The approach of detecting LDoS attack based on correlative parameters

Low-rate Denial of Service (LDoS) attacks and TCP flows are be modeled in the time and frequency domain for the purpose of analyzing the signatures and extracting LDoS attack´s period T and length L. A simulated LDoS attack signal is constructed based on the extracted parameters of T and L. The correlation between the signal of simulated LDoS attack and the hybrid signal (TCP flow plus LDoS attack) is calculated. To compare the correlation value with a detect threshold, which is determined through experiments. If the correlation value is exceeds the threshold, the LDoS attack is determined. The proposed method has been tested totally 1500 times in NS-2 environment and 200 times in real network environment with different parameters of T and L. Experimental results show that the false negative alarm rate PFN is less than 1.1%, the false positive alarm rate Pτρ are less than 0.8%, and the detect rate PD is more than 98%.