A new detection method for LDoS attacks based on data mining
Introduction
Denial of Service (DoS) attacks are a long-standing problem in network security and still pose a serious threat today. Low-rate denial of service (LDoS) attacks [1] are one class of DoS attack; this kind of attack was first observed on the Internet2 backbone in 2001 [2].
Unlike flooding-style DoS attacks, LDoS attacks exploit weaknesses in the network's adaptive mechanisms: the attacker sends short, high-rate bursts at regular intervals in order to degrade the throughput of the target network rather than to exhaust its bandwidth. In traditional networks, for example, an LDoS attack against the transport layer exploits TCP congestion control: each burst fills the bottleneck queue and causes losses, the affected TCP flows back off, and the next burst arrives just as they recover, so the target is kept oscillating between congestion and recovery for a long time, which significantly reduces availability and quality of service. Because each pulse is short and the silent interval between pulses is long, the mean rate of the attack flow is low. That low mean rate lets an attacker hide each pulse within legitimate traffic, so the attack traffic is easily overlooked or mistaken for normal traffic. Many of today's network platforms remain exposed to LDoS attacks, including software defined networking [3] and cloud computing platforms [4], [5].
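The pulse timing described above can be checked with a toy model. The following Python is an added example, not code from the paper: it steps a single TCP flow one RTT at a time, treats any step that overlaps an attack pulse as a lost window followed by a retransmission timeout (a 1 s minRTO, doubled on consecutive timeouts, as in standard TCP), runs slow start and additive increase between losses, and reports the fraction of bottleneck capacity the flow still delivers for several pulse periods. All parameter values (100 ms RTT, 1 s minRTO, 200 ms pulses, a 10-segment bottleneck) are assumptions chosen for the illustration.

```python
"""Toy model of a TCP flow under a periodic LDoS (shrew) pulse train.

Added illustration, not the paper's model. One step per RTT; a pulse that
overlaps a step fills the bottleneck queue, the whole window is lost and the
sender waits for its retransmission timer (minRTO, doubling on repeated
timeouts); slow start / additive increase run between losses.
All times are integer milliseconds so the schedule is exact.
"""
from typing import Optional

RTT_MS = 100          # assumed round-trip time
MIN_RTO_MS = 1000     # standard TCP minimum RTO
MAX_RTO_MS = 64_000   # backoff cap
CAPACITY = 10         # assumed bottleneck capacity in segments per RTT


def in_pulse(t_ms: int, period_ms: Optional[int], pulse_ms: int) -> bool:
    """True when time t_ms falls inside one of the attacker's bursts."""
    return period_ms is not None and t_ms % period_ms < pulse_ms


def goodput_fraction(period_ms: Optional[int], pulse_ms: int = 200,
                     duration_ms: int = 60_000) -> float:
    """Fraction of bottleneck capacity the TCP flow actually delivers.
    period_ms=None means no attack."""
    steps = duration_ms // RTT_MS
    cwnd, ssthresh = 1, CAPACITY
    rto = MIN_RTO_MS
    idle_until = 0        # step index at which the retransmission timer expires
    delivered = 0
    for k in range(steps):
        if k < idle_until:
            continue      # waiting for the RTO to expire: nothing is sent
        if in_pulse(k * RTT_MS, period_ms, pulse_ms):
            # burst saturates the queue: window lost, timeout with exponential backoff
            idle_until = k + -(-rto // RTT_MS)     # ceiling division
            rto = min(rto * 2, MAX_RTO_MS)
            ssthresh = max(cwnd // 2, 2)
            cwnd = 1
            continue
        delivered += min(cwnd, CAPACITY)
        rto = MIN_RTO_MS  # a successful round trip re-arms the timer at minRTO
        cwnd = min(cwnd * 2 if cwnd < ssthresh else cwnd + 1, CAPACITY)
    return delivered / (CAPACITY * steps)


def attack_mean_rate_fraction(period_ms: int, pulse_ms: int) -> float:
    """Attacker's mean rate as a fraction of its burst rate (the duty cycle)."""
    return pulse_ms / period_ms


if __name__ == "__main__":
    for period in (None, 1000, 1500, 2000, 5000):
        print("period", period, "goodput", round(goodput_fraction(period), 3))
    print("attacker duty cycle at 1 s period:", attack_mean_rate_fraction(1000, 200))
```

With a period equal to minRTO every retransmission collides with the next pulse and goodput drops to zero, although the attacker is transmitting only 20 % of the time; lengthening the period lets the flow recover between pulses, which is why the attacker tunes the period to the victim's RTO rather than simply sending more traffic.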
Because LDoS attacks are highly stealthy and traditional DoS detection mechanisms have difficulty identifying them, they need to be studied separately. In this paper we study LDoS attacks at the transport layer; the threat model is introduced in Section 3. Most existing detection schemes for transport-layer LDoS attacks are computationally complex and slow to detect, and still do not achieve high accuracy. We therefore set out to develop a low-complexity, efficient and accurate detection scheme that starts from the distribution of the traffic and applies data mining techniques.
In this paper, we propose a novel LDoS attack detection method that identifies transport-layer LDoS attacks efficiently and at low detection cost. To develop it, we first describe two kinds of abnormal phenomena that LDoS attacks induce in TCP data flows: anomalies in their distribution and in their fluctuation. Here we apply data mining techniques to the traffic anomalies caused by LDoS attacks, in particular frequency histograms and Gaussian distributions to characterise the anomalous frequency distribution of the network traffic. Second, we summarize three abnormal features of the network under LDoS attacks: its frequency distribution, its distribution pattern and its fluctuation pattern. Finally, we apply three analysis methods to measure these abnormal features and establish three corresponding judgement benchmarks. We evaluated the method in experiments in different environments, which also verify the effectiveness of the features derived from the data mining analysis. The results show that this adaptive method detects LDoS attacks effectively and accurately. The contributions of this study are the following four.
1. The anomalies of the network under LDoS attacks are analysed using data mining techniques.
2. Three anomalous features of the network under LDoS attacks, and judgement benchmarks for detecting them, are proposed.
3. The method is validated in five different environments: a simulation platform, a physical environment, a local area network, a wide area network and a data centre network.
4. The detection method detects LDoS attacks with low cost, low complexity and high accuracy.
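To make the histogram-and-Gaussian analysis concrete, here is an added example in Python; it is not the paper's code, and the paper's actual benchmarks and thresholds are not reproduced. It constructs per-window counts of TCP data segments at the victim, benign and under a periodic LDoS attack, fits a Gaussian robustly with the median and MAD (so that the attack windows do not distort the fit), and computes one score for each of the three anomaly classes named above: the mass of windows far below the fitted mean (frequency distribution), a chi-square-style distance between the frequency histogram and the fitted Gaussian (distribution pattern), and the rate of abrupt window-to-window changes (fluctuation pattern). The thresholds, the 500-segment benign level, the 10 % collapse during an attack window and the majority vote are assumptions for the constructed data.

```python
"""Frequency-histogram / Gaussian-fit screening of per-window TCP segment counts.

Added illustration. The three scores are this example's own instantiation of
the paper's three anomaly classes; thresholds are assumptions for the
constructed data below, not values from the paper.
"""
import math
import random
from typing import Dict, List, Optional, Tuple

TAIL_THRESHOLD = 0.02     # fraction of windows far below the fitted mean (assumed)
HIST_THRESHOLD = 100.0    # chi-square-style distance from the fitted Gaussian (assumed)
FLUCT_THRESHOLD = 0.10    # fraction of window-to-window jumps larger than 3 sigma (assumed)


def constructed_traffic(n_windows: int = 600, period: Optional[int] = None,
                        drop_len: int = 1, seed: int = 7) -> List[float]:
    """Constructed per-window counts of TCP data segments at the bottleneck.

    Benign windows fluctuate around 500 segments. Under an LDoS attack every
    `period`-th window (the pulse plus the timeouts it causes) collapses to
    about 10 % because the TCP flows have backed off. The attacker's own
    packets are not counted: the victim's TCP throughput is what is observed.
    """
    rng = random.Random(seed)
    series = []
    for i in range(n_windows):
        x = rng.gauss(500.0, 40.0)
        if period is not None and i % period < drop_len:
            x *= 0.1
        series.append(max(0.0, x))
    return series


def robust_gaussian_fit(series: List[float]) -> Tuple[float, float]:
    """Median / MAD estimate of the benign Gaussian, so the attack windows do
    not drag the fitted mean and sigma the way a plain mean/std would."""
    s = sorted(series)
    n = len(s)
    median = (s[n // 2] + s[(n - 1) // 2]) / 2
    dev = sorted(abs(x - median) for x in series)
    mad = (dev[n // 2] + dev[(n - 1) // 2]) / 2
    return median, max(1.4826 * mad, 1e-9)   # 1.4826 scales MAD to sigma for a Gaussian


def gaussian_cdf(z: float) -> float:
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def histogram_divergence(series: List[float], mu: float, sigma: float,
                         bins: int = 12) -> float:
    """Frequency histogram with sigma-wide bins over mu +/- 6 sigma, compared
    with the counts a Gaussian(mu, sigma) would put in each bin."""
    n = len(series)
    lo = mu - (bins / 2) * sigma
    observed = [0] * bins
    for x in series:
        idx = int((x - lo) // sigma)
        observed[min(max(idx, 0), bins - 1)] += 1   # far outliers land in the edge bins
    score = 0.0
    for b in range(bins):
        z0 = b - bins / 2                            # lower bin edge in units of sigma
        expected = n * (gaussian_cdf(z0 + 1) - gaussian_cdf(z0))
        score += (observed[b] - expected) ** 2 / max(expected, 1.0)
    return score


def analyse(series: List[float]) -> Dict[str, float]:
    """Score the three anomaly classes and vote; a majority marks an LDoS suspect."""
    mu, sigma = robust_gaussian_fit(series)
    n = len(series)
    # 1) frequency distribution: probability mass far below the benign mean
    tail = sum(1 for x in series if x < mu - 3 * sigma) / n
    # 2) distribution pattern: histogram shape versus the fitted Gaussian
    hist = histogram_divergence(series, mu, sigma)
    # 3) fluctuation pattern: abrupt drops and recoveries between adjacent windows
    jumps = sum(1 for a, b in zip(series, series[1:]) if abs(b - a) > 3 * sigma)
    fluct = jumps / (n - 1)
    votes = (tail > TAIL_THRESHOLD) + (hist > HIST_THRESHOLD) + (fluct > FLUCT_THRESHOLD)
    return {"mean": mu, "sigma": sigma, "tail_fraction": tail,
            "histogram_divergence": hist, "fluctuation": fluct,
            "ldos_suspected": votes >= 2}


if __name__ == "__main__":
    print("benign :", analyse(constructed_traffic()))
    print("attack :", analyse(constructed_traffic(period=10)))
```

The robust fit matters in practice: an attack that suppresses 10 % of the windows shifts a plain mean/standard deviation enough that the collapsed windows no longer look like outliers against the fit, whereas the median and MAD stay anchored on the benign population. The window-to-window jump count is a crude fluctuation measure; the regularity of the intervals between jumps is the natural next check, since a pulse train produces them at a fixed spacing and benign traffic does not.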
The rest of this paper proceeds as follows. Section 2 reviews several schemes for LDoS attack detection in traditional networks. Section 3 describes the principles and threat models of transport layer LDoS attacks. Section 4 analyses and presents three detection benchmarks in detail and describes the approach of this paper. Section 5 presents the experiments and analyses the results under five settings. Section 6 summarizes our work and discusses directions for improvement related to the approach of this paper.
Section snippets
Related work
Since LDoS attacks were first described in 2003 [1], they have attracted the attention of many scholars. Many types of LDoS attack have since been proposed, such as the Shrew attack [1], [6], the PDoS attack [7], the SlowDrop attack [8], the CrossPath attack [3] in software defined networking, distributed LDoS attacks [9] in cloud computing platforms [10], [11], and others [12], [13]. Due to the concealment (the low average attack rate) and the diversity (multiple attack patterns) of LDoS attacks, they
Model and analysis
There are multiple attack modes for LDoS attacks. In this section, we discuss a unified attack model. Congestion control is an extremely important adaptive mechanism in TCP, yet it still has security flaws. TCP congestion control mechanisms such as the retransmission time-out (RTO) and the additive-increase/multiplicative-decrease (AIMD) scheme are triggered when the network suffers congestion. It will result in a rapid reduction of
Abnormal analysis and detection method
We will describe the abnormal phenomena in the network resulting from LDoS attacks and then introduce our new LDoS detection method.
Experiments and results
In terms of detection technique, the method proposed in this paper is an anomaly detection method. Compared with misuse detection, it has a lower false negative rate but a higher false positive rate. We therefore designed five sets of experiments to verify it. The first two sets demonstrate the validity of the method in detecting LDoS attacks; the last three sets evaluate its accuracy. Each set of experiments collects data from
Conclusion and future work
In this paper, we use data mining analysis methods to analyse anomalies of network traffic under LDoS attacks, mainly statistical methods: frequency histograms and Gaussian distribution fitting. We summarized the abnormal frequency distribution, abnormal distribution pattern and abnormal fluctuation pattern caused by LDoS attacks, and established three judgement benchmarks based on these three abnormal characteristics. According to the three judgement
CRediT authorship contribution statement
Dan Tang: Methodology, Validation, Writing – original draft, Visualization, Supervision, Funding acquisition. Jingwen Chen: Formal analysis, Investigation, Writing – review & editing, Visualization. Xiyin Wang: Data curation, Formal analysis, Writing – review & editing. Siqi Zhang: Software, Resources, Writing – review & editing. Yudong Yan: Conceptualization, Data curation, Writing – review & editing.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgment
This work was supported by the National Natural Science Foundation of China (61772189), and the Natural Science Foundation of Hunan Province, China (2019JJ40037).
Dan Tang is an associate professor in the College of Computer Science and Electronic Engineering (CSEE), Hunan University (HNU), Changsha, China. He received the Ph.D. degree in 2014. His research interests include computer network security, computer information security, and the architecture of the future Internet.
References (45)
- Prime inner product encoding for effective wildcard-based multi-keyword fuzzy search. IEEE Trans. Serv. Comput. (2020)
- Introducing the slowdrop attack. Comput. Netw. (2019)
- Low rate cloud DDoS attack defense method based on power spectral density analysis. Inform. Process. Lett. (2018)
- Resilient strategy design for cyber-physical system under DoS attack over a multi-channel framework. Inform. Sci. (2018)
- Toward an optimal solution against denial of service attacks in software defined networks. Future Gener. Comput. Syst. (2019)
- Power spectrum entropy based detection and mitigation of low-rate DoS attacks. Comput. Netw. (2018)
- An early detection of low rate DDoS attack to SDN based data center networks using information distance metrics. Future Gener. Comput. Syst. (2018)
- Low-rate DDoS attacks detection method using data compression and behavior divergence measurement. Comput. Secur. (2021)
- Sequence alignment detection of TCP-targeted synchronous low-rate DoS attacks. Comput. Netw. (2019)
- MF-Adaboost: LDoS attack detection based on multi-features and improved Adaboost. Future Gener. Comput. Syst. (2020)
- The detection of low-rate DoS attacks using the SADBSCAN algorithm. Inform. Sci.
- Distributed real-time SlowDoS attacks detection over encrypted traffic using artificial intelligence. J. Netw. Comput. Appl.
- The detection method of low-rate DoS attack based on multi-feature fusion. Digit. Commun. Netw.
- WEDMS: An advanced mean shift clustering algorithm for LDoS attacks detection. Ad Hoc Netw.
- Low-rate TCP-targeted denial of service attacks: the shrew vs. the mice and elephants
- New breed of attack zombies lurk
- The crosspath attack: Disrupting the control channel via shared links
- Privacy preserving data aggregation scheme for mobile edge computing assisted IoT applications. IEEE Internet Things J.
- Low-high burst: a double potency varying-rtt based full-buffer shrew attack model. IEEE Trans. Dependable Secure Comput.
- Modeling the vulnerability of feedback-control based internet services to low-rate DoS attacks. IEEE Trans. Inf. Forensics Secur.
- Secure multi-keyword fuzzy searches with enhanced service quality in cloud computing. IEEE Trans. Netw. Serv. Manag.
- Enabling verifiable and dynamic ranked search over outsourced data. IEEE Trans. Serv. Comput.
Jingwen Chen entered Hunan University, China, in September 2015. She is currently a postgraduate in the College of Computer Science and Electronic Engineering (CSEE), Hunan University (HNU), Changsha, China. Her research direction is network information security.
Xiyin Wang received the BS degree in Electronic Commerce from Hunan Normal University in June 2019. She is currently a postgraduate in the College of Computer Science and Electronic Engineering (CSEE), Hunan University (HNU), Changsha, China. Her research direction is cyberspace security.
Siqi Zhang received the BA degree in E-commerce from Dalian Maritime University, China, in June 2019. She is currently a postgraduate in the College of Computer Science and Electronic Engineering (CSEE), Hunan University (HNU), Changsha, China. Her current research interest is network attack detection.
Yudong Yan received the BE degree in computer science and technology from Hunan University in 2020. He is currently a postgraduate in the College of Computer Science and Electronic Engineering (CSEE), Hunan University (HNU), Changsha, China. His research interests include Software Defined Networking and network attack detection.