Abstract
This letter deals with the problem of detecting DoS and DDoS attacks. First of all, two features including number of packets and number of source IP addresses are extracted from network traffics as detection metrics in every minute. Hence, a time series based on the number of packets is built and normalized using a Box-Cox transformation. An ARIMA model is also employed to predict the number of packets in every following minute. Then, the chaotic behavior of prediction error time series is examined by computing the maximum Lyapunov exponent. The local Lyapunov exponent is also calculated as a suitable indicator for chaotic and nonchaotic errors. Finally, a set of rules are proposed based on repeatability of chaotic behavior and enormous growth in the ratio of number of packets to number of source IP addresses during attack times to classify normal and attack traffics from each other. Simulation results show that the proposed algorithm can accurately classify 99.5% of traffic states.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
