shrew ddos attack detection based on statistical analysis

Distributed denial of service (ddos) attacks are of two kinds viz. high-rate ddos (hrddos) attacks and low-rate ddos (lrddos) attacks. a shrew attack is a lrddos attack that can prove to be more harmful than a hrddos attack since they are not easily noticeable and are stealthy. they cause tcp flows to attain near-zero throughput by sending attack pulses of very short bursts synchronized with the tcp retransmission timeout (rto) value. consequently, it compels the tcp packets to be dropped whenever it tries to retransmit again after the timeout. thus, it may endanger the victim systems if not detected for a long time and reduce the overall quality of services without being noticed. in this paper, we perform the analysis of the network traffic based on a statistical approach where the deviation in the behavior of the flows is analyzed based on the packets sent during the normal and attack conditions. to do this, we determine the participation of a flow in congestion and its adherence to the legitimate tcp-compliant nature during attack conditions based on a priority determiner d. the shrew attack flows exhibit higher values of $d$ as they do not adhere to the tcp compliance and tend to contribute to more congestion to disrupt a server. this nature of attack flows enables us to filter them based on the values of $d$ and mitigate them by blocking these flows. the experimental results on various scenarios demonstrated high accuracy to substantiate the efficacy of the proposed method.