Researchers in the Department of Computer Science & Engineering at Tezpur University, located in Assam, India, published a long essay on Anomaly based DDoS Attack Detection in 2015 in the International Journal of Computer Applications. What follows is a short summary of the work by Chaitanya Buragohain, Manash Jyoti Kalita, Santosh Singh and Dhruba K. Bhattacharyya.
Approaches to DDoS mitigation can be broadly broken into three types, depending on where they are deployed: victim-end, source-end and immediate router defense. Most current methods of protection favor the victim-end category, which demands real-time or near real-time detection and high accuracy in detection.
Existing methodologies employed for DDoS attack detection can be broken into four primary categories:
- Statistical Methods – Statistical approaches are commonly used to identify DDoS attacks, either in a centralized or a distributed mode. Most of these methods are deployed at the victim-end and try to handle attacks with a minimum number of features.
- Soft Computing Method – Soft computing techniques such as Fuzzy reasoning and Artificial Neural Network are used to identify DDoS attacks. These are generally supervised and perform well for already-known attacks.
- Knowledge Based Model – A knowledge-based method can be used at both the victim-end and the intermediate network.
- Other Data Mining and Machine Learning Methods – Data mining and machine learning methods are increasingly being used to identify DDoS attacks. Note: this field has grown exponentially since the essay by Bhattacharyya et al. was written.
Bhattacharyya et al. propose a new detection method which, although it also uses a statistical approach, additionally “uses an ensemble of feature selectors using PCA based feature selector and correlation based feature selector.” They add, “A weighted majority based voting is used to combine the output of each individual feature selector. The weight of each feature selector (FS) is decided on the individual performance of each FS. In this proposed experimentation, it has been observed that the performance of information gain (IG) based on FS is best.”
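The ensemble idea above, as an added illustration that is not code from the paper: three feature selectors (correlation with the label, information gain on a median split, and loading on the first principal component) each nominate their top features over a constructed set of per-window traffic features, and a weighted majority vote combines their nominations. The sample rows, the feature names and the per-selector `WEIGHTS` are constructed assumptions; the paper derives each weight from that selector's measured performance, which the fixed dictionary here only stands in for.

```python
import math
from typing import Callable, Dict, List, Tuple

# Constructed per-window traffic feature vectors (not data from the paper):
# (pkt_rate, syn_ratio, avg_pkt_len, unique_src) with label 1 = attack window.
# pkt_rate and syn_ratio separate the classes; the other two are deliberately noise.
FEATURE_NAMES = ["pkt_rate", "syn_ratio", "avg_pkt_len", "unique_src"]
Sample = Tuple[List[float], int]
SAMPLES: List[Sample] = [
    ([100, 0.10, 500, 20], 0),
    ([120, 0.12, 480, 25], 0),
    ([90, 0.08, 520, 18], 0),
    ([110, 0.11, 510, 22], 0),
    ([5000, 0.90, 490, 21], 1),
    ([6000, 0.95, 515, 24], 1),
    ([5500, 0.92, 505, 19], 1),
    ([4800, 0.88, 495, 23], 1),
]


def column(rows: List[Sample], j: int) -> List[float]:
    return [r[0][j] for r in rows]


def labels_of(rows: List[Sample]) -> List[int]:
    return [r[1] for r in rows]


def zscore(values: List[float]) -> List[float]:
    mean = sum(values) / len(values)
    sd = math.sqrt(sum((v - mean) ** 2 for v in values) / len(values)) or 1.0
    return [(v - mean) / sd for v in values]


def correlation_scores(rows: List[Sample]) -> List[float]:
    """Correlation-based selector: |Pearson r| between each feature and the label."""
    zl = zscore(labels_of(rows))
    return [abs(sum(a * b for a, b in zip(zscore(column(rows, j)), zl)) / len(rows))
            for j in range(len(FEATURE_NAMES))]


def entropy(values: List[int]) -> float:
    n = len(values)
    return -sum((values.count(v) / n) * math.log2(values.count(v) / n) for v in set(values))


def info_gain_scores(rows: List[Sample]) -> List[float]:
    """Information-gain selector: split each feature at its median,
    IG = H(label) - H(label | side of the split)."""
    labels = labels_of(rows)
    base = entropy(labels)
    scores = []
    for j in range(len(FEATURE_NAMES)):
        col = column(rows, j)
        s = sorted(col)
        mid = len(s) // 2
        median = s[mid] if len(s) % 2 else (s[mid - 1] + s[mid]) / 2
        above = [lab for x, lab in zip(col, labels) if x > median]
        below = [lab for x, lab in zip(col, labels) if x <= median]
        cond = sum(entropy(g) * len(g) / len(labels) for g in (above, below) if g)
        scores.append(base - cond)
    return scores


def pca_scores(rows: List[Sample], iters: int = 200) -> List[float]:
    """PCA-based selector: magnitude of each feature's loading on the first principal
    component of the standardized data, found by power iteration on the covariance matrix."""
    cols = [zscore(column(rows, j)) for j in range(len(FEATURE_NAMES))]
    n, d = len(rows), len(cols)
    cov = [[sum(cols[a][i] * cols[b][i] for i in range(n)) / n for b in range(d)] for a in range(d)]
    v = [1.0] * d
    for _ in range(iters):
        w = [sum(cov[a][b] * v[b] for b in range(d)) for a in range(d)]
        norm = math.sqrt(sum(x * x for x in w))
        v = [x / norm for x in w]
    return [abs(x) for x in v]


SELECTORS: Dict[str, Callable[[List[Sample]], List[float]]] = {
    "info_gain": info_gain_scores, "correlation": correlation_scores, "pca": pca_scores,
}
# Assumed weights standing in for each selector's measured validation performance
# (the paper reports the information-gain selector performing best).
WEIGHTS: Dict[str, float] = {"info_gain": 0.95, "correlation": 0.90, "pca": 0.80}


def ensemble_select(rows: List[Sample], selectors=SELECTORS, weights=WEIGHTS, k: int = 2) -> List[str]:
    """Weighted majority vote: each selector nominates its top-k features; a feature is kept
    when the weight behind it exceeds half of the total weight of all selectors."""
    votes = {name: 0.0 for name in FEATURE_NAMES}
    for sel_name, fn in selectors.items():
        scores = fn(rows)
        for j in sorted(range(len(scores)), key=lambda i: scores[i], reverse=True)[:k]:
            votes[FEATURE_NAMES[j]] += weights[sel_name]
    threshold = sum(weights.values()) / 2
    return sorted(f for f, v in votes.items() if v > threshold)


if __name__ == "__main__":
    for name, fn in SELECTORS.items():
        print(name, [round(x, 3) for x in fn(SAMPLES)])
    print("selected:", ensemble_select(SAMPLES))
```

On this constructed data all three selectors agree, so the vote is unanimous; the weighting only matters when selectors disagree, which is exactly the case where a weaker selector's opinion should count for less than the best-performing one.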
The researchers say that this method can work both at the raw traffic level and at the preprocessed traffic feature level. Attempts to detect DDoS attacks at the raw traffic level involve selecting a minimum number of attributes, such as source IP, destination IP, timestamp, etc., and the use of a faster packet rate analyzer algorithm over a t-second window interval. The algorithm can be divided into three parts: (i) rate analyzer, (ii) packet rate analyzer and (iii) protocol rate analyzer. The researchers claim that this algorithmic approach is a near real-time one.
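As an added example (not the authors' implementation), the following sketches a t-second window rate analyzer over a constructed packet trace that keeps only the minimal attributes mentioned above (timestamp, source, destination, protocol). Reading the three parts as an overall rate analyzer, a per-destination packet rate analyzer and a per-protocol rate analyzer is one interpretation of the summary, not the paper's exact definitions; the trace, the IP addresses, the baseline-window count, the `k` multiplier and the `margin` are all constructed assumptions.

```python
import random
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    ts: float   # arrival time in seconds
    src: str
    dst: str
    proto: str  # "TCP", "UDP" or "ICMP"


def constructed_trace(seed: int = 7) -> List[Packet]:
    """Constructed trace (not real capture data): 10 s of steady traffic to two hosts,
    then a 2 s ICMP flood against 10.0.0.100 from many sources in 198.51.100.0/24."""
    rng = random.Random(seed)
    pkts: List[Packet] = []
    normal_mix = ([("TCP", "10.0.0.100")] * 6 + [("UDP", "10.0.0.100")] * 3
                  + [("ICMP", "10.0.0.100")] + [("UDP", "10.0.0.101")] * 2)
    for second in range(10):
        for proto, dst in normal_mix:
            pkts.append(Packet(second + rng.random(), f"10.0.0.{rng.randint(1, 30)}", dst, proto))
    for second in range(10, 12):
        for _ in range(200):
            pkts.append(Packet(second + rng.random(), f"198.51.100.{rng.randint(1, 254)}",
                               "10.0.0.100", "ICMP"))
    return sorted(pkts)


def window_rates(packets: List[Packet], t: float) -> List[Dict[str, float]]:
    """Bucket packets into consecutive t-second windows and return, per window, packets per
    second keyed by counter: 'total' (rate analyzer), 'dst:<ip>' (packet rate analyzer per
    destination) and 'proto:<name>' (protocol rate analyzer)."""
    n_windows = int(max(p.ts for p in packets) // t) + 1
    counters = [Counter() for _ in range(n_windows)]
    for p in packets:
        c = counters[int(p.ts // t)]
        c["total"] += 1
        c[f"dst:{p.dst}"] += 1
        c[f"proto:{p.proto}"] += 1
    return [{key: cnt / t for key, cnt in c.items()} for c in counters]


def detect(packets: List[Packet], t: float = 1.0, baseline_windows: int = 5,
           k: float = 3.0, margin: float = 5.0) -> List[Tuple[int, str, float]]:
    """Learn a per-counter threshold (mean + k*sd, but at least mean + margin so a flat
    baseline still leaves headroom) from the first windows, assumed attack-free, then flag
    every later window whose rate for that counter exceeds its threshold."""
    rates = window_rates(packets, t)
    base = rates[:baseline_windows]
    thresholds: Dict[str, float] = {}
    for key in {key for w in base for key in w}:
        xs = [w.get(key, 0.0) for w in base]
        mean = sum(xs) / len(xs)
        sd = (sum((x - mean) ** 2 for x in xs) / len(xs)) ** 0.5
        thresholds[key] = mean + max(k * sd, margin)
    alerts: List[Tuple[int, str, float]] = []
    for idx in range(baseline_windows, len(rates)):
        for key, rate in rates[idx].items():
            # A counter never seen during the baseline is compared against the margin alone.
            if rate > thresholds.get(key, margin):
                alerts.append((idx, key, rate))
    return alerts


if __name__ == "__main__":
    for idx, key, rate in detect(constructed_trace()):
        print(f"window {idx}: {key} at {rate:.0f} pkt/s exceeds baseline")
```

Because each window is scored as soon as it closes, the detector's latency is bounded by t, which is what makes this kind of analyzer near real-time; the price is that a baseline learned from a few windows is only as trustworthy as the assumption that those windows were attack-free.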
The full essay can be read here.