SEDP-based detection of low-rate DoS attacks

Low-rate Denial of Service (LDoS) is a new type of TCP-targeted attacks, which attempt to deny bandwidth to TCP flows while sending at sufficiently low-average rate to elude detection of DoS defense system. Therefore, LDoS attacks are difficult to be detected by routers and counter-DoS mechanisms. In this paper, an approach of detecting LDoS attacks is proposed by using the technology of signal processing based on the model of spectral energy distribution probability. The proposed approach calculates variances between the incoming traffic of normal TCP and attack flows to a server by using packet sampling sequence within a certain period. The network traffic is converted from the time domain to the frequency domain forming a spectral signal, and the distribution probability of spectral energy is estimated based on spectrum characteristics of rectangular pulses. This approach explores that the energy of LDoS attacks is mostly distributed in the main lobe width while that of normal TCP traffic is just concentrated near zero in frequency domain. Both the spectral energy of normal TCP traffic and LDoS attacks distributed in main lobe are calculated, and an energy threshold is set as decision value based on statistical results according to energy distribution properties. The existence of LDoS attacks is determined and detected by comparing calculated variances with the preset decision threshold value. Tests on the detection performance of the proposed approach were performed in NS-2 simulation environment, and detection rate was obtained by Hypothesis test. Experiment results show that the proposed approach has higher detection accuracy and less computation consuming. Copyright (c) 2014 John Wiley & Sons, Ltd.