Congyuan Xu,Jizhong Shen,Xin Du

DOI: https://doi.org/10.1016/j.jisa.2021.102879

IF: 4.96

2021-01-01

Journal of Information Security and Applications

Abstract:Low-rate Denial of Service (LDoS) attacks use the low-rate requests to achieve the occupation of the network resources and have strong concealment. The traditional signal analysis based detection methods are challenging to detect LDoS attacks in the fluctuating legitimate traffic. In this paper, an LDoS attack detection method based on hybrid deep neural networks is proposed using one-dimensional convolutional neural network and gated recurrent unit. In order to evaluate the proposed detection method in the real scenarios, we captured real legitimate traffic from a website in the datacenter, and carried out a variety of real LDoS attacks on the mirror of the website in the laboratory environment to obtain real attack traffic. The detection results on the real traffic show that the proposed detection method does not need to extract features manually and can effectively detect LDoS attacks in fluctuating HTTP traffic with an average detection rate of 98.68%, which is more advantageous than MF-DFA or power spectral density based detection methods.

WEI Wei,DONG Ya-bo,LU Dong-ming,JIN Guang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.05.007

2008-01-01

Abstract:Low rate TCP-targeted denial of service(DoS) attack makes use of time-out and retransmission mechanism in transmission control protocol(TCP) and could severely decrease the throughput of legitimate TCP traffic.With its attacking traffic pattern,obvious difference was found between the power spectrum density(PSD) of legitimate and attack traffic samples.The statistical characteristic of this difference in history data was analyzed,and a detection method using the summation of low frequency was proposed.Meanwhile,based on the methods of leak bucket and the increasing of routing buffer,a response method was provided,which uses leak bucket periodically for smoothing the flow and uses buffer for holding extra traffic to send in next period,and its reasonable resource requirement was proved.Simulations show that for more general attack scenarios than the existing methods,the detection method has very low positive and negative false ratio,and the response method can depress attack flows more effectively than the previous methods and maintain the legitimate throughput in a normal level while the previous methods failed.

Siyuan Wang,Dan Tang,Yu Liu,Jingwen Chen,Yudong Yan,Jiayi Zhang

DOI: https://doi.org/10.1109/CSCWD49262.2021.9437702

2021-01-01

Abstract:Low-rate Denial of Service (LDoS) attack exploiting vulnerabilities of TCP protocol for periodic attacks usually results in the degradation of service quality. Its short attack duration and low average attack traffic make it highly efficient and concealed. Existing detection methods against this type of attack still have a shortcoming that the accuracy is not so satisfactory. A method for detecting LDoS attacks using PSO and k-means algorithm is proposed in this paper. The method first divides the detection time into multiple detection units, samples the traffic data of the data stream and summarizes the traffic characteristics in each detection unit, and then it uses the K-means algorithm to calculate the clustering center. In order to conduct a better detection, the particle swarm optimization algorithm is used to perturb the clustering center to avoid the defect that the K-means algorithm is easy to fall into the local optimal solution. Finally, the network features after clustering are compared with the anomalous features generated after the LDoS attacks, and the relevant criteria is adopted to judge and subsequently verify the LDoS attacks. The experiments are carried out on multiple platforms and public datasets such as NS2 platform, test-bed platform, DARPA dataset, LBNL dataset and WIDE2018 dataset. The results of comparative experiments show that the proposed method has a better performance in effectively detecting LDoS attacks.

Zhiqing Zheng,Dan Tang,Siyuan Wang,Xiaoxue Wu,Jingwen Chen

DOI: https://doi.org/10.1109/ICCCN49398.2020.9209699

2020-01-01

Abstract:Low Rate Denial of Service (LDoS) Attack is a sort of DoS attack with analogous effects but is more hidden. The LDoS attack is essentially launched by a malicious attacker who utilizes the loopholes of the TCP/IP congestion control mechanism to aim the purpose of attacking by using the periodic burst co-intensity attack flow and causing repeated congestion on the network. Disadvantages of high false positive rate and high false negative rate still remain in the existing detection methods for LDoS attacks. In this paper, a new method based on NCS-SVM algorithm for LDoS attacks is presented. By judging the similarity between the normal cloud model and the reference, this method determines whether the LDoS attack has occurred. In this detection process, the inverse cloud generator and the normal cloud’s expectation curve are also adopted. For the purpose of improving the accuracy of detection, a Support Vector Machine (SVM) is introduced to classify the similarity of cloud models. Experiments to verify this algorithm used multiple data sets, namely NS2, Testbed, and WIDE2018. And at last, the experimental results and comparison with other methods are given to prove that the NCS-SVM-based LDoS attack detection method is effective.

Dan Tang,Xiyin Wang,Xiong Li,Pandi Vijayakumar,Neeraj Kumar

DOI: https://doi.org/10.1109/tdsc.2021.3131531

2023-01-01

Abstract:Low-rate denial of service (LDoS) attacks exploit the security vulnerabilities of network protocols adaptive mechanisms to launch periodic bursts. These attacks result in the severe destruction of the quality of service of TCP applications. Therefore, detection of LDoS attacks is a concern among scientific communities. However, the existing coarse-scale detection methods yield poor detection performance and adaptability. To achieve the accurate detection of LDoS attacks, an adaptive Kohonen Network based fine-grained detection (AKN-FGD) model for LDoS attacks is proposed. Based on the burst and periodicity characteristics of attack traffic, the Smith-Waterman (SW) algorithm is used to estimate the pulse period, which is the length of the detection unit. Subsequently, cluster analysis is performed for each detection unit using the adaptive Kohonen network (AKN) algorithm because the discreteness of traffic suffering from LDoS attacks is more pronounced than that of legitimate traffic. Finally, the existence of LDoS attacks can be verified in view of a novel decision metric, denoted as the anomaly degree, based on the clustering results. We conducted experiments not solely in traditional networks using NS3 and in a test-bed environment but also in a software-defined network (SDN), with accuracies of 99.7%, 99.8%, and 95.6% for detecting LDoS bursts, respectively. The experimental results show that the AKN-FGD scheme not only enables accurate fine-grained detection, that is, it can detect every attack burst, but also estimates the start and end times of the attacks. Moreover, we have compared the AKN-FGD scheme with some other detection methods, and a comparison of the results show that our proposed approach displays better detection performance.

Dan Tang,Yudong Yan,Rui Dai,Zheng Qin,Jingwen Chen,Dongshuo Zhang

DOI: https://doi.org/10.1007/s10586-022-03537-y

2022-01-01

Cluster Computing

Abstract:In network security, Low-rate Denial of Service (LDoS) attacks can severely degrade the quality of the network service by sending attacking pulses intermittently with a low-rate behavior. It is hard to accurately detect this attack because of its low-rate nature and stealth. By combining the discrete Fourier transform (DFT) and discrete wavelet transform (DWT) with autoencoder-based anomaly detection, we put forward a novel LDoS attack detection method. According to the approximate coefficients (NAC), the normalized amplitude spectrum of network traffic (NAS) and the normalized reconstruction signal according to the approximate coefficients (NAC) have a significant difference between normal and LDoS conditions. The proposed detection method consists of two detection models, one is NAS–AE that takes the normalized amplitude spectrum (NAS) of network traffic as the input of the autoencoder, and the other is the NAC–AE that employs the normalized reconstruction signal as the input of the autoencoder. The reconstruction error of the network signal is represented as the difference between the autoencoder input and output. Network traffic without LDoS attacks can be reconstructed well by the autoencoder trained with normal network traffic, while the network traffic under LDoS conditions will be failed to do so, resulting in an anomaly of the reconstruction error. The reconstruction anomaly indicates that the network is under LDoS conditions. Experiments performed in NS2 and test-bed networking prove that the method put forward by us can detect LDoS attacks accurately.

Sijia Zhan,Dan Tang,Jianping Man,Rui Dai,Xiyin Wang

DOI: https://doi.org/10.3390/s20010189

IF: 3.9

2019-12-29

Sensors

Abstract:Low-rate denial of service (LDoS) attacks reduce the quality of network service by sending periodical packet bursts to the bottleneck routers. It is difficult to detect by counter-DoS mechanisms due to its stealthy and low average attack traffic behavior. In this paper, we propose an anomaly detection method based on adaptive fusion of multiple features (MAF-ADM) for LDoS attacks. This study is based on the fact that the time-frequency joint distribution of the legitimate transmission control protocol (TCP) traffic would be changed under LDoS attacks. Several statistical metrics of the time-frequency joint distribution are chosen to generate isolation trees, which can simultaneously reflect the anomalies in time domain and frequency domain. Then we calculate anomaly score by fusing the results of all isolation trees according to their ability to isolate samples containing LDoS attacks. Finally, the anomaly score is smoothed by weighted moving average algorithm to avoid errors caused by noise in the network. Experimental results of Network Simulator 2 (NS2), testbed, and public datasets (WIDE2018 and LBNL) demonstrate that this method does detect LDoS attacks effectively with lower false negative rate.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Yu Fu,Xueyuan Duan,Kun Wang,Bin Li

DOI: https://doi.org/10.48550/arXiv.2206.00325

2022-06-01

Abstract:For the traditional denial-of-service attack detection methods have complex algorithms and high computational overhead, which are difficult to meet the demand of online detection; and the experimental environment is mostly a simulation platform, which is difficult to deploy in real network environment, we propose a real network environment-oriented LDoS attack detection method based on the time-frequency characteristics of traffic data. All the traffic data flowing through the Web server is obtained through the acquisition storage system, and the detection data set is constructed using pre-processing; the simple features of the flow fragments are used as input, and the deep neural network is used to learn the time-frequency domain features of normal traffic features and generate reconstructed sequences, and the LDoS attack is discriminated based on the differences between the reconstructed sequences and the input data in the time-frequency domain. The experimental results show that the proposed method can accurately detect the attack features in the flow fragments in a very short time and achieve high detection accuracy for complex and diverse LDoS attacks; since only the statistical features of the packets are used, there is no need to parse the packet data, which can be adapted to different network environments.

Cryptography and Security,Networking and Internet Architecture

Jing Zhang,Bo Liu,Huaping Hu,Lin Chen

DOI: https://doi.org/10.1109/MINES.2010.123

2010-01-01

Abstract:Low-rate denial-of-service attack is a novel category of attacks that are based on exploiting the adaptive behavior exhibited by several network and system protocols. This attack through periodically non-suspicious low-rate attack pulsing, to reduce the performance of the victims. Based on the simulation of low-rate denial-of-service on NS2 platform, we analyze the defense performance of queue management mechanism itself to count the LDoS attack. Under the analysis of experiments result, we give some suggestions about counter technology.

Libing Wu,Jing Cheng,Yanxiang He,Ao Xu,Peng Wen

DOI: https://doi.org/10.1007/978-3-642-23235-0_25

2011-01-01

Abstract:Low-rate Denial-of-Service attacks are stealthier and trickier than traditional DDoS attacks. According to the characteristic of periodicity and short burst in LDoS flows, a detection measure against LDoS attacks based on rate anomalies has been proposed. In the period when the router packet loss-rate is abnormal caused by the attack pulse, the rate of attack flow is large, while in other time the rate of attack flow is close to 0. In the view point of the periods that the packet loss is abnormal, we can find that the attack flow rate is far higher in these periods than the average rate, while the normal flow is lower to the average rate. In this paper, we proposed a measure that observes the flow rate in the periods that the packet loss rate is abnormal, computing the difference of the rate in these periods and the average rate. If it is beyond a certain threshold, treats the flow as a malicious flow and filters the flow with corresponding method.

Chen Hongsong,Meng Caixia,Fu Zhongchuan,Chao-Hsien Lee

DOI: https://doi.org/10.1049/iet-ifs.2018.5512

2020-01-01

IET Information Security

Abstract:Low-rate denial of service (LDoS) attack is a special DoS attack type of wireless sensor network (WSN). Routing protocol is the critical component of the WSN. Routing flood attack is a novel LDoS attack pattern in WSN. However, the attack is difficult to be detected by traditional intrusion detection algorithm. A novel LDoS attack detection method based on big data and signal analysis is proposed. Hilbert–Huang Transform (HHT) time–frequency signal analysis method is used to analyse the small non-linear signal from LDoS attack traffic signal. Spark-based Pearson and Spearman correlation coefficient calculation approaches are used to recognise the false intrinsic mode functions (IMFs) components decomposed by the HHT method. The effective threshold value of Pearson correlation coefficient is set to 0.2, the effective threshold value of Spearman correlation coefficient is set to 0.3, which are united to identify the false IMF components. SunSpot wireless nodes are used to build the wireless sensor nodes. If the difference between the IMF component and the normal IMF component is more than 40%, the LDoS attack will be detected. Experimental results show that this approach is effective to detect the LDoS attack in ZigBee WSN. This is a quantitative LDoS attack detection experimental research in WSN.

Kun Ding,Lin Liu,Yun Liu

DOI: https://doi.org/10.1007/978-94-007-7262-5_100

2013-01-01

Abstract:Low-rate Denial of Service (LDoS) attack is a new type of Denial of Service attack, which is difficult for the router and victim site to detect because the attack packets are as many as the valid packets. In consideration of the fact that the features in time domain between attack traffic and valid traffic are different, we present a method to identify such kind of attack and try to trace the potential location of the attacker. We also carry out a simulation to illustrate the usability of this method.

Xiaocai Wang,Dan Tang,Ye Feng,Zheng Qin,Bing Xiong,Yufeng Liu

DOI: https://doi.org/10.1016/j.eswa.2024.125006

IF: 8.5

2024-01-01

Expert Systems with Applications

Abstract:The Low-rate Denial-of-Service (LDoS) attack is a stealthy and periodic attack, which belongs to the category of DoS attacks. The LDoS attack maliciously preempts and consumes target resources, causing the targeted network performance to decline and affecting the service quality. The LDoS attack is highly destructive and difficult to detect and defend against due to its abnormal attack behavior. In this paper, we discuss the network traffic behavior in the time domain, frequency domain, and time-frequency domain, and we find that the time-frequency domain contains more detailed information than the time domain and frequency domain alone. Considering the limitations of the existing time-frequency domain transformation methods, an LDoS attack detection method based on Frequency Slice Wavelet Transformation (FSWT) is presented in this paper. The entropy, ratio of energy, contrast, and correlation are extracted from the time-frequency distribution to depict the network traffic, and a decision tree is trained to detect the LDoS attack in this paper. According to the experimental results on NS2, testbed, and the comparative experiment, we conclude that the method presented in this paper performs well.

Yazhi Liu,Ding Sun,Rundong Zhang,Wei Li

DOI: https://doi.org/10.3390/s23104745

IF: 3.9

2023-05-15

Sensors

Abstract:Currently, Low-Rate Denial of Service (LDoS) attacks are one of the main threats faced by Software-Defined Wireless Sensor Networks (SDWSNs). This type of attack uses a lot of low-rate requests to occupy network resources and hard to detect. An efficient detection method has been proposed for LDoS attacks with the features of small signals. The non-smooth small signals generated by LDoS attacks are analyzed employing the time–frequency analysis method based on Hilbert–Huang Transform (HHT). In this paper, redundant and similar Intrinsic Mode Functions (IMFs) are removed from standard HHT to save computational resources and to eliminate modal mixing. The compressed HHT transformed one-dimensional dataflow features into two-dimensional temporal–spectral features, which are further input into a Convolutional Neural Network (CNN) to detect LDoS attacks. To evaluate the detection performance of the method, various LDoS attacks are simulated in the Network Simulator-3 (NS-3) experimental environment. The experimental results show that the method has 99.8% detection accuracy for complex and diverse LDoS attacks.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Dan Tang,Liu Tang,Rui Dai,Jingwen Chen,Xiong Li,Joel J. P. C. Rodrigues

DOI: https://doi.org/10.1016/j.future.2019.12.034

2020-01-01

Abstract:A low-rate denial of service (LDoS) attack is a precise network attack that aims at reducing the quality of the network service. Many networks do not have an effective mechanism for defending against LDoS attacks, including the emerging Internet of Things. In this paper, we propose an LDoS attack detection method that is based on multiple features of network traffic and an improved Adaboost algorithm (MF-Adaboost). Based on an analysis of the network traffic, we construct a network feature set that is used for feature calculation and feature selection of network traffic data. Feature calculation can extract the most useful information from the network traffic data and reduce the scale of the network data. Feature selection is used to select the optimal classification features to ensure that the detection algorithm can be effectively trained. This method utilizes the Adaboost algorithm, which is a classification algorithm in the field of machine learning. The well-trained Adaboost algorithm can effectively identify LDoS attack traffic. We improve the Adaboost algorithm to alleviate the imbalance of the sample weights. Experiments are conducted on the NS2 simulation platform and a test-bed platform to evaluate the performance of our method. The experimental results demonstrate that our method can detect LDoS attacks effectively.

Dan Tang,Ye Feng,Siqi Zhang,Zheng Qin

DOI: https://doi.org/10.1109/tr.2020.3023257

IF: 5.883

2021-01-01

IEEE Transactions on Reliability

Abstract:The low-rate denial of service (LDoS) attack mainly exploits security vulnerabilities of adaptive mechanisms in network protocols and application services. The high-rate attack pulses within a short time interval are sent periodically, which will result in the degradation of service quality. The attack traffic is similar to normal traffic from legitimate users in the network, consequently, it is easy to escape the traditional detection methods because of its intermittence. Research works have demonstrated that there are fractal characteristics (self-similarity) of the network traffic over the large scale of time. Although the fractal characteristics of the network traffic will be changed under the LDoS attack, the variations of the fractal characteristics in some network states are not apparent in real-time detection. Based on the fractal characteristics, the fractal residual of the network traffic is analyzed through the Hurst parameters calculating process by R/S algorithm in this article. It can be found that the fractal residual of the network traffic can better reflect the different states of the LDoS attack. Combining the idea behind the sliding window, a novel fractal residual based real-time detection (FR-RED) method of the LDoS attack is proposed. The effectiveness of the method in this article is verified by performing some experiments on two platforms, the NS2 and test-bed. The results manifest the beginning and end of the LDoS attack can be estimated in real-time with high detection accuracy.

Fang Feng,Xin Liu,Binbin Yong,Rui Zhou,Qingguo Zhou

DOI: https://doi.org/10.1016/j.adhoc.2018.09.014

IF: 4.816

2019-01-01

Ad Hoc Networks

Abstract:Ad-hoc network is a temporary self-organizing network that needs no fixed infrastructure. So it has been applied extensively in many areas requesting temporary communication such as military field, emergency disaster relief and road traffic. While, due to the feature of self-organization and wireless communication channels, ad-hoc network is more vulnerable to various attacks compared to the traditional network. In this paper, we proposed a plug and play device to detect Denial of Service (DoS) and privacy attacks. This device mainly includes capture tool and deep learning detection model. Capture tool is used to grab packets in ad-hoc networks, deep learning detection model is used for detecting attacks. An alarm will be triggered if the detected result is attack. In this way, we can avoid the detected attack to spreading out in larger scale. The proposed method can be used as the second line of dense to issue the early-warning signal. In the experiment, first, we use Deep neural network (DNN) detection model to detect DoS attacks; next, we use DNN, Convolutional Neural Network (CNN) and Long Short-Term Memory (LSTM) detection model to detect XSS and SQL attacks. The results show that these detection models can achieve very high Accuracy, Precision, Recall and F1−score. In addition, the time efficiency among the CNN, the LSTM and the DNN is in acceptable range. It proofs that the proposed method can be effectively applied for attack detection. It is important to note that the proposed method can be extended to all other attacks with little modification in ad-hoc networks.

Dan Tang,Xiaoxue Wu,Liu Tang,Jianping Man,Sijia Zhan,Qin Liu

DOI: https://doi.org/10.1109/smartworld.2018.00236

2018-01-01

Abstract:To date, Denial of Service (DoS) attack still causes great damage to the Internet in spite of many years' research on its detection and defense. Low-rate Denial of Service (LDoS) attack, a new type of DoS attack, exploits the congestion control mechanism of Transmission Control Protocol (TCP) to degrade the throughput of network by sending periodic pulse attack traffic. The periodic mechanism applied by LDoS makes its average attack traffic speed very low compared to DoS attack, which means existing DoS detection methods based on high attack traffic speed are incapable of detecting LDoS attack. In this paper, we propose a correlation-based approach to detect LDoS attack. The major innovation of the correlation-based approach is that, instead of calculating the correlation coefficient of network traffic sequence directly, it calculates the correlation coefficient of the Hilbert Spectrum of the network traffic. The Hilbert Spectrum, obtained by applying Hilbert-Huang Transform to the network traffic, is an energy-frequency-time distribution which presents more information about the network traffic than raw network traffic sequences. We conduct NS-2 simulations, public dataset experiments to evaluate the performance of the proposed approach. The experimental results show that the approach can detect LDoS attack effectively.

Haosu Cheng,Jianwei Liu,Tongge Xu,Bohan Ren,Jian Mao,Wei Zhang

DOI: https://doi.org/10.1504/ijsnet.2020.109720

2020-01-01

International Journal of Sensor Networks

Abstract:The software-defined network (SDN) enabled internet of things (IoT) architecture is deployed in many industrial systems. The ability of SDN to intelligently route traffic and use underutilised network resources, enables IoT networks to cope with data onslaught smoothly. SDN also eliminates bottlenecks and helps to process IoT data efficiently without placing a larger strain on the network. The SDN-based IoT network is vulnerable to DDoS attack in a sophisticated usage environment. The SDN-based IoT network behaviours are different from traditional networks, which makes the detection of low-traffic DDoS attacks more difficult. In this paper, we propose a learning-based detection approach that deploys learning algorithms and utilizes stateful and stateless features from Openflow packages to identify attack traffics in SDN control and data planes. Our prototype approach and experiment results show that our system identified the low-rate DDoS attack traffic accurately with relatively low system performance overheads.