Detection Of Low-rate DoS Attacks Based On Analysis Of TCP Behaviors

Posted on: 2020-09-07
Degree: Master
Type: Thesis
Country: China
Candidate: H J Li
Full Text: PDF
GTID: 2428330596994352
Subject: Information and Communication Engineering

Abstract/Summary:
Low-rate Denial of Service (LDoS) is a new type of DoS attack that exploits shortcomings of the TCP congestion control mechanism, reducing the victim's transmission rate by periodically sending short bursts of high-rate traffic. Because the average rate of an LDoS attack is low, the attack is well concealed, and traditional detection methods have difficulty finding attack traffic hidden in normal data. LDoS attacks are more harmful to the network than traditional attacks. This thesis studies the characteristics of LDoS attacks and their traffic and analyzes their impact on TCP protocol behavior. The influence of LDoS attacks on two TCP variables, the retransmission timeout (RTO) and the round-trip delay (RTT), is analyzed. An attack detection algorithm based on TCP behavior analysis is proposed. The algorithm extracts TCP protocol variables on the server side and uses them as features for detecting LDoS attacks. It uses the wavelet transform to decompose and reconstruct the RTT information and extracts two features from the reconstructed information: the low-frequency mean and the low-frequency variance. Two further features are extracted from the RTO information: the RTO sample entropy and the exponential back-off frequency. These four features are used as input to a support vector machine (SVM). After training with a large amount of data under different conditions (normal, bursty UDP, bursty TCP, and LDoS attacks), the SVM is used as a classifier for determining LDoS attacks. The algorithm is tested in NS-2 and in a practical network test environment and compared with existing algorithms. The experimental results show that the detection rate of this method is 95.3% and the false alarm rate is 1.2%, indicating good detection performance.
Keywords/Search Tags:Low-Rate Denial of Service, Retransmission Timeout, Round-trip Time, wavelet transforms, sample entropy, Support Vector Machine
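
The four detection features named in the abstract, computed over server-side RTT and RTO samples. This is an added example, not code from the thesis. The Haar wavelet, the SampEn parameters (m = 2, r = 0.2 × standard deviation), the doubling-based definition of back-off frequency, and the sample series are all assumptions; the resulting 4-tuple is what would be fed to the SVM.

```python
import math
from statistics import mean, pvariance

def haar_lowfreq(x, levels=2):
    """Haar low-frequency approximation: pairwise averaging, `levels` times."""
    for _ in range(levels):
        x = [(x[i] + x[i + 1]) / 2 for i in range(0, len(x) - 1, 2)]
    return x

def sample_entropy(x, m=2, r_frac=0.2):
    """SampEn(m, r) = ln(B/A) with r = r_frac * std(x), Chebyshev distance."""
    n, r = len(x), r_frac * math.sqrt(pvariance(x))
    def matches(k):
        # n - m templates for both lengths; self-matches are excluded (j > i)
        t = [x[i:i + k] for i in range(n - m)]
        return sum(1 for i in range(len(t)) for j in range(i + 1, len(t))
                   if max(abs(a - b) for a, b in zip(t[i], t[j])) <= r)
    b, a = matches(m), matches(m + 1)
    return math.inf if a == 0 or b == 0 else math.log(b / a)

def backoff_frequency(rto, tol=0.05):
    """Assumed definition: share of consecutive RTO samples where RTO doubles."""
    steps = list(zip(rto, rto[1:]))
    return sum(1 for p, q in steps if abs(q - 2 * p) <= tol * 2 * p) / len(steps)

def features(rtt, rto):
    """Four-feature vector in the order the abstract lists them."""
    low = haar_lowfreq(rtt)
    return (mean(low), pvariance(low), sample_entropy(rto), backoff_frequency(rto))

# Constructed server-side samples in seconds (not data from the thesis).
RTT_NORMAL = [0.050, 0.052, 0.049, 0.051] * 6
RTT_ATTACK = [0.05, 0.05, 0.05, 0.05, 0.20, 0.22] * 4   # periodic queue build-up
RTO_NORMAL = [0.21, 0.20, 0.22, 0.21, 0.20, 0.23] * 4
RTO_ATTACK = [0.2, 0.2, 1.0, 2.0, 4.0] * 4              # repeated timeout doubling

if __name__ == "__main__":
    for label, rtt, rto in (("normal", RTT_NORMAL, RTO_NORMAL),
                            ("attack", RTT_ATTACK, RTO_ATTACK)):
        print(label, ["%.4f" % v for v in features(rtt, rto)])
```
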