DocumentCode
2169573
Title
An unsupervised approach for detecting DDOS attacks based on traffic-based metrics
Author
Lu, Wei ; Traore, Issa
Author_Institution
Dept. of Electr. & Comput. Eng., Victoria Univ., BC, Canada
fYear
2005
fDate
24-26 Aug. 2005
Firstpage
462
Lastpage
465
Abstract
Recently, distributed denial of service (DDoS) attacks have been widely used to compromise computer systems and a lot of free DDoS attacking tools can be easily obtained from the public network. Although many mechanisms were suggested to prevent DDoS attacks, most of them lack effectiveness and efficiency. Moreover, trace back and prevention for DDoS intrusions are almost impossible because of the distribution and large number of attacking hosts, and the difficulty of identifying their location due to source IP address spoofing. We define in this paper a new traffic-based metric named IPTraffic by studying the basic principle of DDoS attacks. An outlier detection algorithm based on Gaussian mixture model (GMM) is used to analyze the value of IPTraffic, and then make intrusion decisions according to the outlier detection result. We evaluate our approach on a live networking environment and the experimental results show that the proposed approach not only can detect DDoS attacks effectively but can also provide an efficient response to these attacks.
Keywords
Gaussian processes; IP networks; telecommunication security; telecommunication traffic; DDOS attacks; Gaussian mixture model; IP address spoofing; IPTraffic; computer systems; distributed denial of service attacks; traffic-based metrics; Algorithm design and analysis; Computer crime; Computer networks; Detection algorithms; Distributed computing; Intrusion detection; Telecommunication traffic; Traffic control;
fLanguage
English
Publisher
IEEE
Conference_Titel
Communications, Computers and Signal Processing, 2005. PACRIM. 2005 IEEE Pacific Rim Conference on
Print_ISBN
0-7803-9195-0
Type
conf
DOI
10.1109/PACRIM.2005.1517326
Filename
1517326