Research On Detection Methods For Low-rate Denial Of Service Attack Based On Spectrum And Reconstructed Signal Anomaly

Network security is becoming increasingly complex with the development of network technology.Low-rate Denial of Service(LDoS)attack is a variant of Denial of Service(Do S)attack for network adaptive mechanism defects,which is no t only powerful and destructive but also has a low-rate nature and stealth,so it can easily escape the defense mechanism against Do S attack.The existing LDoS attack detection methods still have shortcomings such as insufficient adaptive capability and low detection accuracy.Therefore,in-depth research on LDoS attacks and detection methods has great value and significance for network security.Although LDoS attacks are launched stealthily,they c an still cause a certain degree of network anomalies.LDoS attacks periodically send attack traffic to maliciously create network congestion,leaving the congestion control mechanism in a constant state of adjustment,which causes a severe drop in the aver age rate of the TCP traffic.Therefore,LDoS attacks will inevitably cause TCP traffic anomalies in some aspects,and these anomalies will become an important basis for attack detection.According to the TCP traffic spectrum anomaly caused by LDoS attacks,the first detection method proposed in this paper is the LDoS attack dete ction method based on frequency-domain feature fusion.First,Discrete Fourier Transform is used to extract the normalized amplitude sequence of the TCP traffic.Then,Linear Discriminant Analysis is used to fuse the amplitude sequences in the high-frequency band and the low-frequency band,which improves the classification performance of amplitude features in the frequency domain and the detection accuracy of the method for LDoS attacks.Finally,according to the fused frequency domain features,the one-class classification-based anomaly detection model is used to detect LDoS attacks.According to the TCP traffic spectrum anomaly and wavelet reconstruction sig nal anomaly caused by LDoS attacks,the second detection method proposed in this paper is the LDoS attack detection method based on reconstruction anomaly.To fully extract the abnormal information of the TCP traffic and improve the adaptive ability of the method,this method provides two options in the TCP traffic feature extraction.The first one is to extract the normalized amplitude sequence of the TCP traffic from the perspective of frequency domain using discrete Fourier transform,and the second one is to extract the approximate component reconstruction signal reflecting the trend information of the TCP traffic from the perspective of time-frequency domain using wavelet multi-scale analysis.According to the extracted TCP traffic features,the anomaly detection model based on the autoencoder is adopted to detect LDoS attacks.The experimental results in the NS2 simulation platform and the Test-bed environment show that the detection accuracy of the two detection methods can reach more than 90%,and the false positive rate and the false negative rate are low.The two detection methods proposed in this paper can effectively detect LDoS attacks in the network,which is of positive significance for network security.