
Research On LDoS Attacks Detection Method Based On The Statistical Features Of TCP Traffic

Posted on: 2016-07-30
Degree: Master
Type: Thesis
Country: China
Candidate: Y Liu
GTID: 2348330479453383
Subject: Computer system architecture
Abstract/Summary:
DoS (Denial of Service) attacks are growing fast in size and are a security hazard that exists widely on the Internet. As a variation of DoS attacks, LDoS (Low-rate DoS) attacks are highly harmful and highly concealed, so it is difficult to discover them with the detection methods used for other DoS attacks. Existing LDoS attack detection methods have limitations in cost, accuracy or universality. It is therefore necessary to continue in-depth study of LDoS attack detection in order to obtain a more effective detection method.

In the context of actual networks, four typical network scenarios are summarized and defined to discuss the issue. Through comparison and analysis of the distribution and fluctuation of TCP traffic in each scenario, it is found that the distribution and fluctuation of TCP traffic when LDoS attacks occur are obviously different from those in the other scenarios. To measure the differences in the distribution and fluctuation of TCP traffic between scenarios, kurtosis and the moving range sequence are introduced. The former determines the degree of concentration of the TCP traffic distribution, and the latter indicates the degree of fluctuation in different scenarios. On this basis, an LDoS attack detection method based on kurtosis and an LDoS attack detection method based on the moving range sequence are proposed, each with its own judgment criteria.

The availability and effectiveness of the two methods are demonstrated by experiments, but their shortcomings are found at the same time. The method based on kurtosis leads to false negatives when bursts of network traffic exist in normal circumstances, and the method based on the moving range sequence cannot effectively distinguish a small jump in normal network traffic from the frequent network traffic fluctuations that LDoS attacks cause.

Because the two approaches analyze, measure and judge the anomalies caused by LDoS attacks from different aspects and are complementary, a coordinated method for detecting LDoS attacks is proposed by combining them. Experiments on a simulation platform and on actual network datasets demonstrate the effectiveness and accuracy of this collaborative detection method, which has low complexity, good real-time performance and is easy to deploy.
Keywords/Search Tags: Low-rate Denial of Service Attacks, Attacks Detection, Statistical Features, Kurtosis, Moving Range Sequence