Characterizing flash events and distributed denial-of-service attacks: an empirical investigation

In the information age where Internet is the most important means of delivery of plethora of services, distributed denial-of-service (DDoS) attacks have emerged as one of the most serious threat. Strategic, security, social, and financial implications of these attacks have ceaselessly alarmed the entire cyber community. To obviate a DDoS attack and mitigate its impact, there is an irrevocable prerequisite to accurately detect them promptly. An inherent challenge in addressing this issue is to efficiently distinguish these attacks from characteristically analogous flash events (FEs) which are bona fide occurrences generated by legitimate users. Most of the studies have focused on finding out the unique characteristics of DDoS attacks in isolation, with the peril of false alarms heuristically. To preclude this, it is pertinent to fundamentally focus on identifying the unique characteristics of FE vis-a-vis DDoS attacks ab initio which has been the basis of this work. The aim of this paper is to formulate the taxonomy of FEs and compare the characteristics of FEs and DDoS attacks to segregate these using several empirical metrics. Real and emulation datasets have been used to validate the characteristics of both. The extensive analysis in this study establishes that there are numerous technical dissimilarities that can be exploited to separate these similar looking events. Copyright (c) 2016 John Wiley & Sons, Ltd.