Applying Sigmoid Filter for Detecting the Low-Rate Denial of Service Attacks

Title: Applying Sigmoid Filter for Detecting the Low-Rate Denial of Service Attacks
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Rabie, R., Drissi, M.
Conference Name: 2018 IEEE 8th Annual Computing and Communication Workshop and Conference (CCWC)
Keywords: attacker traffic, Bandwidth, Computer crime, computer network security, denial of service (dos), distributed DoS, filtering theory, high rate attacks, honey pots, honey-pot server, human factors, low-rate bandwidth, low-rate denial of service attack detection, low-rate DoS attack detection, MATLAB, network efficiency, NS-3 Simulation, NS3 simulation, Probabilistic logic, pubcrawl, re-transition timeout mechanism, resilience, Resiliency, Routing protocols, Scalability, Servers, sigmoid filter optimization, TCP congestion control window algorithm, TCP packet size, telecommunication congestion control, telecommunication traffic, threshold bandwidth filter, transport protocols
Abstract: This paper focuses on optimizing the sigmoid filter for detecting Low-Rate DoS attacks. Though sigmoid filter could help for detecting the attacker, it could severely affect the network efficiency. Unlike high rate attacks, Low-Rate DoS attacks such as "Shrew" and "New Shrew" are hard to detect. Attackers choose a malicious low-rate bandwidth to exploit the TCP's congestion control window algorithm and the re-transition timeout mechanism. We simulated the attacker traffic by editing using NS3. The Sigmoid filter was used to create a threshold bandwidth filter at the router that allowed a specific bandwidth, so when traffic that exceeded the threshold occurred, it would be dropped, or it would be redirected to a honey-pot server, instead. We simulated the Sigmoid filter using MATLAB and took the attacker's and legitimate user's traffic generated by NS-3 as the input for the Sigmoid filter in the MATLAB. We run the experiment three times with different threshold values correlated to the TCP packet size. We found the probability to detect the attacker traffic as follows: the first was 25%, the second 50% and the third 60%. However, we observed a drop in legitimate user traffic with the following probabilities, respectively: 75%, 50%, and 85%.
DOI: 10.1109/CCWC.2018.8301654
Citation Key: rabie_applying_2018