Combining cross-correlation and fuzzy classification to detect distributed denial-of-service attacks

Abstract

In legitimate traffic, a correlation exists between the outgoing and incoming traffic of a server network because of the request-reply actions in most protocols. When DDoS attacks occur, the attackers send packets with faked source addresses. As a result, the outgoing traffic to the faked addresses does not induce any related incoming traffic. Our main idea is to find changes in the correlation caused by DDoS. We sample network traffic using Extended First Connection Density (EFCD) and express correlation by a cross-correlation function. Because network traffic in the DDoS-initiating stage is very similar to legitimate traffic, we use fuzzy classification in order to guarantee the accuracy. Experiments show that DDoS traffic can be identified accurately by our algorithm. © Springer-Verlag Berlin Heidelberg 2006.

Cite

Wei, W., Dong, Y., Lu, D., & Jin, G. (2006). Combining cross-correlation and fuzzy classification to detect distributed denial-of-service attacks. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 3994 LNCS-IV, pp. 57–64). Springer Verlag. https://doi.org/10.1007/11758549_8
