Classifying DDoS Attacks by Hierarchical Clustering Based on Similarity

With the researching for detection and defense against distributed denial of service (DDoS) attacks, researchers constantly advanced network security systems, and attackers in turn improve their tools to survive from new security systems. Both of the variety and sophistication of DDoS attack tools are growing rapidly. Therefore, an abstract, formalized description and taxonomy is needed to identify and classify existing attack tools and their late editions. Besides, the taxonomy should be scalable to deal with new attacks. This paper proposes a novel and abstract method for describing DDoS attacks with characteristic tree, three-tuple, and introduces an original, formalized taxonomy based on similarity and hierarchical clustering method. Through classifying 12 real DDoS attack tools, the taxonomy is evaluated. The results show that to complicated attack samples, this taxonomy can classify them accurately. In addition, it is important for developing realistic models of DDoS simulation and for performing attacks detection and analysis as a plug-in. It can also be packaged as an automated tool to aid in rapid response to DDoS attacks