
Research On Detection Methods For Low-rate DoS Attacks Based On Joint Features

Posted on: 2021-11-21
Degree: Master
Type: Thesis
Country: China
Candidate: J P Man
GTID: 2518306122474654
Subject: Computer Science and Technology
Abstract/Summary:
Against a background of emerging network applications and complex network structures, Denial of Service (DoS) attacks are still very active. Low-rate DoS (LDoS) attacks are a variant of DoS attacks that poses a serious threat to network security. Exploiting a deficiency in the TCP protocol, LDoS attacks periodically send attack pulses, causing the network to switch continuously between stable and unstable states, which seriously reduces network performance and quality of service. Because of their low average rate and strong concealment, LDoS attacks can easily escape traditional DoS defense mechanisms. However, existing LDoS attack detection methods still leave room for improvement: the true positive rate needs to be raised, the false positive rate needs to be reduced, and adaptability needs to be expanded. Therefore, in order to detect LDoS attacks more effectively and ensure the security and availability of the network, it is of great practical significance to explore and research LDoS attack detection methods.

When a network suffers from LDoS attacks, the congestion control mechanism is frequently activated, resulting in serious drops in network throughput and significant fluctuations in network traffic. Therefore, based on the significant differences in discrete features between normal network traffic and network traffic under LDoS attacks, this paper proposes two LDoS attack detection methods that use joint features to detect LDoS attacks in network traffic.

The first method is an LDoS attack detection method based on the WEDMS algorithm. According to the difference in the discrete distribution of network traffic between a normal network and a network under LDoS attack, the WEDMS algorithm is used to perform cluster analysis on network traffic. The decision feature is defined from the joint features of the clusters, which characterize the clustering results. With the judgment criterion, the decision feature can be used to detect LDoS attacks in network traffic. Experimental analysis and performance evaluation of the proposed method are carried out on various platforms, including NS2, a test-bed, and the LBNL, WIDE2006, and WIDE2018 public datasets. Experimental results demonstrate that, compared with other detection methods, the proposed method has a higher true positive rate, a lower false positive rate, and better adaptability.

The second method is an LDoS attack detection method based on the MFOPA algorithm. According to the difference in time-domain and frequency-domain features of network traffic between a normal network and a network under LDoS attack, the MFOPA algorithm is used to perform outlier probability analysis, obtaining the outlier probability over joint features that combine multiple time-domain and frequency-domain features of network traffic. With the judgment criterion, the outlier probability can be used to detect LDoS attacks in network traffic. The proposed method has been tested and evaluated on various platforms, including NS2, a test-bed, and the LBNL, WIDE2006, and WIDE2018 public datasets. Experimental results reveal that, compared with other detection methods, the proposed method has a higher true positive rate, a lower false positive rate, and better adaptability.
Keywords/Search Tags:LDoS attacks detection, Joint features, WEDMS algorithm, Cluster analysis, MFOPA algorithm, Outlier probability analysis