
Research On Detection Methods For Low-rate Denial Of Service Attack Based On Network Traffic Correlation

Posted on: 2020-04-23
Degree: Master
Type: Thesis
Country: China
Candidate: X X Wu
GTID: 2428330620954105
Subject: Computer Science and Technology
Abstract/Summary:
As the Internet has continued to develop, its importance to society has grown, and security problems in the network have been exposed along the way. Among the many cybersecurity threats, the harm caused by denial of service (DoS) attacks is particularly acute. The Low-rate Denial of Service (LDoS) attack is a variant of the traditional DoS attack. It can achieve the same or even better attack effect at a lower cost than the traditional DoS attack. In addition, because of its periodic attack mode, an LDoS attack is better concealed. Therefore, the detection and defense mechanisms built for traditional DoS attacks are not applicable to LDoS attacks. At present, LDoS attack detection methods suffer from high false positive and false negative rates, so further research is needed to obtain a more effective LDoS attack detection method.

LDoS attacks have the following characteristic: the correlation between LDoS attack network traffic and normal network traffic differs from the correlation between normal network traffic and normal network traffic. Based on this characteristic, this paper proposes two LDoS attack detection methods.

The first LDoS attack detection method proposed in this paper is based on the Hilbert-Huang transform and Pearson correlation. The method uses the Hilbert-Huang transform and the Pearson correlation to measure the correlation between network traffic. By analyzing and calculating normal network traffic and LDoS attack traffic, it is found that when an LDoS attack occurs, the Pearson correlation between the frequency-domain characteristics of the network traffic and those of normal network traffic is significantly reduced compared with the normal case. Based on this, the corresponding judgment criteria and detection algorithm are proposed. Experimental results on the NS2 network simulation platform and the WIDE public dataset show that this method has higher detection accuracy and lower false positive and false negative rates.

The second LDoS attack detection method proposed in this paper is based on similar cloud and support vector machine. The method first uses the normal cloud model to characterize the network traffic and uses the normal cloud model similarity algorithm to measure the similarity between two normal cloud models. Through calculation and analysis, it is found that the similarity between the cloud model of normal network traffic and the base cloud model is significantly higher than the similarity between the cloud model of the LDoS attack and the base cloud model. Further observation of the analysis results shows that a classification method is suitable here. To this end, a support vector machine is introduced to perform two-class classification, the two categories being normal network traffic and LDoS attack traffic. According to the above analysis, the corresponding judgment criteria and detection algorithms are proposed. To verify the effectiveness of the method, experiments were carried out on the NS2 network simulation platform and on a testbed. The experimental results show that the method has higher detection accuracy and lower false positive and false negative rates.
Keywords/Search Tags:Low-rate DoS attack detection, Hilbert Huang transform, Pearson correlation, Normal cloud model, Support vector machine
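
The first method's core observation (the Pearson correlation between a window's frequency-domain features and those of normal traffic drops under an LDoS attack) can be sketched as follows. This is an added example, not code from the thesis: it substitutes a plain DFT magnitude spectrum for the Hilbert-Huang transform, and the traffic series, window size and 0.8 threshold are constructed assumptions.

```python
import cmath
import math
import random

N = 128            # samples per detection window (assumed)
THRESHOLD = 0.8    # assumed decision threshold; the thesis's own criterion is not on this page

def spectrum(series):
    """Magnitude spectrum (bins 1..N/2) of the mean-removed series via a plain DFT."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]
    return [abs(sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n)))
            for k in range(1, n // 2 + 1)]

def pearson(a, b):
    """Pearson correlation coefficient of two equal-length sequences."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    va = sum((p - ma) ** 2 for p in a)
    vb = sum((q - mb) ** 2 for q in b)
    return 0.0 if va == 0 or vb == 0 else cov / math.sqrt(va * vb)

def normal_window(rng, phase=0.0):
    """Constructed normal traffic: slow oscillation around 100 pkts/sample plus noise."""
    return [100 + 20 * math.sin(2 * math.pi * 2 * t / N + phase) + rng.gauss(0, 3)
            for t in range(N)]

def ldos_window(rng, period=16, width=2, height=80):
    """Constructed LDoS traffic: the normal pattern plus short periodic bursts."""
    base = normal_window(rng, phase=1.0)
    return [v + (height if t % period < width else 0) for t, v in enumerate(base)]

def classify(window, baseline_spectrum):
    """Return (correlation, is_attack) for one window against the normal baseline."""
    r = pearson(spectrum(window), baseline_spectrum)
    return r, r < THRESHOLD

rng = random.Random(7)                      # fixed seed so the run is repeatable
BASELINE = spectrum(normal_window(rng))     # reference spectrum of known-normal traffic
R_NORMAL, NORMAL_FLAGGED = classify(normal_window(rng, phase=0.5), BASELINE)
R_ATTACK, ATTACK_FLAGGED = classify(ldos_window(rng), BASELINE)

if __name__ == "__main__":
    print(f"normal window: r={R_NORMAL:.2f} flagged={NORMAL_FLAGGED}")
    print(f"LDoS window:   r={R_ATTACK:.2f} flagged={ATTACK_FLAGGED}")
```

The periodic bursts add harmonics at multiples of the burst frequency, so the attack window's spectrum no longer matches the single-peak shape of the baseline and the correlation falls well below that of a second normal window.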