Overall scheme of defense against DDoS attack from detection to traffic identification

2013 
Distributed denial of service (DDoS) attacks are a serious threat to Internet security. When an attack happens, the target networks and hosts are overwhelmed by massive traffic. To defend against a DDoS attack, it is important to detect the attack quickly and accurately, discriminate the attack traffic from legitimate crowd traffic, and eliminate the attack traffic. Entropy is used to compute real-time statistics of some flow parameters for detecting the attack, and the cumulative sum (CUSUM) algorithm is employed to track continuous changes of the entropy. Victims can be discovered according to the growth of destination IP quantity, and the traffic swarming into the victims is then observed closely. Because large-scale attack traffic and legitimate crowd traffic are very similar, it is difficult to recognize attack traffic. The correlation coefficient is used in this paper to check the similarity of the flows and so discriminate the attack traffic from legitimate crowd traffic, which provides evidence for subsequent elimination and filtering.
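The detection stage described above, sketched as an added example that is not the paper's code: entropy of destination IPs per time window, a one-sided CUSUM that accumulates sustained entropy drops, and victim discovery by destination growth. The window contents, the baseline length, and the slack and threshold values are assumptions chosen for illustration; the paper's own parameters are not given on this page.

```python
import math
from collections import Counter

def shannon_entropy(items):
    """Shannon entropy (bits) of the empirical distribution of items."""
    counts = Counter(items)
    total = len(items)
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def cusum_drop(series, baseline_n, slack, threshold):
    """One-sided CUSUM for a downward shift of the series.
    Reference level is the mean of the first baseline_n samples (assumed clean).
    Returns the index of the first window that raises the alarm, or None."""
    mean = sum(series[:baseline_n]) / baseline_n
    s = 0.0
    for i in range(baseline_n, len(series)):
        s = max(0.0, s + (mean - series[i] - slack))  # small dips below slack decay to 0
        if s > threshold:
            return i
    return None

def top_growth(before, after):
    """Destination IP whose packet count grew most between two windows."""
    b, a = Counter(before), Counter(after)
    return max(a, key=lambda ip: a[ip] - b[ip])

def make_windows():
    # Constructed sample data: each window is a list of destination IPs (192.0.2.0/24).
    hosts = [f"192.0.2.{i}" for i in range(1, 9)]
    normal = hosts * 10                      # 80 packets spread evenly over 8 hosts
    attack = hosts * 2 + ["192.0.2.5"] * 64  # 80 packets, most aimed at one host
    return [normal] * 5 + [attack] * 4

def detect(windows, baseline_n=3, slack=0.2, threshold=2.0):
    """Return (per-window entropies, alarm window index, suspected victim)."""
    entropies = [shannon_entropy(w) for w in windows]
    alarm = cusum_drop(entropies, baseline_n, slack, threshold)
    victim = top_growth(windows[baseline_n - 1], windows[alarm]) if alarm is not None else None
    return entropies, alarm, victim

if __name__ == "__main__":
    print(detect(make_windows()))
```

With these values a single low-entropy window does not trip the alarm; the CUSUM needs the drop to persist into a second window, which is the "continuous change" behaviour the abstract attributes to it.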