Skip to main content

Detecting Pulsing Denial-of-Service Attacks with Nondeterministic Attack Intervals

Abstract

This paper addresses the important problem of detecting pulsing denial of service (PDoS) attacks which send a sequence of attack pulses to reduce TCP throughput. Unlike previous works which focused on a restricted form of attacks, we consider a very broad class of attacks. In particular, our attack model admits any attack interval between two adjacent pulses, whether deterministic or not. It also includes the traditional flooding-based attacks as a limiting case (i.e., zero attack interval). Our main contribution is Vanguard, a new anomaly-based detection scheme for this class of PDoS attacks. The Vanguard detection is based on three traffic anomalies induced by the attacks, and it detects them using a CUSUM algorithm. We have prototyped Vanguard and evaluated it on a testbed. The experiment results show that Vanguard is more effective than the previous methods that are based on other traffic anomalies (after a transformation using wavelet transform, Fourier transform, and autocorrelation) and detection algorithms (e.g., dynamic time warping).

Publisher note

To access the full article, please see PDF.

Author information

Affiliations

Authors

Corresponding author

Correspondence to Rocky K. C. Chang.

Rights and permissions

Open Access This article is distributed under the terms of the Creative Commons Attribution 2.0 International License ( https://creativecommons.org/licenses/by/2.0 ), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Reprints and Permissions

About this article

Cite this article

Luo, X., Chan, E.W.W. & Chang, R.K.C. Detecting Pulsing Denial-of-Service Attacks with Nondeterministic Attack Intervals. EURASIP J. Adv. Signal Process. 2009, 256821 (2009). https://doi.org/10.1155/2009/256821

Download citation

Keywords

  • Fourier Transform
  • Autocorrelation
  • Quantum Information
  • Detection Algorithm
  • Previous Method