DDoS Attack Detection Method Based on Network Abnormal Behavior in Big Data Environment
This addresses the problem of time-delay and low detection rates in DDoS attack detection for network security, but it appears incremental as it builds on existing methods with specific improvements.
The paper tackles DDoS attack detection by proposing a method based on network abnormal behavior in big data environments, which filters 'many-to-one' flows and uses a defined network abnormal feature value (NAFV) to improve accuracy, resulting in higher detection rates and lower false alarm and missing rates compared to similar methods.
Distributed denial of service (DDoS) attack becomes a rapidly growing problem with the fast development of the Internet. The existing DDoS attack detection methods have time-delay and low detection rate. This paper presents a DDoS attack detection method based on network abnormal behavior in a big data environment. Based on the characteristics of flood attack, the method filters the network flows to leave only the 'many-to-one' network flows to reduce the interference from normal network flows and improve the detection accuracy. We define the network abnormal feature value (NAFV) to reflect the state changes of the old and new IP address of 'many-to-one' network flows. Finally, the DDoS attack detection method based on NAFV real-time series is built to identify the abnormal network flow states caused by DDoS attacks. The experiments show that compared with similar methods, this method has higher detection rate, lower false alarm rate and missing rate.