DOISerbia - Distinguishing flooding distributed denial of service from flash crowds using four data mining approaches - Kong, Bin; Yang, Kun; Sun, Degang; Li, Meimei; Shi, Zhixin

Computer Science and Information Systems 2017 Volume 14, Issue 3, Pages: 839-856
https://doi.org/10.2298/CSIS161230032K


Distinguishing flooding distributed denial of service from flash crowds using four data mining approaches

Kong Bin (Beijing Jiaotong University, School of Economics and Management, Beijing, China + National Secrecy Science and Technology Evaluation Center, Beijing, China)
Yang Kun (Chinese Academy of Sciences, Institute of Information Engineering, Beijing, China + University of Chinese Academy of Sciences, School of Cyber Security, Beijing, China)
Sun Degang (Chinese Academy of Sciences, Institute of Information Engineering, Beijing, China + University of Chinese Academy of Sciences, School of Cyber Security, Beijing, China)
Li Meimei (Beijing Jiaotong University, School of Computer and Information Technology, Beijing, China + Chinese Academy of Sciences, Institute of Information Engineering, Beijing, China + University of Chinese Academy of Sciences, School of Cyber Security, Beijing, China)
Shi Zhixin (Chinese Academy of Sciences, Institute of Information Engineering, Beijing, China + University of Chinese Academy of Sciences, School of Cyber Security, Beijing, China)

Flooding Distributed Denial of Service (DDoS) attacks can cause significant damage to the Internet. Such attacks share many characteristics with Flash Crowds (FCs), and the two are therefore difficult to tell apart. To address this problem, this paper first divides existing methods into two categories to clarify the state of the research. After an extensive analysis, a new feature set is derived to profile DDoS attacks and FCs. Using this feature set, the paper proposes a method that applies data mining approaches to discriminate between DDoS attacks and FCs. The method is evaluated experimentally on two real-world datasets, and the results show that it achieves high accuracy (above 98%). Compared with a traditional entropy-based method, the proposed method also performs better.

Keywords: flooding DDoS, flash crowds, data mining, entropy
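The abstract describes profiling each traffic window with a feature set and then learning a discriminator from labelled windows, evaluated against an entropy-only method. As an added illustration of what that pipeline looks like (this is not the paper's code, feature set or datasets), the following Python constructs flash-crowd and DDoS windows in memory, extracts four assumed per-window features (source-IP entropy, ratio of never-seen sources, mean and variance of requests per source), learns a decision stump (a one-level decision tree) over them, and compares it with a stump restricted to source entropy alone. Every function name, the feature set, the traffic generators and the learned thresholds are assumptions of this example; the constructed botnet is large enough that its source entropy overlaps a genuine crowd's, which is the case an entropy-only detector cannot resolve.

```python
"""Distinguishing flooding DDoS windows from flash-crowd (FC) windows with a
small feature set and a learned decision stump, against an entropy-only
baseline. Added example: not the paper's code, feature set or datasets.
The features, traffic generators and thresholds are assumptions, and all
traffic is constructed in memory."""
import math
import random
from collections import Counter

FEATURES = ("entropy", "new_source_ratio", "mean_req_per_src", "req_per_src_var")


def shannon_entropy(counts):
    """Shannon entropy in bits of a Counter of per-source request counts."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values()) if total else 0.0


def window_features(src_ips, seen_before):
    """Assumed per-window features from the source IP of every request.
    seen_before: sources observed in earlier known-good traffic."""
    per_src = Counter(src_ips)
    distinct = len(per_src)
    if distinct == 0:
        return dict.fromkeys(FEATURES, 0.0)
    rates = list(per_src.values())
    mean_rate = sum(rates) / distinct
    return {
        "entropy": shannon_entropy(per_src),
        "new_source_ratio": sum(ip not in seen_before for ip in per_src) / distinct,
        "mean_req_per_src": mean_rate,
        "req_per_src_var": sum((r - mean_rate) ** 2 for r in rates) / distinct,
    }


# Constructed traffic. Assumption: FC users are many, send a few requests each
# and partly overlap with known clients; bots are all new and each floods at
# a steady rate, so a large botnet has source entropy as high as a real crowd.
def rand_ip(rng, prefix):
    return f"{prefix}.{rng.randint(0, 255)}.{rng.randint(1, 254)}"


def make_flash_crowd(n_users, rng, returning_pool):
    ips = []
    for _ in range(n_users):
        ip = rng.choice(returning_pool) if rng.random() < 0.4 else rand_ip(rng, f"10.{rng.randint(0, 255)}")
        ips.extend([ip] * rng.randint(1, 6))
    return ips


def make_ddos(n_bots, rng, rate=30):
    ips = []
    for _ in range(n_bots):
        ips.extend([rand_ip(rng, "198.51")] * rng.randint(rate - 2, rate + 2))
    return ips


def make_dataset(n_each, rng, returning_pool):
    """List of (features, label); label 1 = DDoS, 0 = flash crowd."""
    seen, data = set(returning_pool), []
    for _ in range(n_each):
        data.append((window_features(make_flash_crowd(rng.randint(300, 2000), rng, returning_pool), seen), 0))
        data.append((window_features(make_ddos(rng.randint(300, 2000), rng), seen), 1))
    return data


# A one-level decision tree (decision stump) stands in for the mined classifier.
def make_pred(name, threshold, above_is_ddos):
    return lambda f: int((f[name] > threshold) == above_is_ddos)


def accuracy(pred, data):
    return sum(pred(f) == y for f, y in data) / len(data)


def learn_stump(data, features=FEATURES):
    """Exhaustively pick the (feature, threshold, direction) with best training accuracy."""
    best = {"accuracy": -1.0}
    for name in features:
        vals = sorted({f[name] for f, _ in data})
        for lo, hi in zip(vals, vals[1:]):
            for above_is_ddos in (True, False):
                acc = accuracy(make_pred(name, (lo + hi) / 2, above_is_ddos), data)
                if acc > best["accuracy"]:
                    best = {"feature": name, "threshold": (lo + hi) / 2,
                            "above_is_ddos": above_is_ddos, "accuracy": acc}
    return best


def run(seed=7):
    rng = random.Random(seed)
    pool = [rand_ip(rng, f"10.{rng.randint(0, 255)}") for _ in range(300)]
    train, test = make_dataset(20, rng, pool), make_dataset(10, rng, pool)
    ent = learn_stump(train, features=("entropy",))      # entropy-only baseline
    full = learn_stump(train)                            # all four features
    as_pred = lambda s: make_pred(s["feature"], s["threshold"], s["above_is_ddos"])
    return {"entropy_only_train_acc": ent["accuracy"],
            "entropy_only_test_acc": accuracy(as_pred(ent), test),
            "stump_feature": full["feature"],
            "stump_test_acc": accuracy(as_pred(full), test)}


if __name__ == "__main__":
    for k, v in run().items():
        print(k, v)
```

Running `run()` trains on 40 constructed windows and scores on 20 held-out ones. Because the botnet and the crowd are both drawn from the same range of source counts, the entropy-only stump cannot separate them on its training data, while the full stump finds a feature that does; in a real deployment the `seen_before` set would come from a baseline of known-good clients and the features from the paper's own profiling, not from these assumptions.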