Title :
Spatial correlation detection of DDoS attack
Author :
Li, Zonglin ; Hu, Guangming ; Yao, Xingmiao
Author_Institution :
Key Lab. of Broadband Opt. Fiber Transm. & Commun. Networks, Univ. of Electron. Sci. & Technol. of China (UESTC), Chengdu, China
Abstract :
DDoS attack flows distributed over many links exhibit a directional nature: they are usually generated by certain tools and originate from different nodes, but have inherent spatial dependencies when transiting the network. This causes the correlation between the traffic where they traverse to deviate from the norm. Taking advantage of this feature, we propose a spatial correlation detection method, deployed in the backbone network, to combat DDoS attacks. To do so, we first approximately estimate the abnormality of every origin-destination (OD) flow by comparing observations with predictions; then, for OD flows with the same destination, we extract the spatial correlation between their abnormality estimations by principal component analysis (PCA). An abrupt change in spatial correlation indicates that a DDoS attack is occurring. We evaluate the detection performance of our method in detecting synthetic DDoS attacks injected into real backbone traffic, using the receiver operating characteristic (ROC) curve. The contribution of this paper is that utilizing the spatial correlation between attack flows, rather than purely the volume of the attack, enables us to detect relatively small attacks masked in the tremendous traffic of a backbone network. Moreover, in contrast to the centralized computation of previous network-wide anomaly detection methods, our method can be deployed separately in each node, so that it can adapt to networks of different sizes and is thus scalable.
Keywords :
approximation theory; principal component analysis; telecommunication security; telecommunication traffic; DDoS attack; approximation theory; backbone network; network traffic; origin destination flow; principal component analysis; receiver operating characteristic curve; spatial correlation detection; Aggregates; Bandwidth; Communication networks; Computer crime; Computer networks; Floods; Optical fiber dispersion; Optical fibers; Spine; Telecommunication traffic;
Conference_Title :
Communications, Circuits and Systems, 2009. ICCCAS 2009. International Conference on
Conference_Location :
Milpitas, CA
Print_ISBN :
978-1-4244-4886-9
Electronic_ISBN :
978-1-4244-4888-3
DOI :
10.1109/ICCCAS.2009.5250511