| LDoS(Low-Rate Denial of Service) attacks exploit the deficiencies in the congestion avoidance mechanism of TCP protocol, and launch high intensity attack flow in short periodic bursts to the victim. The system state switches between unstable and stable unceasingly, making the transmission performance of network degraded. Therefore, any network will be the possible victim if it adopts TCP as its transport layer protocol. LDoS attacks have small traffic, which is covered by normal network traffic. Hence the detection and defense approaches of available DoS could not be effective.Low-rate Distributed DoS attacks are composed of a number of LDoS attacks. The bigger pulses are sent by many well-organized LDoS attackers. The smaller pulse can be hidden in the normal traffic. All distributed smaller attack pulses are aggregated at a determined position through different transmission paths within a precise time to generate LDDoS attack pulses. So there is a certain correlation between these distributed attacks pulses. The attack pulses are with strict timing relationships.In this paper, targeted at timing relationships when distributed LDoS pulse arrives at the end, a cross-correlation algorithm based on circular convolution is proposed. It can extract attack parameters, by calculating the related sequences between constructed detection sequence with the sequence of network traffic.It takes advantage of a periodic single pulse to estimate attack parameters. So the detection algorithm based on Signal Cross-correlation was proposed. Simulation results in NS-2 environment show that the proposed approach calls detect the LDoS attack effectively. |