Evaluating the impact of traffic sampling on AATAC's DDoS detection

Abstract

As Distributed Denial of Service (DDoS) attacks are still a severe threat for Internet stakeholders, they should be detected with efficient tools that meet industrial requirements. We previously introduced the AATAC detector, which showed its ability to accurately detect DDoS attacks in real time on full traffic while coping with the constraints of industrial operation, such as time to detect, limited resources for running detection algorithms, and detection autonomy so as not to needlessly waste administrators' time. However, in a realistic scenario, network monitoring is done using sampled traffic. Such sampling may impact the detection accuracy or the pertinence of the produced results. Consequently, in this paper, we evaluate AATAC over sampled traffic. We use five different count-based or time-based sampling techniques, and show that AATAC's resource consumption is in general greatly reduced with little to no impact on the detection accuracy. The obtained results are succinctly compared with those from FastNetMon, an open-source threshold-based DDoS detector.

Cite

Roudière, G., & Owezarski, P. (2019). Evaluating the impact of traffic sampling on AATAC’s DDoS detection. Journal of Cyber Security and Mobility, 8(4), 419–438. https://doi.org/10.13052/jcsm2245-1439.842
