A new detection method for LDoS attacks based on data mining

https://doi.org/10.1016/j.future.2021.09.039

Abstract

Low-rate denial of service (LDoS) attacks reduce the serving capability of a network by periodically sending high-intensity pulses of data. The harm they cause is similar to that of traditional DoS attacks, but their attack mode differs greatly. Because LDoS attacks are highly concealed, traditional DoS detection methods find them extremely difficult to detect. Meanwhile, state-of-the-art LDoS detection methods suffer from low efficiency, high resource consumption and high time complexity. We propose a novel detection method that analyses the abnormal network traffic produced under LDoS attacks using data mining technology, and we establish the corresponding judgement benchmarks. Experimental results on a simulation platform, a physical environment and public datasets show that the developed method detects LDoS attacks effectively with optimal detection cost and low complexity, and achieves high accuracy, a low false-negative rate and a low false-positive rate.

Introduction

Denial of Service (DoS) attacks are a long-standing problem in network security and still pose a great threat today. Low-rate denial of service (LDoS) attacks [1] are a type of DoS attack. This sort of attack first appeared on the Internet2 backbone in 2001 [2].

Unlike flooding-style DoS attacks, LDoS attacks exploit security weaknesses in network adaptive mechanisms, sending high-speed periodic bursts to reduce the utilization of the target network. For example, in traditional networks, LDoS attacks against the transport layer usually exploit the TCP/IP congestion control mechanism to keep the target network oscillating between congestion and recovery for a long time, significantly reducing network availability and quality of service. Because each pulse is short and the silence time in each cycle is long, the mean rate of the attack flow is quite low. This low mean rate lets malicious users hide each attack pulse within legitimate traffic, so the attack traffic is easily overlooked and mistaken for normal traffic. Many of today's network platforms are still threatened by LDoS attacks, including software defined networking [3] and cloud computing platforms [4], [5].

LDoS attacks are highly stealthy and traditional DoS detection mechanisms have difficulty identifying them, so they require dedicated study. In this paper, we study LDoS attacks at the transport layer; the threat model is introduced in Section 3. Most existing detection schemes for transport-layer LDoS attacks are highly complex and inefficient in detection, and they do not achieve high accuracy. Therefore, we attempt to develop a low-complexity, efficient and high-accuracy detection scheme that starts from the distribution of traffic and uses data mining techniques.

In this paper, we propose a novel LDoS attack detection method that identifies LDoS attacks at the transport layer with high efficiency and low detection cost. To develop this method, we first describe two kinds of abnormal phenomena under LDoS attacks: the distribution and the fluctuation of TCP data flows. Here we combine data mining techniques to analyse the network traffic anomalies caused by LDoS attacks, using frequency histograms and Gaussian distributions to analyse the anomalous frequency distribution of network traffic. Second, we summarize three abnormal features of the network under LDoS attacks: its frequency distribution, its distribution pattern and its fluctuation pattern. Finally, we use three analysis methods to analyse and measure these abnormal characteristics and establish three corresponding judgement benchmarks. We evaluate the efficiency of the method through experiments in different environments, and we also verify the effectiveness of the features derived from the data mining analysis. The results demonstrate that this adaptive method detects LDoS attacks effectively and accurately. The importance and originality of this study lie in the following four aspects.

  1. The anomalies of the network under LDoS attacks are analysed utilizing data mining techniques.

  2. Three anomalous features of the network under LDoS attacks and judgement benchmarks for detection are proposed.

  3. The method in this paper is validated in five different environments, including the simulation platform, the physical environment, local area networks, wide area networks, and data centre networks.

  4. The detection method in this paper is capable of detecting LDoS attacks with low cost, low complexity and high accuracy.
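As an added illustration of the histogram and Gaussian analysis described above (this is not the paper's code): the per-window TCP packet counts are constructed, and the three feature definitions and thresholds are assumptions standing in for the paper's benchmarks, which this excerpt does not give.

```python
"""Histogram/Gaussian anomaly check over per-window TCP packet counts.

Added illustration, not the paper's code. The counts below are constructed
(one value per fixed-length window); the feature definitions and thresholds
are assumptions, since the page does not state the paper's benchmarks.
"""
from statistics import mean, pstdev

# Constructed baseline: legitimate traffic only, counts jitter around 100.
BASELINE = [98, 102, 101, 99, 100, 103, 97, 100, 102, 98,
            101, 99, 100, 102, 98, 101, 99, 100, 97, 103]
# Constructed observation: under a periodic pulse/silence pattern the TCP
# throughput collapses after each pulse and ramps back up, so counts oscillate.
OBSERVED = [100, 101, 12, 9, 40, 75, 99, 102, 11, 8,
            38, 77, 100, 103, 10, 9, 41, 76, 98, 101]


def frequency_histogram(counts, bin_width):
    """Frequency histogram: {bin_start: number of windows falling in that bin}."""
    hist = {}
    for c in counts:
        start = (c // bin_width) * bin_width
        hist[start] = hist.get(start, 0) + 1
    return dict(sorted(hist.items()))


def gaussian_fit(counts):
    """Mean and (population) standard deviation of the Gaussian fitted to counts."""
    return mean(counts), pstdev(counts)


def ldos_features(counts, baseline, bin_width=20):
    """Three features mirroring the paper's anomaly classes (definitions assumed)."""
    mu, sigma = gaussian_fit(baseline)
    # 1. Frequency distribution: share of windows that the baseline Gaussian
    #    places outside mu +/- 3 sigma (about 0.3% is expected for normal traffic).
    outside = sum(1 for c in counts if abs(c - mu) > 3 * sigma) / len(counts)
    # 2. Distribution pattern: occupied histogram bins; a single-peak window
    #    occupies few bins, while oscillating traffic spreads across many.
    bins = len(frequency_histogram(counts, bin_width))
    # 3. Fluctuation pattern: coefficient of variation inside the window.
    m, s = gaussian_fit(counts)
    cv = s / m if m else float("inf")
    return {"outside_3sigma": outside, "occupied_bins": bins, "cv": cv}


def is_ldos_suspected(counts, baseline, min_outside=0.2, min_bins=3, min_cv=0.25):
    """Flag when at least two of the three benchmarks are exceeded (thresholds assumed)."""
    f = ldos_features(counts, baseline)
    votes = ((f["outside_3sigma"] >= min_outside) + (f["occupied_bins"] >= min_bins)
             + (f["cv"] >= min_cv))
    return votes >= 2
```

A majority vote over the three benchmarks keeps a single noisy feature from raising a false positive on its own.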

The rest of this paper proceeds as follows. Section 2 reviews several schemes for LDoS attack detection in traditional networks. Section 3 describes the principles and threat models of transport layer LDoS attacks. Section 4 analyses and presents three detection benchmarks in detail and describes the approach of this paper. Section 5 presents the experiments and analyses the results under five settings. Section 6 summarizes our work and discusses directions for improvement related to the approach of this paper.


Related work

Since LDoS attacks were first proposed in 2003 [1], they have attracted the attention of many scholars. At present, many types of LDoS attacks have been described, such as the Shrew attack [1], [6], the PDoS attack [7], the SlowDrop attack [8], the CrossPath attack [3] in software defined networking, distributed LDoS attacks [9] in cloud computing platforms [10], [11], and others [12], [13]. Due to the concealment (the lower average attack traffic) and the diversity (multiple attack patterns) of LDoS attacks, they

Model and analysis

There are multiple attack modes for LDoS attacks. In this section, we discuss a unified attack model. As an extremely important adaptive mechanism in the TCP protocol, the congestion control mechanism still has some security flaws. TCP congestion control mechanisms such as the retransmission time-out (RTO) mechanism and the additive-increase/multiplicative-decrease (AIMD) congestion control scheme are triggered when the network suffers congestion. This results in a rapid reduction of

Abnormal analysis and detection method

We will describe the abnormal phenomena in the network resulting from LDoS attacks and then introduce our new LDoS detection method.

Experiments and results

From the perspective of detection and analysis technology, the method proposed in this paper belongs to anomaly detection. Compared with misuse detection, it has a lower rate of false negatives, but a higher rate of false positives. Therefore, we designed five sets of experiments to verify this method. The first two sets of experiments prove the validity of this method in detecting LDoS attacks. The last three sets evaluate the accuracy of the scheme. Each set of experiments collects data from

Conclusion and future work

In this paper, we use data mining analysis methods to analyse anomalies of network traffic under LDoS attacks, mainly statistical techniques based on frequency histograms and Gaussian distributions. We summarize the abnormal frequency distribution, abnormal distribution pattern and abnormal fluctuation pattern caused by LDoS attacks, and establish three judgement benchmarks based on these three abnormal characteristics. According to the three judgement

CRediT authorship contribution statement

Dan Tang: Methodology, Validation, Writing – original draft, Visualization, Supervision, Funding acquisition. Jingwen Chen: Formal analysis, Investigation, Writing – review & editing, Visualization. Xiyin Wang: Data curation, Formal analysis, Writing – review & editing. Siqi Zhang: Software, Resources, Writing – review & editing. Yudong Yan: Conceptualization, Data curation, Writing – review & editing.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgment

This work was supported by the National Natural Science Foundation of China (61772189), and the Natural Science Foundation of Hunan Province, China (2019JJ40037).

Dan Tang is an associate professor at the College of Computer Science and Electronic Engineering (CSEE), Hunan University (HNU), Changsha, China. He received the Ph.D. degree in 2014. His research interests include computer network security, computer information security, and the architecture of the future Internet.

References (45)

  • Tang D. et al., The detection of low-rate DoS attacks using the SADBSCAN algorithm, Inform. Sci. (2021)
  • Garcia N. et al., Distributed real-time SlowDoS attacks detection over encrypted traffic using artificial intelligence, J. Netw. Comput. Appl. (2021)
  • Liu L. et al., The detection method of low-rate DoS attack based on multi-feature fusion, Digit. Commun. Netw. (2020)
  • Tang D. et al., WEDMS: An advanced mean shift clustering algorithm for LDoS attacks detection, Ad Hoc Netw. (2020)
  • Kuzmanovic A. et al., Low-rate TCP-targeted denial of service attacks: the shrew vs. the mice and elephants
  • Delio M., New breed of attack zombies lurk (2001)
  • Cao J. et al., The CrossPath attack: Disrupting the SDN control channel via shared links
  • Li X. et al., Privacy preserving data aggregation scheme for mobile edge computing assisted IoT applications, IEEE Internet Things J. (2018)
  • Yue M. et al., Low-high burst: a double potency varying-RTT based full-buffer shrew attack model, IEEE Trans. Dependable Secure Comput. (2019)
  • Tang Y. et al., Modeling the vulnerability of feedback-control based internet services to low-rate DoS attacks, IEEE Trans. Inf. Forensics Secur. (2013)
  • Liu Q. et al., Secure multi-keyword fuzzy searches with enhanced service quality in cloud computing, IEEE Trans. Netw. Serv. Manag. (2020)
  • Liu Q. et al., Enabling verifiable and dynamic ranked search over outsourced data, IEEE Trans. Serv. Comput. (2019)

Jingwen Chen entered Hunan University, China, in September 2015. She is currently a postgraduate at the College of Computer Science and Electronic Engineering (CSEE), Hunan University (HNU), Changsha, China. Her research direction is network information security.

Xiyin Wang received the BS degree in Electronic Commerce from Hunan Normal University in June 2019. She is currently a postgraduate at the College of Computer Science and Electronic Engineering (CSEE), Hunan University (HNU), Changsha, China. Her research direction is cyberspace security.

Siqi Zhang received the BA degree in E-commerce from Dalian Maritime University, China, in June 2019. She is currently a postgraduate at the College of Computer Science and Electronic Engineering (CSEE), Hunan University (HNU), Changsha, China. Her current research interest is network attack detection.

Yudong Yan received the BE degree in computer science and technology from Hunan University in 2020. He is currently a postgraduate at the College of Computer Science and Electronic Engineering (CSEE), Hunan University (HNU), Changsha, China. His research interests include Software Defined Networking and network attack detection.
