Low-rate denial-of-service (LDoS) attacks are a variant of DoS attacks. Instead of flooding the target, an LDoS attacker exploits the adaptive mechanisms of mainstream network protocols or of specific application services, sending periodic short-time pulses of traffic to achieve an effect equal to or greater than that of a conventional DoS attack. Because of this mechanism an LDoS attack has a low average rate and is well concealed, so the detection and defence mechanisms built for other DoS attacks do not apply to it. Compared with ordinary DoS attacks, LDoS attacks are therefore more threatening and harder to perceive. Current LDoS detection methods generally suffer from high miss and false-alarm rates, poor real-time performance or high detection cost, so further research on LDoS attack detection is of real significance. The main contributions of this thesis are as follows:

(1) Because no single current method can satisfy detection accuracy, real-time performance and detection cost at the same time, a staged LDoS attack detection mechanism is proposed. Detection is divided into three stages with different purposes: rapid classification, depth determination and continuous monitoring. The rapid classification stage classifies traffic coarsely to separate normal traffic from suspicious traffic. The depth determination stage examines suspicious traffic precisely to decide whether the network is currently under attack. The continuous monitoring stage samples the traffic at a reasonable frequency so that the number of useless detection runs is reduced while the delay in perceiving a change of network state stays small. A prototype detection system is designed on this basis; experiments demonstrate the feasibility of the mechanism, with accuracy reaching 93.2% in the test environment.

(2) To address the poor real-time performance of current methods and the needs of the rapid classification stage, a double-threshold determination method with good real-time performance, based on the skewness coefficient and the dispersion coefficient, is proposed. Three typical network scenarios are summarised from real situations, and the statistical characteristics of the TCP traffic distribution in each scenario are compared and analysed. The TCP traffic distribution in the initial stage of an attack is found to differ markedly from the other cases in both skewness and dispersion. The skewness coefficient and the dispersion coefficient quantify the asymmetry and the spread of the TCP traffic distribution in each scenario, and a double-threshold method based on the two coefficients is proposed. Experiments show that this LDoS detection method based on TCP traffic statistics is effective and real-time, and fits the rapid classification stage well.

(3) To address the high false-alarm rate of the double-threshold method and the needs of the depth determination stage, an LDoS attack detection method based on anomaly features with high detection accuracy is proposed. By comparing TCP traffic under attack with TCP traffic under normal network conditions in both the time domain and the frequency domain, the traffic anomaly is described from different angles and three representative features are proposed: the anomaly ratio, the low-frequency energy ratio and the Hurst exponent, which together describe how abnormal the traffic is during an attack. Combined with an XGBoost model, these features give an LDoS detection method based on anomaly features. Experiments show that the method detects well and suits the depth determination stage.

(4) Because the anomaly-feature method requires a large amount of computation, while the continuous monitoring stage must keep running, a frequency-adaptive optimisation of the feature-based method is proposed: a frequency-adaptive detection algorithm based on threshold distance, which sets the detection frequency according to the distance between the current statistic and the decision threshold, so that the continuous monitoring stage consumes fewer computing resources. Experiments show that the method greatly reduces detection cost and perception delay, and fits the continuous monitoring stage well.
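The double-threshold rapid classification of item (2), as an added example that is not the thesis's own code: the skewness coefficient and dispersion coefficient are computed over a window of per-interval TCP packet counts, and a window is handed to the depth stage when either crosses its threshold. The threshold values, the OR combination rule, the choice of coefficient of variation as the dispersion coefficient, and the two constructed traffic windows (a steady one and one carrying the periodic throughput collapse an LDoS pulse train causes) are all assumptions.

```python
"""Double-threshold fast classification of per-interval TCP traffic.

Added example, not the thesis's code.  Assumptions: the dispersion coefficient
is the coefficient of variation (std/mean), the thresholds below are invented,
and the traffic windows are constructed rather than captured.
"""
import math


def skewness(xs):
    """Population skewness coefficient m3 / m2**1.5 (0 for a flat window)."""
    n = len(xs)
    mean = sum(xs) / n
    m2 = sum((x - mean) ** 2 for x in xs) / n
    if m2 == 0:
        return 0.0
    m3 = sum((x - mean) ** 3 for x in xs) / n
    return m3 / m2 ** 1.5


def dispersion(xs):
    """Dispersion coefficient, taken here as the coefficient of variation std/mean."""
    n = len(xs)
    mean = sum(xs) / n
    if mean == 0:
        return 0.0
    std = math.sqrt(sum((x - mean) ** 2 for x in xs) / n)
    return std / mean


# Assumed thresholds for the rapid classification stage.  A window is marked
# suspicious when EITHER statistic crosses its threshold: the fast stage only
# routes traffic to deeper inspection, so it is biased against misses.
SKEW_THRESHOLD = 0.8
DISP_THRESHOLD = 0.2


def classify(xs, skew_thr=SKEW_THRESHOLD, disp_thr=DISP_THRESHOLD):
    """True when the window is suspicious and should go to depth determination."""
    return abs(skewness(xs)) >= skew_thr or dispersion(xs) >= disp_thr


def _jitter(i):
    # Deterministic +-2 packet jitter so the example is reproducible.
    return ((i * 7) % 5) - 2


def normal_window(n=64):
    """Constructed: steady ~100 TCP packets per 100 ms interval."""
    return [100 + _jitter(i) for i in range(n)]


def ldos_window(n=64, period=8):
    """Constructed LDoS pattern: every `period` intervals a pulse collapses TCP
    throughput to 10 packets, the next interval recovers partially to 40, and
    the remaining intervals look normal.  Most samples sit near 100 with a tail
    of deep dips, hence strong negative skewness and large dispersion."""
    out = []
    for i in range(n):
        if i % period == 0:
            out.append(10)
        elif i % period == 1:
            out.append(40)
        else:
            out.append(100 + _jitter(i))
    return out


if __name__ == "__main__":
    for name, w in (("normal", normal_window()), ("ldos", ldos_window())):
        print(name, round(skewness(w), 3), round(dispersion(w), 3), classify(w))
```

With these windows the attack sample has skewness near -1.3 and a coefficient of variation near 0.4, while the steady sample sits near 0 and 0.014; both statistics are O(n) per window, which is what makes the method usable in the rapid classification stage.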
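The three anomaly features of item (3), as an added example that is not the thesis's own code. The thesis names the anomaly ratio, the low-frequency energy ratio and the Hurst exponent and feeds them to an XGBoost model; the concrete definitions used here (anomaly ratio as the share of intervals below half the window median, the low band as DFT bins 1 to N/8, the Hurst exponent by rescaled-range analysis) are assumptions, the classifier itself is left out, and the traffic windows are constructed.

```python
"""Time- and frequency-domain anomaly features for the depth determination stage.

Added example, not the thesis's code.  Feature definitions, band limits and the
traffic windows are assumptions; the XGBoost model that consumes the feature
vector is not included.
"""
import cmath
import math


def anomaly_ratio(xs, fraction=0.5):
    """Share of intervals whose count falls below `fraction` of the window median
    (assumed definition): LDoS pulse intervals show up as throughput collapses."""
    s = sorted(xs)
    n = len(s)
    median = (s[n // 2 - 1] + s[n // 2]) / 2 if n % 2 == 0 else s[n // 2]
    return sum(1 for x in xs if x < fraction * median) / n


def low_frequency_energy_ratio(xs, low_bins=None):
    """Energy in DFT bins 1..low_bins divided by energy in bins 1..N//2, DC removed
    (assumed band: low_bins = N//8).  Pulses repeating every few intervals put
    their energy in the low bins; steady traffic with fast jitter does not."""
    n = len(xs)
    if low_bins is None:
        low_bins = n // 8
    mean = sum(xs) / n
    centred = [x - mean for x in xs]
    energy = []  # energy[k-1] is |X_k|^2 for k = 1..N//2 (plain O(N^2) DFT)
    for k in range(1, n // 2 + 1):
        xk = sum(c * cmath.exp(-2j * math.pi * k * t / n) for t, c in enumerate(centred))
        energy.append(abs(xk) ** 2)
    total = sum(energy)
    if total == 0:
        return 0.0
    return sum(energy[:low_bins]) / total


def _rescaled_range(block):
    """R/S of one block: range of cumulative deviations (from Y_0 = 0) over std."""
    n = len(block)
    mean = sum(block) / n
    s = math.sqrt(sum((x - mean) ** 2 for x in block) / n)
    if s == 0:
        return None
    run, lo, hi = 0.0, 0.0, 0.0
    for x in block:
        run += x - mean
        lo, hi = min(lo, run), max(hi, run)
    return (hi - lo) / s


def hurst_exponent(xs, window_sizes=(8, 16, 32)):
    """Hurst exponent by rescaled-range analysis: least-squares slope of
    log(mean R/S) against log(window size)."""
    logs_n, logs_rs = [], []
    for n in window_sizes:
        blocks = (xs[i:i + n] for i in range(0, len(xs) - n + 1, n))
        rs = [r for r in map(_rescaled_range, blocks) if r is not None]
        if rs:
            logs_n.append(math.log(n))
            logs_rs.append(math.log(sum(rs) / len(rs)))
    k = len(logs_n)
    if k < 2:
        raise ValueError("need at least two usable window sizes")
    mx, my = sum(logs_n) / k, sum(logs_rs) / k
    num = sum((a - mx) * (b - my) for a, b in zip(logs_n, logs_rs))
    den = sum((a - mx) ** 2 for a in logs_n)
    return num / den


def feature_vector(xs):
    """The three features in the order a downstream model would be trained on."""
    return [anomaly_ratio(xs), low_frequency_energy_ratio(xs), hurst_exponent(xs)]


def _jitter(i):
    return ((i * 7) % 5) - 2  # deterministic +-2 packet jitter


def normal_window(n=64):
    """Constructed: steady ~100 TCP packets per interval."""
    return [100 + _jitter(i) for i in range(n)]


def ldos_window(n=64, period=8):
    """Constructed: pulse every `period` intervals (10 packets), partial
    recovery (40) in the next interval, otherwise normal."""
    return [10 if i % period == 0 else 40 if i % period == 1 else 100 + _jitter(i)
            for i in range(n)]


if __name__ == "__main__":
    print("normal", [round(v, 3) for v in feature_vector(normal_window())])
    print("ldos  ", [round(v, 3) for v in feature_vector(ldos_window())])
```

For the constructed attack window the pulse fundamental alone carries roughly half the non-DC energy, so the low-frequency energy ratio lands near 0.5 while the steady window stays near 0; the anomaly ratio is exactly the pulse-plus-recovery share (16 of 64 intervals). The R/S implementation is sanity-checked on a linear ramp, whose Hurst exponent is 1.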
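The threshold-distance scheduling of item (4), as an added example that is not the thesis's own code. The thesis only states that the detection frequency follows the distance between the current statistic and the decision threshold; the linear mapping from normalised distance to sampling interval, the clamp values and the constructed detection-score stream (a benign near-threshold excursion, then a ramp into attack) are assumptions. The example counts how many detection runs each schedule performs and when it first perceives the attack, which is the cost/delay trade-off the continuous monitoring stage is about.

```python
"""Frequency-adaptive continuous monitoring driven by threshold distance.

Added example, not the thesis's code.  The interval mapping, its constants and
the score stream are assumptions.
"""


def next_interval(score, threshold, min_interval=1, max_interval=8, scale=0.5):
    """Base intervals to wait before the next detection run (assumed mapping).

    Far from the threshold the state is unlikely to flip before the next run,
    so sample rarely; close to it, fall back to the base rate.  The wait grows
    linearly with |score - threshold| / threshold up to `scale`, then clamps."""
    distance = abs(score - threshold) / threshold
    frac = min(distance / scale, 1.0)
    return min_interval + int((max_interval - min_interval) * frac)


def monitor(scores, threshold, scheduler):
    """Run detection only at scheduled times.  Returns (runs, detection_time);
    detection_time is None if the stream ends before the score crosses."""
    t, runs = 0, 0
    while t < len(scores):
        runs += 1
        if scores[t] >= threshold:
            return runs, t
        t += scheduler(scores[t])
    return runs, None


def first_crossing(scores, threshold):
    """Ground truth: first interval at which the statistic crosses the threshold."""
    return next((t for t, s in enumerate(scores) if s >= threshold), None)


def constructed_scores(n=200):
    """Constructed detection statistic per base interval (assumption): quiet
    baseline 0.05, a benign excursion to 0.45 at t=60..69 that nearly trips
    the 0.5 threshold, and from t=120 a ramp into attack that crosses 0.5."""
    out = []
    for t in range(n):
        if 60 <= t < 70:
            out.append(0.45)
        elif t >= 120:
            out.append(min(0.9, 0.05 + 0.06 * (t - 119)))
        else:
            out.append(0.05)
    return out


def compare_schedules(scores=None, threshold=0.5):
    """(runs, detection_time) for a fixed base-rate schedule, a fixed slow
    schedule, and the threshold-distance adaptive schedule."""
    if scores is None:
        scores = constructed_scores()
    return {
        "every_interval": monitor(scores, threshold, lambda s: 1),
        "every_8": monitor(scores, threshold, lambda s: 8),
        "adaptive": monitor(scores, threshold, lambda s: next_interval(s, threshold)),
    }


if __name__ == "__main__":
    scores = constructed_scores()
    onset = first_crossing(scores, 0.5)
    for name, (runs, at) in compare_schedules(scores).items():
        print(f"{name:15s} runs={runs:3d} detected_at={at} delay={at - onset}")
```

On this stream the base-rate schedule needs 128 detection runs to catch the crossing at t=127 with zero delay, the fixed slow schedule needs 17 runs but perceives it one interval late, and the adaptive schedule needs 20 runs with zero delay: it coasts at the slow rate while the statistic is far from the threshold, speeds up briefly during the benign excursion, and is already sampling every interval when the attack ramp approaches the threshold.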