Behavioural analysis and signature-based detection of Slowloris

This is a Bachelor's thesis from Mälardalens universitet/Akademin för innovation, design och teknik

Author: Joakim Ljunglin; [2022]

Abstract: It is important to efficiently and correctly be able to detect and classify network traffic, both legitimate and malicious. The slow rate category of DoS attacks makes this task especially hard, as the generated traffic resembles legitimate traffic. This thesis proposes a specialized packet signature for the slow DoS attack Slowloris, as a result of a traffic analysis comparing legitimate traffic and malicious Slowloris traffic. The analysis was performed through packet inspection with a network protocol analyzing tool. The proposed signature focuses on different data sizes of each packet and payload inspection, specifically assessing the beginnings and endings of the payload. To evaluate the signature, it was implemented as a detection tool which was then exposed to normal rate legitimate, slow rate legitimate and malicious traffic. The tool was evaluated by measuring its accuracy and false positive rate. Each evaluation consisted of 100,000 packets and was repeated 50 times, resulting in an evaluation set of five million packets. The tool achieved an average accuracy rate of 98.3% and a false positive rate of 0.0%.
