Abstract

Distributed Denial of Service (DDoS) attacks are among the most prevalent and costly network attacks, threatening a wide variety of services. While many defense mechanisms have been proposed to detect and mitigate DDoS attacks, attackers constantly explore alternative approaches for orchestrating novel DDoS attacks. Distributing a defense mechanism and deploying it across different zones can improve detection accuracy and the coverage of DDoS attack varieties. In this paper, we propose a 3-phase DDoS attack countermeasure, named RAD, based on a statistical model that scores users in order to detect DDoS attacks. In the first phase, users are classified as either suspicious or benign based on their traffic behavior, as indicated by the number of flows, packets, and concurrent connections, and the amount of user-generated traffic. In the second phase, we identify a potential attack state using the drop, jitter, and delay processing parameters. In the third phase, relevant policies are enforced on the suspicious class of users, and their effects are assessed continuously in order to reduce false alarms. RAD is evaluated on the UNB CICDDoS2019 dataset and compared with four well-known DDoS detection algorithms. RAD counters DDoS attacks with more than 80% precision, 99% recall, and 89% F1-Measure on CICDDoS2019.
