Abstract

This paper develops two parametric methods to detect low-rate denial-of-service attacks and other similar near-periodic traffic, without the need for flow separation. The first method, the periodic attack detector, is based on a previous approach that exploits the near-periodic nature of attack traffic in aggregate traffic by modeling the peak frequency in the traffic spectrum. The new method adopts simple statistical models for attack and background traffic in the time-domain. Both approaches use sequential probability ratio tests (SPRTs), allowing control over false alarm rate while examining the trade-off between detection time and attack strength. We evaluate these methods with real and synthetic traces, observing that the new Poisson-based scheme uniformly detects attacks more rapidly, often in less than 200ms, and with lower complexity than the periodic attack detector. Current entropy-based detection methods provide an equivalent time to detection but require flow-separation since they utilize source/destination IP addresses. We evaluate sensitivity to attack strength (compared to the rate of background traffic) with synthetic traces, finding that the new approach can detect attacks that represent only 10% of the total traffic bitrate in fractions of a second.