP-DoS Bartlett G. et al [85] 2 Iterated filtering Low-rate Carl G. et al [86] 3 Change points in the CUSUM DoS Hamdi M. et al [87] 5 Lipschitz singularities DoS Lu W. et al [88] 15 ARX model DoS Dainotti A. et al [91] CUSUM & Adaptive Threshold DoS Li L. et al [92] 5 Energy distribution variation DDoS flood Chen Y. et al [70] 5 Gaussian distribution, DFT RoQ P*: Number of Parameters…”
Section: Table 2 Comparison Of Spectral Anomaly Detection Techniques (mentioning)
confidence: 99%
“…It has been argued that spectrum-based approaches are adept at detecting features with near-periodic signatures, such as bottlenecks in the link layer, the TCP windowing mechanism and DoS attacks [7], traffic anomalies [1], and even for attack fingerprinting [8]. The sequential probability ratio test (SPRT), a time-adaptive detection technique, has been used to distinguish between reduction-of-quality (RoQ) flows and legitimate TCP flows in a distributed setting [4] and fast portscan detection [10].…”
Section: Related Work (mentioning)
confidence: 99%
“…• In contrast to [4], [6], [12], [17] and [18], we operate on aggregate traffic without flow separation, enabling analysis of encrypted traffic in a passive monitoring framework.…”
Section: Related Work (mentioning)
confidence: 99%