Abstract
Detecting distributed denial-of-service (DDoS) attacks both accurately and quickly is challenging. We propose a novel IP Flow Interaction Behavior Feature (IFF) algorithm based on IP flow interaction via IP addresses and ports. IFF can be designed to provide normal profiles for normal flow and to reflect the essential features created by different types of DDoS attacks. Using IFF, we divide network flow states into three states: the health state, the quasi-health state, and the abnormal state. Based on this three-state partition of network flow states, we present a simple and efficient DDoS attack detection method via a self-adapting dual threshold and an alarm evaluation mechanism (DASA). Our experimental results demonstrate that IFF can be used as a general DDoS attack diagnosis feature, and that DASA can effectively detect abnormal flows containing DDoS attack flows with higher accuracy and a lower false alarm rate in a short detection time.