Low-Rate DoS Attacks Detection Based on MAF-ADM

Low-rate denial of service (LDoS) attacks reduce the quality of network service by sending periodical packet bursts to the bottleneck routers. They are difficult to detect by counter-DoS mechanisms due to their stealthy and low average attack traffic behavior. In this paper, we propose an anomaly detecti...


Bibliographic Details
Main Authors: Sijia Zhan, Dan Tang, Jianping Man, Rui Dai, Xiyin Wang
Format: Article
Language: English
Published: MDPI AG 2019-12-01
Series: Sensors
Subjects:
Online Access: https://www.mdpi.com/1424-8220/20/1/189
id doaj-45136925f1c8484ab7d747244586f241
record_format Article
spelling doaj-45136925f1c8484ab7d747244586f241; 2020-11-25T03:01:02Z; eng; MDPI AG; Sensors; 1424-8220; 2019-12-01; 20; 1; 189; 10.3390/s20010189; s20010189; Low-Rate DoS Attacks Detection Based on MAF-ADM; Sijia Zhan [0]; Dan Tang [1]; Jianping Man [2]; Rui Dai [3]; Xiyin Wang [4]; [0-4] College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China
collection DOAJ
language English
format Article
sources DOAJ
issn 1424-8220
description Low-rate denial of service (LDoS) attacks reduce the quality of network service by sending periodical packet bursts to the bottleneck routers. They are difficult to detect by counter-DoS mechanisms due to their stealthy and low average attack traffic behavior. In this paper, we propose an anomaly detection method based on adaptive fusion of multiple features (MAF-ADM) for LDoS attacks. This study is based on the fact that the time-frequency joint distribution of the legitimate transmission control protocol (TCP) traffic would be changed under LDoS attacks. Several statistical metrics of the time-frequency joint distribution are chosen to generate isolation trees, which can simultaneously reflect the anomalies in the time domain and the frequency domain. Then we calculate an anomaly score by fusing the results of all isolation trees according to their ability to isolate samples containing LDoS attacks. Finally, the anomaly score is smoothed by a weighted moving average algorithm to avoid errors caused by noise in the network. Experimental results of Network Simulator 2 (NS2), testbed, and public datasets (WIDE2018 and LBNL) demonstrate that this method does detect LDoS attacks effectively with a lower false negative rate.
topic low-rate denial of service attacks
anomaly detection
adaptive fusion of multiple features
time-frequency joint distribution
isolation trees