Detection of DoS and DDoS Attacks in NGMN Using Frequency Domain Analysis

Ensuring security of the infrastructure against external attacks across network boundaries constitutes one of primary attributes as well as challenges of the next generation mobile network (NGMN). To allay the possibility of such attacks emancipating the NGMN architecture, it is necessary to identify the attack types. However, detection of the attack types from various traffic flows (as is the case in network links) and their subsequent classification can be a very daunting task, especially when both the attack and the legitimate traffic exhibit similar statistical properties (such as denial-of-service (DoS) and distributed DoS (DDoS)). Furthermore, the attacker's ability to spoof and forge the packet header information (including IP address) makes the detection process even more difficult. Conventional anomaly based attack detection mechanisms have been found wanting in such situations. In an attempt to provide a solution, this paper proposes a detection algorithm that identifies and characterizes network traffic by investigating the frequency spectrum distribution. The Lomb periodogram is utilized to determine the power spectrum of the observed traffic whereupon two deviation score parameters are employed to segregate the anomaly traffic flows from legitimate ones in a two-step method. For simplicity purposes, the efficiency of such classification effort is demonstrated for DoS and DDoS attacks only (for their statistical similarity to normal traffic).