Abstract

Internet of Things (IoT) networks are vulnerable to Distributed Denial of Service (DDoS) attacks, which can degrade their Quality of Service (QoS). In general, DDoS attacks are classified into high- and low-volume attacks. Existing statistical-based methods for DDoS attack detection in IoT networks are effective only for high-volume or low-volume attacks, but not for both. The majority of research in this domain relies on single-dimensional analysis and static thresholds. In response to these limitations, this paper introduces a Flow and Unified Information-based DDoS (FLUID) attack detection system, a lightweight statistical approach, for DDoS attack detection in IoT networks. The FLUID system incorporates multi-dimensional analysis by integrating unified information and flow behavior to effectively identify both high- and low-volume DDoS attacks. FLUID utilizes entropy and distance metrics, such as Kullback–Leibler (KL) divergence and greedy bin-packing, as unified information measures to distinguish legitimate traffic from malicious activity. Additionally, it examines flow behavior to gain insights into network traffic patterns. Notably, the FLUID system maintains its lightweight nature through a streamlined set of network features and optimized computational efficiency. Evaluations on real-world IoT client/server and Event-Driven Architecture (EDA) testbeds with the ToN-IoT, CICIDS 2017, CICIDS 2019, and DoS/DDoS-MQTT-IoT datasets show that the FLUID system can achieve over 90% detection accuracy for both high- and low-volume DDoS attacks.
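An added example, not code from the paper: it shows why a single information measure over source addresses misses a low-volume attack that a flow-behaviour feature catches, using Shannon entropy and KL divergence over per-source packet counts. The flow tuples, the single-packet-flow feature and the fixed thresholds are assumptions chosen for the constructed sample data; the abstract does not specify FLUID's features, thresholds or bin-packing step.

```python
import math
from collections import Counter

def entropy(counts):
    """Shannon entropy (bits) of a Counter of packet counts."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def kl_divergence(window, baseline, eps=1e-6):
    """D_KL(window || baseline) in bits; eps smooths keys unseen on one side."""
    keys = set(window) | set(baseline)
    wn = sum(window.values()) + eps * len(keys)
    bn = sum(baseline.values()) + eps * len(keys)
    total = 0.0
    for k in keys:
        p = (window.get(k, 0) + eps) / wn
        q = (baseline.get(k, 0) + eps) / bn
        total += p * math.log2(p / q)
    return total

def features(flows):
    """flows: list of (src, packets). Returns per-source packet counts and
    the share of flows carrying a single packet (a flow-behaviour feature)."""
    per_src = Counter()
    for src, pkts in flows:
        per_src[src] += pkts
    short = sum(1 for _, pkts in flows if pkts == 1) / len(flows)
    return per_src, short

def classify(flows, baseline_flows, kl_limit=1.0, short_limit=0.5):
    """Thresholds are illustrative constants (assumed), not values from the paper."""
    base_src, base_short = features(baseline_flows)
    src, short = features(flows)
    if kl_divergence(src, base_src) > kl_limit:
        return "high-volume"   # source distribution shifted far from baseline
    if short - base_short > short_limit:
        return "low-volume"    # distribution looks normal, flow behaviour does not
    return "normal"

# Constructed sample windows (not taken from any dataset named above).
BASELINE = [(f"dev{i}", 10) for i in range(4)]
HIGH = BASELINE + [(f"bot{i}", 50) for i in range(40)]
LOW = [("dev0", 10), ("dev1", 10)] + [
    (src, 1) for src in ("dev2", "dev3") for _ in range(11)
]
```

In the `LOW` window the source entropy stays within 0.01 bits of the baseline and the KL divergence is near zero, so only the flow-behaviour check separates it from normal traffic.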
