DDoS Attack Detection Method Based on Network Abnormal Behavior in Big Data Environment
Jing Chen, Xiangyan Tang, Jieren Cheng, Fengkai Wang, Ruomeng Xu

TL;DR
This paper introduces a real-time DDoS attack detection method leveraging network abnormal behavior analysis in big data environments, significantly improving detection accuracy and reducing false alarms compared to existing techniques.
Contribution
It proposes a novel detection approach based on network abnormal feature values and real-time series analysis tailored for big data environments.
Findings
Higher detection rate than similar methods
Lower false alarm rate achieved
Reduced missing detection instances
Abstract
Distributed denial of service (DDoS) attacks have become a rapidly growing problem with the fast development of the Internet. The existing DDoS attack detection methods suffer from time delay and a low detection rate. This paper presents a DDoS attack detection method based on network abnormal behavior in a big data environment. Based on the characteristics of flood attacks, the method filters the network flows to leave only the 'many-to-one' network flows, to reduce the interference from normal network flows and improve the detection accuracy. We define the network abnormal feature value (NAFV) to reflect the state changes of the old and new IP addresses of 'many-to-one' network flows. Finally, the DDoS attack detection method based on the NAFV real-time series is built to identify the abnormal network flow states caused by DDoS attacks. The experiments show that compared with similar methods, this method…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Advanced Malware Detection Techniques
