Article ID: 449069
Journal: Computer Communications
Published Year: 2012
Pages: 12 Pages
File Type: PDF
Abstract

The nature of the threats carried by Distributed Denial of Service (DDoS) attacks requires effective detection as well as efficient response methods. However, feature-based schemes are unsuitable for real-time detection due to their complicated calculations, and most statistical schemes do not distinguish DDoS attacks from legitimate changes in traffic. Besides, it is impossible to set a single threshold that accounts for both false positives and false negatives: a hard threshold reduces the risk of false negatives but significantly increases the rate of false positives, whereas a soft threshold can easily be exploited by attackers to insert malicious traffic that mimics the conduct of good flows. To avoid these defects, we suggest a two-stage approach based on the detection of breaks in the distribution of connection sizes. A connection is defined as the aggregate traffic between two IP addresses, where one address belongs to the policed address set and the other is a foreign address. The connection size is measured in number of packets. To achieve our goal, we employ Total Variation Distance (TVD) to measure horizontal and vertical similarity among flows. We investigate a class of intelligent denial of service attacks which, unlike high-rate attacks, are difficult for other schemes to detect. The experimental results indicate that our scheme can detect DDoS flooding attacks accurately. The effectiveness of our approach, even against intelligent attacks, is around 90%.
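The metric the abstract relies on, as an added illustration that is not the paper's code: Total Variation Distance between the connection-size distribution of a baseline window and that of a current window, where a large jump ("break") in the distribution is what the detector looks for. The log2 size buckets, the 0.3 threshold, and the three sample windows are all assumptions of this example, not values from the paper; the abstract does not define how its horizontal and vertical comparisons are carried out, so only the distance itself is shown here.

```python
from collections import Counter

# Constructed sample windows: each number is the size (packets) of one connection,
# i.e. the aggregate traffic between one policed address and one foreign address.
BASELINE_SIZES = [1, 2, 3, 5, 6, 9, 12, 15, 20, 25, 33, 40, 60, 100, 130, 7, 10, 18, 45, 80]
# A flooding window: many foreign addresses each sending only one or two packets.
FLOOD_SIZES = [1] * 14 + [2] * 4 + [12, 40]
# A legitimate drift: same mix as the baseline, with one long connection instead of a medium one.
DRIFT_SIZES = [1, 2, 3, 5, 6, 9, 12, 15, 20, 25, 33, 40, 60, 100, 130, 7, 10, 18, 45, 200]

# Assumed detection threshold on the TVD (0 = identical distributions, 1 = disjoint).
BREAK_THRESHOLD = 0.3


def size_bucket(packets: int) -> int:
    """Bucket a connection size on a log2 scale: 1 -> 0, 2-3 -> 1, 4-7 -> 2, ..."""
    if packets < 1:
        raise ValueError("connection size must be at least one packet")
    return packets.bit_length() - 1


def size_distribution(sizes) -> dict:
    """Empirical probability of each size bucket in a window (empty window -> {})."""
    if not sizes:
        return {}
    counts = Counter(size_bucket(s) for s in sizes)
    total = len(sizes)
    return {bucket: n / total for bucket, n in counts.items()}


def total_variation_distance(p: dict, q: dict) -> float:
    """TVD(P, Q) = 1/2 * sum_i |P(i) - Q(i)| over the union of buckets."""
    buckets = set(p) | set(q)
    return 0.5 * sum(abs(p.get(b, 0.0) - q.get(b, 0.0)) for b in buckets)


def detect_break(baseline_sizes, window_sizes, threshold=BREAK_THRESHOLD):
    """Return (tvd, flagged): flagged is True when the window's connection-size
    distribution has moved further from the baseline than the threshold allows."""
    tvd = total_variation_distance(size_distribution(baseline_sizes),
                                   size_distribution(window_sizes))
    return tvd, tvd > threshold


if __name__ == "__main__":
    for name, window in (("flood", FLOOD_SIZES), ("drift", DRIFT_SIZES)):
        tvd, flagged = detect_break(BASELINE_SIZES, window)
        print(f"{name}: TVD={tvd:.2f} break={flagged}")
```

With these inputs the flood window is at distance 0.75 from the baseline while the drift window is at 0.05, so one threshold separates them cleanly; the abstract's point is that real traffic does not always leave such a gap, which is why the paper stacks a second stage rather than relying on a single cut-off.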

Related Topics
Physical Sciences and Engineering Computer Science Computer Networks and Communications