Detection of Pulsing DoS Attacks at Their Source Networks

Pulsing Denial of Service (PDoS) is a type of DoS attack. Its attacking behavior is intermittent rather than constant, which helps it avoid being detected. In this paper, an adaptive detection method is proposed for source-end detection of PDoS attacks. It has three distinctive features: (i) its detection statistic is based on the discrepancy in the aggregated outbound and inbound packets; (ii) a self-adaptive detection threshold adapts it quickly to the variations of network traffic and the latest detection result; (iii) random abnormalities in the normal network traffic can be filtered by consecutive accumulation of threshold violations. Experimental results show the minimum attack traffic that can be detected is less than 35% of the background traffic, under the requirements that probability of false alarms is less than 10-6, probability of a miss during an attack is less than 10-2 and detection delay is within 7 sampling periods.