Adaptive EWMA Method Based on Abnormal Network Traffic for LDoS Attacks

Low-rate denial of service (LDoS) attacks reduce the capability of network services by periodically sending high-intensity pulsed data flows. Because they are well concealed, LDoS attacks are harder to detect with traditional DoS detection methods, and the accuracy of current LDoS detection methods is relatively low. Since LDoS attacks lead to an abnormal distribution of ACK traffic, they can be detected by analyzing the distribution characteristics of that traffic. The traditional EWMA algorithm smooths accidental errors but treats exceptional mutations in the same way, which may cause some misjudgment; therefore, a new LDoS detection method based on the adaptive EWMA (AEWMA) algorithm is proposed. The AEWMA algorithm uses an adaptive weighting function in place of the constant weighting of the EWMA algorithm, so it can smooth accidental errors while retaining exceptional mutations. The AEWMA method is therefore better suited than the EWMA method to analyzing and measuring the abnormal distribution of ACK traffic. NS2 simulations show that the AEWMA method detects LDoS attacks effectively, with low false negative and false positive rates. Experimental results on the DARPA99 datasets show that the AEWMA method is more efficient than the EWMA method.
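The difference between constant and adaptive weighting can be seen in a short added example (not the paper's code). It assumes a Huber-type score function as the adaptive weight, since the abstract does not give the weighting function; the ACK counts, `LAM`, `K`, `H` and all function names are constructed for illustration.

```python
# Added illustration, not the paper's implementation.
# Assumption: Huber-type score function as the adaptive weighting.

def huber_score(e, lam, k):
    """Correction applied to the statistic for prediction error e."""
    if e > k:                      # large upward shift: follow it almost fully
        return e - (1 - lam) * k
    if e < -k:                     # large downward shift: follow it almost fully
        return e + (1 - lam) * k
    return lam * e                 # small error: ordinary EWMA smoothing

def aewma(samples, lam, k, y0):
    """Return the AEWMA statistic after each sample (k = inf gives plain EWMA)."""
    y, out = y0, []
    for x in samples:
        y = y + huber_score(x - y, lam, k)
        out.append(y)
    return out

def first_alarm(stat, mu0, h):
    """Index of the first sample whose statistic deviates from mu0 by more than h."""
    for i, y in enumerate(stat):
        if abs(y - mu0) > h:
            return i
    return None

# Constructed ACK counts per sampling interval: normal jitter around 100,
# then a sustained drop that stands in for the abnormal ACK distribution.
BASELINE = [100, 103, 97, 101, 99, 104, 96, 100, 102, 98]
ABNORMAL = [55] * 6
ACK_COUNTS = BASELINE + ABNORMAL

MU0, LAM, K, H = 100.0, 0.1, 15.0, 10.0   # assumed chart parameters

AEWMA_STAT = aewma(ACK_COUNTS, LAM, K, MU0)
EWMA_STAT = aewma(ACK_COUNTS, LAM, float("inf"), MU0)

if __name__ == "__main__":
    print("EWMA  first alarm at sample", first_alarm(EWMA_STAT, MU0, H))
    print("AEWMA first alarm at sample", first_alarm(AEWMA_STAT, MU0, H))
```

On the constructed series both statistics are identical while the errors stay within `K`, and the adaptive version crosses the alarm limit on the first abnormal sample, two samples before the constant-weight EWMA.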
