IEA-DMS: An Interpretable feature-driven, Efficient and Accurate Detection Method for Slow HTTP DoS in high-speed networks

Abstract

Slow HTTP DoS (SHD) is a novel DoS attack that exploits HTTP/HTTPS. SHD often operates at the application layer with encryption and has long packet intervals due to its slow transmission rate, making it more concealed and difficult to detect. Therefore, traditional detection methods for high-speed DDoS are ineffective against SHD. Meanwhile, Existing SHD detection approaches need many generic features or complex models, thus becoming less interpretable and more resource-intensive to meet real-time demands in high-speed networks. Moreover, most methods rely on bidirectional traffic, neglecting the prevalent issue of asymmetric routing in high-speed networks. To overcome these shortcomings, this paper proposes IEA-DMS, an Interpretable feature-driven, Efficient and Accurate Detection Method for Slow HTTP DoS in high-speed networks. We first analyze SHD mechanisms and construct a representative feature set based on its traffic characteristics to perform effectively under sampling and asymmetric routing. Then, to fast and accurately record the features, we employ Slow HTTP DoS Sketch and provide a detailed error analysis and suggest appropriate parameters. Experiments using public datasets show that the proposed features are efficient and interpretable. Even with numerous unidirectional flows and a 1/64 sampling rate, IEA-DMS detects SHD accurately within 2 min with low memory usage. Besides, IEA-DMS’s processing performance reaches 13.1 Mpps and can continuously process more than 100 days of traffic without clearing memory.