抽样情况下复杂LDoS攻击检测方法研究

doi:10.3969/j.issn.1671-1122.2026.01.007

摘要/Abstract

摘要：

低速率拒绝服务（LDoS）攻击借助网络协议的自适应机制缺陷，以合法方式致使网络自适应机制失效，显著降低带宽利用率和服务质量。因此，LDoS攻击的高隐蔽性和强破坏性使其成为网络安全领域的重要研究课题。针对复杂LDoS攻击在多网络层次中的隐蔽性及传统检测方法在抽样场景下的局限性，文章提出一种基于HLD-Sketch的LDoS攻击检测方法。文章涵盖在抽样情况下传输层LDoS攻击、应用层LDoS攻击及混合层次攻击场景。首先，通过改进的CM-Sketch结构实现动态流长估计，基于流长自适应调整抽样概率，优先对短流实施细粒度采样，减少长流背景噪声对攻击特征提取的干扰；其次，利用CM-Sketch的轻量级特性，在抽样流量中高效提取多维时序统计特征，包括流速率、上下行数据包个数及端口散布值等特征；最后，采用机器学习分类器对传输层、应用层及混合攻击进行层次化检测。实验结果表明，文章方法在3%的抽样率以及在混合攻击场景中，6 s内的检测准确率可以达到99.94%。该方法为高速网络环境下多维度LDoS攻击的实时检测提供了轻量化解决方案，尤其适用于大规模流量环境中的资源受限场景。

关键词: 低速率拒绝服务攻击, Sketch, 动态流抽样, 多维时序特征, 轻量化检测

Abstract:

Low-Rate Denial-of-Service (LDoS) attacks exploit vulnerabilities in network protocols’ adaptive mechanisms, causing these mechanisms to fail in a legitimate manner, significantly reducing bandwidth utilization and quality of service. Therefore, the high concealment and destructive nature of LDoS attacks make them an important research topic in the field of network security.Aiming at the concealment of complex low-rate denial-of-service (LDoS) attacks across multiple network layers and the limitations of traditional detection methods in sampled traffic scenarios, this paper proposes an LDoS attack detection method based on HLD-Sketch (Hybrid-LDoS-Detect-Sketch). The study covers the detection of transport-layer LDoS attacks, application-layer LDoS attacks, and hybrid multi-layer attack under sampling conditions. First, an improved CM-Sketch structure is introduced to dynamically estimate flow lengths and adaptively adjust sampling probabilities, prioritizing fine-grained sampling for short flows to reduce interference from long-flow background noise during attack feature extraction. Second, leveraging the lightweight nature of CM-Sketch, multidimensional temporal statistical features, such as flow rate, the number of upstream and downstream packets, and port dispersion, are efficiently extracted from the sampled traffic Finally, a machine learning classifier is employed to hierarchically detect transport-layer, application-layer, and hybrid attacks. Experimental results demonstrate that the proposed method achieves a detection accuracy of 99.94% with a 3% sampling rate within 6 seconds, even in hybrid attack scenarios. This approach provides a lightweight solution for real-time detection of multi-dimensional LDoS attacks in high-speed network environments, particularly suited for resource-constrained scenarios with large-scale traffic.

Key words: LDoS, sketch, dynamic flow sampling, multi-dimensional temporal features, lightweight detection

中图分类号:

TP309

徐一凡, 程光, 周余阳. 抽样情况下复杂LDoS攻击检测方法研究[J]. 信息网络安全, 2026, 26(1): 79-90.

XU Yifan, CHENG Guang, ZHOU Yuyang. Research on Complex LDoS Attack Detection Methods under Sampling Conditions[J]. Netinfo Security, 2026, 26(1): 79-90.

图/表 17

图1

图2

表1

图3

表2

图4

图5

表3

表4

表5

表6

表7

表8

表9

表10

表11

表12

参考文献 26

[1]	NEEDHAM R M. Denial of Service: An Example[J]. Communications of the ACM, 1994, 37(11): 42-46.
[2]	KUZMANOVIC A, KNIGHTLY E W. Low-Rate TCP-Targeted Denial of Service Attacks:the Shrew vs. The Mice and Elephants[C]// ACM. The 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications. New York: ACM, 2003: 75-86.
[3]	MACIÁ-FERNÁNDEZ G, DÍAZ-VERDEJO J E, GARCÍA-TEODORO P. Evaluation of a Low-Rate DoS Attack Against Iterative Servers[J]. Computer Networks, 2007, 51(4): 1013-1030. doi: 10.1016/j.comnet.2006.07.002 URL
[4]	OKTA. Slowloris DDoS Attack: Definition, Damage&Deffense[EB/OL]. (2024-09-01)[2025-10-12]. https://www.okta.com/identity-101/slowloris/.
[5]	TOULAS B. Italian CERT: Hacktivists Hit Govt Sites in ‘Slow HTTP’ DDoS Attacks[EB/OL]. (2020-05-13)[2025-10-12]. https://www.bleepingcomputer.com/news/security/italian-cert-hacktivists-hit-govt-sites-in-slow-http-ddos-attacks/.
[6]	SUN Haibin, LUI J C S, YAU D K Y. Defending Against Low-Rate TCP Attacks: Dynamic Detection and Protection[C]// IEEE. The 12th IEEE International Conference on Network Protocols (ICNP 2004). New York: IEEE, 2004: 196-205.
[7]	TANG Dan, WANG Xiyin, LI Xiong, et al. AKN-FGD: Adaptive Kohonen Network Based Fine-Grained Detection of LDoS Attacks[J]. IEEE Transactions on Dependable and Secure Computing, 2023, 20(1): 273-287. doi: 10.1109/TDSC.2021.3131531 URL
[8]	XIANG Yang, LI Ke, ZHOU Wanlei. Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics[J]. IEEE Transactions on Information Forensics and Security, 2011, 6(2): 426-437. doi: 10.1109/TIFS.2011.2107320 URL
[9]	YUE Meng, WU Zhijun, WANG Jingjie. Detecting LDoS Attack Bursts Based on Queue Distribution[J]. IET Information Security, 2019, 13(3): 285-292. doi: 10.1049/iet-ifs.2018.5097
[10]	TANG Dan, TANG Liu, DAI Rui, et al. MF-Adaboost: LDoS Attack Detection Based on Multi-Features and Improved Adaboost[J]. Future Generation Computer Systems, 2020, 106: 347-359. doi: 10.1016/j.future.2019.12.034 URL
[11]	LUO Xiapu, CHANG R K C. On A New Class of Pulsing Denial-of-Service Attacks and the Defense[C]// NDSS. NDSS Symposium 2005. SanDiego: NDSS, 2005: 67-85.
[12]	CHEN Zhaomin, YEO C K, LEE B S, et al. Power Spectrum Entropy Based Detection and Mitigation of Low-Rate DoS Attacks[J]. Computer Networks, 2018, 136: 80-94. doi: 10.1016/j.comnet.2018.02.029 URL
[13]	ZHANG Naiji, JAAFAR F, MALIK Y. Low-Rate DoS Attack Detection Using PSD Based Entropy and Machine Learning[C]// IEEE. 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom). New York: IEEE, 2019: 59-62.
[14]	WU Zhijun, ZHANG Liyuan, YUE Meng. Low-Rate DoS Attacks Detection Based on Network Multifractal[J]. IEEE Transactions on Dependable and Secure Computing, 2016, 13(5): 559-567. doi: 10.1109/TDSC.2015.2443807 URL
[15]	CHEN Hongsong, MENG Caixia, SHAN Zhiguang, et al. A Novel Low-Rate Denial of Service Attack Detection Approach in ZigBee Wireless Sensor Network by Combining Hilbert-Huang Transformation and Trust Evaluation[J]. IEEE Access, 2019, 7: 32853-32866. doi: 10.1109/ACCESS.2019.2903816
[16]	JAZI H H, GONZALEZ H, STAKHANOVA N, et al. Detecting HTTP-Based Application Layer DoS Attacks on Web Servers in the Presence of Sampling[J]. Computer Networks, 2017, 121: 25-36. doi: 10.1016/j.comnet.2017.03.018 URL
[17]	REED A, DOOLEY L S, MOSTEFAOUI S K. A Reliable Real-Time Slow DoS Detection Framework for Resource-Constrained IoT Networks[C]// IEEE. 2021 IEEE Global Communications Conference (GLOBECOM). New York: IEEE, 2022: 1-6.
[18]	XU Congyuan, SHEN Jizhong, DU Xin. Low-Rate DoS Attack Detection Method Based on Hybrid Deep Neural Networks[EB/OL]. [2025-10-30]. https://doi.org/10.1016/j.jisa.2021.102879.
[19]	JANSI RANI S V, IOANNOU I, NAGARADJANE P, et al. Detection of DDoS Attacks in D2D Communications Using Machine Learning Approach[J]. Computer Communications, 2023, 198: 32-51. doi: 10.1016/j.comcom.2022.11.013 URL
[20]	GARCIA N, ALCANIZ T, GONZÁLEZ-VIDAL A, et al. Distributed Real-Time SlowDoS Attacks Detection over Encrypted Traffic Using Artificial Intelligence[EB/OL]. (2021-01-01)[2025-10-30]. https://doi.org/10.1016/j.jnca.2020.102871.
[21]	WEN Kun, YANG Jiahai, ZHANG Bin. Survey on Research and Progress of Low-Rate Denial of Service Attacks[J]. Journal of Software, 2014, 25(3): 591-605.
	文坤, 杨家海, 张宾. 低速率拒绝服务攻击研究与进展综述[J]. 软件学报, 2014, 25(3): 591-605.
[22]	RFC 2988. Computing TCP’s Retransmission Timer[EB/OL]. [2025-10-12]. https://www.rfc-editor.org/rfc/pdfrfc/rfc2988.txt.pdf.
[23]	LI D C, TU H H, CHOU L D. Cross-Layer Detection and Defence Mechanism Against DDoS and DRDoS Attacks in Software-Defined Networks Using P4 Switches[EB/OL]. (2021-01-01)[2025-10-30]. https://doi.org/10.1016/j.compeleceng.2024.10930.
[24]	WANG Zhi, ZHANG Hao, GU Jianjun. A Hybrid Method of Joint Entropy and Multiple Clustering Based DDoS Detection in SDN[J]. Netinfo Security, 2023, 23(10): 1-7.
	王智, 张浩, 顾建军. SDN网络中基于联合熵与多重聚类的DDoS攻击检测[J]. 信息网络安全, 2023, 23(10): 1-7.
[25]	CHEN Jinfeng, WU Hua, WANG Suyue, et al. An Accurate and Real-Time Detection Method for Concealed Slow HTTP DoS in Backbone Network[C]// Springer. ICT Systems Security and Privacy Protection. Heidelberg: Springer, 2024: 207-221.
[26]	HU Xiaoyan, GAO Wenjie, CHENG Guang, et al. Toward Early and Accurate Network Intrusion Detection Using Graph Embedding[J]. IEEE Transactions on Information Forensics and Security, 2023, 18: 5817-5831. doi: 10.1109/TIFS.2023.3318960 URL

特征	意义
FlowLength	数据流总长度
SampleLength	采样后数据流长度
DownLength	下行数据流长度
UpLength	上行数据流长度
ByteTotal	采样数据流字节数
PayloadDisp	数据包大小散布
AvgPacket	平均数据包大小
FlowRate	流速
SendPortDisp	目的端口散布
RecPortDisp	源端口散布
SYNPacket	SYN为1的数据包数量
RWND_0	接收窗口为0的数据包数量

名称	类型	字节
Length	Counter	1
SampleLength	Counter	1
ByteTotal	Counter	1
SYNPacket	Counter	1
RWND_0	Counter	1
PayloadDisp	Bitmap	2
SendPortDisp	Bitmap	2
RecPortDisp	Bitmap	2

模型	Accuracy	Recall	FPR	F1
逻辑回归	99.80%	99.84%	1.07%	99.89%
决策树	99.92%	99.98%	1.28%	99.96%
随机森林	99.94%	99.99%	1.08%	99.96%
XGBoost	99.92%	99.99%	1.49%	99.96%

${{\varepsilon }^{2}}$	Accuracy	Recall	FPR	F1	抽样
1	99.94%	99.99%	1.08%	99.96%	3.45%
2	99.94%	99.98%	0.88%	99.97%	3.20%
3	99.94%	99.99%	1.03%	99.97%	3.09%
4	99.93%	99.96%	0.95%	99.96%	3.03%
5	99.94%	99.95%	0.20%	99.97%	3.01%

时间/s	Accuracy	Recall	FPR	F1
1	99.94%	99.95%	0.20%	99.97%
2	99.95%	100%	1.07%	99.97%
3	99.97%	99.97%	0	99.98%
4	99.97%	99.97%	0.95%	99.98%
5	99.98%	99.98%	0.85%	99.99%