Research On Anomaly Detection Algorithms For Low-rate Denial Of Service Attacks

Posted on: 2021-10-22
Degree: Master
Type: Thesis
Country: China
Candidate: S J Zhan
GTID: 2518306122474624
Subject: Computer Science and Technology

Abstract/Summary:
The rapid development of Internet technology brings convenience to people's lives, but it also brings security risks that cannot be ignored. Denial of service (DoS) attacks are large in scale and highly damaging, and are a huge threat to Internet security. The low-rate denial of service (LDoS) attack, a variant of the DoS attack, reduces quality of service by periodically sending a short-term, high-rate pulse attack stream to the target server. It therefore has a lower average attack rate and better concealment, and existing DoS attack detection algorithms cannot recognize it. Existing LDoS attack detection algorithms also suffer from slow detection speed, low accuracy, a high false alarm rate and a lack of adaptive ability. LDoS attacks usually exploit the vulnerability of the TCP adaptive mechanism, so they inevitably affect TCP traffic. To better solve these problems, this paper uses anomaly detection algorithms based on network traffic to identify LDoS attacks, and analyzes and studies them further.

Based on the fact that the LDoS attack flow causes an abnormal distribution of TCP traffic in the time domain, this paper proposes an LDoS attack detection algorithm combining the cloud model and K-Nearest Neighbor (KNN). Using cloud model theory, the cloud model forms corresponding to TCP traffic in the two states are compared, analyzed and summarized, and numerical feature groups are then quantitatively analyzed and extracted. The simple and clear concept of the k-nearest neighbor algorithm is borrowed to build the anomaly detection model, and decision criteria are then established for identifying LDoS attacks quickly.

Based on the fact that the LDoS attack flow leads to an abnormal distribution of TCP traffic in the joint time-frequency domain, this paper proposes an LDoS attack detection algorithm based on multiple feature adaptive fusion. The time-frequency distribution of TCP traffic in the two states is analyzed using the short-time Fourier transform, and the time-frequency analysis process is compared with frame segment. Several statistical characteristics are then selected. The anomaly detection model is composed of three modules: sub-model construction, linear weighted fusion and noise filtering. Decision criteria are then established for identifying LDoS attacks accurately.

Experimental results on the NS2 simulation platform, a testbed and public data sets (WIDE and LBNL) demonstrate that the first algorithm not only has a fast detection speed but also accurately identifies LDoS attacks with different parameters. Compared with the first algorithm, the second algorithm has better adaptability and a lower false alarm rate in complex network environments. Compared with other algorithms, the two algorithms proposed in this paper have better detection performance. To sum up, the proposed algorithms can effectively detect LDoS attacks, which has positive significance for defending against network attacks and maintaining network security.
Keywords/Search Tags:Low rate denial of service (LDoS) attack, Anomaly detection, Multiple feature adaptive fusion, Time-frequency analysis, Cloud model
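
The first algorithm's pipeline (cloud model features from TCP traffic, then a KNN decision) can be sketched as follows; this is an added example, not code from the thesis. It assumes the standard backward cloud generator without certainty degrees, the raw triple (Ex, En, He) as the feature vector, k = 3, and constructed throughput samples; the thesis's own feature groups and decision criteria are not given in the abstract.

```python
import math
import random

def backward_cloud(samples):
    """Backward cloud generator (variant without certainty degrees).
    Returns the cloud model's numerical characteristics (Ex, En, He)."""
    n = len(samples)
    ex = sum(samples) / n                                    # expectation
    en = math.sqrt(math.pi / 2) * sum(abs(x - ex) for x in samples) / n  # entropy
    var = sum((x - ex) ** 2 for x in samples) / (n - 1)      # sample variance
    he = math.sqrt(abs(var - en ** 2))  # hyper-entropy; abs() guards var < En^2
    return ex, en, he

def make_window(rng, attacked, n=60):
    """Constructed TCP throughput samples (arbitrary units), not real traffic.
    Assumption: under attack, throughput collapses for 3 of every 10 samples."""
    return [max(rng.gauss(20 if attacked and i % 10 < 3 else 100, 5), 0.0)
            for i in range(n)]

def knn_predict(train, features, k=3):
    """Majority vote among the k nearest labelled feature vectors."""
    nearest = sorted(train, key=lambda item: math.dist(item[0], features))[:k]
    return 1 if 2 * sum(label for _, label in nearest) > k else 0

def demo(seed=7):
    rng = random.Random(seed)
    # Training set: 10 normal (label 0) and 10 attacked (label 1) windows.
    train = [(backward_cloud(make_window(rng, bool(label))), label)
             for label in (0, 1) for _ in range(10)]
    # Classify one unseen window of each kind: [normal, attacked].
    return [knn_predict(train, backward_cloud(make_window(rng, attacked)))
            for attacked in (False, True)]

if __name__ == "__main__":
    print(demo())
```

Periodic throughput collapses inflate En and He far more than they lower Ex, which is why the windows separate cleanly in this feature space even though the average rate changes only moderately.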