A CRF-based method for DDoS attack detection

Abstract

To address the low detection accuracy and high false-positive rate (FPR) of traditional DDoS attack detection methods, a method based on conditional random fields (CRF) is introduced. The CRF-based model can fuse multiple features together and does not require those features to be strictly independent. The concept of IP flow quintuple entropy is put forward as the multi-feature detection vector; it is named IPE and comprises the quintuple entropy of the header part of the packets. Our experiments revealed that the multi-feature vector IPE works well and that the CRF-based detection method outperforms other machine learning (ML) methods such as k-nearest neighbor (KNN), support vector machine (SVM), etc. On the DARPA 2000 dataset, the value of IPE jumps markedly when DDoS attacks happen. The CRF-based method also has better detection performance (more than 90%) and a lower FPR (less than 3%), as well as strong resistance to background noise and good robustness on the TFN2K attack dataset.

Cite

Wang, Y., Jiang, H., Liu, Z., & Chen, S. (2015). A CRF-based method for DDoS attack detection. In Lecture Notes in Electrical Engineering (Vol. 355, pp. 81–87). Springer Verlag. https://doi.org/10.1007/978-3-319-11104-9_10