{"title":"A novel measure for low-rate and high-rate DDoS attack detection using multivariate data analysis","authors":"N. Hoque, D. Bhattacharyya, J. Kalita","doi":"10.1109/COMSNETS.2016.7439939","DOIUrl":null,"url":null,"abstract":"Distributed Denial of Service (DDoS) attack is a major security threat for networks and Internet services. The complexity and frequency of occurrence of DDoS attacks are growing in parallel with rapid developments of the Internet and associated computer networks. A significant number of network security tools are available on the Internet to generate network attacks as well as to defend and analyze network attacks. Attackers can generate attack traffic similar to normal network traffic using sophisticated attacking tools. In such a situation, many defense solutions fail to identify DDoS attacks in real-time. DDoS attack traffic typically behaves differently from legitimate network traffic in terms of traffic features. Statistical properties of various features can be analyzed to distinguish the attack traffic from legitimate traffic. In this paper, we introduce a statistical measure called Feature Feature Score (FFSc) for multivariate data analysis to distinguish DDoS attack traffic from normal traffic. We extract three features of network traffic, viz., entropy of source IPs, variation of source IPs and packet rate to analyze the behavior of network traffic for attack detection. 
The method is validated using CAIDA DDoS 2007 and MIT DARPA datasets.","PeriodicalId":185861,"journal":{"name":"2016 8th International Conference on Communication Systems and Networks (COMSNETS)","volume":"80 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-09-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"31","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 8th International Conference on Communication Systems and Networks (COMSNETS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/COMSNETS.2016.7439939","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 31