FR-RED: Fractal Residual Based Real-Time Detection of the LDoS Attack

The low-rate denial of service (LDoS) attack mainly exploits security vulnerabilities of adaptive mechanisms in network protocols and application services. The high-rate attack pulses within a short time interval are sent periodically, which will result in the degradation of service quality. The attack traffic is similar to normal traffic from legitimate users in the network, consequently, it is easy to escape the traditional detection methods because of its intermittence. Research works have demonstrated that there are fractal characteristics (self-similarity) of the network traffic over the large scale of time. Although the fractal characteristics of the network traffic will be changed under the LDoS attack, the variations of the fractal characteristics in some network states are not apparent in real-time detection. Based on the fractal characteristics, the fractal residual of the network traffic is analyzed through the Hurst parameters calculating process by R/S algorithm in this article. It can be found that the fractal residual of the network traffic can better reflect the different states of the LDoS attack. Combining the idea behind the sliding window, a novel fractal residual based real-time detection (FR-RED) method of the LDoS attack is proposed. The effectiveness of the method in this article is verified by performing some experiments on two platforms, the NS2 and test-bed. The results manifest the beginning and end of the LDoS attack can be estimated in real-time with high detection accuracy.