Research on Complex LDoS Attack Detection Methods under Sampling Conditions

doi:10.3969/j.issn.1671-1122.2026.01.007

Abstract

Abstract:

Low-Rate Denial-of-Service (LDoS) attacks exploit vulnerabilities in network protocols’ adaptive mechanisms, causing these mechanisms to fail in a legitimate manner, significantly reducing bandwidth utilization and quality of service. Therefore, the high concealment and destructive nature of LDoS attacks make them an important research topic in the field of network security.Aiming at the concealment of complex low-rate denial-of-service (LDoS) attacks across multiple network layers and the limitations of traditional detection methods in sampled traffic scenarios, this paper proposes an LDoS attack detection method based on HLD-Sketch (Hybrid-LDoS-Detect-Sketch). The study covers the detection of transport-layer LDoS attacks, application-layer LDoS attacks, and hybrid multi-layer attack under sampling conditions. First, an improved CM-Sketch structure is introduced to dynamically estimate flow lengths and adaptively adjust sampling probabilities, prioritizing fine-grained sampling for short flows to reduce interference from long-flow background noise during attack feature extraction. Second, leveraging the lightweight nature of CM-Sketch, multidimensional temporal statistical features, such as flow rate, the number of upstream and downstream packets, and port dispersion, are efficiently extracted from the sampled traffic Finally, a machine learning classifier is employed to hierarchically detect transport-layer, application-layer, and hybrid attacks. Experimental results demonstrate that the proposed method achieves a detection accuracy of 99.94% with a 3% sampling rate within 6 seconds, even in hybrid attack scenarios. This approach provides a lightweight solution for real-time detection of multi-dimensional LDoS attacks in high-speed network environments, particularly suited for resource-constrained scenarios with large-scale traffic.

Key words: LDoS, sketch, dynamic flow sampling, multi-dimensional temporal features, lightweight detection

CLC Number:

TP309

XU Yifan, CHENG Guang, ZHOU Yuyang. Research on Complex LDoS Attack Detection Methods under Sampling Conditions[J]. Netinfo Security, 2026, 26(1): 79-90.

Figures/Tables 17

References 26

[1]	NEEDHAM R M. Denial of Service: An Example[J]. Communications of the ACM, 1994, 37(11): 42-46.
[2]	KUZMANOVIC A, KNIGHTLY E W. Low-Rate TCP-Targeted Denial of Service Attacks:the Shrew vs. The Mice and Elephants[C]// ACM. The 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications. New York: ACM, 2003: 75-86.
[3]	MACIÁ-FERNÁNDEZ G, DÍAZ-VERDEJO J E, GARCÍA-TEODORO P. Evaluation of a Low-Rate DoS Attack Against Iterative Servers[J]. Computer Networks, 2007, 51(4): 1013-1030. doi: 10.1016/j.comnet.2006.07.002 URL
[4]	OKTA. Slowloris DDoS Attack: Definition, Damage&Deffense[EB/OL]. (2024-09-01)[2025-10-12]. https://www.okta.com/identity-101/slowloris/.
[5]	TOULAS B. Italian CERT: Hacktivists Hit Govt Sites in ‘Slow HTTP’ DDoS Attacks[EB/OL]. (2020-05-13)[2025-10-12]. https://www.bleepingcomputer.com/news/security/italian-cert-hacktivists-hit-govt-sites-in-slow-http-ddos-attacks/.
[6]	SUN Haibin, LUI J C S, YAU D K Y. Defending Against Low-Rate TCP Attacks: Dynamic Detection and Protection[C]// IEEE. The 12th IEEE International Conference on Network Protocols (ICNP 2004). New York: IEEE, 2004: 196-205.
[7]	TANG Dan, WANG Xiyin, LI Xiong, et al. AKN-FGD: Adaptive Kohonen Network Based Fine-Grained Detection of LDoS Attacks[J]. IEEE Transactions on Dependable and Secure Computing, 2023, 20(1): 273-287. doi: 10.1109/TDSC.2021.3131531 URL
[8]	XIANG Yang, LI Ke, ZHOU Wanlei. Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics[J]. IEEE Transactions on Information Forensics and Security, 2011, 6(2): 426-437. doi: 10.1109/TIFS.2011.2107320 URL
[9]	YUE Meng, WU Zhijun, WANG Jingjie. Detecting LDoS Attack Bursts Based on Queue Distribution[J]. IET Information Security, 2019, 13(3): 285-292. doi: 10.1049/iet-ifs.2018.5097
[10]	TANG Dan, TANG Liu, DAI Rui, et al. MF-Adaboost: LDoS Attack Detection Based on Multi-Features and Improved Adaboost[J]. Future Generation Computer Systems, 2020, 106: 347-359. doi: 10.1016/j.future.2019.12.034 URL
[11]	LUO Xiapu, CHANG R K C. On A New Class of Pulsing Denial-of-Service Attacks and the Defense[C]// NDSS. NDSS Symposium 2005. SanDiego: NDSS, 2005: 67-85.
[12]	CHEN Zhaomin, YEO C K, LEE B S, et al. Power Spectrum Entropy Based Detection and Mitigation of Low-Rate DoS Attacks[J]. Computer Networks, 2018, 136: 80-94. doi: 10.1016/j.comnet.2018.02.029 URL
[13]	ZHANG Naiji, JAAFAR F, MALIK Y. Low-Rate DoS Attack Detection Using PSD Based Entropy and Machine Learning[C]// IEEE. 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom). New York: IEEE, 2019: 59-62.
[14]	WU Zhijun, ZHANG Liyuan, YUE Meng. Low-Rate DoS Attacks Detection Based on Network Multifractal[J]. IEEE Transactions on Dependable and Secure Computing, 2016, 13(5): 559-567. doi: 10.1109/TDSC.2015.2443807 URL
[15]	CHEN Hongsong, MENG Caixia, SHAN Zhiguang, et al. A Novel Low-Rate Denial of Service Attack Detection Approach in ZigBee Wireless Sensor Network by Combining Hilbert-Huang Transformation and Trust Evaluation[J]. IEEE Access, 2019, 7: 32853-32866. doi: 10.1109/ACCESS.2019.2903816
[16]	JAZI H H, GONZALEZ H, STAKHANOVA N, et al. Detecting HTTP-Based Application Layer DoS Attacks on Web Servers in the Presence of Sampling[J]. Computer Networks, 2017, 121: 25-36. doi: 10.1016/j.comnet.2017.03.018 URL
[17]	REED A, DOOLEY L S, MOSTEFAOUI S K. A Reliable Real-Time Slow DoS Detection Framework for Resource-Constrained IoT Networks[C]// IEEE. 2021 IEEE Global Communications Conference (GLOBECOM). New York: IEEE, 2022: 1-6.
[18]	XU Congyuan, SHEN Jizhong, DU Xin. Low-Rate DoS Attack Detection Method Based on Hybrid Deep Neural Networks[EB/OL]. [2025-10-30]. https://doi.org/10.1016/j.jisa.2021.102879.
[19]	JANSI RANI S V, IOANNOU I, NAGARADJANE P, et al. Detection of DDoS Attacks in D2D Communications Using Machine Learning Approach[J]. Computer Communications, 2023, 198: 32-51. doi: 10.1016/j.comcom.2022.11.013 URL
[20]	GARCIA N, ALCANIZ T, GONZÁLEZ-VIDAL A, et al. Distributed Real-Time SlowDoS Attacks Detection over Encrypted Traffic Using Artificial Intelligence[EB/OL]. (2021-01-01)[2025-10-30]. https://doi.org/10.1016/j.jnca.2020.102871.
[21]	WEN Kun, YANG Jiahai, ZHANG Bin. Survey on Research and Progress of Low-Rate Denial of Service Attacks[J]. Journal of Software, 2014, 25(3): 591-605.
	文坤, 杨家海, 张宾. 低速率拒绝服务攻击研究与进展综述[J]. 软件学报, 2014, 25(3): 591-605.
[22]	RFC 2988. Computing TCP’s Retransmission Timer[EB/OL]. [2025-10-12]. https://www.rfc-editor.org/rfc/pdfrfc/rfc2988.txt.pdf.
[23]	LI D C, TU H H, CHOU L D. Cross-Layer Detection and Defence Mechanism Against DDoS and DRDoS Attacks in Software-Defined Networks Using P4 Switches[EB/OL]. (2021-01-01)[2025-10-30]. https://doi.org/10.1016/j.compeleceng.2024.10930.
[24]	WANG Zhi, ZHANG Hao, GU Jianjun. A Hybrid Method of Joint Entropy and Multiple Clustering Based DDoS Detection in SDN[J]. Netinfo Security, 2023, 23(10): 1-7.
	王智, 张浩, 顾建军. SDN网络中基于联合熵与多重聚类的DDoS攻击检测[J]. 信息网络安全, 2023, 23(10): 1-7.
[25]	CHEN Jinfeng, WU Hua, WANG Suyue, et al. An Accurate and Real-Time Detection Method for Concealed Slow HTTP DoS in Backbone Network[C]// Springer. ICT Systems Security and Privacy Protection. Heidelberg: Springer, 2024: 207-221.
[26]	HU Xiaoyan, GAO Wenjie, CHENG Guang, et al. Toward Early and Accurate Network Intrusion Detection Using Graph Embedding[J]. IEEE Transactions on Information Forensics and Security, 2023, 18: 5817-5831. doi: 10.1109/TIFS.2023.3318960 URL

特征	意义
FlowLength	数据流总长度
SampleLength	采样后数据流长度
DownLength	下行数据流长度
UpLength	上行数据流长度
ByteTotal	采样数据流字节数
PayloadDisp	数据包大小散布
AvgPacket	平均数据包大小
FlowRate	流速
SendPortDisp	目的端口散布
RecPortDisp	源端口散布
SYNPacket	SYN为1的数据包数量
RWND_0	接收窗口为0的数据包数量

名称	类型	字节
Length	Counter	1
SampleLength	Counter	1
ByteTotal	Counter	1
SYNPacket	Counter	1
RWND_0	Counter	1
PayloadDisp	Bitmap	2
SendPortDisp	Bitmap	2
RecPortDisp	Bitmap	2

模型	Accuracy	Recall	FPR	F1
逻辑回归	99.80%	99.84%	1.07%	99.89%
决策树	99.92%	99.98%	1.28%	99.96%
随机森林	99.94%	99.99%	1.08%	99.96%
XGBoost	99.92%	99.99%	1.49%	99.96%

${{\varepsilon }^{2}}$	Accuracy	Recall	FPR	F1	抽样
1	99.94%	99.99%	1.08%	99.96%	3.45%
2	99.94%	99.98%	0.88%	99.97%	3.20%
3	99.94%	99.99%	1.03%	99.97%	3.09%
4	99.93%	99.96%	0.95%	99.96%	3.03%
5	99.94%	99.95%	0.20%	99.97%	3.01%

时间/s	Accuracy	Recall	FPR	F1
1	99.94%	99.95%	0.20%	99.97%
2	99.95%	100%	1.07%	99.97%
3	99.97%	99.97%	0	99.98%
4	99.97%	99.97%	0.95%	99.98%
5	99.98%	99.98%	0.85%	99.99%