DocumentCode
3540749
Title
DDoS Flood Attack Detection Based on Fractal Parameters
Author
Xia, Zhengmin ; Lu, Songnian ; Li, Jianhua
fYear
2012
fDate
21-23 Sept. 2012
Firstpage
1
Lastpage
5
Abstract
The distributed denial-of-service (DDoS) flood attack is one of the most popular techniques used by hackers to threaten the availability and stability of the Internet. To ensure network usability and reliability, accurate detection of this kind of attack is critical. In this paper, we propose a statistical DDoS flood attack detection method that passively monitors abrupt changes in the fractal parameters of network traffic: the fractal dimension D and the Hurst parameter H. Specifically, we use an autoregressive system to estimate the parameters D and H of normal traffic, which change slowly. If the actual parameters D and H vary significantly from the estimated ones, we assume a DDoS flood attack happens. Meanwhile, we propose a maximum likelihood estimate-based detection method to determine the change point of parameters D and H that indicate the occurrence of a DDoS flood attack. The test results based on the DARPA intrusion detection evaluation data sets show that both the parameters D and H can indicate the DDoS flood attack effectively.
Keywords
Detectors; Floods; Fractals; Maximum likelihood estimation; Monitoring; Telecommunication traffic;
fLanguage
English
Publisher
ieee
Conference_Titel
Wireless Communications, Networking and Mobile Computing (WiCOM), 2012 8th International Conference on
Conference_Location
Shanghai, China
ISSN
2161-9646
Print_ISBN
978-1-61284-684-2
Type
conf
DOI
10.1109/WiCOM.2012.6478475
Filename
6478475