Abstract:
The statistical characteristics of selected data packets show anomalies under distributed denial of service (DDoS) attacks, and detecting these anomalies is an important task. Some detection methods rely on a hypothesis about data packet rates. This hypothesis, however, is unreasonable in some situations. Other detection methods are based on the statistics of IP addresses and the length of data packets, but their detection accuracy declines rapidly under IP spoofing attacks. In this paper, a hidden Markov model (HMM)-based method for detecting DDoS attacks is presented. The method integrates four different detection models against different types of attacks. The models are built from selected attributes of normal network data packets: the flag bits of TCP packets, the ports of UDP packets, and the type and code of ICMP packets. These packets are taken from normal audit data, so the models capture the statistical characteristics of normal network traffic. The models are then used to detect DDoS attacks by processing selected packets from the target audit data. Experimental results show that this method outperforms other reported DDoS detection methods in adaptability and detection accuracy.
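
The following added example, which is not the paper's implementation, illustrates the TCP flag model only: it scores a window of TCP flag combinations against an HMM with the scaled forward algorithm and flags windows whose per-packet log-likelihood falls below a threshold calibrated on normal windows. The two-state model, its probabilities, the margin and the sample windows are constructed assumptions; the paper builds its models from normal audit data.

```python
import math

# Constructed parameters (assumption): a 2-state HMM standing in for a model
# trained on normal audit data. Hidden states: 0 = connection setup, 1 = data.
SYMBOLS = ("S", "SA", "A", "PA", "FA", "R")   # TCP flag combinations
PI = [0.7, 0.3]
TRANS = [[0.3, 0.7], [0.1, 0.9]]
EMIT = [
    dict(zip(SYMBOLS, (0.45, 0.45, 0.05, 0.02, 0.02, 0.01))),
    dict(zip(SYMBOLS, (0.01, 0.01, 0.45, 0.38, 0.12, 0.03))),
]
FLOOR = 1e-6   # probability given to flag combinations the model never saw

def avg_loglik(flags):
    """Per-packet log-likelihood of a flag sequence (scaled forward algorithm)."""
    if not flags:
        raise ValueError("empty window")
    n = len(PI)
    alpha, total = None, 0.0
    for obs in flags:
        if alpha is None:
            pred = PI
        else:
            pred = [sum(alpha[i] * TRANS[i][j] for i in range(n)) for j in range(n)]
        alpha = [pred[j] * EMIT[j].get(obs, FLOOR) for j in range(n)]
        scale = sum(alpha)                   # P(obs_t | obs_1 .. obs_t-1)
        total += math.log(scale)
        alpha = [a / scale for a in alpha]   # rescale to avoid underflow
    return total / len(flags)

def calibrate(normal_windows, margin=0.25):
    """Threshold = worst score among normal windows minus a safety margin."""
    return min(avg_loglik(w) for w in normal_windows) - margin

def is_anomalous(flags, threshold):
    return avg_loglik(flags) < threshold

# Constructed sample windows (not real traffic).
NORMAL = [
    "S SA A PA A PA A PA A FA A".split(),
    "S SA A PA PA A PA A A FA A".split(),
    "S SA A PA A FA A".split(),
]
SYN_FLOOD = ["S"] * 10
THRESHOLD = calibrate(NORMAL)

if __name__ == "__main__":
    for name, w in (("normal", NORMAL[0]), ("syn-heavy", SYN_FLOOD)):
        print(name, round(avg_loglik(w), 3), is_anomalous(w, THRESHOLD))
```

Because the score depends only on the flag sequence and not on source addresses or packet rates, it is unaffected by IP spoofing, which is the weakness of address-based statistics that the abstract points out.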