Detection of stealthy TCP-based DoS attacks

Denial of service (DoS) attacks are among the most crippling of network attacks because they are easy to orchestrate and usually cause an immediate shutdown of whatever resource is targeted. Today´s intrusion detection systems check if specific single scalar features exceed a threshold to determine if a specific TCP-based DoS attack is underway. To defeat such systems we demonstrate that an attacker can simply launch a combination of attack threads, each of which on its own does not break a system down but together can be very potent. We demonstrate that such attacks cannot be detected by simple threshold based statistical anomaly detection techniques that are used in today´s intrusion detection systems. We argue that an effective way to detect such attacks is by jointly considering multiple features that are affected by such attacks. Based on this, we identify a possible set of such features and design a new detection approach that jointly examines these features with regards to whether each exceeds a high threshold or is below a low threshold. We demonstrate that this approach is extremely effective in detecting stealthy DoS attacks; the true positive rate is close to 100 % and the false positive rate is decreased by about 66 % as compared to traditional detectors.