An Abnormal Network Flow Feature Sequence Prediction Approach for DDoS Attacks Detection in Big Data Environment

Distributed denial-of-service(DDoS)is a rapidly growing problem with the fast development of the Internet.There are multitude DDoS detection approaches,however,three major problems about DDoS attack detection appear in the big data environment.Firstly,to shorten the respond time of the DDoS attack detector;secondly,to reduce the required compute resources;lastly,to achieve a high detection rate with low false alarm rate.In the paper,we propose an abnormal network flow feature sequence prediction approach which could fit to be used as a DDoS attack detector in the big data environment and solve aforementioned problems.We define a network flow abnormal index as PDRA with the percentage of old IP addresses,the increment of the new IP addresses,the ratio of new IP addresses to the old IP addresses and average accessing rate of each new IP address.We design an IP address database using sequential storage model which has a constant time complexity.The autoregressive integrated moving average(ARIMA)trending prediction module will be started if and only if the number of continuous PDRA sequence value,which all exceed an PDRA abnormal threshold(PAT),reaches a certain preset threshold.And then calculate the probability that is the percentage of forecasting PDRA sequence value which exceed the PAT.Finally we identify the DDoS attack based on the abnormal probability of the forecasting PDRA sequence.Both theorem and experiment show that the method we proposed can effectively reduce the compute resources consumption,identify DDoS attack at its initial stage with higher detection rate and lower false alarm rate.

A DDoS Attack Information Fusion Method Based on CNN for Multi-Element Data

Traditional distributed denial of service(DDoS)detection methods need a lot of computing resource,and many of them which are based on single element have high missing rate and false alarm rate.In order to solve the problems,this paper proposes a DDoS attack information fusion method based on CNN for multi-element data.Firstly,according to the distribution,concentration and high traffic abruptness of DDoS attacks,this paper defines six features which are respectively obtained from the elements of source IP address,destination IP address,source port,destination port,packet size and the number of IP packets.Then,we propose feature weight calculation algorithm based on principal component analysis to measure the importance of different features in different network environment.The algorithm of weighted multi-element feature fusion proposed in this paper is used to fuse different features,and obtain multi-element fusion feature(MEFF)value.Finally,the DDoS attack information fusion classification model is established by using convolutional neural network and support vector machine respectively based on the MEFF time series.Experimental results show that the information fusion method proposed can effectively fuse multi-element data,reduce the missing rate and total error rate,memory resource consumption,running time,and improve the detection rate.