MSABMS-based approach of detecting LDoS attack

Low-rate Denial of Service (LDoS) attacks exploit the deficiencies of the minimum RTO of TCP to send out attack packets in short-duration periodic pulses with low average volume traffic in order to throttle TCP throughput. It is hard to detect an LDoS attack by most available detection schemes, which are triggered by high-rate traffic based on time average statistics. In this paper, the method of Multiple Sampling Averaging Based on Missing Sampling (MSABMS) is used to detect LDoS attacks based on the model of small signal for the first time. In the proposed approach, statistics on the packets are taken within 30 s with the sampling interval of 10 ms (3000 sampling points in total), and the statistical results are compared with a threshold for identifying the LDoS attacks. Furthermore, an eigenvalue-estimating matrix is established to estimate the attack period after the detection of LDoS attacks. Simulation results in NS-2 environment show that the proposed approach can be used to detect the LDoS attack effectively.