Low-rate DDoS attacks detection method using data compression and behavior divergence measurement

2020 
Abstract Distributed denial of service (DDoS) attacks have been a typical and extremely destructive threat to the Internet. DDoS attack detection suffers from the non-negligible complexity of storing massive traffic flows in high-speed networks. Besides, hidden low-rate DDoS (LDDoS) attacks evade the existing detection methods due to the similarity between LDDoS attack traffic and normal traffic. Focusing on these problems, this paper proposes a new low-rate DDoS attack detection method (LDDM) by designing a multidimensional sketch structure and novel measurement methods on network flows. First, the multidimensional sketch structure is designed to aggregate and compress network flows, which helps reduce the cost of data storage and enhance detection performance. Then, an improved behavior divergence measurement method based on the daub4 wavelet transform is proposed to calculate the energy percentage of each sketch divergence. This method obtains effective results in distinguishing normal traffic from attack traffic. Furthermore, a modified weighted exponential moving average method is designed to construct the dynamic threshold of the normal network. Meanwhile, a traffic freezing mechanism is proposed to ensure the standardization of the dynamic threshold. Finally, the effectiveness of the LDDM is evaluated using several real low-rate DDoS attack datasets. The comparisons with other methods show that our method has a lower false positive rate and false negative rate, as well as higher accuracy in the detection of stealthy low-rate DDoS attacks.