Journal of Sensors

Volume 2015 (2015), Article ID 465402, 11 pages

http://dx.doi.org/10.1155/2015/465402

## Accurately Identifying New QoS Violation Driven by High-Distributed Low-Rate Denial of Service Attacks Based on Multiple Observed Features

^{1}Department of Computer Science & Technology, Jilin University, Changchun 130012, China

^{2}Key Laboratory of Symbol Computation and Knowledge Engineering of Ministry of Education, Jilin University, Changchun 130012, China

^{3}Department of Software Engineering, Jilin University, Changchun 130012, China

^{4}Department of EECS, University of Central Florida, Orlando, FL 32816, USA

Received 4 August 2014; Revised 24 November 2014; Accepted 8 December 2014

Academic Editor: Jun Zhang

Copyright © 2015 Jian Kang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

We propose using multiple observed features of network traffic to identify new high-distributed low-rate quality of service (QoS) violations so that detection accuracy may be further improved. For the multiple observed features, we choose the *F feature* in the TCP packet header as a microscopic feature, and the *P feature* and *D feature* of network traffic as macroscopic features. Based on these features, we establish a *multistream fused hidden Markov model* (MF-HMM) to detect stealthy low-rate denial of service (LDoS) attacks hidden in legitimate network background traffic. In addition, the threshold value is dynamically adjusted using the Kaufman algorithm. Our experiments show that the additive effect of combining multiple features effectively reduces the false-positive rate. The average detection rate of MF-HMM is a significant 23.39% and 44.64% improvement over the typical power spectrum density (PSD) algorithm and the nonparametric cumulative sum (CUSUM) algorithm, respectively.

#### 1. Introduction

In recent years, malicious quality of service (QoS) violation attacks have become one of the most serious security threats to the Internet. New QoS attacks increasingly show a trend toward high distribution and low rate. In the literature, this kind of attack has been called *shrew attacks* [1], *pulsing denial of service (DoS) attacks* [2], or *reduction of quality (RoQ) attacks* [3]. For simplicity, we call all of them *LDoS (low-rate denial of service) attacks* in the sequel.

LDoS attacks are stealthy, periodic, pulsing, and low rate in attack volume, very different from the early flooding type of attacks. A traditional detection system against flooding attacks is based on traffic volume analysis in the time domain. However, it has almost no effect on the new LDoS attacks [4], because the average bandwidth consumption differs very little between normal and attack streams.

In this paper, we present a new approach to identifying LDoS attacks by combining multiple observed features at the micro- and macrolevel. Multidimensional features are extremely valuable for describing slight changes in network properties and help us accurately differentiate attack flows. So our new approach can complement existing detection mechanisms based on a one-dimensional feature and overcome the bottleneck of detection accuracy for LDoS violation.

As the microscopic feature, we calculate the *weighted summation of flag bits* (WSFB) in the TCP packet header to reflect the packet's slight internal change with and without LDoS attacks. Macroscopically, the best distinguishing characteristic between LDoS and normal flow is their different periodicity in the frequency domain [5]. Based on this fact, we choose the *weighted average size of packets in queue* (WASPQ) at the router as an observed sequence. Then, we convert the WASPQ sequence into a frequency-domain spectrum using the discrete Fourier transform (DFT) and obtain the power spectrum density (PSD) of WASPQ as a macroscopic feature. Moreover, we calculate the *difference between request/response flows* (DRRF) as another macroscopic feature.
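The following is an added example, not code from the paper, that sketches how the three observed features named above can be computed on constructed packet records and a constructed queue-size series. The per-flag weights used for WSFB, the queue sampling interval, and the reading of DRRF as "request packets minus response packets" are assumptions made here; the paper's own definitions appear in its later sections. The PSD step is a direct DFT so that the example runs without numpy.

```python
"""Added example (not from the paper): the three observed features named above,
computed on constructed packet records and a constructed queue-size series.
Assumptions: the per-flag weights for WSFB, the queue sampling interval, and
the reading of DRRF as "request packets minus response packets" are all
chosen here; the paper's own definitions appear in its later sections."""
import cmath
import math

# Bit masks of the TCP flags byte (offset 13 of the TCP header).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}

# Hypothetical WSFB weights (assumed, not the paper's): control flags that a
# low-rate pulse tends to produce (SYN, RST) weigh more than the ACK/PSH
# that dominate ordinary transfers.
FLAG_WEIGHTS = {"FIN": 1.0, "SYN": 2.0, "RST": 3.0, "PSH": 0.5,
                "ACK": 0.25, "URG": 1.0, "ECE": 1.0, "CWR": 1.0}


def wsfb(flags_byte, weights=FLAG_WEIGHTS):
    """Weighted summation of flag bits for a single TCP flags byte."""
    return sum(w for name, w in weights.items() if flags_byte & TCP_FLAGS[name])


def mean_wsfb(packets):
    """Microscopic F feature: mean WSFB over a window of packets."""
    return sum(wsfb(p["flags"]) for p in packets) / len(packets)


def dft_psd(samples):
    """One-sided power spectrum density |X_k|^2 / N for k = 0 .. N//2,
    computed with a direct O(N^2) DFT so the example needs no numpy."""
    n = len(samples)
    return [abs(sum(x * cmath.exp(-2j * math.pi * k * t / n)
                    for t, x in enumerate(samples))) ** 2 / n
            for k in range(n // 2 + 1)]


def dominant_period(samples, sample_interval):
    """Macroscopic P feature: period (seconds) of the strongest non-DC line
    in the PSD of the WASPQ sequence; a periodic pulse shows up here."""
    psd = dft_psd(samples)
    k = max(range(1, len(psd)), key=psd.__getitem__)
    return len(samples) * sample_interval / k


def drrf(packets, server_port):
    """Macroscopic D feature: request packets minus response packets in the
    window (assumed reading: a request is addressed to the server port)."""
    requests = sum(1 for p in packets if p["dport"] == server_port)
    responses = sum(1 for p in packets if p["sport"] == server_port)
    return requests - responses


# Constructed packet window (not captured traffic): several client-side
# SYNs and a RST toward port 80, answered by a single SYN|ACK.
SAMPLE_PACKETS = [
    {"sport": 40001, "dport": 80, "flags": 0x02},  # SYN
    {"sport": 80, "dport": 40001, "flags": 0x12},  # SYN|ACK
    {"sport": 40001, "dport": 80, "flags": 0x10},  # ACK
    {"sport": 40001, "dport": 80, "flags": 0x18},  # PSH|ACK
    {"sport": 40002, "dport": 80, "flags": 0x02},  # SYN
    {"sport": 40003, "dport": 80, "flags": 0x02},  # SYN
    {"sport": 40001, "dport": 80, "flags": 0x04},  # RST
]

# Constructed WASPQ series: the queue is sampled every 0.1 s (assumed); a
# burst of full-size packets arrives for 0.2 s once per second, so the
# weighted average packet size in the queue jumps from 100 to 1500 bytes.
SAMPLE_INTERVAL = 0.1
WASPQ_SAMPLES = [1500.0 if t % 10 < 2 else 100.0 for t in range(60)]

if __name__ == "__main__":
    print("mean WSFB:", mean_wsfb(SAMPLE_PACKETS))
    print("dominant WASPQ period (s):", dominant_period(WASPQ_SAMPLES, SAMPLE_INTERVAL))
    print("DRRF:", drrf(SAMPLE_PACKETS, 80))
```

On the constructed series the strongest non-DC spectral line sits at the 1 s pulse period, which is the periodicity the text points to as the macroscopic signature; in a real deployment the quantized values of these three features feed the component HMMs described in Section 4.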

Based on the above three-dimensional features, we develop a multistream fused hidden Markov model (MF-HMM) to detect LDoS violation hidden in legitimate TCP/IP traffic. In addition, we adjust the *decision threshold* value dynamically based on the Kaufman algorithm to improve detection accuracy. Notations, symbols, and abbreviations used in this paper are summarized in the Notations section. Only brief definitions are given here; details are given in subsequent sections.

The rest of this paper is organized as follows. In Section 2, we present the related work. Section 3 describes MF-HMM, its advantages, and its training algorithm. Section 4 presents the overview of TF-HMM procedure and explains how to extract multiobserved features of network traffic to establish the corresponding component HMM of TF-HMM. Furthermore, we also introduce the threshold dynamic adjustment based on Kaufman algorithm. In Section 5, we compare our work with those of other researchers and discuss the training and recognition time of TF-HMM. Finally, we conclude our paper in Section 6.

#### 2. Related Work

Some scholars have studied the mathematical model of LDoS attacks. By simulating various LDoS attacks, they discussed the properties of LDoS attacks and gave some suggestions for further research. Maciá-Fernández et al. [6] summarized the behavior of LDoS and proposed a mathematical model for the LDoS attack. They also discussed the development trend and made some recommendations for building defense techniques against this attack. He et al. [7] presented theoretical analyses, modeling, and simulations of various LDoS attacks, and discussed the difficulties of defending against them and the current solutions. Zhu et al. [8] discussed the vulnerabilities of TCP and the principle of low-rate attacks. Moreover, the simulation of attacks was investigated, and further directions of research were suggested.

Most current LDoS-related studies focus on using the frequency-domain method to detect LDoS attacks and have made clear progress. A research group [9] proposed an approach for detecting LDoS attacks based on the model of small signal. Furthermore, in paper [10], they presented the method of multiple sampling averaging based on missing sampling (MSABMS) to detect LDoS attacks. An eigenvalue-estimating matrix was established to estimate the attack period after the detection of LDoS attacks. In addition, they also indicated a scheme [11] of detecting LDoS attacks based on time window sampling in the time domain and capturing the periodicity by statistical analysis in the frequency domain. Zhang et al. [12] proposed a detection method which is similar to that of Yu et al. [13]. In this method, the sum of the power spectrum is computed within 1–50 Hz, and the intersection of the two fitting curves is taken as the judging threshold. Luo and Chang [2] proposed a two-stage scheme to detect LDoS attacks on a victim network. The first stage is a discrete wavelet transform (DWT) analysis of the network traffic. The second stage is to detect change points by using a nonparametric cumulative sum (CUSUM) algorithm. Liu [14] proposed an LDoS attack detection method by calculating the *Holder* based on binary discrete wavelet analysis. Shevtekar et al. [15] presented an approach for detecting the periodicity of attack flow based on the autocorrelation of the flow.

Some detection methods based on traditional traffic characteristics have been proposed in recent years. These methods detect LDoS attacks by searching for and identifying the abnormal network traffic caused by the attacks. For example, the exponentially weighted moving average (EWMA) method was presented in papers [16, 17]. However, the EWMA algorithm may smooth not only the normal traffic but also the abnormal traffic, which affects the detection accuracy for LDoS attacks. Therefore, paper [18] proposed an adaptive EWMA method which uses an adaptive weighting function instead of the constant weighting of the EWMA algorithm. The adaptive EWMA can smooth the accidental error and retain the exceptional mutation. Thus, it is more efficient than the EWMA method.

Unlike the popular deployment location of detection systems, paper [19] proposed an adaptive detection method for LDoS attacks in the *source-end* network. The method does not require a distribution assumption for the traffic samples. Moreover, they presented the automatic adjustment of the detection threshold according to the traffic conditions.

In particular, Xiang et al. [20] innovatively proposed using two new information metrics to detect low-rate DDoS attacks by measuring the difference between legitimate traffic and attack traffic. The proposed *generalized entropy metric* and *information distance metric* outperform the existing popular approach, as they can clearly enlarge the adjudication distance and thus obtain better detection sensitivity.

In summary, most studies use one-dimensional information of network traffic to establish algorithms for detecting LDoS attacks. Though some algorithms are sophisticated, one-dimensional information is not enough to accurately differentiate a stealthy LDoS attack hidden in legitimate traffic. Despite gratifying progress, the high false-positive rate is still a striking bottleneck.

#### 3. Multistream Fused HMM

We first describe basic properties of multistream fused HMM and then give its mathematical description and training algorithm in detail.

##### 3.1. Basic Properties

To accurately identify stealthy LDoS violation hidden in legitimate network traffic, the combination of multiobserved features is considered in our scheme by using multistream fused HMM [21]. According to the maximum entropy principle and the maximum mutual information (MMI) criterion, MF-HMM constructs a new structure linking multiple HMMs. MF-HMM is the generalization of two-stream fused HMM [22].

The main advantages of MF-HMM are as follows.

(1) Every observation feature can be modeled by a component HMM, so the performance of every feature can be analyzed individually. The set of features can be modified according to the performance analysis.

(2) Compared with other existing model fusion methods (e.g., CHMM [23], MHMM [24], etc.), MF-HMM reaches a better balance between model complexity and performance.

(3) MF-HMM has stronger robustness. If one component HMM fails for some reason, the other component HMMs can still work. Thus, the final result is still a valuable reference for the recognition judgment.

##### 3.2. Mathematical Description

HMM is the basis of MF-HMM. In brief, we only discuss MF-HMM here; paper [25] discussed the HMM definition and the relevant algorithms in detail. The mathematical symbols in this paper are consistent with the standard HMM description symbols.

Let represent tightly coupled observing sequences. Assume that can be modeled by corresponding HMMs with hidden states . In MF-HMM, an optimal solution for is given according to the maximum entropy principle and the maximum mutual information criterion .

In order to calculate , firstly we need to calculate every component ; here . The th can be given through

And assume

It has a good record in recognizing and detecting LDoS attacks, though the conditional independence assumption is always violated in practice. The success is because of the small number of parameters to be estimated in assumption. Without this assumption, some complicated algorithms require more training data and are more susceptible to local maximum during parameter estimation.

So, the estimate of can be given by

There are different expressions for different . For our three-stream fused HMM (TF-HMM), (3) corresponds to (4a), (4b), and (4c) as follows:

In practice, if the component HMMs have different reliabilities, they may be combined by different weights to get a better result:

Here, .

##### 3.3. Training Algorithm

The training algorithm of MF-HMM is a three-step process.

(1) The component HMMs are trained independently by a representative algorithm, such as the Baum-Welch algorithm, the segmented K-means algorithm, or the hybrid EM method.

(2) The best hidden state sequences of the component HMMs are estimated by the Viterbi algorithm.

(3) The coupling parameters between the HMMs are calculated.

To our three-stream fused HMM, step is to calculate (6a), (6b), and (6c):

Step is to calculate (7a), (7b), and (7c):

Step is to estimate the coupling parameters between HMM1, HMM2, and HMM3:
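The following is an added example, not the paper's code, that carries out steps (2) and (3) of the training procedure described above for three discrete-observation component HMMs. Step (1) is assumed already done, so the HMM parameters below are constructed rather than learned, and all three streams share them for brevity. The coupling estimate implemented here, the distribution of stream j's observed symbols over stream i's Viterbi states, is the fused-HMM construction as understood by the editor; the paper's own coupling equations are not reproduced on this page, so the estimator and its smoothing are assumptions.

```python
"""Added example (not the paper's code): steps (2) and (3) of the three-step
training above for three discrete-observation component HMMs. Step (1) is
assumed already done, so the HMM parameters below are constructed rather
than learned. The coupling estimate (distribution of stream j's symbols over
stream i's Viterbi states) is the fused-HMM construction as understood here;
the paper's own equations are not reproduced on this page."""
import math


def _log(p):
    """log with log(0) = -inf so zero probabilities never win a max."""
    return math.log(p) if p > 0 else float("-inf")


def viterbi(obs, pi, A, B):
    """Step (2): most likely state path of a discrete HMM, in the log domain.
    pi[i] initial, A[i][j] transition, B[i][o] emission probabilities."""
    n = len(pi)
    delta = [_log(pi[i]) + _log(B[i][obs[0]]) for i in range(n)]
    back = []
    for o in obs[1:]:
        row, ptr = [], []
        for j in range(n):
            best = max(range(n), key=lambda i: delta[i] + _log(A[i][j]))
            row.append(delta[best] + _log(A[best][j]) + _log(B[j][o]))
            ptr.append(best)
        delta, back = row, back + [ptr]
    state = max(range(n), key=delta.__getitem__)
    path = [state]
    for ptr in reversed(back):
        state = ptr[state]
        path.append(state)
    return path[::-1]


def coupling_parameters(states_i, obs_j, n_states, n_symbols, smoothing=1.0):
    """Step (3): estimate P(o_j | s_i) from the time-aligned pair (decoded
    states of stream i, observed symbols of stream j). Additive smoothing
    (assumed here) keeps a pair never seen in training from zeroing the
    fused likelihood later."""
    counts = [[smoothing] * n_symbols for _ in range(n_states)]
    for s, o in zip(states_i, obs_j):
        counts[s][o] += 1
    return [[c / sum(row) for c in row] for row in counts]


def train_coupling(streams, hmms, n_symbols):
    """Run steps (2) and (3) for tightly coupled streams of equal length.
    Returns each stream's Viterbi path and one coupling table per ordered
    pair (i, j), i != j."""
    paths = [viterbi(obs, *hmm) for obs, hmm in zip(streams, hmms)]
    coupling = {}
    for i, hmm_i in enumerate(hmms):
        for j, obs_j in enumerate(streams):
            if i != j:
                coupling[(i, j)] = coupling_parameters(
                    paths[i], obs_j, len(hmm_i[0]), n_symbols)
    return paths, coupling


# Constructed component HMM (the output of step (1) is assumed): state 0 =
# normal traffic, state 1 = attack pulse; symbols 0/1/2 = low/medium/high
# level of the quantized feature. The same parameters serve F, P and D.
PI = [0.9, 0.1]
A = [[0.8, 0.2], [0.3, 0.7]]
B = [[0.7, 0.2, 0.1], [0.1, 0.3, 0.6]]
HMMS = [(PI, A, B)] * 3
N_SYMBOLS = 3

# Constructed, time-aligned observation streams (quantized WSFB, PSD, DRRF).
F_OBS = [0, 0, 2, 2, 0, 0, 2, 2]
P_OBS = [0, 0, 2, 2, 0, 0, 2, 2]
D_OBS = [1, 0, 2, 2, 0, 1, 2, 2]
STREAMS = [F_OBS, P_OBS, D_OBS]

if __name__ == "__main__":
    paths, coupling = train_coupling(STREAMS, HMMS, N_SYMBOLS)
    for name, path in zip("FPD", paths):
        print(f"{name}-HMM Viterbi path: {path}")
    for (i, j), table in sorted(coupling.items()):
        print(f"P(O{j + 1} | S{i + 1}) =",
              [[round(p, 3) for p in row] for row in table])
```

With these constructed values the F stream decodes to the path 0, 0, 1, 1, 0, 0, 1, 1, and the coupling table P(O2 | S1) puts most of its mass on the high P symbol while S1 is in the attack state, which is exactly the cross-stream agreement the fused model relies on at recognition time.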

#### 4. Identifying LDoS Violation Using TF-HMM

In this section, we first present the procedure for identifying LDoS violation using TF-HMM. Then, we explain how to establish the three component HMMs of TF-HMM, namely F-HMM, P-HMM, and D-HMM. Finally, we introduce the dynamic threshold adjustment based on the Kaufman algorithm.

##### 4.1. Procedure Overview

To make it easier to understand, we first introduce the procedure of TF-HMM, as illustrated in Figure 1.