A Multimetric Approach for Discriminating Distributed Denial of Service Attacks from Flash Crowds

Distributed Denial of Service (DDoS) attack, whether at the application or network layer, continues to be a critical threat to the Internet. In a DDoS attack, attackers run a massive number of queries through the victim's search engine or database query to bring the server down. This massive number of queries results in a very high traffic generated within a short period of time. Or in the Internet, researchers have identified a legitimate high traffic, known as a flash crow, where a very large number of users simultaneously access a popular web site, which produces a surge in traffic to the web site and might cause the site to be virtually unreachable. Thus the need to be able to discriminate between DDoS attack traffics and flash crowds. In this project, a hybrid discrimination mechanism is proposed to detect DDoS attacks using various features that characterize the DDoS traffics, and that distinguish it from flash crowds. These features include among others the entropy variation, the information distance, and the correlation coefficient.