TSD3: A Novel Time-Series-Based Solution for DDoS Attack Detection

Distributed Denial-of-Service (DDoS) attack has long been one of the biggest threats to network security. Most existing approaches collect and analyze the network traffic in a fixed window (e.g., 1min or 5min) to detect ongoing attacks. However, they cannot track temporal information, such as the arriving moments of packets and the persistence of malicious flows in the time dimension, which inevitably harms their effectiveness. To this end, this work proposes a novel solution called Time-Series DDoS Detection (TSD3). First, we design an attention-based traffic sampling algorithm to support short-period (e.g., 1 s) traffic monitoring. The proposed sampling solution can continuously track network flows with limited storage and communication resources and naturally attach the flow records with fine-grained time information, i.e., slice index. Then we perform time-series analysis by encoding the flow records of successive periods to persistence distributions and training a classifier to identify the attacking or normal flows. The experimental results based on real-world network traces show that our approach significantly outperforms the state-of-the-art methods in terms of Accuracy, Recall, and F1-score.