Authors: A. Sardana, R. Joshi
Published in: 2010 International Conference on Availability, Reliability and Security
Publication date: 2010-03-25
DOI: 10.1109/ARES.2010.84 (https://doi.org/10.1109/ARES.2010.84)
Citation count: 8
Dual-Level Attack Detection and Characterization for Networks under DDoS
DDoS attacks aim to deny services to legitimate users. In this paper, we introduce a novel dual-level attack detection (D-LAD) scheme for defending against DDoS attacks. At the higher, coarse level, the macroscopic level detectors (MaLAD) attempt to detect congestion-inducing attacks that cause an apparent slowdown in network functionality. These large-volume attacks are detected early at border routers in the transit network, before they converge at the victim. At the lower, fine level, the microscopic level detectors (MiLAD) detect sophisticated attacks that cause network performance to degrade gracefully, and stealth attacks that remain undetected in the transit domain and do not impact the victim. These attacks have a dramatic impact on the victim and are detected at border routers in the stub domain near the victim. We employ the concepts of varying threshold and change point detection on entropy to enhance the detection rate. Honeypots help achieve high filtering accuracy. Results demonstrate that, in addition to being competitive with other techniques with respect to detection rate and false alarm rate, our scheme is very effective and works well in the presence of different DDoS attacks. The proposed technique provides a much-demanded solution to the DDoS problem.