Correlation-based Detection of LDoS Attack
Wu Zhi-jun
School of Electronics & Information Engineering, Civil Aviation University of China, Tianjin, China
Email: zjwu@cauc.edu.cn
Wang Minghua
China Computer Emergency Response Team, Beijing, China
Email: wmh@cert.org.cn
Zhang Haitao, Liu Xingchen
School of Electronics & Information Engineering, Tianjin University, Tianjin, China
Email: haitao_mail@yahoo.com.cn; liu19850119@gmail.com
Abstract—Low-rate Denial of Service (LDoS) attacks and TCP flows are simulated in the time and frequency domains in order to analyze their signatures and extract the period T and duration L of the LDoS attack, the two correlation parameters used in the proposed detection approach. In the correlation operation, the reference signal is simulated LDoS attack traffic built from the extracted parameters T and L, and the incoming signal is the hybrid signal (TCP flows plus real LDoS attacks). A detection threshold is established and compared with the result of the correlation operation: if the correlation value exceeds the threshold, an LDoS attack is declared. The proposed method has been tested both on the NS-2 network simulation platform and in a network testbed environment with different values of T and L. Experimental results show that the proposed approach performs well, with a higher detection rate $P_D$ and lower false negative alarm rate $P_{FN}$ and false positive alarm rate $P_{FP}$.
Index Terms—LDoS, correlation, detection, period, duration
I. INTRODUCTION
Low-rate Denial of Service (LDoS) attack is a new class of DoS attack [1]. An LDoS attack exploits vulnerabilities in the adaptation mechanisms of network protocols: by sending a periodic pulsed attack flow to the target, it decreases the throughput of the victim-end network and thereby degrades its quality of service (QoS). From the signal processing point of view, an LDoS attack is usually a periodic square wave signal [1] whose main parameters form a triple: L is the pulse width, T is the pulse period, and R is the transmission rate. The average rate of the LDoS attack is therefore RL/T. An LDoS attack remains silent (sending no attack traffic) most of the time and is active only for a short time (the pulse duration), during which it sends a high-intensity pulse. This intermittent behavior makes the average data rate of the attack very low, so traditional DoS detection methods are ineffective. In this paper, based on an analysis of the LDoS attack model, we use its two important parameters, T and L, to reconstruct the LDoS attack signal on the victim side, and we propose a parameter-correlation-based LDoS attack detection method.
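The square-wave model and the correlation test described above can be sketched as follows. This is an added example, not the paper's code: the bin counts, background traffic, threshold of 0.5 and the use of a normalized (Pearson) correlation searched over every phase are assumptions made for illustration.

```python
import random

def square_wave(n, period, width, rate, phase=0):
    """Per-bin rate of an LDoS pulse train: `rate` for `width` bins in every `period` bins."""
    return [rate if (i - phase) % period < width else 0 for i in range(n)]

def pearson(a, b):
    """Normalized correlation coefficient of two equal-length series."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / (va * vb) ** 0.5 if va and vb else 0.0

def correlation_peak(traffic, period, width):
    """Correlate traffic with the T/L reference at every phase; return (peak, phase)."""
    n = len(traffic)
    return max((pearson(traffic, square_wave(n, period, width, 1, p)), p)
               for p in range(period))

def detect(traffic, period, width, threshold):
    """Declare an LDoS attack when the correlation peak exceeds the threshold."""
    return correlation_peak(traffic, period, width)[0] > threshold

# Constructed sample data (not from the paper): 600 bins, T = 100 bins, L = 20 bins,
# R = 50 packets/bin, attack starting at bin 37, background of 20-40 packets/bin.
T_BINS, L_BINS, RATE, THRESHOLD = 100, 20, 50, 0.5   # THRESHOLD is an assumed value
rng = random.Random(7)
BACKGROUND = [rng.randint(20, 40) for _ in range(600)]
ATTACK = square_wave(600, T_BINS, L_BINS, RATE, phase=37)
HYBRID = [b + a for b, a in zip(BACKGROUND, ATTACK)]

if __name__ == "__main__":
    print("average attack rate R*L/T:", sum(ATTACK) / len(ATTACK))
    print("hybrid peak, phase:", correlation_peak(HYBRID, T_BINS, L_BINS))
    print("background peak, phase:", correlation_peak(BACKGROUND, T_BINS, L_BINS))
    print("attack detected:", detect(HYBRID, T_BINS, L_BINS, THRESHOLD))
```

The average of the attack signal equals RL/T (10 packets per bin here), well below the background level, which is why a volume threshold misses the attack while the correlation peak does not.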
Since LDoS was found in 2001, it has attracted the attention of many researchers. Kuzmanovic and Knightly [1] first gave a detailed analysis of the principle of LDoS, conducted in-depth research into the characteristics of the periodic pulse of LDoS, explored LDoS overflow attack methods, and proposed a network-based defense method. Cheng [2] first proposed a method to detect LDoS attacks in the frequency domain by using the cumulative normalized power spectrum density. Barford, P. and Kline, J. [3] proposed a method to detect abnormal traffic by using signal processing. Gabriel Maciá-Fernández [4] and Y. Zhang, Z. M. Mao, and J. Wang [5] completed the method of detecting LDoS attacks in the frequency domain and simulated it in the NS-2 environment. Xiapu Luo [6] and He Yanxiang [7] simulated and tested the performance of the LDoS attack by using wavelets in the frequency domain. That system, focusing on the number of packets arriving at the monitoring node, extracts five feature indices of LDoS flows through wavelet multi-scale analysis; a synthesis diagnosis is then made by a trained BP neural network. Qiao Zhu, Zhang Yizhi, and Xie Chuiyi [8] studied the LDoS attack and TCP-oriented prevention strategies. Macia-Fernandez, G., Diaz-Verdejo, J.E., and Garcia-Teodoro, P. [9] have researched the mathematical model for LDoS attacks against application servers [10].
Among the LDoS attack detection methods that use signal analysis theory, the results of Sun H. B [11], Yu Chen [12] and HE Yan-Xiang [7] are representative. Sun H. B [17] proposed sampling the data flow and extracting features, then matching the data against samples with the dynamic time warping (DTW) method commonly used in speech recognition; Yu Chen [12] fitted a curve to the normalized cumulative power spectral density to find the optimal threshold for deciding whether traffic is an attack.
JOURNAL OF SOFTWARE, VOL. 7, NO. 10, OCTOBER 2012
doi:10.4304/jsw.7.10.2341-2348