Detecting distributed denial of service attack based on multi-feature fusion

Abstract

Detection of Distributed denial of service (DDoS) attacks is currently a hot topic in both industry and academia. We present an IP flow interaction algorithm (IFI) merging multi-feature of normal flow and DDoS attack flow. Using IFI time series describe the state of network flow, we propose an efficient DDoS attack detection method based on IFI time series (DADF). DADF employs an adaptive parameter estimate algorithm and detects DDoS attack by associating with the states of IFI time series and an alert evaluation mechanism. Experiment results demonstrate that IFI can well fuse the multiple features of normal flow and DDoS attack flow and it is efficient to be used to distinguish normal flow from DDoS attack flow; DADF can fast detect DDoS attack with higher detection rate and lower false alarm rate under relatively large normal background flows. © 2009 Springer-Verlag Berlin Heidelberg.