Anomaly Detection Techniques for Different DDoS Attack Types

Malicious activities in computer network systems often generate patterns in network data that do not conform to normal behaviour. Since the nature of such anomalies may be different for different types of attacks, detection of these is not trivial and may require specific anomaly detection techniques. In this work, we focus on anomaly or outlier detection techniques for DDoS attacks on computer networks. Our main goal is to find such techniques that prove most appropriate for different types of attacks. We restrict our research to fully unsupervised methods, because, in real world scenarios, it is difficult to obtain examples of all possible anomalies, especially that the set of those is constantly growing. To the best of our knowledge, our work is the first that utilizes time-related features in a purely unsupervised manner and that provides a fair comparison between widely known outlier detection methods. We evaluate clustering, autoencoder and LSTM-based techniques on commonly used datasets, i.e. DARPA1998, ISCXIDS2012, CICDDOS2019. Moreover, we propose IQRPACF method that combines IQR with partial autocorrelation function. The proposed method not only does not require to be trained, but also, in most cases, outperforms the other solutions.