DDoS Attack Detection Using IP Address Feature Interaction

Distributed denial-of-service (DDoS) attacks present serious threats to servers in the Internet. We argue that the difference of the goals, manners and results of the interaction behaviors of normal flows and attack flows, which show different characteristics on IP addresses and ports. IAI (TP Address Interaction Feature) algorithm is proposed based on the addresses interaction, abrupt traffic change, addresses many-to-one dissymmetry, distributed source IP addresses and concentrated target addresses. The IAI is designed to describe the essential characteristics of network flow states. Furthermore, a support vector machine (SVM) classifier, which is trained by IAI time series from normal flow and attack flow, is applied to classify the state of current network flows and identify the DDoS attacks. The experiment results show that, IAI can reflect the different characteristics of DDoS attack flows and normal flows; the IAI-based detection scheme can distinguish between normal flows and abnormal flows with DDoS attack flows effectively, and help to identify fast and accurate attack flows when the attacking traffic is hidden among a relatively large volume of normal flows or close to the attacking sources, and it has higher detection and lower false alarm rate compared with related works.