DDoS attack detection using signal processing and statistical approaches

Abstract

DDoS attacks cause a variety of changes in the properties of the attributes in the network traffic. Modeling these changes using signal processing and statistical ap proaches provides detection of these attacks. This thesis focuses on detecting DDoS attacks using time series analysis, sparse signal representation methods, and statistical modeling. We also investigate the effect of DDoS attacks on traffic features in a sta tistical manner. In addition, we propose two simple but effective network-based DDoS attack detection methods based on the statistical signal processing approach, using the advantage of statistical changes in traffic features. We propose a novel DDoS detection framework using the Matching Pursuit algo rithm to detect resource depletion type DDoS attacks. We use multiple characteristics of network traffic simultaneously to detect low-density DDoS attacks efficiently. The proposed method uses the dictionary produced from the parameters of the network traf fic using the K-SVD algorithm. Dictionary generation using network traffic provides legitimate and attack traffic models and adds adaptability to the proposed method to network traffic. We also implement DDoS detection approaches that use Matching Pursuit and Wavelet techniques and compare them using two different data sets. Addi tionally, we offer a hybrid DDoS detection framework that combines these approaches with a decision-making mechanism using an artificial neural network. We evaluate the proposed methods with two different data sets. In the hybrid intrusion detection sys tem with more than one attack, the detection performances of other approaches have decreased. In contrast, the proposed method achieves true-positive rates higher than 99% with a false positive rate lower than 0.7%.