Characterization of the Imaged R/S Pox Diagram for Low-rate DoS Attack
Akinori Takahashi, R. Igarashi, K. Sasai, Hiroshi Ueda, Y. Iwaya, Tetsuo Kinoshita, M. Hashimoto
International journal of the Society of Materials Engineering for Resources (Journal Article), published 2018-09-30
DOI: 10.5188/ijsmer.23.152 (https://doi.org/10.5188/ijsmer.23.152)
Abstract
With the development of network and system environments, there are growing concerns about various threats to networking. Since many of those threats are caused by unauthorized access from the network, detecting them early is an important security measure. DoS attacks such as the TCP SYN flood attack [1] and the smurf attack [2] waste network resources by sending a large number of packets to the victim, stopping the victim's network service. A flooding attack is relatively easy to detect because its rate is high relative to the network bandwidth. In recent years, however, it has been pointed out that there are DoS attacks whose attack packets conventional methods detect inadequately [3]. A low-rate denial of service (LDoS) attack can degrade the quality of TCP communication with less attack traffic. LDoS attacks exploit the TCP retransmission timeout (RTO), which is one of the congestion control mechanisms of TCP communication. An attack that transmits bursty traffic at an interval equal to the minimum RTO value causes instantaneous network congestion and packet loss. When packet loss occurs, TCP performs congestion control, which degrades quality, for example by reducing throughput. Such attacks have proved difficult to detect with methods developed for traditional DDoS attacks, since the attack is hard to distinguish from normal congestion [3,4]. LDoS attacks are periodic because bursty traffic transmitted at 1-second intervals has a great effect on victims. Various methods have been proposed for detecting attacks by focusing on this periodicity. Ref. [5] proposes applying an autocorrelation function to a periodic pulse sequence that includes attack traffic. Ref. [6] proposes discriminating patterns of attack traffic from flow-level traffic. Detection methods based on signal processing using DSP techniques have also been proposed, including methods based on wavelet analysis [7,8] and methods based on the multifractal characteristics of network traffic [9]. In addition, a chaos-based approach [10] has been proposed to detect LDoS attacks using weak-signal detection technology.

We have proposed a detection method using R/S pox leg-line characteristics [11] against long-term port scanning attacks that have periodic features, as LDoS attacks do. The R/S pox leg-line characteristic is a feature value obtained from a graph called an R/S Pox Diagram, which is used for estimating the self-similarity of a time series. This feature value is superior to conventional methods because, in addition to detecting periodic components, it can quantify changes in attack state such as attack start and attack end. The leg-line characteristic is quantified from the slope of the characteristic plots that appear in the R/S Pox Diagram. Since the shape of the plot, viewed as a two-dimensional image, is considered to have various image properties, it is thought to be useful to quantify other shape features of the R/S pox leg-line characteristics. The purpose of this study is to propose a method to quantify the features of the plot shape of R/S Pox Diagrams and to evaluate
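
As an added illustration (not code from the paper), the following Python computes the points of an R/S pox diagram and the least-squares slope commonly used as the Hurst estimate, on constructed packet-count series with a burst every 1 second. The 100 ms bin width, the burst shape, the background traffic and all function names are assumptions; the abstract does not define the leg-line feature, so it is not computed here.

```python
import math
import random

def rescaled_range(block):
    """R/S of one block: range of the cumulative mean-adjusted sums over the block's std deviation."""
    n = len(block)
    mean = sum(block) / n
    cum = lo = hi = sq = 0.0
    for x in block:
        cum += x - mean
        lo, hi = min(lo, cum), max(hi, cum)
        sq += (x - mean) ** 2
    s = math.sqrt(sq / n)
    return (hi - lo) / s if s > 0 else None  # constant block: R/S is undefined

def pox_points(series, sizes):
    """One (log10 n, log10 R/S) point per non-overlapping block of each block size n."""
    points = []
    for n in sizes:
        for start in range(0, len(series) - n + 1, n):
            rs = rescaled_range(series[start:start + n])
            if rs:  # skip constant blocks
                points.append((math.log10(n), math.log10(rs)))
    return points

def hurst_slope(points):
    """Least-squares slope through the pox points (the usual R/S estimate of the Hurst parameter)."""
    n = len(points)
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points)
    sxy = sum((x - mx) * (y - my) for x, y in points)
    return sxy / sxx

def burst_train(length, period=10, width=2, peak=50):
    """Constructed packet counts per 100 ms bin: a burst every `period` bins (1 s), zero elsewhere."""
    return [peak if t % period < width else 0 for t in range(length)]

SIZES = [20, 40, 80, 160, 320]  # block sizes in bins, all multiples of the burst period

if __name__ == "__main__":
    rng = random.Random(1)  # constructed background traffic, not measured data
    background = [rng.randint(0, 20) for _ in range(1600)]
    bursts = burst_train(1600)
    mixed = [a + b for a, b in zip(background, bursts)]
    for name, series in (("background", background), ("bursts only", bursts), ("background + bursts", mixed)):
        print(f"{name:20s} slope = {hurst_slope(pox_points(series, SIZES)):.3f}")
```

For the bursts-only series every block yields R/S = 4, because the cumulative deviations return to zero after each period, so the pox points lie on a horizontal line and the slope is 0 instead of growing with block size.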