Low-Rate DoS Attack Flows Filtering Based on Frequency Spectral Analysis

The College of Electronic Information & Automation, Civil Aviation University of China, Tianjin 300300,China

* The corresponding author, email: zjwu@cauc.edu.cn

I. INTRODUCTION

Low-rate denial of service (LDoS) attack was first detected on Internet2 Abilene in 2001[1]and presented on SIGCOMM conference in 2003 by Kuzmanovic [2]. The primary aim of LDoS attacks is to reduce the network quality of service (QoS).

LDoS attack exploits the vulnerability of timeout retransmission (RTO) mechanism in TCP protocol to degrade the QoS at the end of victim by sending a sequence of periodic pulses in square wave. A typical LDoS attack can be expressed in a three tuple of attack periodT, attack durationL, and attack rateHere,Tis the interval between two successive attack pulses.Tcan be obtained by estimating the execute duration of trusted source. The duration of this timer is referred as retransmission timeout (RTO).Lis the width of attack pulse.Ris the intensity of attack pulse.Rindicates the highest rate of attack flows[2][3].

LDoS attack is quite different from that of traditional flood-based attacks in behaviors,attack effects and vulnerable mechanism exploitations. LDoS attacks only send attack packets within a specific time interval with a relatively low rate, which is hidden deep in the normal network traffic. Hence, LDoS attack is characterized as an intermittent attack [1].LDoS attack flows are quite similar with legitimate network traffic, and which is completely embedded into legitimate TCP traffic. It is difficult to detect and filter LDoS attack flows by available methods which adopt the network traffic sample and time statistics[4].

Based on frequency spectrum analysis, the authors proposed an approach of LDoS attack flow filtering.

It is well known that network traffic data is a sequence of discrete time signal and a majority of traffic on Internet is using TCP protocol nowadays[5]. Furthermore, TCP traffic flows behave obvious periodicity. Hence, LDoS attack flows are small periodic signal, which is hidden in the periodic TCP background traffic. This analysis result provides a basis for distinguishing LDoS attack flows and normal TCP traffic from the spectral distribution in frequency domain. Available research results show that the power spectrum distribution of legitimate TCP traffic and LDoS attack flows were not the same in frequency domain[6].Therefore, an approach of filtering LDoS attack flows based on frequency spectrum analysis is proposed. In this approach, the network data (Including the normal traffic and attack traffic) is transformed from the time domain into the frequency domain and processed by using the technology of digital signal processing (DSP).

II. RELATED WORKS

The LDoS attack detection by using time statistics analysis method in time domain has deficiencies in detection effects, because the average LDoS attack flows are very small while the effect of background traffic is relatively large. Therefore, many researchers proposed new approaches of detecting LDoS attacks by using the method of spectrum analysis in frequency domain [7][8]. The signal processing technology is combined with network traffic data processing techniques and the classical signal detection and filter theory are applied with the method to detect and filter LDoS attack flows [9].

In the research of network traffic periodicity, Yu Chen etc.[10] explored the energy distributions of normal Internet flows in frequency domain on Abilence-III. Legitimate TCP traffic flows presented periodicity because of its protocol behavior. The periodicity is closely related with round-trip time (RTT)(RTT also called round-trip delay, is the time between a request for data and the complete return that data. RTT is defined as the interval between data transmission and the receipt of a positive acknowledgement.). Their results revealed that legitimate TCP flows could be segregated from malicious flows according to energy distribution properties. They discovered the spectral shifting of attack flows from that of normal flows. Combining flow-level spectral analysis with sequential hypothesis testing, they proposed a novel defense scheme against RoQ attacks. The research shows their detection and filtering scheme can effectively rescue 99% of legitimate TCP flows under the RoQ attacks.

In the research on spectrum distribution of DoS attacks, Ramin Fadaei Fouladi etc.[11] characterized the frequency domain of DoS attacks instead of time domain. They considered the number of packets arriving to the node of victim as a random process which was acquired by sampling the packets number every 1 mil-second. Their research shows that the main energy of DoS and DDoS attacks is distributed in high and low frequencies respectively. While the energy is spread evenly through all range of frequencies in Legitimate TCP traffic.

In the research of attack energy detection,Hao Chen etc. [12] explored the existent energy which was exposed to Shrew attacks in frequency domain, and proposed an optimized FPGA based on an accelerator for the real-time PSD (Power Spectral Density)conversion. And this work is based on their innovative component-reusable Auto-Correlation (AC) algorithm and the adapted 2N-point real-valued DFT (Discrete Fourier Transform)algorithm. They designed the accelerator in a Xilinx Virtex2 Pro FGPA.

In the research of filtering attack flows in frequency domain, WU Zhijun and SHI Zhen[13] proposed a method of filtering LDoS attack by a finite impulse response (FIR) filter.They analyzed spectrum characteristics of LDoS attacks in frequency domain by adopting digital signal processing technology, and designed a FIR filter to eliminate the illegitimate frequencies in frequency domain. Experiments result shows that 92.88% of LDoS attack energy is filtered, and 19.75% of normal energy is eliminated. WU Zhijun and ZHANG Dong [14] presented an approach of defending against DoS attack in frequency domain.This approach analyzed DoS attack flows which utilized the signal processing method to explore the DoS attack spectrum distribution in frequency domain. The FIR filter was designed to filter the illegitimate frequencies in frequency domain and the LAR (Legitimate traffic to attacked traffic ratio) was improved about 10 dB.

Periodic characteristic of LDoS attack flows facilitates to the research of attacks detection and filtration. Periodic signals and non periodic signals show different properties in spectrum distribution in frequency domain.A legitimate TCP flow should exhibit strong periodicity around its round-trip time (RTT) in both flow directions. Similarly, LDoS attack is also cyclical. But, the TCP-periodicity is millisecond while that of the cyclical LDoS attack is a second-level. Hence, the differences between TCP and LDoS attack are their periodical occupancies in different frequency bands of the spectrum in frequency domain [6][11]. And these differences are very easy to be distinguished by using signal processing technology.

This paper proposes an approach of filtering LDoS attack flows based on the spectral energy distribution. A comb filter using IIR filter is designed to filter out the spectral energy belonging to LDoS attacks.

III. INTERNET TRAFFIC ANALYSIS

In time domain, it is quite difficult to distinguish LDoS attack flows from legitimate TCP flows, because both flows are very similar in nature and totally mixed. In order to explore the differences between LDoS attack flows and legitimate TCP flows, traffic energy distributions of LDoS attack flows and legitimate TCP flows are analyzed in frequency domain.The RTT value is estimated by using spectral analysis method. The comparative analysis of energy distribution of both legitimate TCP flows and LDoS attack flows are carried out in frequency domain.

3.1 Analysis of legitimate TCP flows

The TCP congestion control mechanism serving as a reliable end-to-end byte-based transport protocol, it has been remarkably successful in making the current Internet function efficiently. TCP protocol carries 95% of today’s Internet traffic and constitutes more than 80%of the total number of the flows in the Internet[5]. Hence, TCP-targeted LDoS attacks take advantage of the time-out mechanism of the TCP protocol to create persistent link congestions.

Packet transmission of TCP can be characterized by the packet conservation principle[15]. This principle asserts that every arriving data packet at the receiver allows the departure of an ACK packet, and every arriving ACK packet at the sender enables the injection of a new data packet into the network. Consecutive packets within a window are sent out in a bursty manner, constrained only by the transmission time of the bottleneck link [7].The conservation principle leads to TCP flows showing obvious periodicity. If a TCP packet is sent out in the network at any point, that is to say, chances are there to see another packet belonging to the same TCP flow passing through the same point after one RTT. Therefore, legitimate TCP traffic flow also present some features related to RTT in frequency domain. Yu Chen and Kai Hwang [10] reveal that TCP flow presents a clear periodicity in frequency domain and the positions of peaks are related to the RTT of the communication by using the Abilene-III Internet trace data.

The TCP flow whose RTT is about 50 ms was sampled every 1 ms withinThen the packet arrivals to the detecting router are regarded as a signal sequenceUsing Discrete Fourier Transform (DFT) to transformas following.

Fig. 1 Amplitude spectrum of a TCP flow

The amplitude spectrum of TCP flow is obtained by using DFT to convertinto the frequency according to the sampling theorem[16], the TCP signal is band-limited within 500 Hz. Fig. 1(a) evaluates the energy distribution of signal sequence, and Fig. 1(b) zooms in the low frequency band of 0 Hz to 200 Hz to show the detail characteristics of TCP flow in frequency domain.

Fig. 1.(a) shows that the energy of TCP flow is almost evenly distributed along all the range of frequency band. Through carefully observation on the spectrum of each frequency range, there are more TCP energy located in some frequency bands than others, as shown in Fig. 1.(b). The peaks of energy distribution are located at different points determined by the RTT related to the TCP flow. This characteristic is particularly obvious in the low-frequency band.

Because of congestion control mechanisms of TCP, packet arrivals of traffic flows appear periodic, which leads to the main energy of the flow locating in the bands corresponding to the RTT. Thus, it is feasible to guarantee the main energy of TCP can pass through if a filter scheme is designed to make sure that the energy corresponding to the RTT can pass through.So it is necessary to estimate RTT precisely in frequency domain for the sake of filtering work as follows.

3.2 Estimation of RTT in frequency domain

RTT is an important factor has direct impact on the QoS in the Internet. Taking TCP as an example, for its best popularity, it uses RTT to estimate the network load or the congestion,and therefore RTT needs to be measured frequently. RTT consists of the following parameters.

A new available RTT estimation method is proposed by using traffic spectrum analysis.This method aims to estimate the peak locations of the flow in frequency domain related to RTT for the sake of filtering work following in the passage.

The estimation of the RTT in frequency domain is as following, which is called frequency domain research method.

Fig. 2 Estimation result using frequency domain research method

The theory foundation of the estimation method is that the main energy of the TCP flow is distributed in the frequency bands corresponding to RTT.can be extracted from the selected maximum value ofFig. 2 shows the result of using the proposed method to estimate RTT of a TCP flow, and whose RTT is about 50 ms (Corresponding frequency point of 20 Hz).

3.3 Energy distribution comparison of LDoS attack and legitimate TCP flows

LDoS attack flows are generated by using LDoS attacks generation tool, which is Linux TCP-kernel source code [21]. A UDP-based software is used to generate attack flows in network simulation (NS-2) platform.The attack period is 1000 seconds, and the attack begins at 400 seconds and ends at 500 seconds. A tripleLDoS(T,L,R) = (2000 ms,50 ms, 15 Mbps) is used to describe the LDoS attacks.

Transforming LDoS attack flows into power spectrum from time domain to frequency domain by using DFT. the Normalized Cumulative Amplitude Spectrum (NCAS) [6][10] of LDoS attack flows is obtained as Fig. 3.

In time domain, the LDoS attack flows are a series of typical periodic rectangular impulse sequences, its power spectrum distribution is very similar to the rectangular pulse signal.So, the main energy of LDoS attack flows is concentrated in the main lobe.

Fig. 3 shows that the power spectrum (energy) distribution of LDoS attack flows are concentrated in the low-frequency band. This distribution presents a very different spectral pattern from that of legitimate TCP flows, its power spectrum (energy) is distributing evenly all over the whole band[6][10].

Fig. 3 Normalized amplitude spectrum of A single LDoS attack flow

Fig. 4 Energy distribution comparison of LDoS attack and TCP flows

In order to measure the difference between two power spectrum distributions, both NCAS of LDoS attack flows and legitimate TCP flows are calculated respectively[6][10]. Fig.4(a) indicates two power spectrum distributions, while Fig. 4(b) is the enlarged figure of interesting area, which locates in low frequency band of 0 Hz to 88 Hz.

As shown in Fig. 4(a), the NCAS curve of legitimate TCP flow is almost rising linearly with the increases of frequency value, and its slope keeps nearly the same in the whole frequency band. However, the NCAS curve of LDoS attack flow has a very steep slope at low frequencies but a very gentle slope in other frequency bands. That is to say, the energy of TCP flow is substantially evenly distributed throughout the frequency domain. But the energy of LDoS attack flow is concentrated in the low-frequency band, in which more than 67% is located within frequency band range of[0,50]Hz [6][10].

Fig. 4(b) shows that there is a step slope at frequency points of 0 Hz, 20 Hz, 40 Hz and 60 Hz while the slope is relative smooth at other frequency points. In other word, the slope has a abrupt increase at step frequency points. The mathematical interpretation of step slope is that the energy distributed at step frequency points are directly related to the monotonicity of a function in a certain interval. Hence, it is concluded that step change at these frequency points represents energy is concentrated in the vicinity of 0 Hz, 20 Hz,40 Hz and 60 Hz. This conclusion is consistent with the previous discussion that the main energy of legitimate TCP flow is distributed at the frequency points of n/RTT. In other word,the energy peaks of TCP flow occur at the frequency points of n/RTT. Except step frequency points, the slope is smaller and almost flat at other frequency points, this situation indicates that little energy is distributed at non-step frequency points. In low frequency band, it is extremely obvious that the energy distribution of legitimate TCP flows is ladder shaped, which is the most different characteristic from LDoS attack flows[6][10].

Therefore, a comb filter can be designed 0to separate legitimate TCP flows and LDoS attack flows by filtering hybrid network traffic[13]. If the comb of designed filter is alignment of frequency points of n/RTT, most of the legitimate TCP flows will pass through the designed filter, while most of the LDoS attack flows will be filtered out. This is the basic principle of LDoS attack flows filtering based on frequency spectral analysis.

IV. FILTER DESIGN

Filter design is completed on the basis of the LDoS attack traffic analysis. It is designed according to the characteristic of the frequency spectrum distribution of normal TCP traffic and LDoS attack traffic in the frequency domain.

4.1 Filter response

Spectrum analysis shows that the spectrum distribution of LDoS attacks (as shown in Fig 3) is composed of a series of regularly distributed peaks, which looks similar to the comb. Hence, the traditional signal processing technology is used in designing a comb filter,which has several equally spaced passbands starting at[16]. Considering the fact that the spectrum of LDoS attack is mainly concentrated in the low frequency band (as shown in Fig 3) and the spectrum of TCP flows is almost uniformly distributed in the whole frequency band (as shown in Fig 1),the frequency at 1/RTT and its corresponding frequency at integral multiples of 1/RTT are designed as the passband of the comb filter,which ensures that most of normal TCP flow is passed. Hence, the designed comb filter has following frequency response [16].

where, the order of filter isfundamental frequencyand sample frequencyis 1s.

The magnitude response of comb filter is shown as Fig. 5.

Fig 5 shows that the response simply consists of a repeating series of impulses decreasing in amplitude over time when stable. The magnitude response periodically drops to a local minimum and rises to a local maximum at corresponding frequency point of 1/RTT and integral multiples of 1/RTT [16]. The purpose of this design is to ensure that the overwhelming majority of normal TCP traffic can pass through, and as much as possible to stop the LDoS attack flows (filtering LDoS attack flows).

4.2 Determining the filter order

Fig. 5 The magnitude response of comb filter

Fig. 6 The filtering flow chart of LDoS attack flow

The ordernof comb filter is determined through precise estimation of RTT value. It can be calculated as

The filtering effect should be fully considered once the order of comb filter is determined. The estimation of RTT value and evaluation of filtering effect are shown in following flow chart as Fig. 6.

The procedures are as following.

(i) Sample legitimate TCP flows under no LDoS attack situation with sampling interval of 1s

(ii) Estimate RTT value by using frequency search method to determine the filter order.The estimated RTT is 50msThen the filter order

(iii) Set the filter parameters. The center frequency of passband is 20 Hz and its integer times, and the passband bandwidth is 5.8 Hz.The passband maximum attenuation 1 dB, and the stop band minimum attenuation 15 dB.

(iv) Sample legitimate TCP and LDoS attack flows respectively under LDoS attack situation.

(v) Start filter operation and evaluate filtering effect.

(vi) Change LDoS attack parameters ofTandL, and reconfigure comb filter design parameters.

(vii) Change RTT value, repeat all above steps.

In order to make the filtering effect better until getting the optimal, filtering results should be analyzed and evaluated during the whole process of filtering LDoS attack flows.

Fig. 7 Diagram of filtering LDoS attack flows

4.3 Filtering rule

The principle of LDoS attack flows filtering by using comb filter is shown in Fig. 7[13].

Spectral analysis explores that legitimate TCP flow has even energy distribution over the entire frequency band and main energy of LDoS attack flow is distributed in low frequency band. Based on the differences of energy distribution between the legitimate TCP flows and LDoS attack flows in frequency domain, Fig. 7 shows that the comb filter can be designed to ensure the main energy of legitimate TCP flows distributed in the frequency band corresponding to the RTT passing through the filtering rules, while most energy of LDoS attacks flows are blocked.

(i) In low frequency band, main energy of LDoS attack flows are filtered out, and the vast majority of legitimate TCP flows pass through the comb filter. A very small amount of legitimate TCP flows are abandoned due to overlap of legitimate TCP flows and LDoS attack flows at frequency points corresponding to n/RTT.

(ii) In high frequency band, legitimate TCP flows are the principal component while LDoS attack flows occupy small proportion. Hence,nearly all legitimate TCP flows are kept due to the well-designed magnitude response of comb filter. But, all the energy of LDoS attack flows that distributed in high frequency band pass through the designed comb filter smoothly.

In general, the designed comb filter aims to let as much as possible legitimate TCP traffic pass through and maximum stop LDoS attack flows through.

V. EXPERIMENTS AND RESULT ANALYSIS

Experiments on LDoS attack flows filtering are carried out by using designed comb filter in Network Simulation (NS-2) platform with the topology shown in Fig. 8.

Experimental network topology is a dumbbell shape, two routers A and B connect all TCP and victim servers.

In Fig. 8, node 1, 2, and 3 are TCP clients,Node 4 is LDoS attacker, and Node 5, 6 and 7 are TCP servers. Node A and B are two routers at both end of bottleneck link. The bandwidth between clients and the router A is 100Mb with a delay of 2.5ms, the link between router B and servers is the same configuration. Total 9 links between TCP clients 1, 2, 3 to server 5, 6, 7 are recorded, and the RTT values of the all links are set to the same value (Because all link paths are the same).

The experimental scenario is a simulation of FTP transmission process. The client uses the UDP protocol to upload and download files to the server. In this scenario, the sender and receiver are described as (i) In the absence of LDoS attacks, TCP clients 1, 2, and 3 are the senders of packets, and TCP servers 5, 6 and 7 are the receivers of packets. (ii) In the case of LDoS attacks, Node 4 ( LDoS attacker) is the sender of packets, and TCP servers 5, 6 and 7 are the receivers of packets.

LDoS attack flows are generated by using a UDP-based software, which is a tool exploiting the Linux TCP-kernel source code [1][21].The period of LDoS attack is 1000 seconds.

The bandwidth of bottleneck link between the router A and B is 15Mb with a delay ofαms. The bandwidth between attacker and the router A is 15Mb with a delay of 2.5ms. Thus,

where,RTTis calculated according to whole link.

5.1 RTT estimation

As mentioned above, Fig 2 illustrates the estimation of RTT by using frequency domain research method and shows that there was a peak at 20 Hz (50ms), which is the estimated value of RTT. Therefore, to find the highest peak of the spectrum through frequency domain analysis, and the frequency point corresponding to the highest peak of the spectrum is RTT value

In Fig. 8, all links have the same RTT value, and then the frequency points corresponding to the highest peak of the spectrum are identical for all links. Hence, spectrum superposition is realized to form the aggregated flow.

Set RTT to be 20 ms, 40 ms, … , and 200 ms individually by adjusting the delay ofαto in NS-2 platform. Then, estimate RTT value of whole link. The estimated RTT is expressed as RTTes, which is the obtained by using frequency domain research method. In order to obtained preciseα, the relative errors between RTT and RTTes are calculated and result are listed in Table I.

Table I shows that the value of RTTes is very close to that of the RTT and their relative error is tiny. Considering the response processing time of NS-2 simulation platform, the value of RTTes is typically larger than the value of RTT set in NS-2 simulation platform. In fact, the relative error will be tinier if the real values of RTT are acquired.

5.2 LDoS attack flow filtering

The comber filter is designed to filter the LDoS attack flows.

Table I Estimation of RTT by using frequency domain search method

Fig. 8 The layout of simulation experiments

5.2.1 Comb filter

Fig. 9 Energy distribution of both TCP and LDoS attack flows within 50 Hz

Fig. 10 Feedback magnitude response for delay values of 19.625

Table II Filtering effect comparison when T changes with constant L

RTT values in the Ethernet environment are typically several tens of milliseconds. In the experiment environments shown as Fig. 8,settingαto satisfy RTT=49.25 s,αequals 19.625 according to equation (4). The value of RTTes=50 s is obtained by using the frequency domain search method, thenHz.The filter order iswhereis 1000 Hz [6]. Setting the parameters of LDoS attack: T=2 s,L=50 ms. Sampling TCP traffic under no LDoS attack for 100 s, so does to the TCP and LDoS attack flows under LDoS attack. The energy distribution of both TCP and LDoS attack flows within 50 Hz are shown in Fig. 9.

The magnitude response of designed feedback comb filter is shown in Fig. 10.

The filtering effect is analyzed as following.

After filtering, the energy of TCP remains 91.84% under no attack situation, while it remains 81.08% and the energy of LDoS attack remains 22.21% under the attack situation.The filtering effects are shown in Fig. 11(a),(b)and Fig. 12(a),(b). They are respectively for TCP and LDoS attack both in frequency domain and time domain under attack situation.

As shown in Fig. 11(a), the TCP flow remains the features of the comb spectrum broadly under attack situation. The shape of the spectrum nearly keeps unchanged after filtering. It is also observed clearly that the majority of TCP packets pass through the comb filter in Fig. 11(b). Most energy of the LDoS attack can be eliminated from the filter through comparison in Fig. 12(a), and it is verified visually in Fig. 12(b).

In order to get a better observation on the performance of the filter, different values of attack period T and pulse duration L are applied with during the experiments. The remained percentage of energy is shown in Table II and Table III.

From the Table II and Table III, we can make a conclusion that different attack parameters lead to different filtering effect even of the same comb filter. The longer the attack period T is set, the more energy of TCP flow remains after filtering, which illustrates a better filtering effect.

At the same time, it has little impact on the remained energy of LDoS attack. The longer the pulse duration L is set, the less energy of TCP flow remains and the less energy of LDoS attack flow is filtered out, which shows a bad filtering effect. It is clear that LDoS attack traffic throttles legitimate TCP traffic more heavily with a shorter attack period T and a longer pulse duration L. Therefore, if the proportion of LDoS attack traffic in the whole link rises, it will lead to the changes of queuing delay which affects the value of RTT,resulting in the spectrum changes of legitimate TCP traffic. Since the spectrum appearance of TCP traffic under attack situation is not consistent with that of TCP traffic under no attack situation. It makes the filtering effect of TCP traffic under attack situation become worse.The filtering effect will be closer to that of under no attack situation when parameters of LDoS attack have less impact on TCP traffic.

5.2.2 Improved comb filter

Even the comb filter can satisfy the basic requests of filtering, the filtering effect is not optimal due to the limitations of the comb filter design and the estimation deviations of the RTT. Based on the Equation (3), the accuracy ofleads to passbands of comb filter deviating slowly from the peak locations corresponding to the RTT with the increase ofOn the other hand, the main energy of LDoS attack is concentrated in low frequency-band whereas TCP flow has its energy distributed along the whole frequency band. From the above considerations, the comb filter can be improved as following. Making the whole energy of high frequency pass through, which makes sure that the filtering effect of the TCP flow has a great improvement and promises little impact on LDoS attack. Then decreasing the passband bandwidth of the comb filter and increasing the value of the maximum attenuation of its passband, which guarantee the main energy of TCP still pass through and also eliminate more energy of LDoS attack remarkably in low frequency-band.

By improving the filter based on the analysis mentioned before, and decreasing the passband bandwidth of the comb filter while increasing the value of the maximum attenuation of its passband can let all the energy above the frequency band [80,500]Hz pass through. The remained percentage of energy is obtained as in Table IV.

Fig. 11(a) Spectrum analysis of TCP traffic under attack situation

Fig. 11(b) Analysis of TCP traffic under attack situation in time domain

Table III Filtering effect comparison when L changes with constant T

Fig. 12(a) Spectrum analysis of LDoS attack traffic

Fig. 12(b) Analysis of LDoS attack traffic in time domain

Table IV Filtering effect of improved comb filter

Through comparison between Table IV and Table II, the filtering effect of LDoS attack has a slight improvement while that of TCP flow has improved about 5%. It means that more energy of TCP flow remains after filtering.The improved filter has a better filtering effect than that of a single comb filter, and of which effects is shown in Fig. 13(a) and (b).

Let’s compare Fig. 13(a) with Fig. 11(a),Fig. 10(b) with Fig. 12(a) respectively. It is shown that the improved filter makes more TCP traffic energy pass through while has little impact on the energy of LDoS attack, and whose most energy is concentrated in low-frequency band. Since the TCP traffic energy distributes evenly along the whole frequency band, the improved filter makes more TCP traffic pass through while hardly hurts the filtering effect of LDoS attack.

5.2.3 Comparison analysis

The proposed approach is conducted by the means of comparing with other related methods of filtering LDoS attack traffic in frequency domain.

The paper[14] exploited PSD to show the energy distribution’s difference between normal traffic and attack traffic with designing FIR filter in frequency domain directly to filter out shrew attacks. It adopted windowing method to design a magnitude response of prescribed shape. However, the desired magnitude response contains several jump discontinuities. And the oscillations caused by Gibb’s phenomenon effectively prohibit the design of filters having a very small passband ripple or stopband attenuation[16]. So the width of the transition band is increased to remedy it,which can affect the filtering effect. Besides,the premise of the windowing method of paper[14] is that the spectrum of TCP traffic is known. The proposed approach overcomes the shortcoming of the method in that paper[14]by designing IIR filter with the RTT estimation in frequency domain. So it has a good filtering property for unknown spectrum of TCP traffic.

The paper[13] explored the obvious differences mainly in the low-frequency band with designing a window–function FIR filter to eliminate LDoS attack traffic whose main energy is distributed in the low-frequency band. The key of this method is to find out the detection point FD, where the biggest difference between the energy proportion of legit-imate TCP flow and LDoS attack occurred in low-frequency band. The energy distributed at frequency which is smaller than that of the detection point is filtered out, whereas the energy distributed at frequency which is bigger than that of the detection point passes through the FIR filter. So it is difficult to find out the detection point accurately, which affects the filtering effect greatly. If the mistake was made in finding out the detection point, it would result in filtering out massive legitimate traffic or letting a massive of LDoS attack traffic pass through. Besides, it does not allow any energy distributed at frequency which is smaller than the detection point to pass through the filter, which hurts the TCP traffic a lot whose energy proportion in the low-frequency band should not be ignored. However, the proposed approach is aimed at solving this problem by designing a comb filter to ensure the energy of TCP in the low-frequency band pass through,and with limited impact on LDoS attack traffic. The improved comb filter offers a better filtering effect than the FIR filter in paper[13]in the same experiment environments, especially the pass rate of TCP traffic.

The filtering operations of proposed approach are carried out in more complicated experiments. Furthermore, the filtering effects with different attack parameters are compared,so it increases the experimental complexity and describes the filter principle in details.From the implementation point of view, it can be stated that the improved comb filter offers a more effective and more robust design in comparison to the conventional FIR approach.

VI. CONCLUSIONS

Fig. 13(a) Spectrum analysis of TCP traffic

Fig. 13(b) Spectrum analysis of LDoS attack traffic

Characteristics of TCP congestion control mechanism determines that the TCP connection appears a peak flow for every RTT, resulting in the periodic change of a single TCP flow associated with RTT to some extent. For LDoS attack traffic, the long-period (second-level)features and the rectangular pulse characteristics determine that its spectral energy is more concentrated in the lower frequency band.Based on the analysis mentioned above, it is possible to design the improved comb filter in frequency domain. The filter is designed to filter out LDoS attack traffic as much as possible whose energy is concentrated in low frequency at the same time ensures the TCP traffic pass though the filter successfully whose energy distribution exhibits periodicity in frequency domain. The simulation experiments show that the filtering work in frequency domain has a good filtering effect.

However, there is an inevitable spectrum overlap of energy distribution between them,especially near the zero frequency, which results in a great difficulty in separating LDoS attack traffic from TCP traffic completely in frequency domain. To filter out more LDoS attack traffic is bound to bring losses to legitimate TCP traffic.

ACKNOWLEDGEMENTS

The authors would like to thank the reviewers for their detailed reviews and constructive comments, which have helped improve the quality of this paper. This work was supported in part by the National Natural Science Foundation under grant No. U1533107, the Major Program of Natural Science Foundation of Tianjin under grant No. 17JCZDJC30900,the Fundamental Research Funds for the Central Universities of CAUC under grant No.3122016D003, and the graduate program of curriculum development project of Civil Aviation University of China (2050070515).

[1] A. Kuzmanovic, E. W. Knightly, “Low-rate TCP-targeted denial of service attacks and counter strategies[J]”,IEEE/ACM Transactions on Networking, vol.14, no.4, pp 683-696, 2006.

[2] A. Kuzmanovic, E. W. Knightly, “Low-rate TCP-targeted denial of service attacks [C]”, inproceedings of ACM SigComm 2003, pp 75-86,2003.

[3] Y. J Tang, X. P Luo, Q Hui, R. K. C. Chang,“Modeling the vulnerability of feedback-control based Internet services to Low-Rate DoS attacks[J]”.IEEE Transactions on Information Forensics and Security, vol. 9, no. 3, pp 339 – 353,2014.

[4] V. Kumar, P. Jayalekshmy, G. Patra, R. Thangavelu, “On remote exploitation of TCP sender for low-rate flooding denial-of-service attack[J]”,IEEE Communications Letters, vol. 13, no. 1, pp 46-48,2009.

[5] K. Thompson, G.J. Miller, R. Wilder, “Wide-area Internet traffic patterns and characteristics[J]”,IEEE Network, vol. 11, no. 6, pp 10-23, 1997.

[6] Y Chen, and K. Hwang, “Collaborative detection and filtering of Shrew DDoS attacks using spectral analysis[J]”,Journal of Parallel and Distributed Computing, vol. 66, no. 9, pp 1137-1151,2006.

[7] C. M Cheng, H Kung, K. S Tan, “Use of spectral analysis in defense against DoS attacks[C]”,in proceedings of IEEE Conference on Global Telecommunications, pp 2143-2148, 2002.

[8] P. Barford, J. Kline, D. Plonka, A. Ron, “A signal analysis of network traffic anomalies[J]”,Proceedings of ACM Sigcomm Internet Measure-ment Workshop, pp 71-82, 2002.

[9] A. Petropulu, R. Nowak, “Signal processing for networking[C]”,IEEE Signal Processing Magazine, pp 12-13, May , 2002.

[10] Y Chen, K. Hwang, “Spectral analysis of TCP flows for defense against reduction-of-quality attacks[C]”,Proc. IEEE Communications Society subject matter experts ICC, 2007.

[11] R. F. Fouladi, T. Seifpoor, E. Anarim. “Frequency characteristics of DoS and DDoS attacks[C]”,in proceedings of 21th Signal Processing and Communications Applications Conference, 2013.

[12] H Chen, Y Chen, D. H. Summerville, Z Su, “An optimized design of reconfigurable PSD accelerator for online Shrew DDoS attacks detection”,Proc. IEEE Infocom, vol. 12, no. 11, pp 1780-1787, 2013.

[13] Z.J Wu, Z Shi, “Filtering LDoS attack by FIR filter”,The Chinese Journal of Electronics (CJE), vol.19, no. 2, pp 275-278, 2010.

[14] Z.J Wu, D. Zhang, “The approach of defending against DoS attack in frequency domain[J]”,Journal of Electronics & Information Technology,vol. 30, no. 6, pp 1493-1495, 2008.

[15] V. Jacobson, “Congestion avoidance and control[J]”,ACM Computer Communication Review,vol. 18, no. 4, pp 314-329, August, 1988.

[16] V. K. Ingle, J. G. Proakis, “Digital Signal Processing Using MATLAB [M]”,WIELY, pp 361-571,2011.

[17] M. Imal, Y. Sugizaki, K. Asatani, “A new estimation method using RTT for available bandwidth of a bottleneck link”, in proceedings ofInternational Conference on Information NETWORKING IEEE Computer Society, pp 529-534, 2013.

[18] A. Moosbrugger, P. Dorfinge, “Passive RTT measurement during connection close”,Software,Telecommunications and Computer Networks(SofteCOM), pp 392-396, 2010.

[19] S. Floyd, E. Kohler, “Internet research needs better models”,In Proceedings of HOTNETS’02,Princeton, October, 2002.

[20] H. Jiang and C. Dovrolis, “Passive estimation of TCP round-trip times”,ACM Computer Comm.Review, vol. 32, no. 5 , pp 5-21, July, 2002.

[21] E. W. Knightly, A. Kuzmanovic, “Shrew attack Linux code,” December, 2004, http://www.cs.northwestern.edu/～akuzma/rice/shrew/.