ISSN 1000-1239 CN 11-1777/TP

• Paper • Previous Articles     Next Articles

Detecting Distributed Denial of Service Attack Based on Address Correlation Value

Cheng Jieren1,2, Yin Jianping1, Liu Yun1, Cai Zhiping1, and Li Min1   

  1. 1(College of Computer, National University of Defense Technology, Changsha 410073) 2(Department of Mathematics, Xiangnan University, Chenzhou, Hunan 423000)
  • Online:2009-08-15

Abstract: Detecting distributed denial of service (DDoS) attacks is currently a hot topic in the network security field. The characteristics of DDoS attacks and the existing methods to detect DDoS attacks are analyzed, and a novel detection scheme for DDoS attacks based on address correlation value (ACV) is proposed. ACV is designed to reflect the essential features of DDoS attacks, such as the abrupt traffic change, flow dissymmetry, distributed source IP addresses and concentrated target IP addresses. To increase the detection accuracy in various conditions, ACV time series are transformed into a multidimensional vector (MV) by estimating the auto regressive (AR) model parameters using the Yule-Walker method, and then MV is used to describe the state features of network flows. Furthermore, a support vector machine (SVM) classifier, which is trained by MV of ACV time series from normal flow and attack flow, is applied to classify the state of current network flow and identify the DDoS attacks. The experimental results show that ACV time series can be well used to characterize the different state features between DDoS attack flows and normal flows; the scheme can identify the state features of the abnormal flow due to the DDoS attacking flows, and detect DDoS attacks accurately and reduce the false positive drastically.

Key words: network security, distributed denial of service attack, address correlation value, autoregressive model, support vector machine