Low-rate DoS attack detection based on two-step cluster analysis and UTR analysis
Dan Tang, Rui Dai, Liu Tang, Xiong Li
2020
Human-Centric Computing and Information Sciences
Abstract

Low-rate denial of service (LDoS) attacks send attack bursts to the network intermittently, which can severely degrade the victim system's Quality of Service (QoS). The low-rate nature of such attacks complicates detection. LDoS attacks repeatedly trigger the congestion control mechanism, which can make TCP traffic extremely unstable. This paper investigates the characteristics of network traffic: variance and entropy are used to evaluate the TCP traffic's characteristics, and the ratio of UDP traffic to TCP traffic (UTR) is also analyzed. On this basis, a detection method combining two-step cluster analysis and UTR analysis is proposed. Two-step cluster analysis, a machine learning algorithm, divides network traffic into multiple clusters, and the clusters subjected to LDoS attacks are then identified using UTR analysis. An NS2 simulation platform and a test-bed network environment are used to evaluate the detection approach's performance. To better assess the effectiveness of the method, the public WIDE dataset is also utilized. The experimental results show good performance and demonstrate that the proposed detection approach can accurately detect LDoS attacks.

Introduction

A denial of service (DoS) attack [1, 2] is a common attack vector that generally seeks to exhaust limited network resources, so that legitimate users' requests are not processed. DoS attacks are becoming more widespread, targeting IoT networks [3, 4], SDN networks [5, 6], cloud computing environments [7, 8] and cyber-physical systems [9]. To combat DoS attacks, many methods have been proposed, a common detection approach being based on abnormal characteristics. Another type of DoS attack is the low-rate denial of service (LDoS) attack [10-12], which is hard to detect accurately because of its low-rate nature. Many LDoS attacks have emerged, such as Shrew attacks [13], LoRDAS attacks [14] and slow DoS attacks (e.g. Slow Next, SlowComm) [15, 16]. These attacks share one characteristic: they do not need to maintain sustained high-rate attack traffic to cause damage. Among them, TCP-targeted LDoS attacks are among the most common. To reduce TCP throughput, the attacker sends packet bursts
doi:10.1186/s13673-020-0210-9
fatcat:e55637qtyvejpn5kuua7uibjwq