The low-rate denial of service (LDoS) attack is a variant of the denial of service (DoS) attack. It exploits vulnerabilities in the transmission control protocol (TCP) adaptive mechanism and severely degrades the quality of service through periodic attack pulses. The LDoS attack has a long silent time, so its average rate is low and stealthiness is high. It is difficult for generic anti-DoS mechanisms to respond to the LDoS attack. In the network security field, the study of how to respond to the LDoS attack is an important issue. The current LDoS attack response methods have certain limitations. Specifically, most of them have one or more shortcomings such as only supporting offline analysis, not providing attack mitigation or defense, high false positives, and high deployment cost. To explore LDoS attack response methods with better performance, this thesis studies sequence features of network traffic and attack characteristics of the LDoS, and combines machine learning techniques with software-defined networking (SDN) to propose two LDoS attack response methods.

Based on the statistical characteristic changes of network traffic sequences under the LDoS attack and the special pattern performance of LDoS attack traffic sequences, this thesis proposes an LDoS attack response method based on the HGBT and peak-searching algorithm. The method is deployed on the SDN controller and includes a detection module and a mitigation module. The detection module analyzes the sequence features of network traffic to detect LDoS attacks online using a trained HGBT classification model. The mitigation module obtains the outflow information of each Internet protocol (IP) address in real time through the SDN controller and determines the LDoS attack flow based on the peak-searching algorithm and preset thresholds. The IP address of the attack flow is the attack source. The outflowing traffic of the attack source will be discarded. It is experimentally verified that the LDoS attack response method based on the HGBT and peak-searching algorithm has over 96% detection performance, can complete the response in seconds, and the deployment cost is low.

Based on the fluctuating morphological changes of network traffic sequences under the LDoS attack and the special pattern performance of LDoS attack traffic sequences, this thesis proposes the LDoS attack response method based on the coefficient of fluctuation and coefficient of pulse. The coefficient of fluctuation and coefficient of pulse are two new features that reflect the fluctuation degree and periodic impulse behavior of continuous sequences, respectively. Based on the proposed features, the method relies on the SDN controller to complete traffic collection, trains a classification model to monitor LDoS attacks, uses a Gaussian mixture model to determine the attack flow, sets a blacklist to record suspicious attack sources and their suspicion degrees, and dynamically issues flow rules to discard the attack flow. It is experimentally verified that the LDoS attack response method based on the coefficient of fluctuation and coefficient of pulse can achieve 98.729% accuracy with only 0.274% false positive. It can respond to the attack in about 1 second at the fastest, and will not significantly increase the burden of the controller after deployment.

The two proposed response methods have high accuracy and low deployment cost, and both can mitigate the negative impact caused by the LDoS attack online and effectively. Therefore, the work in this thesis is a useful guideline for studying response methods against the LDoS attack and is important for securing networks.
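As an added illustration (not the thesis's own algorithm or code), the sketch below shows one simple way a mitigation step could search per-IP outflow sequences for the periodic, low-duty pulse pattern the abstract describes. The function names, the thresholds and the sample traffic are all constructed assumptions.

```python
from statistics import mean, pstdev

def find_peaks(seq, min_height):
    """Return one index per burst: the largest sample in each run >= min_height."""
    peaks, i = [], 0
    while i < len(seq):
        if seq[i] < min_height:
            i += 1
            continue
        j = i
        while j + 1 < len(seq) and seq[j + 1] >= min_height:
            j += 1
        peaks.append(max(range(i, j + 1), key=seq.__getitem__))
        i = j + 1
    return peaks

def looks_like_ldos(seq, min_height, min_peaks=4, max_duty=0.3, max_jitter=0.2):
    """Flag a sequence with several short bursts at near-constant spacing.

    All thresholds are illustrative assumptions, not values from the thesis.
    """
    peaks = find_peaks(seq, min_height)
    if len(peaks) < min_peaks:
        return False  # steady or idle flows produce too few separate bursts
    # Long silent time: only a small share of samples is above the threshold.
    duty = sum(v >= min_height for v in seq) / len(seq)
    # Periodic pulses: peak-to-peak gaps vary little relative to their mean.
    gaps = [b - a for a, b in zip(peaks, peaks[1:])]
    jitter = pstdev(gaps) / mean(gaps)
    return duty <= max_duty and jitter <= max_jitter

def attack_sources(outflow, min_height, **thresholds):
    """outflow maps source IP -> bytes sent per sampling interval."""
    return sorted(ip for ip, seq in outflow.items()
                  if looks_like_ldos(seq, min_height, **thresholds))

# Constructed sample data (documentation address ranges, arbitrary units).
SAMPLE = {
    "192.0.2.10": ([0] * 4 + [90, 95] + [0] * 4) * 5,        # pulse every 10 samples
    "198.51.100.7": [60] * 50,                               # steady bulk transfer
    "203.0.113.5": [100 if i in (3, 9, 30, 34, 47) else 5    # irregular bursts
                    for i in range(50)],
}

if __name__ == "__main__":
    print(attack_sources(SAMPLE, min_height=80))
```

In an SDN deployment the returned addresses would be the candidates for a drop rule; the counters would come from the controller's flow statistics rather than a hard-coded dictionary.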