Non-negative Increment Feature Detection of the Traffic Throughput for Early DDoS Attack

One of the major threats to cyber security is distributed denial of service (DDoS) attacks. In this paper, we reveal the non-negative and cumulative increment effect of DDoS traffic throughput that is the feature accurately distinguished DDoS attacking traffic from normal flash crowd traffic. Our scheme can detect a DDoS attack in its early stages based on these feature. It can differentiate DDoS from flash crowd traffic effectively even if DDoS is potential. This scheme detects DDoS attacks with on-line and distributed characteristics. Simulation shows the algorithm's validity and accuracy.