To detect new high-distributed low-rate QoS violation driven by LDoS attack and guarantee high network QoS,a novel recognition scheme was proposed with the consideration of multiple network features in both macro and micro aspects.At micro-level feature, the weighted sum of FLAG control bits was used to describe an internal micro-change in TCP package header.Meanwhile,the power spectral density(PSD) feature ofI-I-Ptriple was calculated in order to reflect the inherent periodicity of LDoS Attack;at macro-level feature,Rfeature was introduced to mark the change in ratio of sent_flow and received_flow. Multi-dimensional observation state sequences can be constituted with these features that further form multi-stream fused hidden Markov model (MF-HMM).MF-HMM was applied to automatically recognize QoS violation.In addition,Kaufman algorithm was used to dynamically adjust and upgrade threshold value.Experiments showed that the approach effectively reduces the false-positive rate and false-negative rate in recognition.Moreover,it has an especially high recognition rate for new high-distributed low-rate QoS violation driven by LDoS even in complexity background network traffic.
