{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,4]],"date-time":"2026-05-04T13:27:39Z","timestamp":1777901259149,"version":"3.51.4"},"reference-count":40,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2019,12,29]],"date-time":"2019-12-29T00:00:00Z","timestamp":1577577600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["No.61772189,No.61702173"],"award-info":[{"award-number":["No.61772189,No.61702173"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100004735","name":"Natural Science Foundation of\u00a0Hunan Province","doi-asserted-by":"publisher","award":["No.2019JJ40037"],"award-info":[{"award-number":["No.2019JJ40037"]}],"id":[{"id":"10.13039\/501100004735","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Low-rate denial of service (LDoS) attacks reduce the quality of network service by sending periodical packet bursts to the bottleneck routers. It is difficult to detect by counter-DoS mechanisms due to its stealthy and low average attack traffic behavior. In this paper, we propose an anomaly detection method based on adaptive fusion of multiple features (MAF-ADM) for LDoS attacks. This study is based on the fact that the time-frequency joint distribution of the legitimate transmission control protocol (TCP) traffic would be changed under LDoS attacks. Several statistical metrics of the time-frequency joint distribution are chosen to generate isolation trees, which can simultaneously reflect the anomalies in time domain and frequency domain. Then we calculate anomaly score by fusing the results of all isolation trees according to their ability to isolate samples containing LDoS attacks. Finally, the anomaly score is smoothed by weighted moving average algorithm to avoid errors caused by noise in the network. Experimental results of Network Simulator 2 (NS2), testbed, and public datasets (WIDE2018 and LBNL) demonstrate that this method does detect LDoS attacks effectively with lower false negative rate.<\/jats:p>","DOI":"10.3390\/s20010189","type":"journal-article","created":{"date-parts":[[2019,12,30]],"date-time":"2019-12-30T05:49:41Z","timestamp":1577684981000},"page":"189","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":17,"title":["Low-Rate DoS Attacks Detection Based on MAF-ADM"],"prefix":"10.3390","volume":"20","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0749-4336","authenticated-orcid":false,"given":"Sijia","family":"Zhan","sequence":"first","affiliation":[{"name":"College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dan","family":"Tang","sequence":"additional","affiliation":[{"name":"College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jianping","family":"Man","sequence":"additional","affiliation":[{"name":"College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Rui","family":"Dai","sequence":"additional","affiliation":[{"name":"College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xiyin","family":"Wang","sequence":"additional","affiliation":[{"name":"College of Computer Science and Electronic Engineering, Hunan University, Changsha 410082, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2019,12,29]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Jhaveri, R.H., Patel, S.J., and Jinwala, D. (2012, January 7\u20138). DoS Attacks in Mobile Ad Hoc Networks: A Survey. Proceedings of the Second International Conference on Advanced Computing & Communication Technologies, Rohtak, Haryana, India.","DOI":"10.1109\/ACCT.2012.48"},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"44","DOI":"10.1016\/j.ipl.2018.06.001","article-title":"Low Rate Cloud DDoS Attack Defense Method Based on Power Spectral Density Analysis","volume":"138","author":"Neha","year":"2018","journal-title":"Inf. Process. Lett."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"685","DOI":"10.1016\/j.future.2018.07.017","article-title":"An early detection of low rate DDoS attack to SDN based data center networks using information distance metrics","volume":"89","author":"Sahoo","year":"2018","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_4","unstructured":"Cao, J., Li, Q., Xie, R., Sun, K., Gu, G., Xu, M., and Yang, Y. (2019, January 14\u201316). The CrossPath Attack: Disrupting the SDN Control Channel via Shared Links. Proceedings of the 28th USENIX Security Symposium (USENIX Security 19), USENIX, Santa Clara, CA, USA."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"De Almeida, M.P., J\u00fanior, D.S., Tim\u00f3teo, R., Villalba, G., Javier, L., and Tai-Hoon, K. (2018). New DoS Defense Method Based on Strong Designated Verifier Signatures. Sensors, 18.","DOI":"10.3390\/s18092813"},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Gao, J., Chai, S., Zhang, B., and Xia, Y. (2019). Research about DoS Attack against ICPS. Sensors, 19.","DOI":"10.3390\/s19071542"},{"key":"ref_7","first-page":"2169","article-title":"A Novel Low-Rate Denial of Service Attack Detection Approach in ZigBee Wireless Sensor Network by Combining Hilbert-Huang Transformation and Trust Evaluation","volume":"7","author":"Chen","year":"2019","journal-title":"IEEE Access"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Renuka, K., Kumar, S., Kumari, S., and Chen, C.M. (2019). Cryptanalysis and Improvement of a Privacy-Preserving Three-Factor Authentication Protocol for Wireless Sensor Networks. Sensors, 19.","DOI":"10.3390\/s19214625"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Afianti, F., Wirawan, I., and Suryani, T. (2018). Dynamic Cipher Puzzle for Efficient Broadcast Authentication in Wireless Sensor Networks. Sensors, 18.","DOI":"10.3390\/s18114021"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"234","DOI":"10.1016\/j.comnet.2019.01.007","article-title":"Introducing the SlowDrop Attack","volume":"150","author":"Cambiaso","year":"2019","journal-title":"Comput. Netw."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Thomas, J.D.C. (2019). Efficient DDoS flood attack detection using dynamic thresholding on flow-based network traffic. Comput. Secur., 284\u2013295.","DOI":"10.1016\/j.cose.2019.01.002"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"1854","DOI":"10.4304\/jsw.9.7.1854-1861","article-title":"Research on the Aggregation and Synchronization of LDDoS Attack Based on Euclidean Distance","volume":"9","author":"Yue","year":"2014","journal-title":"J. Softw."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"749","DOI":"10.1109\/TCNS.2016.2550858","article-title":"Sustainability of Service Provisioning Systems Under Stealth DoS Attacks","volume":"4","author":"Paschos","year":"2017","journal-title":"IEEE Trans. Control Netw. Syst."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Marnerides, A.K., Pezaros, D.P., Kim, H.C., and Hutchison, D. (2013, January 9\u201313). Internet traffic classification using energy time-frequency distributions. Proceedings of the 2013 IEEE International Conference on Communications, Budapest, Hungary.","DOI":"10.1109\/ICC.2013.6654911"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"3815","DOI":"10.1002\/sec.1302","article-title":"A new metric for flow-level filtering of low-rate DDoS attacks","volume":"8","author":"Stimsek","year":"2016","journal-title":"Secur. Commun. Netw."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"64","DOI":"10.1016\/j.comnet.2019.01.031","article-title":"Sequence Alignment Detection of TCP-targeted Synchronous Low-rate DoS Attacks","volume":"152","author":"Wu","year":"2019","journal-title":"Comput. Netw."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Stimsek, M., and Senturk, A. (2018). Fast and lightweight detection and filtering method for low-rate TCP targeted distributed denial of service (LDDoS) attacks. Int. J. Commun. Syst.","DOI":"10.1002\/dac.3823"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"6705347","DOI":"10.1155\/2019\/6705347","article-title":"CCID: Cross-Correlation Identity Distinction Method for Detecting Shrew DDoS","volume":"2019","author":"Huang","year":"2019","journal-title":"Wirel. Commun. Mob. Comput."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"426","DOI":"10.1109\/TIFS.2011.2107320","article-title":"Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics","volume":"6","author":"Xiang","year":"2011","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"98","DOI":"10.1109\/CC.2017.7961367","article-title":"Low-Rate DoS Attack Flows Filtering Based on Frequency Spectral Analysis","volume":"14","author":"Wu","year":"2017","journal-title":"China Commun."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Thangavel, S., and Kannan, S. (2019). Detection and trace back of low and high volume of distributed denial-of-service attack based on statistical measures. Concurr. Comput. Pract. Exp., e5428.","DOI":"10.1002\/cpe.5428"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Kuzmanovic, A., and Knightly, E.W. (2003, January 25\u201329). Low-rate TCP-targeted denial of service attacks: The shrew vs. the mice and elephants. Proceedings of the ACM SIGCOMM 2003 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, Karlsruhe, Germany.","DOI":"10.1145\/863955.863966"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"80","DOI":"10.1016\/j.comnet.2018.02.029","article-title":"Power Spectrum Entropy based Detection and Mitigation of Low-Rate DoS Attacks","volume":"136","author":"Zhaomin","year":"2018","journal-title":"Comput. Netw."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Paxson, V., Allman, M., Chu, H.J., and Sargent, M. (2011). Computing TCP\u2019s Retransmission Timer. Techn. Rep.","DOI":"10.17487\/rfc6298"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Chertov, R., Fahmy, S., and Fahmy, S. (2006, January 1\u20133). Emulation versus simulation: A case study of TCP-targeted denial of service attacks. Proceedings of the International Conference on Testbeds & Research Infrastructures for the Development of Networks & Communities, Barcelona, Spain.","DOI":"10.1109\/TRIDNT.2006.1649164"},{"key":"ref_26","first-page":"2981","article-title":"Adaptive EWMA Method Based on Abnormal Network Traffic for LDoS Attacks","volume":"9","author":"Tang","year":"2014","journal-title":"Math. Probl. Eng."},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"285","DOI":"10.1049\/iet-ifs.2018.5097","article-title":"Detecting LDoS Attack Bursts based on Queue Distribution","volume":"13","author":"Yue","year":"2019","journal-title":"IET Inf. Secur."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"559","DOI":"10.1109\/TDSC.2015.2443807","article-title":"Low-Rate DoS Attacks Detection Based on Network Multifractal","volume":"13","author":"Wu","year":"2016","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"69","DOI":"10.1016\/j.comnet.2016.09.017","article-title":"MAF-SAM: An effective method to perceive data plane threats of inter domain routing system","volume":"110","author":"Guo","year":"2016","journal-title":"Comput. Netw."},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Tang, D., Dai, R., Tang, L., Zhan, S., and Man, J. (2018, January 29\u201331). Low-Rate DoS Attack Detection Based on Two-Step Cluster Analysis. Proceedings of the 20th International Conference Information and Communications Security, Lille, France.","DOI":"10.1007\/978-3-030-01950-1_6"},{"key":"ref_31","first-page":"1590","article-title":"Detection of LDDoS Attack Based on Kalman Filtering","volume":"36","author":"Wu","year":"2008","journal-title":"Acta Electron. Sin."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"3533","DOI":"10.1016\/j.comnet.2011.06.027","article-title":"Joint time-frequency sparse estimation of large-scale network traffic","volume":"55","author":"Jiang","year":"2011","journal-title":"Comput. Netw."},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"1231","DOI":"10.1109\/TSP.2003.810293","article-title":"Short-time Fourier transform: Two fundamental properties and an optimal implementation","volume":"51","author":"Ata","year":"2003","journal-title":"IEEE Trans. Signal Process."},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Liu, F.T., Ting, K.M., and Zhou, Z.H. (2009, January 15\u201319). Isolation Forest. Proceedings of the Eighth IEEE International Conference on Data Mining, Pisa, Italy.","DOI":"10.1109\/ICDM.2008.17"},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/2133360.2133363","article-title":"Isolation-Based Anomaly Detection","volume":"6","author":"Liu","year":"2012","journal-title":"ACM Trans. Knowl. Discov. Data"},{"key":"ref_36","unstructured":"Fall, K., and Varadhan, K. (2019, April 30). The NS Manual. Available online: http:\/\/www.isi.edu\/nsnam\/ns\/."},{"key":"ref_37","unstructured":"LBNL, and ICSI (2019, May 27). LBNL\u2019s Internal Enterprise Traffic. Available online: http:\/\/www.icir.org\/enterprise-tracing."},{"key":"ref_38","unstructured":"(2019, August 15). Packet Traces from WIDE Backbone. MAWI Group Working. Available online: http:\/\/mawi.wide.ad.jp\/."},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"e2993","DOI":"10.1002\/dac.2993","article-title":"An adaptive KPCA approach for detecting LDoS attack","volume":"30","author":"Zhang","year":"2015","journal-title":"Int. J. Commun. Syst."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Liu, H., and Kim, M.S. (2010, January 23\u201327). Real-Time Detection of Stealthy DDoS Attacks Using Time-Series Decomposition. Proceedings of the IEEE International Conference on Communications, Cape Town, South Africa.","DOI":"10.1109\/ICC.2010.5501975"}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/20\/1\/189\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T13:46:30Z","timestamp":1760190390000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/20\/1\/189"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,12,29]]},"references-count":40,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2020,1]]}},"alternative-id":["s20010189"],"URL":"https:\/\/doi.org\/10.3390\/s20010189","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,12,29]]}}}