Abstract
Distributed Denial of Service (DDoS) attacks are among the most severe threats in cyberspace. The existing methods are only designed to decide whether certain types of DDoS attacks are ongoing. As a result, they cannot detect other types of attacks, not to mention the even more challenging mixed DDoS attacks. In this paper, we comprehensively analyzed the characteristics of various types of DDoS attacks and innovatively proposed five new features from heterogeneous packets, including entropy rate of IP source flow, entropy rate of flow, entropy of packet size, entropy rate of packet size, and number of ICMP destination unreachable packets, to detect not only various types of DDoS attacks, but also mixtures of them. The experimental results show that the five proposed features ranked at the top compared with other common features in terms of effectiveness. Besides, by using these features, our proposed framework outperforms the existing methods when detecting various DDoS attacks and mixed DDoS attacks. The detection accuracy improvements over the existing methods are between 21% and 53%.
Zhou, L., Zhu, Y., Xiang, Y., & Zong, T. (2023). A novel feature-based framework enabling multi-type DDoS attacks detection. World Wide Web, 26(1), 163–185. https://doi.org/10.1007/s11280-022-01040-3