Real-time monitoring model of DDoS attacks using distance thresholds in Edge cooperation networks

Edge networks have an increasing demand for real-time attack detection as the duration of Distributed Denial- of-Service (DDoS) attacks decreases and causes missing of reporting insecure cases. However, the training and testing time of the existing detection model deployed on the edge server side is more expensive and cannot be well applied in practice. In this paper, we propose a real-time monitoring framework for DDoS attacks with edge server-device collaboration to solve these problems. Specifically, the edge server uses the k-means algorithm to represent the model boundaries and builds a separate group of recognition and monitoring models for each device by splitting the feature vectors. Furthermore, each device monitors the generated data in realtime through the model and submits suspicious data to the edge server for analysis. Finally, the server utilizes the k-neighbor algorithm which adds threshold selection and judgment to fine-grained identify updated benign data and specific categories of attack data. Experimental results show that the proposed scheme can effectively monitor benign data and attack data and identify attack types while the train time, test time and storage cost are less than that of the centralized model.