Change trend of averaged Hurst parameter of traffic under DDOS flood attacks

Distributed denial-of-service (DDOS) flood attacks remain great threats to the Internet though various approaches and systems have been proposed. Because arrival traffic pattern under DDOS flood attacks varies significantly away from the pattern of normal traffic (i.e., attack free traffic) at the protected site, anomaly detection plays a rote in the detection of DDOS flood attacks. Hence, quantitatively studying statistics of traffic under DDOS flood attacks (abnormal traffic for short) are essential to anomaly detections of DDOS flood attacks. References regarding qualitative descriptions of abnormal traffic are quite rich, but quantitative descriptions of its statistics are seldom seen. Though statistics of normal traffic are affluent, where the Hurst parameter H of traffic plays a key role, how H of traffic varies under DDOS flood attacks is rarely reported. As a supplementary to our early work, this paper shows that averaged H of abnormal traffic usually tends to be significantly smaller than that of normal one at the protected site. This abnormality of abnormal traffic is demonstrated with test data provided by MIT Lincoln Laboratory and explained from a view of Fourier analysis. (C) 2005 Elsevier Ltd. All rights reserved.