An anomaly based distributed detection system for DDoS attacks in Tier-2 ISP networks

In the present computer era, the vulnerabilities inherent in the Internet architecture enable various kinds of attacks. Distributed Denial of Service (DDoS) is one of such prominent attack that is a lethal threat to Internet domain that harnesses its computing and communication resources. The increase in network traffic rates of legitimate traffic and its flow similarity with attack traffic has made the DDoS detection very difficult despite deployment of diversified defense solutions. The ISPs are bound to invest heavily to counter such problems which has a significant impact on company finances. To provide uninterrupted quality services to the end users, ISPs needs to deploy a distributed solution for timely detection and discrimination of attack and behaviorally similar flash events (FE) traffic. Such distributed defense systems can be deployed at source-end, intermediate network-end or at the victim-end location. Since the volume of traffic to be analyzed is very large, the detection accuracy and low computational complexity of the proposed defense solution is always a challenging problem. This paper proposes an ISP level distributed, collaborative and automated (D-CAD) defense system for detecting DDoS attacks and FEs, and has the capability to effectively distinguishing the two. Additionally, D-CAD defense system is also capable of categorizing FE traffic and has low computational complexity. The proposed system is validated in novel software defined networks (SDN) using Mininet emulator. The results show that D-CAD defense system outperformed its existing counterparts on various detection system evaluation metrics.