Detecting Distributed Denial of Service Attack Based on Address Correlation Value

Detecting distributed denial of service (DDoS) attacks is currently a hot topic in the network security field. The characteristics of DDoS attacks and the existing methods to detect DDoS attacks are analyzed, and a novel detection scheme for DDoS attacks based on address correlation value (ACV) is proposed. ACV is designed to reflect the essential features of DDoS attacks, such as the abrupt traffic change, flow dissymmetry, distributed source IP addresses and concentrated target IP addresses. To increase the detection accuracy in various conditions, ACV time series are transformed into a multidimensional vector (MV) by estimating the auto regressive (AR) model parameters using the Yule-Walker method, and then MV is used to describe the state features of network flows. Furthermore, a support vector machine (SVM) classifier, which is trained by MV of ACV time series from normal flow and attack flow, is applied to classify the state of current network flow and identify the DDoS attacks. The experimental results show that ACV time series can be well used to characterize the different state features between DDoS attack flows and normal flows; the scheme can identify the state features of the abnormal flow due to the DDoS attacking flows, and detect DDoS attacks accurately and reduce the false positive drastically.