
A novel LDoS attack detection method based on reconstruction anomaly

Cluster Computing

Abstract

In network security, Low-rate Denial of Service (LDoS) attacks can severely degrade the quality of network service by intermittently sending attack pulses at a low rate. The attack is hard to detect accurately because of its low-rate nature and stealth. By combining the discrete Fourier transform (DFT) and discrete wavelet transform (DWT) with autoencoder-based anomaly detection, we put forward a novel LDoS attack detection method. The normalized amplitude spectrum of network traffic (NAS) and the normalized reconstruction signal according to the approximate coefficients (NAC) differ significantly between normal and LDoS conditions. The proposed detection method consists of two detection models: NAS–AE, which takes the normalized amplitude spectrum (NAS) of network traffic as the input of the autoencoder, and NAC–AE, which takes the normalized reconstruction signal (NAC) as the input of the autoencoder. The reconstruction error of the network signal is the difference between the autoencoder input and output. An autoencoder trained on normal network traffic reconstructs traffic without LDoS attacks well, but fails to reconstruct traffic under LDoS conditions, which produces an anomaly in the reconstruction error. The reconstruction anomaly indicates that the network is under LDoS conditions. Experiments performed in NS2 and on a test-bed network show that the proposed method can detect LDoS attacks accurately.
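The NAS–AE idea from the abstract, sketched as an added example; it is not the authors' code. Assumptions: the traffic windows are synthetic and constructed here, the spectrum is normalized by its largest bin, a linear autoencoder (PCA projection) stands in for the paper's autoencoder, and the threshold rule (mean plus three standard deviations of the training error) is a common default, not taken from the paper.

```python
import numpy as np

N = 64                              # samples per detection window (assumed)
RNG = np.random.default_rng(7)      # fixed seed so the demo is repeatable

def nas(window):
    """Normalized amplitude spectrum: |DFT| scaled by its largest bin."""
    amp = np.abs(np.fft.rfft(window))
    return amp / amp.max()

def normal_window():
    # Constructed traffic: steady ~100 packets per sample with small jitter.
    return 100 + RNG.uniform(-10, 10, N)

def ldos_window(period=16, width=2, height=80):
    # Constructed LDoS traffic: short pulses repeated every `period` samples.
    w = normal_window()
    for start in range(0, N, period):
        w[start:start + width] += height
    return w

class LinearAE:
    """Linear autoencoder (PCA projection), a stand-in for the paper's AE."""
    def fit(self, X, k=4):
        self.mean = X.mean(axis=0)
        _, _, vt = np.linalg.svd(X - self.mean, full_matrices=False)
        self.basis = vt[:k]         # encoder rows; decoder is the transpose
        return self

    def error(self, X):
        # Reconstruction error: L2 norm of input minus autoencoder output.
        centered = np.atleast_2d(X) - self.mean
        recon = centered @ self.basis.T @ self.basis
        return np.linalg.norm(centered - recon, axis=1)

def run_demo(n_train=200, n_test=100):
    train = np.array([nas(normal_window()) for _ in range(n_train)])
    ae = LinearAE().fit(train)      # trained on normal traffic only
    train_err = ae.error(train)
    threshold = train_err.mean() + 3 * train_err.std()   # assumed rule
    normal_err = ae.error(np.array([nas(normal_window()) for _ in range(n_test)]))
    attack_err = ae.error(np.array([nas(ldos_window()) for _ in range(n_test)]))
    return {
        "threshold": float(threshold),
        "false_positive_rate": float((normal_err > threshold).mean()),
        "detection_rate": float((attack_err > threshold).mean()),
        "attack_to_threshold": float(attack_err.mean() / threshold),
    }

if __name__ == "__main__":
    print(run_demo())
```

The periodic pulses put energy at harmonics of the pulse frequency, which the model trained on normal spectra cannot reproduce, so the reconstruction error of attack windows sits well above the threshold.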



Acknowledgements

This work was supported by the National Key R&D Program of China under Grant 2020YFB1713400 and the National Natural Science Foundation of China under Grants U20A20174, 61772189 and 61772191. The authors declare that there is no conflict of interest. The data and code of this paper will be made available on reasonable request.

Author information

Contributions

DT: Conceptualization, investigation, resources, supervision, project administration, funding acquisition. YY: Methodology, experiment, validation, formal analysis, investigation, data curation, review and editing, visualization. RD: Experiment, validation, formal analysis, data curation, review and editing. ZQ: Resources, supervision, project administration, funding acquisition. JC: Investigation, data curation, writing, review and editing. DZ: Investigation, data curation, writing, review and editing.

Corresponding author

Correspondence to Yudong Yan.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

About this article

Cite this article

Tang, D., Yan, Y., Dai, R. et al. A novel LDoS attack detection method based on reconstruction anomaly. Cluster Comput 25, 1373–1392 (2022). https://doi.org/10.1007/s10586-022-03537-y

  • DOI: https://doi.org/10.1007/s10586-022-03537-y
