Low Rate Denial of Service Discovery via Genetic Programming (GP)
Abstract
Nowadays we depend on technology in almost every aspect of our lives. Technology is used in several critical sectors such as government, medical, industrial, transportation, financial, and more. Thus, ensuring high availability is essential to provide the required services. However, it is not an easy task to achieve, since many attacks target the availability of the system by performing so-called Denial-of-Service (DoS) attacks.
One type of DoS attack is the Low-rate Denial-of-Service (LDoS) attack, where the attack is performed with minimal network traffic generated by the attacker, which makes its detection much harder than for a regular DoS attack. LDoS network traffic appears like legitimate traffic in most cases. Since it is harder to detect and can be performed in several ways, techniques from the field of Artificial Intelligence (AI) could help discover how highly efficient LDoS attacks can be launched, and the knowledge gained could be used to train intrusion detection systems (IDS) to detect such attacks efficiently and effectively.
This study applies the Genetic Programming (GP) method as an AI approach to investigate ways of discovering LDoS attacks. As part of the study, a client-server simulation was developed to be used as a testing environment. The performance measure developed is the Average Response Time (ART), because maximizing it is likely to yield a full buffer while minimizing rejected requests, which matches LDoS attack behavior. The GP performance was benchmarked against different request arrival approaches to test the effectiveness of the GP results.
We can regard a DoS attack as a carefully chosen set of times to send service requests. The GP experiments performed were able to synthesize a function that finds the best time to send the next request, based on information available to the requester (attacker), in order to perform an LDoS attack. One of the findings was to send requests using an increment of a constant close to the server's average service time, which indicates a reasonable attempt to fill up the buffer while keeping the number of rejections low.
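The trade-off described above can be reproduced in a small queueing model. This is an added sketch, not the study's simulator: it assumes a single FIFO server, a finite buffer of 10 requests, exponentially distributed service times with mean 1.0, and constructed arrival increments of 5.0, 1.0 and 0.2 time units.

```python
import random
from collections import deque

def simulate(interval, n_requests=5000, mean_service=1.0, buffer_size=10, seed=1):
    """Feed one FIFO server a request every `interval` time units.

    Assumed model (not from the study): finite buffer that counts the request
    in service, exponentially distributed service times, no retries.
    """
    rng = random.Random(seed)
    in_system = deque()   # departure times of accepted, unfinished requests
    total_response, accepted, rejected = 0.0, 0, 0
    for k in range(n_requests):
        now = k * interval
        while in_system and in_system[0] <= now:   # completed before this arrival
            in_system.popleft()
        if len(in_system) >= buffer_size:          # buffer full: reject
            rejected += 1
            continue
        start = in_system[-1] if in_system else now   # queue behind earlier work
        done = start + rng.expovariate(1.0 / mean_service)
        in_system.append(done)
        total_response += done - now
        accepted += 1
    return {"art": total_response / accepted, "rejected": rejected,
            "rate": 1.0 / interval}

def compare(intervals=(5.0, 1.0, 0.2)):
    """Sparse traffic, an increment equal to the mean service time, and a flood."""
    return {i: simulate(i) for i in intervals}

if __name__ == "__main__":
    for interval, r in compare().items():
        print(f"increment={interval:<4} rate={r['rate']:.1f} per time unit "
              f"ART={r['art']:.2f} rejected={r['rejected']}")
```

In this model the increment of 1.0 offers load equal to the server's nominal capacity, so a monitor that only thresholds request rate sees nothing unusual; the rise in ART relative to the sparse case, with far fewer rejections than the flood, is the signal to alert on.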