Improving Detection Rate Of High-distributed Low-rate QoS Violation Based On Fusion Strategy

In recent years malicious quality of services (QoS) violation attackshave become one of the most serious security threats to the Internet. NewQoS attacks are increasingly showing the trend of high-distributed lowrate. In the literature, this kind of attacks has been called shrew attacks,pulsing denial of service (DoS) attacks or reduction of quality (RoQ)attacks. For simplicity, we call all of them LDoS (low-rate denial ofservice) attacks in the sequel.LDoS attacks are stealthy, periodic, pulsing, and low rate in attackvolume, very different from early flooding type of attacks. A traditionaldetection system against flooding attacks is based on traffic volumeanalysismethod in the time domain.However, it almost has no effect on newLDoS attack.In this paper, we present a fusion strategy: Identifying LDoS attacksby combining multiple observed features to improve the detect rate.1. Existing studies construct recognition algorithm based on singlefeature of the network. This ignores the influence of multiple featuresthat contains more meaningful multi-dimensional information. Althoughsignificant improvement can be achieved by these recognition algorithms,we observe that one-dimensional feature contains small amount ofinformation, based on which it is difficult to describe subtle changesof network QoS. And thus these methods will become bottlenecks for furtherimprovement of the recognition rate.2. The paper propose using multiple observed features of network traffic to identify new high-distributed low-rate quality of services(QoS) violation so that detection accuracy may be further improved. Forthe multiple observed features, we choose F feature in TCP packet headeras a microscopic feature and, P feature and D feature of network trafficas macroscopic features. Based on these features, we establish multiplestream fused hidden Markov model (MF-HMM) to detect stealthy low-ratedenial of service (LDoS) attacks hidden in legitimate network backgroundtraffic.3. In addition, the threshold value is dynamically adjusted by usingKaufman algorithm. Our experiments show that the additive effect ofcombining multiple features effectively reduces the false-positive rate.The average detection rate of MF-HMM results in a significant23.39%and44.64%improvement over typical power spectrum density (PSD) algorithmand nonparametric cumulative sum (CUSUM) algorithm.4. The paper summarize the main work and prospect the research in thefuture.