Low-Rate DoS Attacks Detection Based on MAF-ADM

Sensors, 2019, Vol 20 (1), pp. 189
Author(s): Sijia Zhan, Dan Tang, Jianping Man, Rui Dai, Xiyin Wang

Low-rate denial of service (LDoS) attacks reduce the quality of network service by sending periodical packet bursts to the bottleneck routers. They are difficult to detect by counter-DoS mechanisms due to their stealthy and low average attack traffic behavior. In this paper, we propose an anomaly detection method based on adaptive fusion of multiple features (MAF-ADM) for LDoS attacks. This study is based on the fact that the time-frequency joint distribution of the legitimate transmission control protocol (TCP) traffic would be changed under LDoS attacks. Several statistical metrics of the time-frequency joint distribution are chosen to generate isolation trees, which can simultaneously reflect the anomalies in time domain and frequency domain. Then we calculate the anomaly score by fusing the results of all isolation trees according to their ability to isolate samples containing LDoS attacks. Finally, the anomaly score is smoothed by a weighted moving average algorithm to avoid errors caused by noise in the network. Experimental results of Network Simulator 2 (NS2), testbed, and public datasets (WIDE2018 and LBNL) demonstrate that this method does detect LDoS attacks effectively with a lower false negative rate.

Author(s): Nahush Chaturvedi, Hrushikesha Mohanty

Low rate attacks, or Denial-of-Service (DoS) attacks of the occasional misbehaviour, can throttle the throughput of robust timed-protocols, like the Transmission Control Protocol (TCP), by creating either periodic or exponentially distributed outages, or transmission disruptions. Such attacks are as effective as full-fledged DoS with high undetectability of the misbehaving network entity. In this paper, we present a mathematical model of Low-Rate, randomly occurring, Denial-of-Service attacks. By viewing the process as a two-state Continuous-Time Markov Chain (CTMC), we have successfully computed the transition and state probabilities of a compromised network entity that can behave normally, while in the normal state, and abnormally, when in the abnormal state.


2014, Vol 519-520, pp. 245-249
Author(s): Mei Yang, Jian Kang

In order to maintain high network QoS (quality of service) against new high-distributed low-rate QoS violation, this paper proposes a novel recognition scheme with the consideration of multiple network features in both macro and micro side. This scheme uses Multi-stream Fused Hidden Markov Model (MF-HMM) in automatic low-rate QoS violation recognition for integrating multi-features simultaneously. The multi-features include the I-I-P triple and TCP header control Flag in a data packet at a micro level, and R feature in network flow at a macro level. In addition, based on the successful experience of Load-Shedding, Kaufman algorithm is used to adjust and upgrade threshold value dynamically. Our experiments show that our approach effectively reduces false-positive rate and false-negative rate. Moreover, it has a high recognition rate specifically for new QoS violation by High-Distributed Low-rate Denial of Service attacks.


2014, Vol 484-485, pp. 1063-1066
Author(s): Kui Liang Xia

The low-rate denial of service attack is more applicable to the network in recent years as a means of attack, which is different from the traditional field type DoS attacks at the network end system or network using adaptive mechanisms exist loopholes flow through the low-rate periodic attacks on the implementation of high-efficiency attacked by an intruder and not be found, resulting in loss of user data or a computer deadlock. LDoS attack since there has been extensive attention of researchers, the attack signature analysis and detection methods to prevent network security have become an important research topic. Some have been proposed for the current attacks were classified LDoS describe and model, and then in NS-2 platform for experimental verification, and then LDoS attack detection to prevent difficulties are discussed and summarized for the future such attacks detection method research work to provide a reference.


2012, Vol 8 (2), pp. 127-152
Author(s): Sazia Parvin, Farookh Khadeer Hussain, Sohrab Ali

Similar to wired communication, Mobile IP communication is susceptible to various kinds of attacks. Of these attacks, Denial of Service (DoS) attack is considered as a great threat to mobile IP communication. The number of approaches hitherto proposed to prevent DoS attack in the area of mobile IP communication is much less compared to those for the wired domain and mobile ad hoc networks. In this work, the effects of Denial of Service attack on mobile IP communication are analyzed in detail. We propose to use packet filtering techniques that work in different domains and base stations of mobile IP communication to detect suspicious packets and to improve the performance. If any packet contains a spoofed IP address which is created by DoS attackers, the proposed scheme can detect this and then filter the suspected packet. The proposed system can mitigate the effect of Denial of Service (DoS) attack by applying three methods: (i) by filtering in the domain periphery router (ii) by filtering in the base station and (iii) by queue monitoring at the vulnerable points of base-station node. We evaluate the performance of our proposed scheme using the network simulator NS-2. The results indicate that the proposed scheme is able to minimize the effects of Denial of Service attacks and improve the performance of mobile IP communication.


Electronics, 2021, Vol 10 (17), pp. 2105
Author(s): Vasudha Vedula, Palden Lama, Rajendra V. Boppana, Luis A. Trejo

Distributed denial of service (DDoS) attacks aim to deplete the network bandwidth and computing resources of targeted victims. Low-rate DDoS attacks exploit protocol features such as the transmission control protocol (TCP) three-way handshake mechanism for connection establishment and the TCP congestion-control induced backoffs to attack at a much lower rate and still effectively bring down the targeted network and computer systems. Most of the statistical and machine/deep learning-based detection methods proposed in the literature require keeping track of packets by flows and have high processing overheads for feature extraction. This paper presents a novel two-stage model that uses Long Short-Term Memory (LSTM) and Random Forest (RF) to detect the presence of attack flows in a group of flows. This model has a very low data processing overhead; it uses only two features and does not require keeping track of packets by flows, making it suitable for continuous monitoring of network traffic and on-the-fly detection. The paper also presents an LSTM Autoencoder to detect individual attack flows with high detection accuracy using only two features. Additionally, the paper presents an analysis of a support vector machine (SVM) model that detects attack flows in slices of network traffic collected for short durations. The low-rate attack dataset used in this study is made available to the research community through GitHub.


2020
Author(s): Alicia Esquivel-Morel

[ACCESS RESTRICTED TO THE UNIVERSITY OF MISSOURI--COLUMBIA AT REQUEST OF AUTHOR.] Unmanned Aerial Vehicle (UAV) systems with high-resolution video cameras are used for many operations such as aerial imaging, search and rescue, and precision agriculture. Multi-drone systems operating in Flying Ad Hoc Networks (FANETS) are inherently insecure and require efficient and end-to-end security schemes to defend against cyber-attacks (i.e., Man-in-the-middle (MITM), Replay and Denial of Service (DoS) attacks). In this work, we propose a cloud-based, intelligent security framework viz., "DroneNet-Sec" that provides network-edge connectivity and computation security for drone video analytics to defend against common attack vectors in UAV systems. The proposed framework includes three main research thrusts: (i) a secure hybrid testbed management that synergizes simulation and emulation via an open-source network simulator (NS3) and a research platform for mobile wireless networks (POWDER), (ii) an intelligent and dynamic decision algorithm based on machine learning to detect anomaly events without decreasing the performance in a real-time FANET deployment, and (iii) a web-based experiment control module that features a graphical user interface to assist experimenters in the execution/visualization of repeatable and high-scale UAV security experiments. Our performance evaluation experiments in a holistic hybrid-testbed show that our proposed security framework successfully detects anomaly events and effectively protects containerized tasks execution in drones video analytics in a light-weight manner.


Entropy, 2019, Vol 21 (5), pp. 487
Author(s): Fatai Idowu Sadiq, Ali Selamat, Roliana Ibrahim, Ondrej Krejcar

Sensor technology provides the real-time monitoring of data in several scenarios that contribute to the improved security of life and property. Crowd condition monitoring is an area that has benefited from this. The basic context-aware framework (BCF) uses activity recognition based on emerging intelligent technology and is among the best that has been proposed for this purpose. However, accuracy is low, and the false negative rate (FNR) remains high. Thus, the need for an enhanced framework that offers reduced FNR and higher accuracy becomes necessary. This article reports our work on the development of an enhanced context-aware framework (EHCAF) using smartphone participatory sensing for crowd monitoring, dimensionality reduction of statistical-based time-frequency domain (SBTFD) features, and enhanced individual behavior estimation (IBEenhcaf). The experimental results achieved 99.1% accuracy and an FNR of 2.8%, showing a clear improvement over the 92.0% accuracy, and an FNR of 31.3% of the BCF.


2017, Vol 2017, pp. 1-14
Author(s): Lu Zhou, Mingchao Liao, Cao Yuan, Haoyu Zhang

Low-rate Distributed Denial-of-Service (low-rate DDoS) attacks are a new challenge to cyberspace, as the attackers send a large amount of attack packets similar to normal traffic, to throttle legitimate flows. In this paper, we propose a measurement—expectation of packet size—that is based on the distribution difference of the packet size to distinguish two typical low-rate DDoS attacks, the constant attack and the pulsing attack, from legitimate traffic. The experimental results, obtained using a series of real datasets with different times and different tolerance factors, are presented to demonstrate the effectiveness of the proposed measurement. In addition, extensive experiments are performed to show that the proposed measurement can detect the low-rate DDoS attacks not only in the short and long terms but also for low packet rates and high packet rates. Furthermore, the false-negative rates and the adjudication distance can be adjusted based on the detection sensitivity requirements.


2011, Vol 403-408, pp. 2325-2328
Author(s): Yuan Bai, Chui Yi Xie, Jian Cheng Qin

A Three-Level detection algorithm is provided to detect low-rate denial of service attacks. The network abnormalities are caught in the first level; in the second level the flooding and low-rate denial of service (DoS) are divided; and then the Low-Rate DoS is detected accurately using frequency transfer method in the third level. Considering the application of networks, Low-Rate DoS attacks are detected and confirmed in Three-Level detection algorithm. Comparing with single level detection method, the most complex procedure is left behind to reduce detecting overhead. The simulation results certify the feasibility of the algorithm.


Author(s): Riyadh Rahef Nuiaa, Selvakumar Manickam, Ali Hakem Alsaeedi

As the world becomes increasingly connected and the number of users grows exponentially and “things” go online, the prospect of cyberspace becoming a significant target for cybercriminals is a reality. Any host or device that is exposed on the internet is a prime target for cyberattacks. A denial-of-service (DoS) attack is accountable for the majority of these cyberattacks. Although various solutions have been proposed by researchers to mitigate this issue, cybercriminals always adapt their attack approach to circumvent countermeasures. One of the modified DoS attacks is known as distributed reflection denial-of-service attack (DRDoS). This type of attack is considered to be a more severe variant of the DoS attack and can be conducted in transmission control protocol (TCP) and user datagram protocol (UDP). However, this attack is not effective in the TCP protocol due to the three-way handshake approach that prevents this type of attack from passing through the network layer to the upper layers in the network stack. On the other hand, UDP is a connectionless protocol, so most of these DRDoS attacks pass through UDP. This study aims to examine and identify the differences between TCP-based and UDP-based DRDoS attacks.

