Poster: LEADER (Low-Rate Denial-of-Service Attacks Defense)

Low-rate denial-of-service(LRD) attacks are often hard to detect at the network level as they consume little bandwidth. Both the legitimate traffic and the attack traffic look alike. Moreover, the attack traffic often appears to comply with transport protocol, and application protocol semantics. It is the intricacies in the payloads and the dynamics of the attack traffic that induces denial-of-service on servers when processed by specific hardware and software. We introduce Leader, a hybrid approach for applicationagnostic and attack-agnostic detection and mitigation of LRD attacks. Leader operates by learning normal patterns of network, application and system-level resources when processing legitimate external requests. It relies on a novel combination of runtime, system and network monitoring and offline binary program analysis.