Approach of detecting low-rate DoS attack based on combined features

LDoS (low-rate denial of service) attack is a kind of RoQ (reduction of quality) attack which has the characteristics of low average rate and strong concealment.These characteristics pose great threats to the security of cloud computing platform and big data center.Based on network traffic analysis,three intrinsic characteristics of LDoS attack flow were extracted to be a set of input to BP neural network,which is a classifier for LDoS attack detection.Hence,an approach of detecting LDoS attacks was proposed based on novel combined feature value.The proposed approach can speedily and accurately model the LDoS attack flows by the efficient self-organizing learning process of BP neural network,in which a proper decision-making indicator is set to detect LDoS attack in accuracy at the end of output.The proposed detection approach was tested in NS2 platform and verified in test-bed network environment by using the Linux TCP-kernel source code,which is a widely accepted LDoS attack generation tool.The detection probability derived from hypothesis testing is 96.68%.Compared with available researches,analysis results show that the performance of combined features detection is better than that of single feature,and has high computational efficiency.     

An adaptive network traffic prediction approach for LDoS attacks detection

Low‐rate denial of service (LDoS) attacks reduce throughput and degrade quality of service (QoS) of network services by sending out attack packets with relatively low average rate. LDoS attack flows are difficult to detect from normal traffic since it has the property of low average rate. The research on network traffic analysis and modeling shows that network traffic measurement data are irregular nonlinear time series. To characterize and analyze network traffic between attack and non‐attack situations, the adaptive normal and abnormal ν‐support vector regression (ν‐SVR) prediction models are constructed on the basis of the reconstructed phase space. In this paper, the dimension of reconstructed phase space for ν‐SVR is optimized by Bayesian information criteria method, and the parameter in the radial basis function is adaptively adjusted by minimizing the within‐class distance and maximizing the between‐class distance in the feature space. The nonthreshold decision function is obtained through calculating the prediction error of adaptive normal and abnormal ν‐SVR prediction models, which is adopted to detect LDoS attacks. Experiments in NS‐2 environment show that the adaptive ν‐SVR prediction model can effectively predict the network traffic measurement time series, and the probability distribution of time series generated by the adaptive ν‐SVR prediction model is quite similar to that of the network traffic measurement data. Experiments also clearly demonstrate the superiority of the proposed approach in LDoS attacks detection.     

SEDP‐based detection of low‐rate DoS attacks

Low‐rate Denial of Service (LDoS) is a new type of TCP‐targeted attacks, which attempt to deny bandwidth to TCP flows while sending at sufficiently low‐average rate to elude detection of DoS defense system. Therefore, LDoS attacks are difficult to be detected by routers and counter‐DoS mechanisms. In this paper, an approach of detecting LDoS attacks is proposed by using the technology of signal processing based on the model of spectral energy distribution probability. The proposed approach calculates variances between the incoming traffic of normal TCP and attack flows to a server by using packet sampling sequence within a certain period. The network traffic is converted from the time domain to the frequency domain forming a spectral signal, and the distribution probability of spectral energy is estimated based on spectrum characteristics of rectangular pulses. This approach explores that the energy of LDoS attacks is mostly distributed in the main lobe width while that of normal TCP traffic is just concentrated near zero in frequency domain. Both the spectral energy of normal TCP traffic and LDoS attacks distributed in main lobe are calculated, and an energy threshold is set as decision value based on statistical results according to energy distribution properties. The existence of LDoS attacks is determined and detected by comparing calculated variances with the preset decision threshold value. Tests on the detection performance of the proposed approach were performed in NS‐2 simulation environment, and detection rate was obtained by Hypothesis test. Experiment results show that the proposed approach has higher detection accuracy and less computation consuming. Copyright © 2014 John Wiley & Sons, Ltd.     

An adaptive KPCA approach for detecting LDoS attack

Low‐rate denial‐of‐service (LDoS) attack sends out attack packets at low‐average rate of traffic flow in short time. It is stealthier than traditional DoS attack, which makes detection of LDoS extremely difficult. In this paper, an adaptive kernel principal component analysis method is proposed for LDoS attack detection. The network traffic flow is extracted through wavelet multi‐scale analysis. An adaptive kernel principal component analysis method is adopted to detect LDoS attack through the squared prediction error statistics. Key parameters such as the parameter of the radial basis function, the number of principal components, and the squared prediction error confidence limit are adaptively trained with training data and updated with the network environment. Simulation is accomplished in NS‐2 environment, and results prove the favorable LDoS attack detection efficiency by the proposed approach. Copyright © 2015 John Wiley & Sons, Ltd.     

Detection method of LDoS attacks based on combination of ANN ＆ KPCA

Low-rate denial-of-service (LDoS) attack is a new type of attack mode for TCP protocol.Characteristics of low average rate and strong concealment make it difficult for detection by traditional DoS detecting methods.According to characteristics of LDoS attacks,a new LDoS queue future was proposed from the router queue,the kernel principal component analysis (KPCA) method was combined with neural network,and a new method was present to detect LDoS attacks.The method reduced the dimensionality of queue feature via KPCA algorithm and made the reduced dimension data as the inputs of neural network.For the good sell-learning ability,BP neural network could generate a great LDoS attack classifier and this classifier was used to detect the attack.Experiment results show that the proposed approach has the characteristics of effectiveness and low algorithm complexity,which helps the design of high performance router.     

LDDoS attack detection method based on wavelet decomposition and sliding windows

As a special type of distributed denial of service (DDoS) attacks, the low-rate DDoS (LDDoS) attacks have characteristics of low average rate and strong concealment, thus, it is hard to detect such attacks by traditional approaches. Through signal analysis, a new identification approach based on wavelet decomposition and sliding detecting window is proposed. Wavelet decomposition extracted from the traffic are used for multifractal analysis of traffic over different time scale. The sliding window from flow control technology is designed to identify the normal and abnormal traffic in real-time. Experiment results show that the proposed approach has advantages on detection accuracy and timeliness.     

The detection method of low-rate DoS attack based on multi-feature fusion

As a new type of Denial of Service (DoS) attacks, the Low-rate Denial of Service (LDoS) attacks make the traditional method of detecting Distributed Denial of Service Attack (DDoS) attacks useless due to the characteristics of a low average rate and concealment. With features extracted from the network traffic, a new detection approach based on multi-feature fusion is proposed to solve the problem in this paper. An attack feature set containing the Acknowledge character(ACK) sequence number, the packet size, and the queue length is used to classify normal and LDoS attack traffics. Each feature is digitalized and preprocessed to fit the input of the K-Nearest Neighbor (KNN) classifier separately, and to obtain the decision contour matrix. Then a posteriori probability in the matrix is fused, and the fusion decision index D is used as the basis of detecting the LDoS attacks. Experiments proved that the detection rate of the multi-feature fusion algorithm is higher than those of the single-based detection method and other algorithms.     

Detection method of LDoS attack based on ACK serial number step-length

Low-rate denial of service (LDoS) attack is a potential security threat to big data centers and cloud computing platforms because of its strong concealment.Based on the analysis of network traffic during the LDoS attack,statistical analysis was given of ACK packets returned by the data receiver to the sender,and result reveals the sequence number step had the characteristics of volatility during the LDoS attack.The permutation entropy method was adopted to extract the characteristics of volatility.Hence,an LDoS attack detection method based on ACK serial number step permutation entropy was proposed.The serial number was sampled and the step length was calculated through collecting the ACK packets that received at the end of sender.Then,the permutation entropy algorithm with strong time-sensitive was used to detect the mutation step time,and achieve the goal of detecting LDoS attack.A test-bed was designed and built in the actual network environment for the purpose of verifying the proposed approach performance.Experimental results show that the proposed approach has better detection performance and has achieved better detection effect.     

基于小信号检测模型的LDoS攻击检测方法的研究

 低速率拒绝服务LDoS(Low-rate Denial of Service)是一种新型的面向TCP协议的DoS攻击方式.LDoS攻击的平均流量仅占正常流量的10-20%,具有明显的周期性小信号特征,隐蔽性强.因此,检测LDoS攻击成为网络安全研究的一个难点.本文采用数字信号处理DSP技术,基于小信号检测理论,提出一种基于小信号模型的LDoS攻击检测的方法.该方法通过构造特征值估算矩阵,对30秒时间内(3000个采样点)到达的数据包个数进行统计;将统计值与设定的判决特征值门限比较,作为判断有无LDoS攻击的依据.如果判定成立,则通过特征值估算矩阵可较精确地计算出LDoS攻击的周期值.在NS-2环境中的仿真实验结果表明本文方法具有较高的LDoS攻击检测率.     

Flow‐oriented detection of low‐rate denial of service attacks

In this paper, an approach of detecting low‐rate denial of service attack is proposed on the basis of principal component analysis algorithm. The proposed approach analyzes low‐rate denial of service attack flows and handles complicated network flows by using principal component analysis algorithm to establish the network traffic matrix model, which is established on the basis of a large number of data acquisitions. Simulation results show that the proposed approach can predigest the high dimension vector, which is composed of networks flows, guarantee the detection precision, and reduce the computation consuming. Copyright © 2014 John Wiley & Sons, Ltd.     

A novel traffic identification approach based on multifractal analysis and combined neural network

An accurate identification of Internet traffic of different applications is highly relevant for a broad range of network management and measurement tasks, including traffic engineering, service differentiation, performance monitoring, and security. Traditional traffic identification approaches have become increasingly inaccurate due to restrictions of port numbers, protocol signatures, traffic encryption, and etc. In this paper, a new traffic identification approach based on multifractal analysis of wavelet energy spectrum and classification of combined neural network models is proposed. The proposed approach is able to achieve the identification of different Internet application traffic by performing classification over the wavelet energy spectrum coefficients that were inferred from the original traffic. Without using any payload information, the proposed approach has more advantages over traditional methods. The experiment results illustrate that the proposed approach has satisfactory identification results.     

基于信号互相关的低速率拒绝服务攻击检测方法

低速率拒绝服务LDoS（Low-rate Denial of Service）攻击是一种基于TCP/IP协议漏洞,采用密集型周期性脉冲的攻击方式.本文针对分布式LDoS攻击脉冲到达目标端的时序关系,提出基于互相关的LDoS攻击检测方法.该方法通过计算构造的检测序列与采样得到的网络流量序列的相关性,得到相关序列,采用基于循环卷积的互相关算法来计算攻击脉冲经过不同传输通道在特定的攻击目标端的精确时间,利用无周期单脉冲预测技术估计LDoS攻击的周期参数,提取LDoS攻击的脉冲持续时间的相关性特征,并设计判决门限规则.实验结果表明基于信号互相关的LDoS攻击检测方法具有较好的检测性能.     

隐马尔科夫模型检测LDoS攻击方法的研究

针对低速率拒绝服务LDoS （Low-Rate Denial of Service）攻击具有平均速率低、隐蔽性强的特点,提出了一种基于隐马尔科夫模型的LDoS攻击检测方法。首先对网络状态建立隐马尔科夫模型,将归一化累计功率谱密度NCPSD（Normalized Cumulative Power Spectrum Density）方法的检测结果作为隐马尔科夫模型的观测值。利用前向算法得到不同观测值序列在该模型下的相似度作为检测依据。在NS 2中对本检测方法进行测试,实验结果表明本方法能够有效的检测LDoS攻击,与其他方法相比也具有更好的检测性能。通过假设检验得出检测率为99.96%。      

DDoS攻击恶意行为知识库构建

针对分布式拒绝服务（distributed denial of service,DDoS）网络攻击知识库研究不足的问题,提出了DDoS攻击恶意行为知识库的构建方法。该知识库基于知识图谱构建,包含恶意流量检测库和网络安全知识库两部分：恶意流量检测库对 DDoS 攻击引发的恶意流量进行检测并分类;网络安全知识库从流量特征和攻击框架对DDoS 攻击恶意行为建模,并对恶意行为进行推理、溯源和反馈。在此基础上基于DDoS 开放威胁信号（DDoS open threat signaling,DOTS）协议搭建分布式知识库,实现分布式节点间的数据传输、DDoS攻击防御与恶意流量缓解功能。实验结果表明,DDoS攻击恶意行为知识库能在多个网关处有效检测和缓解DDoS攻击引发的恶意流量,并具备分布式知识库间的知识更新和推理功能,表现出良好的可扩展性。     

Differentiating Malicious DDoS Attack Traffic from Normal TCP Flows by Proactive Tests

To defend against distributed denial of service (DDoS) attacks, one critical issue is to effectively isolate the attack traffic from the normal ones. A novel DDoS defense scheme based on TCP is hereby contrived because TCP is the dominant traffic for both the normal and lethal flows in the Internet. Unlike most of the previous DDoS defense schemes that are passive in nature, the proposal uses proactive tests to identify and isolate the malicious traffic. Simulation results validate the effectiveness of our proposed scheme     

A comparative study on flood DoS and low-rate DoS attacks

Denial of service (DoS) attacks is a serious threat for the Internet. DoS attacks can consume memory, Computer processing unit (CPU), and network bandwidths and damage or shut down the operation of the resource under attack. In this paper, based on the taxonomy of DoS attacks, two typical types of DoS—flood DoS (FDoS) and low-rate DoS (LDoS) attacks, are studied on their generation principle, mechanism utilization, signature, impacts, and defense mechanisms. Simulation results illustrate that 1) FDoS is easy to be launched but its signature is easy to be detected. 2) LDoS organizes an average small quantity of traffic and it is stealthier. Comparison of LDoS with FDoS shed light on the emerging new features of DoS attacks and can make the detection and defense mechanisms more efficient.     

分布式DNS反射DDoS攻击检测及控制技术

分布式DNS反射DDoS攻击已经成为拒绝服务攻击的主要形式之一,传统的基于网络流量统计分析和网络流量控制技术已经不能满足防护需求。提出了基于生存时间值（TTL）智能研判的DNS反射攻击检测技术,能够准确发现伪造源IP地址分组;基于多系统融合的伪造源地址溯源阻断技术,从源头上阻断攻击流量流入网络。     

一种基于Haar小波变换的低速率拒绝服务攻击检测方法

依据LDoS攻击周期性脉冲突发的特点,提出一种基于Haar小波特征提取的低速率拒绝服务攻击检测方法．该方法采用信号处理技术来分析网络流量提取特征指标,通过小波多尺度分析对网络流量综合诊断,较好地缓解了合法用户背景流量对攻击特征提取的干扰．NS-2仿真实验结果表明,该方法检测率高,消耗计算资源少,具有良好的理论研究和实用价值．     

基于SNMP和神经网络的DDoS攻击检测

DDoS（Distributed Denial of Service）已经严重威胁计算机网络安全。对DDoS攻击检测的关键是找到能反映攻击流和正常流区别的特征,设计简单高效的算法,实时检测。通过对攻击特点的分析,总结出15个基于SNMP（Simple Network Management Protocol）的检测特征。利用BP神经网络高效的计算性能,设计了基于SNMP和神经网络的DDoS攻击检测模型,提高了检测实时性和准确性。实验表明：该检测模型对多种DDoS攻击都具有很好的检测效果。     

DDoS attack detection in IEEE 802.16 based networks

Achieving high data rate transmission, WiMAX has acquired noticeable attention by communication industry. One of the vulnerabilities of the WiMAX network which leads to DDoS attack is sending a high volume of ranging request messages to base station (BS) in the initial network entry process. In the initial network entry process, BS and subscriber station (SS) exchange management messages. Since some of these messages are not authenticated, malicious SSs can attack the network by exploiting this vulnerability which may increase the traffic load of the BS and prevent it from serving the SSs. So, detecting such attacks is one of the most important issues in such networks. In this research, an artificial neural network (ANN) based approach is proposed in order to detect DDoS attacks in IEEE 802.16 networks. Although lots of studies have been devoted to the detection of DDoS attack, some of them focus just on some statistical features of the traffic and some other focus on packets’ headers. The proposed approach exploits both qualitative and quantitative methods. It detects the attack by feeding some features of the network traffic under attack to an appropriate ANN structure. To evaluate the method, first a typical attacked network is implemented in OPNet simulator, and then by using the proposed system, the efficiency of the method is evaluated. The results show that by choosing suitable time series we can classify 93 % of normal traffic and 91 % of attack traffic.