Systems Science & Control Engineering

An Open Access Journal

ISSN: (Print) 2164-2583 (Online) Journal homepage: https://www.tandfonline.com/loi/tssc20

A review of detection approaches for distributed

denial of service attacks

Parneet Kaur, Manish Kumar & Abhinav Bhandari

To cite this article: Parneet Kaur, Manish Kumar & Abhinav Bhandari (2017) A review of detection
approaches for distributed denial of service attacks, Systems Science & Control Engineering, 5:1,
301-320, DOI: 10.1080/21642583.2017.1331768

To link to this article: https://doi.org/10.1080/21642583.2017.1331768

© 2017 The Author(s). Published by Informa

UK Limited, trading as Taylor & Francis
Group

Published online: 20 Jul 2017.

Submit your article to this journal

Article views: 2893

View Crossmark data

Citing articles: 2 View citing articles

Full Terms & Conditions of access and use can be found at

https://www.tandfonline.com/action/journalInformation?journalCode=tssc20
SYSTEMS SCIENCE & CONTROL ENGINEERING: AN OPEN ACCESS JOURNAL, 2017
VOL. 5, NO. 1, 301–320
https://doi.org/10.1080/21642583.2017.1331768

REVIEW

A review of detection approaches for distributed denial of service attacks

Parneet Kaur, Manish Kumar and Abhinav Bhandari
Department of Computer Engineering, Punjabi University, Patiala, India

ABSTRACT ARTICLE HISTORY

Distributed Denial of Service (DDoS) attacks are the intimidation trials on the Internet that depletes the Received 12 December 2016
network bandwidth or exhausts the victim’s resources. Researchers have introduced various defense Accepted 15 May 2017
mechanisms (such as attack prevention, traceback, reaction, detection, and characterization) against KEYWORDS
DDoS attacks, but such attacks are still growing year by year, and the ideal solutions of this problem DDoS attacks; defense
are eluded so far. In the past, various signature-based and anomaly-based approaches were intro- mechanisms; detection
duced for the detection of DDoS attacks, but only a few of them have focused on the nature of approaches
anomalies. Most of the detection approaches do not provide efficient real-time detection with high
detection rate and low faux pas. In this paper, a classification of detection approaches against DDoS
attacks has been presented with an aim to go deep insight into the DDoS problem for the begin-
ners in this research area. The detection approaches have been explained along with their pluses
and minuses. Further, this review paper includes the different functional classes to which the detec-
tion approaches belong to. In the end, a comparison of signature-based, anomaly-based and hybrid
detection approaches is depicted in tabular form.

1. Introduction
Every computer connected to the Internet is an attrac-
In the present era, the services like banking, electronic tive target for attackers for making bots or zombies,
commerce, social networking (chat rooms) and news- even if the user does not know about it. Zombies are
groups are directed through the Internet (Zhou, Leckie, enrolled through the use of worms, backdoors or Tro-
& Karunasekera, 2010). Denial of Service (DoS) attacks jan horses by sending an e-mail content, a captivating
may impede the rise and continuity of these Internet- link, or a trust-inspiring sender address to the vulnera-
based applications. It disrupts or degrades the network ble machines (Prasad, Mohan, & Rao, 2014; Saman & Tip-
services (by depleting the network bandwidth or router per, 2013). Sometimes, the data originates from a single
processing capacity) or victim resources (by exhausting bot is very small, but the cumulative traffic from a suffi-
disk or database bandwidth, file descriptors, buffers, sock- cient number of bots emerging at the end user’s system
ets, CPU cycles, memory) and stops the legitimate user is enormous that exhaust its resources. Therefore, Low-
from accessing a specific Internet service (Saman & Tip- rate DDoS (LDDoS) attacks are devastating and harder to
per, 2013). Such attacks hog the victim’s resources so expose as the traffic appears to be normal that a partic-
that it cannot respond to the services requested by an ular link can control (Zhang, Cai, Chen, Luo, & Yin, 2012).
authenticated user. On the other hand, High-rate DDoS (HDDoS) attacks are
Distributed Denial of Service (DDoS) attacks are the quickly recognized with the prevailing detection meth-
global attacks and have become a severe problem of ods. Nowadays, DDoS attacks are conducted in the form
today’s Internet. DDoS attacks are adroit in nature that of packet flooding and link flooding attacks. Such attacks
follows the same techniques as regular DoS attacks, but have increased on the Internet because the attacker
performs the attack on a much larger scale through bot- knows what information can be obtained where and how.
nets (Douligeris & Mitrokotsa, 2004) as shown in Figure 1. Due to the presence of vulnerabilities in Internet proto-
A botnet is a wide chain of hundreds or thousands of cols, web applications, and operating systems, it becomes
remotely controlled compromised hosts (zombies or bots easy for the attacker to launch such attacks. Such attacks
or slave agents) under the control of one or more intrud- are performed with the motives like hactivism (to gen-
ers to attack a particular victim. erate media attention), to gain profit through extortion

CONTACT Parneet Kaur [email protected]

© 2017 The Author(s). Published by Informa UK Limited, trading as Taylor & Francis Group.
This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use,
distribution, and reproduction in any medium, provided the original work is properly cited.
302 P. KAUR ET AL.

Figure 1. Modus operandi of DDoS attacks.

(like blackmailing), personal reasons (like revenge or dis- launched by the attackers (Mousavi, 2014). The average
putes), economical reasons (nastiness) and due to politi- attack volume reached at 48.25Gbps in the first quar-
cal reasons (Prasad et al., 2014). The most common targets ter of 2013, which is 718% more as compared to the
for these dreadful assaults are the gaming, media, web last quarter of 2012 (Mousavi, 2014). In recent times,
applications and software industries. DDoS attacks have become smaller in duration. Accord-
The rest of this paper is organized as follows: Section 2 ing to (Questions to ask your DNS host about DDoS),
describes the background of DDoS attacks and need the largest recorded DDoS attacks have grown 1000%
of detection against DDoS attacks. Section 3 classi- since 2008, from 40 Gbps to 400+ Gbps in 2013 and
fies detection approaches according to their function- such attacks happen at an average rate of 3000 times
alities. Section 4 provides the comparison of detection a day. According to a survey by Verisign, there is an
approaches. Section 5 presents the various issues of exist- increase of 111% in DDoS attacks every year (Verisign).
ing detection approaches. Finally, Section 6 concludes Verisign mitigated 85% more attacks in the fourth quar-
the paper and Section 7 presents the future directions in ter of 2015 as compared to fourth quarter of 2014 (Bis-
this research area. son). In 2015, the largest attack was about 500 Gbps
that disrupted an entire ISP’s network of the coun-
try of Kenya (Baraniuk). DDoS attack was conducted
2. Background and motivation
against the BBC website to 602 Gbps in the first quar-
This section presents the history as well as the basic ter of 2016 (Khandelwal). According to the records in
strategy of DDoS attacks. It also depicts the need of (Woolf, 2016), the largest DDoS attacks in the history
defense mechanisms against such attacks. DDoS attacks was orchestrated in October,2016 using a new Mirai
are not new offenses against web applications (Li, Kao, botnet against the servers of an American company
Zhang, Chuang, & Yen, 2015). Initially, DDoS attacks named as Dyn, that steer much of the Internet’s Domain
were launched in August, 1999 against different orga- Name System (DNS) infrastructure. Mirai was the pri-
nizations and continued attacking the various websites mary source of pernicious attack traffic. Unlike other
like Yahoo, Amazon, Buy.com, CNN and eBay since then botnets, Mirai botnets had used the Internet of Things
(Bhuyan, Kashyap, Bhattacharyya, & Kalita, 2014; Burago- (IoT) devices such as digital cameras and DVR players
hain, Kalita, Singh, & Bhattacharyya, 2015). In 2009, a to bring down the websites (including Twitter, Netflix,
DDoS attack was launched that disrupted the network the Guardian, CNN, Reddit, and many others) in Europe
services of most popular websites like Live Journal, Face- and US. According to the estimates of Dyn, the attack
book, Amazon, and Twitter (Acohido & Swartz, 2009). had prodigious attack strength of 1.2 terabits (1200 giga-
In 2010 and 2011, more than 75,000 computer systems bytes) per second and had intricate ‘100,000 malicious
in 2500 organizations and 4 million computers in 100 agents’. As stated in (Bhandari, Sangal, & Kumar, 2015),
countries were affected by DDoS attacks respectively (Li the average strength of DDoS attacks has been shown in
et al., 2015). Each day, more than 7000 DDoS attacks are Figure 2.
 SYSTEMS SCIENCE & CONTROL ENGINEERING: AN OPEN ACCESS JOURNAL 303

Figure 2. Strength of DDoS attacks in Gbps (Bhandari et al., 2015).

Basically, DDoS attacks are of two types namely

flooding attacks and vulnerability attacks (Nadiammai &
Hemalatha, 2014; Prasad et al., 2014) as described in
Figure 3. In flooding attacks, the attacker sets a zombies
army to send junk or attack packets to the destination
in order to raise the traffic to a level that a victim can-
not handle and the victim system brings down or crashes
(Prasad et al., 2014). On the basis of attack mechanism,
(Aggarwal & Gupta, 2015) categorize the flooding attacks
into direct and indirect (through reflectors) DDoS attacks.
On the basis of protocol level that is targeted, flood-
ing attacks are grouped into Network/Transport level (Net-
DDoS attacks) and Application level DDoS flooding attacks Figure 3. Types of DDoS attacks.
(App-DDoS attacks) (Saman & Tipper, 2013). The attacks
like TCP, UDP, and ICMP flooding comes under the cat-
Internet hosts like weak protocols, inadequate authenti-
egory of Net-DDoS flooding attacks while HTTP flood-
cation plans, unprotected computer systems and oper-
ing comes under App-DDoS flooding attacks. In (Xie &
ating systems that are used to originate a DDoS attack
Yu, 2009a, 2009b), the authors introduce the App-DDoS
(Gupta, Misra, & Joshi, 2012). Prevention schemes are the
attacks and discuss the incapability of network-level
best solutions to secure the weak systems as well as the
detection methods for catching the App-DDoS attacks.
protocols and are needed to raise the global security
These attacks are growing rapidly, harder to detect and
level (Gupta et al., 2012). Attack detection schemes expose
cause severe problems in accessing a particular on-line
the attacks after they actually happen and characteriza-
service (or web server) as compared to the Net-DDoS
tion departs the attack packets from the normal traffic,
attacks. In vulnerability attacks, the attacker browses for
for example, signature-based and anomaly-based detec-
unprotected openings in the software implementation
tion techniques. Traceback schemes attempt to hinder
and exploits them to bring the system down or to recruit
the malicious packets at their origin and find the attack
zombies for further attacks. These attacks use the exacted
source despite the spoofed source IPs before or after the
performance of different protocols (such as TCP and
attack occurrence. Attack reaction schemes try to mini-
HTTP) to ravage the resources of the victim server and
mize the loss caused by DDoS attack when it is underway.
prevent it from processing events or requests from the
This phase decreases the attack influence and maximizes
authorized users.
the quality of services delivering to the legitimate users
under attack.

2.1. Defense mechanisms

2.2. Detection
DDoS defense system consists of four phases: Attack pre-
vention, Attack detection and characterization, Traceback When a system is under DDoS attack, unexpected fluctua-
and Attack reaction (Douligeris & Mitrokotsa, 2004). Attack tions in the network traffic are noticed. Detection systems
prevention tries to suspend attacks before they actually are software or hardware products that automatically
occur. Attack prevention schemes fix security holes in monitor the abrupt changes in the network and analyze
304 P. KAUR ET AL.

Figure 4. Classification of detection approaches.

the detection process (Gyanchandani, 2012). In the detec- introduction to different metrics has been depicted in
tion phase, DDoS attacks are detected and legitimate order to compare the detection methods.
packets are distinguished from attack packets. Detec-
tion methods recognize DDoS attacks with the directory
of known (or familiar) attack patterns or by identifying
3.1. Approaches
irregularities in standard network behaviour (Douligeris This sub-section begins with the review of existing
& Mitrokotsa, 2004). Due to the lack of clear DDoS attack approaches to DDoS attack detection. Though a diver-
profile or signature, the detection schemes observe unex- sity of detection approaches has been proposed in
pected shifts in IP packet traits or traffic volume to catch the research in preceding years, but the security tools
these appalling attacks. Attack detection methods erect with detection capabilities have several important obsta-
a model or profile by observing the regular functioning cles that remain to be solved. The choice of detec-
of the interface, validate the incoming flux against the tion approach totally depends on the various factors
paradigm and discover oddities with the perpetual shifts such as the type of anomalies, processing data type
in the network. The detection approaches can be imple- and behaviour, working environment of the organiza-
mented locally, to protect a particular victim or remotely, tion, computational cost, and the required security level
to expose propagating attacks in the core network. Early (Raut & Singh, 2014). Moreover, the performance of the
detection and the detection accuracy of DDoS attacks detection schemes depends on how well it is oper-
have become the critical measures for the realization of ated and tested on all network protocols. Nowadays,
a defense system. So, every detection technique should Soft Computing or Artificial Intelligence-based meth-
outline normal traffic intelligently, accurately, and recog- ods are applied extensively for the attack detection
nize aberrations with high normal packet survival ratio, (Singh, Hans, Kumar, & Singh, 2015). On the basis of
low false positive and false negative ratios and it should analysis methods, detection approaches are classified
be cost effective in terms of resource consumption and into Signature-based, Anomaly-based and Hybrid detection
per packet computations. (Agarwal & Mittal, 2012; Wu & Yen, 2009) as described
in Figure 4.

3. DDoS attacks detection: approaches,

3.1.1. Signature-based detection
functional classes and metrics
Signature-based detection is also known as Misuse detec-
This section introduces the classification of different tion, Pattern detection, Knowledge-based or Rule-based
detection approaches and their functional classes. A brief detection. This approach captures the required behaviour
 SYSTEMS SCIENCE & CONTROL ENGINEERING: AN OPEN ACCESS JOURNAL 305

from the available datasets (such as protocol stipulations, the database if they pass the test and send a sufficient
network traffic occurrences) and also collects facts about number of packets until a session window expire. Various
various attacks and system exposures. It uses the acquired methods are used to construct attack signatures with the
expertise to identify the occurrence of anomalous events help of State Transition Analysis, Expert Systems, Petri Nets,
and produces an alarm if an attack is identified (Garcia- Description Languages and Adept Systems.
Teodoro, Diaz-Verdejo, Macia-Fernandez, & Vazquez,
2009). It uses an index of ‘signatures or patterns’ of pub-
lic attacks and matches the incoming traffic with the
3.1.1.1. State transition analysis. This approach repre-
sents the attack patterns with state transition diagrams
stored patterns to identify the attack instances (Agarwal
(Wu & Yen, 2009). In this approach, an attack is viewed
& Mittal, 2012). This approach is effective only in case
as a chain of actions from an initial state of the system
of known attacks because new attacks or slightly mod-
to the target compromised state (Gyanchandani, 2012). It
ified old and known attacks go unrecognized as they
uses a list of key actions which are required for launching
don’t have signatures in the database (Chauhan, Mishra,
a favourable attack (Raut & Singh, 2014). The complex-
& Kumar, 2012; Lee & Xiang, 2001). The signatures and
ity of the system rises with the increase in a number of
patterns of various attacks consist of several fields of IP
states and parameters that do not remain constant over
packets (source and target IPs, ports and the keywords in
the network. It is an offline-detection mechanism against
the payload of a packet) (Xia, Qu, Hariri, & Yousi, 2005).
DDoS attacks. Wang, Phan, Whitley, and Parish (2010) pro-
Such systems are too slow and depend on the fault con-
pose an Augmented Attack Tree (AAT) based anti-DDoS
ditions (or behaviour) of the victim system. Fault con-
model that captures the network behaviour from the vic-
ditions may arise due to a large number of open TCP
tim server and transforms into state transitions to detect
connections, excessive utilization of bandwidth and due
different types of attacks.
to the exceeded total throughput (Thottan & Ji, 2003).
SNORT (Gupta et al., 2012), BRO (Gupta et al., 2012), IDES
(Xia et al., 2005), and INBOUNDS (Xia et al., 2005) tech- 3.1.1.2. Expert systems. This approach builds a set of
niques are based on signature-based detection approach. rules to specify the well-known attacks and draw some
Nowadays, this approach is followed only by the net- conclusions from the rules and facts. Then the incoming
work administrator (Nadiammai & Hemalatha, 2014). Wu, traffic instances are matched against the rules to check
Tseng, Yang, and Jan (2011) present a detection method whether any rule is satisfied and detect the inconsis-
consists of classification trees and a traffic pattern match- tent behaviour of the system (Thottan & Ji, 2003). But
ing algorithm. The classification trees separate the DDoS this approach requires re-building the rule frequently to
traffic from normal traffic after analyzing the incoming assist the newly discovered vulnerabilities (Gyanchan-
and outgoing packet rate, transmission rate, TCP, SYN and dani, 2012).
ACK flag rate. A pattern matching algorithm is used to
detect the traffic flow that is identical to attack flow and
looks for the origin of the attack. In (Limwiwatkul & Rung- 3.1.1.3. Petri nets. In this approach, complex attacks
sawang, 2004), the authors analyze the TCP/IP packets signatures are written manually by the system administra-
against some well-marked rules and conditions to dis- tors with IDIOT tool (Gyanchandani, 2012). The approach
tinguish the attack and regular traffic. In (Thapngam, Yu, is conceptually simple to build attack signatures and the
Zhou, & Beliakov, 2011), the authors use the transmission signatures are represented in graphical form. It is com-
rate to recognize the attack traffic. This study shows that putationally very expensive to match the complex signa-
transmission rate of attack traffic is high as compared to tures with new traffic instances.
real network traffic because the slave agents under the
command of their masters generate the attack traffic in a
3.1.1.4. Description scripts. Various scripting languages
very short time frame while the regular traffic waits for the
are used to describe attack signatures on the system and
server’s response thereby extend the time period. Such
networks. Scripting languages identify the series of dis-
methods cannot detect efficiently because the attackers
tinct events that are representative of various attacks
can easily send the mimic attack traffic towards the vic-
(Rama, 2011).
tim using flash events. Thomas, Mark, Johnson, and Croall
(2003) describe detection scheme called NetBouncer that
prepares a database of legitimate users. If the incom- 3.1.1.5. Adept systems. This approach uses the human
ing packets do not belong to a legitimate client, then expertise to solve the problem of uncertainties in attack
the packets need to prove their legitimacy through a signatures. Adept systems are prepared based on com-
series of legitimacy tests. The new clients are added to prehensive knowledge of signatures linked with popular
306 P. KAUR ET AL.

attacks that are presented by specialists from their past various parameters of normal traffic (like activity mea-
experience (Rama, 2011). sures i.e. login and logout time for each session, traffic
rate, CPU time used, packet rate for each protocol and
3.1.2. Anomaly-based detection the number of different IP addresses). A statistical infer-
Anomaly-based detection approach (also known as nov- ring analysis (like χ 2 -test) is practiced to decide if an
elty detection, outlier detection, behaviour based or one- unseen case refers to the statistical basis or not. The test
class learning scheme) is capable of detecting new, examples having a low probability (i.e. certain thresh-
unknown and novel (unidentified) attacks. This approach olds or baselines are not met) are declared as anomalies
mirrors the standard network behaviour and compares (Chandola et al., 2009; Garcia-Teodoro et al., 2009; Gyan-
it with the incoming data instances (Alenezi & Reed, chandani, 2012; Lazarevic, 2016). Moreover, the detection
2012). When the divergence between an observed and method assigns a score to each anomalous activity. If the
expected behaviour surpasses a predefined threshold, anomaly score exceeds the baseline, the system gener-
the detection system generates an anomaly alarm; hence ates an anomaly alarm. Statistical methods are deployed
an attack is disclosed (Garcia-Teodoro et al., 2009; Xiang, at any network (source-end, victim-end, and core-end
Li, & Zhou, 2011). Anomaly-based schemes produce a lot network) for the discovery of Net-DDoS attacks (Mirkovic,
of false signals due to the varying nature of a system Prier, & Reiher, 2002; Nguyen & Choi, 2010; Prasad et al.,
or network behaviour and uncertainties present in the 2014) as well as App-DDoS attacks (Jin & Yeung, 2004;
acquired data. The input to a detection approach can be Thottan & Ji, 2003; Xie & Yu, 2009). SSM (Prasad et al.,
in the form of individual data instances (such as an object, 2014), CAT-DCP (Chen, Hwang, & Ku, 2007), ARIMA model
vector, point, observation (Chandola, Banerjee, & Kumar, (Zhang, Jiang, Wei, & Guan, 2009) are widely used sta-
2009) or a collection of data instances. Data instances tistically based detection technique. A batch detection
may or may not relate to each other. Each input instance method has been proposed in (Blazek, Kim, Rozovskii, &
has a set of attributes and each attribute can be discrete, Tartakovsky, 2001), to identify attack instances by ana-
categorical or continuous in nature. Most of the detec- lyzing the statistical changes. D-WARD (Bhuyan et al.,
tion schemes deal with the individual input instances 2014; Mirkovic et al., 2002) and MULTOPS (Gil & Poletto,
in which there is no relationship among the different 2001) techniques offer the features of filtering and rate-
instances (Chandola et al., 2009). On the basis of nature limiting on incoming traffic at the source-end. On the
of anomalies, detection approaches are sub-categorized other hand, COSSACK (Papadopoulos, Lindell, Mehringer,
into Point anomaly, Contextual anomaly, and Collective Hussain, & Govindan, 2003) and DefCOM (Mirkovic &
anomaly-based detection. Collective anomaly detection Reiher, 2005) techniques detect the flooding attacks at
approach has become the most challenging research field the victim-end and inform the filters or the rate lim-
as compared to point and contextual anomaly detection. iters installed at the source-end. In (Chen & Song, 2005),
the authors introduce a perimeter-based method for ISP
3.1.2.1. Point anomaly-based detection. If a single located on boundary routers to detect the attack gener-
data instance is considered as an anomaly as compared ator. CUSUM scheme discussed in (Alenezi & Reed, 2012;
to the remaining dataset, then the approach is known Carl, Kesidis, Brooks, & Rai, 2006) observes the unstable
as Point anomaly-based detection. Nowadays, it is the fluctuations in the traffic from the long-term network per-
most significant and interesting field of the research on formance. When the aggregate difference exceeds the
anomaly-based detection. Various approaches have been threshold, the system generates an anomaly alarm. In
adopted to recognize point anomalies in the network (Peng, Leckie, & Ramamohanarao, 2004; Wang, Zhang,
traffic namely Statistical Methods, Data Mining, Artificial & Shin, 2004), the authors suggests the source IP based
Intelligence (AI) Based, Information Theoretic Based, Nearest detection methods that monitor the changes in network
Neighbour Based Detection which are described below: traffic behaviour at the gateway level. Statistical meth-
Statistical methods: Statistical methods used in ods are categorized into Parametric and Non-parametric
anomaly detection systems prepare a model (Chandola detection.
et al., 2009) or normal profile (Esposito, Mazzariello, Parametric detection: Parametric methods assume that
Oliviero, Romano, & Sansone, 2007; Prasad et al., 2014) to the system has experience of latent distribution and
represent the assumptive behaviour of a system (or net- assess the statistical specifications from the given data
work) and continuously monitors the bi-directional traffic (Garcia-Teodoro et al., 2009). The techniques like Sta-
runs between the victim network and the rest of the Inter- tistical Moments, Operational (or Threshold Based) Model,
net in on-line as well as off-line detection mode (Xie & Gaussian Model, Regression Model and Spectral Analysis
Yu, 2006; Xie & Yu, 2009). This is basically done by mea- comes under the category of parametric detection (Chan-
suring statistical properties (i.e. means and variances) of dola et al., 2009).
 SYSTEMS SCIENCE & CONTROL ENGINEERING: AN OPEN ACCESS JOURNAL 307

(a) Statistical moments technique detects peculiarities in multivariate time-series

data (Munz & Carle, 2007). Cheng, Kung, and Tan (2002)
In this scheme, a specified confidence range or an introduce a spectral analysis based detection method to
interval is set based on statistical properties (correlations identify the attack flows. An anomaly detection proce-
or moments) like statistical mean, standard deviation. If dure on the basis of wavelet transmutation and the prob-
any event drops outward the set interim i.e. above or ability assumption has been introduced in (Li & Li, 2009).
below the moment, it is declared as anomalous. This A two-phase automated detection method has been pre-
scheme offers more flexibility as compared to opera- sented in (Dainotti, Pescape, & Ventre, 2009) that consist
tional model because the confidence range depends on of the change point detection technique and consecutive
the observations that can vary from user to user (Rama, wavelet alterations to identify the exceptional profiles in
2011). Therefore, it gives higher weights to the recent the network traffic. In (Bhuyan et al., 2014), the authors
activities. introduce an energy distribution based wavelet analysis
for the exposure of DDoS attacks.
(b) Operational (or Threshold based) model Non-parametric detection: In this approach, the sys-
tem has no knowledge of potential distribution and it
In this detection scheme, we compare the given obser- prepares a model from the given observations (Chan-
vation (or an event) with a predefined limit (upper limit dola et al., 2009). Various approaches like Markov Model,
is n and the lower limit is m or 0). When the count of Histogram-Based and Time Series Model come under the
events that occur during a particular period is more than category of non-parametric detection.
‘n’ or less than ‘m’ then the detection system generates
an alarm and detects the anomalies. For example, when (a) Markov model
the count of password failure exceeds the threshold, the
system results in failed log-in (Gyanchandani, 2012; Rama, This approach uses an event counter metric to ascer-
2011; Raut & Singh, 2014). Moreover, the threshold is tain the consistency of particular events on the basis of
based on the mean of various parameters or metrics. This the previous event and uses a state transition matrix to
scheme is effective only if there are not any intermittent define the likelihood of an appropriate event (Gyanchan-
variations in standard data behaviour and the tolerant dani, 2012; Raut & Singh, 2014). This scheme works by
level of an appropriate event needs to be recognized scrutinizing the system at regular interludes and sustains
in advance (Gyanchandani, 2012; Islam & Jamil, 2005). If an account of its state. Each observation in the system is
the malicious activities have more than one event or the treated as a state and whenever an event occurs the sys-
threshold limits are not significant, the scheme cannot tem changes its state (Rama, 2011). When the system’s
detect anomalies efficiently. state changes, if the computed probability of the occur-
rence of that particular state is miniature at a given instant
(c) Spectral analysis then that situation is thought as unusual (Rama, 2011).
In this model, computed state change possibilities are
High-dimensional datasets are used for the detection the isolated parameters to identify anomalies and sys-
purpose. It is very difficult to store, process, transmit tem state is directly perceptible. It looks for the transitions
and understand the huge amount of multidimensional between certain activities or commands where strings of
datasets. It makes the detection technique more com- activities are particularly significant. It is ineffective for
plex and expensive. In order to handle the multidimen- real-time services where a considerable large traffic and
sional datasets effectively, spectral analysis approach is event rates occur in high-speed networks (Patcha & Park,
used (Alenezi & Reed, 2012; Patcha & Park, 2007). This 2007).
approach converts a collection of attributes of correlated
variables into a reduced set of linearly uncorrelated prin- (b) Histogram-based detection
cipal components and outlines the variations in the col-
lected data (Chandola et al., 2009; Xie & Yu, 2009). It Frequency based and counting based histograms are
transforms a high-dimensional space into lower dimen- used to formulate a profile of normal data. A test instance
sional subspaces (such as embeddings or projections), is considered as normal if it comes in any of the contain-
where normal and abnormal behaviour is represented dif- ers (or bins) of the histogram, otherwise, it is treated as
ferently and anomalies are easily identified. This approach anomalous. An anomaly score is ascribed to a test case
is also termed as Signal processing based detection or based on the frequency or height of a particular bin to
Wavelet analysis (Purwanto, Kuspriyanto, Hendrawan, which the instance belongs to. If the test instances slip
Rahardjo, 2014). Principal Component Analysis (PCA) outside or in the empty region in case of small size bins, it
308 P. KAUR ET AL.

results in high false alarm rate. If the anomalous instances bottom-up approaches are used to build a decision tree.
drop in the bins of the histogram in the case of large This method rests on the availability of correct labels for
size bins, it results in high false negative rate. Therefore, standard class instances, which is not feasible. Therefore,
optimal size bins should be preferred to construct the his- the label assigned to each test instance shows some dif-
tograms in order to overcome the high false alarm ratio ficulty in assigning an anomaly score to each test case
and false negative degree. Other variants of histogram (Gyanchandani, 2012). Multi-class techniques use persua-
based non-parametric statistical detection are IS Statis- sive algorithms to separate the instances referring to dis-
tics, Packet Header Anomaly Detection (PHAD), Application tinct classes. In (Lee, Stolfo, & Mok, 1999), the authors
Layer Anomaly detection (ALAD) (Chandola et al., 2009). develop a classifier that extracts the system features to
This scheme is used for system call based and web-based represent the programme and user behaviour in order to
anomaly detection. recognize the anomalies in the network traffic.
Clustering: In clustering data mining techniques, the
(c) Time series model system finds the hidden patterns from unlabelled data
with different proportions (number of attributes). It is
This scheme includes an interlude timer, along with based on natural grouping of similar data instances. The
an event counter (or resource measure) as in the case of entities or records that do not belong to any of the clus-
threshold scheme and a statistical database is prepared ters (i.e. by-product of clusters) are treated as an unusual
that reckons the order, the inter-arrival moments as well activity or an attack (Barbara, Wu, & Jajodia, 2001). Com-
as the values of observations (Garcia-Teodoro et al., 2009; plex data types are handled properly by the support-
Gyanchandani, 2012; Rama, 2011). The observations ing clustering algorithms (Gyanchandani, 2012). As stated
(observed traffic) with low possibilities of their occur- in (Chandola et al., 2009), several clustering algorithms
rence are viewed as anomalous. In this method, anoma- like DBSCAN, ROCK, SNN, FindOut, WaveCluster algorithms
lies are the data points straying from normal patterns. have been introduced to detect the normal clusters
The detection system measures the network behaviour and the residual instances are treated as anomalous.
over time and detects various shifts in behaviour. There- Besides these, various clustering-based methods namely
fore, when the attacks are performed in the form of series, Grid-based, Model-based, Density-based, Partitioning and
they are easily detected. When swift changes in the com- Hierarchical clustering techniques were discussed in (Pei,
mon network behaviour occur due to anomalous condi- Upadhyaya, Farooq, & Govindaraju, 2004). It has been
tions, the scheme cannot detect effectively (Gyanchan- mentioned in (Jin & Yeung, 2004) that clustering methods
dani, 2012). Cabrera (Cabrera et al., 2001) introduce a are applied to extract the HTTP-based flash passes from
detection method using time series analysis that consists the App-DDoS attacks traffic. But, this approach is inef-
of a correlation process and statistical tools like Granger fective in case the new instances (anomalies) form their
Causality Test (GCT) and Auto-Regressive Model for the own clusters among themselves (Chandola et al., 2009;
identification of DDoS attacks. Gyanchandani, 2012).
Data mining: Data mining approach is based on ‘pat- Associative rule mining: Nowadays, this approach is not
tern finding’ (Garg & Chawla, 2011). It uses the statisti- much popular and it is being displaced by other data
cal model to extract the useful, previously ignored (or mining methods. This approach discovers the anomalies
hidden) patterns and their relationships, from the large by analyzing the correlation between different attributes
data stores or entire domain (Aggarwal & Gupta, 2015). (Barbara, Couto, Jajodia, & Wu, 2001; Chauhan et al.,
It decreases the amount of data that must be focused to 2012). It is based on Boolean association rules and finds
detect (or uncover) the real attacks (Dickerson & Dicker- the regularities between the attributes. In case the sys-
son, 2000; Gyanchandani, 2012; Narayana, Prasad, Srivid- tem manipulates a large number of attributes, the detec-
hya, & Ranga, 2011; Raut & Singh, 2014). This approach tion process becomes slow in execution time (Tajbakhsh,
offers high detection accuracy when combines with Artifi- Rahmati, & Mirzaei, 2009). Moreover, processing an abun-
cial Intelligence or Machine Learning methods. Data min- dance of rules is a challenging task for this approach.
ing methods are categorized into Clustering, Classification Artificial intelligence-based detection: In this approach,
and Associative rule mining based detection. the detection system can change its execution procedure
Classification: This approach tries to divine the class of on the basis of recently collected data (Patcha & Park,
a new, previously unseen data instances on the basis of 2007). The system can improve its performance on certain
class-labelled training dataset and a decision tree (or clas- test cases on the basis of prior results. This approach coin-
sification tree) (Ektefa, Memar, Sidi, & Affendey, 2010) is cides with data mining methods or statistical methods
adopted to analyze each instance as normal or malicious which focus on getting the rules that generate the new
(Gyanchandani, 2012; Raut & Singh, 2014). Top-down and data (Garcia-Teodoro et al., 2009; Patcha & Park, 2007). It
 SYSTEMS SCIENCE & CONTROL ENGINEERING: AN OPEN ACCESS JOURNAL 309

offers the features of robustness, parallelism, and toler- are deployed at victim-end to analyze the network traf-
ance of imprecision, faults, and uncertainty (Prasad et al., fic and sends the attack source IPs to the filtering unit
2014). Machine Learning and Soft Computing methods and attack call component. A classification algorithm was
are the sub-areas under the Artificial Intelligence-based introduced by (Raj & Selvakumar, 2011), that consists of
(AI-based) approach. Machine learning includes the tech- RBP neural networks and Neyman-Pearson cost minimiza-
nologies like Bayesian Decision Theory, Linear Discrimina- tion strategy to distinguish the attack and standard traffic.
tion, Multivariate Methods, Multilayer Perceptrons, Cluster- Bayesian networks: Bayesian approach for DDoS attack
ing, Classification Trees, Local Models, Hidden Markov Mod- detection is used as a combination of Bayesian networks
els and Reinforcement Learning (Wu & Yen, 2009). Different along with statistical methods (Kruegel, Mutz, Robertson,
AI-based detection approaches namely Neural Networks, & Valeur, 2003). Bayesian networks are used to predict
Bayesian Networks, Fuzzy Logic Approach, Genetic Algo- outcomes or discover cause-effect relationships when the
rithms, Support Vector Machines and System Call Sequence system has uncertain or incomplete knowledge of net-
Analysis are discussed below: work traffic. It develops a graphical model that encodes
Neural networks: Neural networks are introduced as the probabilistic correlations (or conditional interdepen-
an alternative to statistical methods that divine the sub- dencies) between distinct variables and predicting events
sequent command on the basis of a series of previous (Chauhan et al., 2012; Wu & Yen, 2009). It captures all the
commands from a particular user. Neural networks are existing knowledge of network traffic and represents the
well trained, purely feed forward and back propagation uncertain knowledge in expert systems. This new tech-
networks that give better results as compared to basic nique is still evolving and mostly used for solving data-
signature matching methods (Gyanchandani, 2012). This analysis problems. Bayesian networks are also known as
approach does not expect any explicit user model to belief networks, Bayesian belief networks, and causal prob-
predict the user’s behaviour (Raut & Singh, 2014). In abilistic networks. This method is induced to both uni-
this approach, neurons are trained with the data col- variates as well as multivariate datasets (Chandola et al.,
lected from the audit logs of various users for a particular 2009), enhances the capacity to expose new attacks and
period. This is basically done to represent the charac- lessens the false alarms to the possible extent. It is an
teristic patterns of normal traffic. Whenever the incom- efficient and principled approach to combine both prior
ing network traffic is served to the prepared neurons knowledge and data as well as avoids the over-fitting of
if its range exceeds a preset threshold then the system data (Gyanchandani, 2012).
generates a signal; hence an anomaly is detected (Chan- Fuzzy logic approach: The concept of fuzziness is used
dola et al., 2009; Patcha & Park, 2007). The reconstruction along with data mining methods for highlighting anoma-
error (i.e. actual output minus desired output) is undeviat- lies or network attacks (Garg & Chawla, 2011). It is based
ingly accepted as an anomaly score for detecting anoma- on fuzzy set hypothesis under which reasoning is esti-
lies. Hopfield Networks, Radial Basis Function (RBF) Based mated rather than accurately procured from classical
(Karimazad & Faraahi, 2011), Replicator Neural Networks predicate logic (Chauhan et al., 2012; Harjinder, 2013). It
(RNN), Linear Vector Quantization Artificial Neural Networks uses fuzzy sets and fuzzy rules to handle a large number of
(LVQ-ANN), Back Propagation Neural Networks (BP-ANN), input parameters (CPU usage time, activity rate, connec-
Resilient Back Propagation (RBP) Neural Networks and Time tion interval) that can be hazy in nature and incomplete
Delay Neural Networks (TDNN) are used for anomaly-based datasets (Dickerson & Dickerson, 2000). Fuzzy systems
DDoS attacks detection (Prasad et al., 2014). Neural net- effectively combine the inputs from various sources and
works detect anomalies from limited, noisy, imprecise or construct if-then rules to describe security attacks (Eskin,
uncertain information and recognize the future unseen Arnold, Prerau, Portnoy, & Stolfo, 2002; Raut & Singh,
patterns along with previously observed attack patterns. 2014). In (Shiaeles, Katos, Karakos, & Papadopoulos, 2012),
Neural networks are deployed at victim-end networks the authors introduced the Fuzzy estimators that detect
and operate in supervised (Buragohain et al., 2015) as DDoS attacks using mean packet inter-arrival times and
well as unsupervised mode (Jalili, Imani-Mehr, Amini, & also find the offending IP addresses in real-time with high
Shahriari, 2005; Prasad et al., 2014). But it is very costly and detection accuracy. It is an effective approach against
time-consuming process as it needs extra time for col- port scans and probes. It relies on attacking explicit rules
lecting and analyzing the training data (or neurons). Jalili for detection rather than building a model for depict-
et al. (2005) propose a detection method called SPUN- ing the current status of the system. A fuzzy reason-
NID that consists of a statistical pre-processor to extract ing based approach along with statistical analysis using
the traffic features and unsupervised neural networks to wavelet transformation and Schwarz information crite-
differentiate the attack and regular traffic. RBF based neu- rion has been introduced in (Xia, Lu, Li, & Tang, 2010) that
ral networks discussed in (Karimazad & Faraahi, 2011), can detect the DDoS traffic accurately and effectively.
310 P. KAUR ET AL.

Genetic algorithms: Genetic algorithms are heuristic & Stolfo, 2003). An IP Address Interaction (IAI) based SVM
quest algorithms based on the development thoughts of classifier has been developed in (Cheng, Yin, Liu, Cai, &
natural selection and eugenics tools to find the approx- Wu, 2009) to identify the DDoS attack flows in a troop of
imate solutions or to determine the optimization enig- regular network flows with high detection accuracy and
mas. It uses the evolutionary algorithm techniques like low false alerts.
selection, crossover (mating or recombination), mutation, System call sequence analysis: System calls are used as
inheritance and elitism (Li, Guo, Tian, & Lu, 2008). It fol- the functional interface between the programme and the
lows the postulate of ‘survival of the fittest’ so whenever operating system kernel. By analyzing the sequence of
many users attempt to obtain the scanty resources, the system calls, we can detect whether the system is under
fittest users dominate the weaker one. A series of itera- attack or not. In this technique, normal system calls are
tions are performed to replace the low fitness users with divided into several short sequences, which can be con-
the help of a fitness function. Genetic algorithms are pro- sidered as data items of the training set (Zu & Hu, 2016).
ficient in acquiring classification rules with the knowledge It applies an algorithm to formulate a normal outline of
collected from incoming traffic and select optimal param- the system on the basis of inter- associations in fixed time
eters for detection process to differentiate the attack series of system calls. When a system call sequence devi-
passes from normal data (Harjinder, 2013). It selects the ates from normal behaviour sequence profile, it can be
fine test cases as the instructing dataset and minimizes treated as anomalous. It maintains a database that col-
the false positive rates when human input is used in lects the normal behaviour of each and every programme
a feedback loop. It is a flexible and robust approach of the system. The database monitors the programme’s
because, in the presence of noise or changing inputs, it behaviour and whenever the sequence of system calls
is not easily affected. The measures like detection rate, for a particular programme is not found in the database,
false positives and the ratio of reduced training dataset the system indicates anomalies (Patcha & Park, 2007).
are combined in a fitness function. So, the system should This approach observes each and every system call so
take care to raise the fitness function defined (i.e. increase it results in high computational overheads and perfor-
the detection rate and decrease the false positives and mance debasement of the monitoring system (Chandola
instances in training dataset) (Li et al., 2008; Patcha & Park, et al., 2009). Moreover, the irregularity of system call leads
2007). This approach involves an assemblage of agents to increase in false positive ratio and makes the distinc-
to monitor the network parameters so there is a need tion of unusual system calls more difficult.
of intra-agent communication and it has a long training Information theoretic-based detection: This approach
procedure. In (Lee, Kim, Lee, & Park, 2012), the authors detects anomalies by auditing the erudition constituents
propose an early detection method that consists of a traf- of a normal dataset with various conjectural estimates
fic matrix using genetic algorithms and a packet based like Entropy, Multiscale entropy, Dominant state anal-
window size for the detection of DDoS attacks. ysis, Hellinger distance, Mahalanobis distance, Relative
Support vector machines: This approach maps the train- uncertainty distribution, Kullback-Leibler divergence dis-
ing data obtained from the primary input space into a tance, Chi-square and Mutual information (Purwanto
higher dimensional characteristic space using kernels and et al., 2014). It finds the irregularities that are presented
acquires the favourable isolating hyper-plane or a deci- in the information content of the normal dataset. It deals
sion boundary in the form of support vectors (Chauhan with different data types like compressed, categorical,
et al., 2012; Gyanchandani, 2012; Rama, 2011; Wu & Yen, sequential, spatial and graphical data in which the data
2009). Then the new incoming instances are mapped into instances are naturally ordered and reduces the com-
the same space and their regions are estimated to which plexity of datasets. Information entropy is defined as a
they belong to. If the new instances do not belong to a measure that computes the incertitude corresponds to a
particular region, they are treated as anomalous (Chan- test instance (Bhandari et al., 2015; Ray, 2004). More ran-
dola et al., 2009). This is basically done to mould a linearly domness associates with the instances results in higher
non-separable problem is into a linearly separable one entropy (Androulidakis, Chatzigiannakis, & Papavassiliou,
(Rama, 2011). Decision boundary is extremely robust to 2009; Bhandari, Sangal, & Kumar, 2016). It identifies the
outliers (Gyanchandani, 2012). This method is superior to anomalous network behaviour but results in high false
neural networks and clustering methods in case of accu- signals due to the low rifts in unusual and standard traf-
racy and speed. It offers high detection accuracy with low fic. Entropy can be calculated on the basis of different
faux pas and handles the unseen data and over-fitting parameters such as the change in packet size distribu-
problems effectively (Nadiammai & Hemalatha, 2014). tion statistics (Agarwal & Mittal, 2012), transmission rate,
One-Class SVM (OCSVM) gives better results as compared IP address rate (Bhatia, Mohay, Tickle, & Ahmed, 2011) and
to One-Class Bayesian Networks (Heller, Svore, Keromytis, URL accessed (Li, Zhou, Li, Hai, & Liu, 2009). As per the
 SYSTEMS SCIENCE & CONTROL ENGINEERING: AN OPEN ACCESS JOURNAL 311

study in (Park, Li, Gao, Lee, & Deng, 2008), the authors each phase using K-NN classifiers has been developed in
presents an FDD mechanism using randomness checks (Nguyen & Choi, 2010). PAD algorithm discussed in (Heller
to predict the source IP addresses at the server from et al., 2003) is based on density function and compara-
the previous connection requests. Therefore, this method ble to One-Class Support Vector Machine (OCSVM) to find
is used to distinguish the flash events from DDoS traf- unusual events in Windows registry. Density-based detec-
fic because source IP addresses of the attack traffic are tion is not an effective approach in case the dataset of
not foreseeable and act as arbitrary locations on the vic- the normal instances has the varying density regions. To
tim system. In (Zhou, Jia, Wen, Xiang, & Zhou, 2014), overcome this problem, concept of relative density to the
the authors propose a detection unit that reveals the neighbour’s density was proposed in (Breunig, Kriegel,
App-DDoS attacks by obtaining the ratio of the entropy Ng, & Sander, 2000). This approach is mostly deployed
of source IPs and the URL analyzed. The study shows at core-end networks (Bhuyan et al., 2014) and detects
that the above ratio will be large for App-DDoS attacks LDDoS attacks (Prasad et al., 2014; Xiang et al., 2011).
as compared to normal flash events. In (Sachdeva & Table 1 presents the pros and cons of different point
Kumar, 2014), the authors introduce a cluster entropy anomaly-based detection approaches.
concept to differentiate the flash events from DDoS traffic
in which cluster are obtained from the users that pre- 3.1.2.2. Contextual anomaly-based detection. If an
viously access the web-service or belong to the same incoming event is abnormal in a well-defined context or
administration network and the entropy of different clus- situation, then it is recognized as the contextual anomaly
ters is calculated. The study concludes that the value of or conditional anomaly (Song, Wu, Jermaine, & Ranka,
entropy will be small for the predicted flash event from 2007). Every data instance is defined by its contextual
the same network and large for the DDoS attack traffic and behavioural attributes. Contextual attributes help
due to increase in the count of new networks. Informa- in defining the contextual (or neighbour) characteris-
tion entropy-based anomaly detection methods are used tics and behavioural attributes help in defining the non-
in Software Defined Networks (SDN) and Cloud Comput- contextual characteristics for a particular instance (Chan-
ing environment against DDoS attacks (Mousavi, 2014; dola et al., 2009). Various approaches are used to detect
Navaz, Sangeetha, & Prabhadevi, 2013). Entropy-based contextual anomaly to find the deviations in the neigh-
metrics with PCA algorithm detect the anomalies that are bour of an instance (i.e. find deviations from average)
not detected by volume based (HDDOS attacks) detection by using the values of behavioural attributes. Moreover,
methods (Nychis, Sekar, Andersen, Kim, & Zhang, 2008). contextual attributes are expressed in the form of spa-
Features of this method include low false positive rate, tial, graphs, sequential and profile attributes (Chandola
high detection accuracy, on-line detection and the early et al., 2009). Contextual anomalies are similar to point
detection of LDDoS attacks (Agarwal & Mittal, 2012; Xiang anomalies and they are anomalous within a particular
et al., 2011). It is deployed at core-end and victim-end net- context. Therefore, various point anomaly-based detec-
works (Prasad et al., 2014) for the detection of App-DDoS tion techniques (for example Information theoretic based
and LDDOS attacks (Bhandari et al., 2016; Bhuyan et al., detection) are used to identify contextual anomalies in
2014; Xiang et al., 2011). an appropriate circumstance. The contextual anomaly-
Nearest Neighbour-based detection: This approach based detection system identifies a context for the incom-
detects the anomalies that are far from the dense (or ing traffic instance with the help of contextual attributes
close) neighbour of the normal instances and uses the and estimates a freak score for malicious instances with
distance or density based measures to find the similari- the help of a point anomaly-based detection approach.
ties (or distance) between the two or more data instances. This approach helps in detecting the real world anomalies
An anomaly score is estimated for an observation either where data instances within a context tend to be similar. It
on the basis of its distance to its Kth nearest neighbour recognizes the peculiarities that are not exposed by point
(K-NN classifier) (Nguyen & Choi, 2010; Oo & Phyu, 2014) anomaly-based detection methods. In some cases, speci-
or the relative density of test instance. This approach fying a context is not easy, so using contextual anomaly-
deals with both continuous and categorical data types. based detection does not make any sense.
It offers high detection accuracy, early detection, easy
implementation and less computation time (Nguyen & 3.1.2.3. Collective anomaly-based detection. If the
Choi, 2010). In (Eskin et al., 2002; Zhang & Wang, 2006), data instances are related to each other and the assem-
anomaly score the new instance is reckoned as the aggre- blage of data instances is unusual to the residual
gation of its distance from its k nearest neighbours. A dataset, then it is known as the collective anomaly.
proactive detection method that divides the DDoS attack Note that, a single instance in a collective anomaly may
into different phases and analyzes the network status in or may not be anomalous but the collection of such
312 P. KAUR ET AL.

Table 1. Pros and cons of point anomaly-based detection approaches.

Approaches Pros Cons
Statistical methods based • Offer a good detection rate for the ‘zero days’ or an • Difficult to set parameters (or metrics) and unreal-
anomaly detection extremely new attack if there exist statistical character- istic assumptions of a quasi-stationary process that
istics for the network traffic. may affect the threshold level, false positives, and
• Controls the rate limits if an attack is confirmed. false negatives. But such hypotheses do not exist for
• Provides accurate results for long-term malicious activ- high-dimensional real datasets.
ities (i.e. ‘low and slow’ attacks). • Such systems need accurate statistical distributions,
• Prior knowledge about normal activity, security flaws but only a few normal profiles are modelled using
and the attacks themselves, is not required as the purely statistical methods.
expected system behaviour is prepared from observa- • Although it provides accurate and effective results
tions. Therefore, such methods are simpler to manage but it is a time-consuming process (i.e. takes days or
and there is no need to refresh signatures. weeks for results).
• These systems look for individual elements of a par-
ticular activity and generate an alarm when an attack
is detected without waiting for the completion of that
activity.
Data mining based anomaly • Analyzes the lengthy, continuous patterns (i.e. different • It produces very high false positive rate
detection IPs, same activity). • Fail to be applied in real-time detection environ-
• Allow experts to concentrate on actual attacks. ment.
• Classifies the false alarm dynamos and ‘bad’ sensor indi-
cations.
Information theoretic based • Detects anomalies that are present in a huge amount of • The optimal size of the substructures (like sub-
anomaly detection the information content of normal datasets. sequences and sub-graphs) should be preferred to
• Reduce the complexity of dataset. detect anomalies.
• Performance depends on the selected information
theoretic measures.
• Difficult to assign an anomaly score to the test
instances.
Nearest neighbour based • Purely a data-driven approach and operates in unsuper- • Performance decreases as the number of attributes
anomaly detection vised mode. increases.
• The possibility of an anomaly drops to set a dense • Performance depends on the selected distance
neighbour if the approach operates in semi-supervised measure, which is a challenging task to be com-
mode. puted for complex data structures like graphs,
sequences.
• Very small size of samples may adversely affect the
anomaly score computations.
Artificial Intelligence-based • Facility to adjust its execution tactics on the basis of • Performance depends on the input
detection recently collected data. parameters from the system or
• Offers high detection accuracy, but more expensive as user’s point of view.
compared to another detection approaches. • Fail to provide accurate results due
• Deployed at victim-end network and supervised in to lack of sufficient data and learn-
nature. able functions.
• It needs high resource consump-
tion and complex computations for
detecting anomalies.

instances appears as anomalous. In sequence data, graph and the sequential anomalies can be reduced to point
data and spatial data representation, the test cases are anomalies that are easy to handle. There are a num-
related to each other and the relationship among the ber of ways for handling anomalous sequential data
data instances becomes the basis of detecting collec- such as:
tive anomalies. Various approaches have been used for
collective anomaly-based detection such as Sequential • Detects anomalous sequence from a set of sequences
anomaly, Graph anomaly, and Spatial anomaly detec- (Budalakoti, Srivastava, Akella, & Turkov, 2006; Chan &
tion approaches. Various approaches have been used for Mahoney, 2005) and models the sequences with the
collective anomaly-based detection such as Sequential help of various modelling tools like Probabilistic Suf-
anomaly, Graph anomaly, and Spatial anomaly detection fix Tree (PST) and Sparse Markov Trees (SMT) (Chandola
approaches. et al., 2009). It works in semi-supervised and unsuper-
Sequential anomaly detection: This approach deals with vised mode.
sequential data in which the data instances are linearly • Detects anomalous subsequence (or discords) that is
ordered and identifies the subsequences that behave anomalous in a long sequence (Bu et al., 2007) and
as abnormal with respect to the regular behaviour. For works in unsupervised mode.
example time-series data, system call sequence and event • Determine the frequency of a query pattern that is
sequence datasets (Chan & Mahoney, 2005). Note that, anomalous as compared to expected frequency in a
sequences can be univariate and multivariate in nature particular sequence (Chandola et al., 2009).
 SYSTEMS SCIENCE & CONTROL ENGINEERING: AN OPEN ACCESS JOURNAL 313

Table 2. Summary of detection approaches.

Approaches Pros Cons
Signature (or Knowledge) • The patterns of perversions are filed in a directory or • Unable to identify the new, novel attacks.
based detection database. • Prior knowledge of attack signatures is needed and
• Useful in recognizing only defined and well-known it should be updated regularly. Moreover, Knowledge
attacks in real-time and performs in supervised should be accumulated with finer details for better
mode. detection.
• Deployed at any network (source-end, victim-end • It is very complex and prolonged task as the subsis-
or core-end network). tence of the knowledge base entails thoughtful and
• Offers the features of robustness, scalability, and comprehensive dissection of each vulnerability.
flexibility. • This approach faces the various generalization issues.
Anomaly-based detection • Identifies attack by labelling the activity as either • Difficult to extract the network features so a training
abnormal or normal. phase is needed to recognize normal activity profile.
• Able to expose new, unusual or ‘zero days’ attacks • Setting threshold value is difficult to adjust the false
and exceptional patterns if do not correspond to the positive and the false negative rates.
presumed normal functionalities. • Defining a rule set is difficult.
• A different profile of normal activities can be built • High false positive rate leads to low detection efficiency.
for different systems, applications or networks to • Offers low throughput and are computationally expen-
confuse the attacker what activities it can take with- sive because of the cost of retaining a record of, and
out going identified. perhaps refreshing several system profile metrics.
• It runs in supervised as well as unsupervised mode.
Hybrid detection • Combined use of two or more detection • Exploits benefits of both signature and anomaly-based
approaches. detection procedures so the resulting hybrid systems
• While the hybrid methods still drop some sorts of are not perpetually favourable.
attacks, but its low false notifications rate strength- • Leads to high complexity and implementation cost.
ens the plausibility of exploring most of the alerts.

Graph anomaly detection: This approach deals with the Selvakumar, 2013) are the hybrid detection systems that
graphical data in which the data instances are depicted as are developed from the combination of above detection
points (or vertices) and linked to other vertices through approaches. Moreover, signature-based SNORT method
edges. It detects the sub-graphs that are unusual within is combined with one or more anomaly-based methods
the large graph (Noble & Cook, 2003). Various measures (such as PHAD, NETAD, ALAD, LERAD) in order to develop
like entropy have been applied to the sub-graphs to a hybrid model for real-time detection (Nadiammai &
determine its anomaly score. Hemalatha, 2014). In (Asosheh & Ramezani, 2008), the
Spatial anomaly detection: This approach deals with authors propose a combined data mining procedure for
spatial data and detects the sub-regions (spatial anoma- the automated exposure of attacks that consists of a clus-
lies) that are irregular to rest of the data (Chandola et al., tering (K-mean) and classification (K-nearest neighbour)
2009). It can be used to find contextual and collective algorithms. In (Agarwal & Mittal, 2012), the authors pro-
anomalies. pose a hybrid approach that consists of Entropy-based
and SVM based detection methods that remove the
demerits of both the techniques and results in low false
3.1.3. Hybrid detection
alert rate and high detection accuracy. Sometimes, the
Hybrid approach for DDoS detection combines the two
output of different classifiers such as Bayesian Networks,
or more of above detection strategies. The monitoring
Neural Networks and Decision Tree (DT) are combined
capabilities of a detection system can be improved by
using multiple fusion techniques to improve the sys-
developing a hybrid model that is meant by analyzing
tem’s consummations (Modi et al., 2013). Combining dif-
the regular system behaviour and impertinent attacker
ferent approaches makes the detection system stronger
behaviour. This approach attempts to familiar as well as
but the detection results are not always very good. In
anonymous attacks if it consists of both anomaly and
fact, developing a hybrid detection system from differ-
signature-based detection techniques (Bhuyan & Kalita,
ent approaches that can interoperate effectively and effi-
2012). When a signature-based technique is adopted
ciently is a challenging task (Patcha & Park, 2007). A sum-
along with the anomaly-based technique, then the hybrid
mary of different detection approaches has been con-
system can detect the intruder who tries to change the
ferred in Table 2.
attack patterns stored in the signature database (Patcha
& Park, 2007). It offers the features of both anomaly-
based and signature-based methods like high detec-
3.2. Functional classes
tion rate and low false signal rate (Wu & Yen, 2009).
For example, EMERALD (Patcha & Park, 2007), NeGPAIM A detection approach belongs to one or more differ-
(Botha, Solms, Perry, Loubser, & Yamoyany, 2002), RST- ent functional classes. A review of different detection
SVM (Chen, Cheng, Chen, & Hsieh, 2009), NFBoost (Raj & approaches and the functional classes to which they
314 P. KAUR ET AL.

Table 3. Functional classes of different detection approaches.

Detection approaches

Anomaly-based detection

Data Mining Artificial Intelligence based detection

Nearest Information Signature-
Functional classes Statistical neighbour theoretic CM CBM ARM ANN BN FL GA SVM SCSA based
Core-end detection    – – – – –  – – –
Source-end detection  – −  – – – – – – – – –
Victim-end detection  –   – –  –  –   
Supervised mode  – –   –  –   –  –
Semi-supervised mode  – –  – – –   –  – –
Unsupervised mode     –    –  – – –
Net-DDoS detection  – – – – – – – – –  – –
App-DDoS detection  –   – – – –  – – – 
HDDoS detection – – – – – – – – – –  – –
LDDoS detection –   – – – – – – – – – –
Profiling based  – – – – – – – – –   –
Model based  – –      – –  – –
One-class setting – – –  –    – –  – 
Multi-class setting – – –  – –   – –  – 
CM: Clustering methods; ANN: Artificial Neural Networks; GA: Genetic Algorithms; CBM: Classification based methods; BN: Bayesian Networks; SVM: Support Vector
Machines; ARM: Associative rule mining; FL: Fuzzy Logic; SCSA: System Call Sequence Analysis.

belong to has been shown in Table 3 based on our cur- and predict the class of input variables (incoming traf-
rent literature survey and the different functional classes fic instances). This mode is similar to a predictive model.
are explained below: For example, Classification techniques comes under the
category of supervised data mining (Aggarwal & Gupta,
3.2.1. Source-end, victim-end and core-end detection 2015). In the unsupervised mode, the detection system
The detection approaches depends on the nature of data identifies the hidden functions (or patterns) from a given
that is available either from the end-users (source or vic- dataset without having any trained dataset but it pro-
tim) or the network. The end-user information contains duces less detection accuracy (Nadiammai & Hemalatha,
the data from TCP and UDP packets and it is specific to a 2014). For example, Clustering and Associative rule min-
particular user application. Various detection approaches ing comes under the category of unsupervised data min-
are implemented on either source-end or victim-end. ing (Aggarwal & Gupta, 2015). Approaches that work in
Moreover, the detection approaches deployed at victim- the semi-supervised mode have incomplete training data
end operates in on-line as well as off-line mode (Prasad i.e. training data is meant for only for normal class and
et al., 2014). The network-based information contains the some targets are missing for anomaly class (Nadiammai
data from intermediate or core router’s physical inter- & Hemalatha, 2014). It produces high detection ratio and
faces and their forwarding engines (Thottan & Ji, 2003). low false alerts. Therefore, it is more applicable as com-
The detection approaches implemented at core networks pared to supervised mode. But, it is very difficult to collect
detect anomalies and inform the source to slow down the entire anomalous behaviour in a training dataset.
the data traffic. In (Yu, Guo, & Stojmenovic, 2012), the
authors propose a detection method that monitors the 3.2.3. Profiling-based and modelling-based detection
traffic at edge routers of ISP domains. Most of the Artificial approaches
Intelligence-based detection approaches are deployed at In profiling based approaches, profiles of normal
victim-end (Prasad et al., 2014). behaviour of various real computer system components
(like different types of network traffic, programmes, users)
3.2.2. Supervised, semi-supervised and unsupervised are developed and certain patterns or activity deviations
mode from the normal profile are identified to be considered
DDoS detection approaches can operate in one of the as anomalous (Lazarevic, 2016). UNIX shell commands,
following three modes: Supervised, Semi-supervised and audit events, system calls, keystroke and network pack-
Unsupervised mode (Buragohain et al., 2015). In supervised ages are used as data sources for developing the attack
mode, the detection approach requires a trained dataset profiles (Rama, 2011). In spite of building profiles, dif-
(or a classifier) to find the anomalies, where the trained ferent models like replicator neural networks or unsu-
dataset includes input variables and output classes. The pervised support vector machines are fabricated for the
trained dataset is used to extract the hidden functions attack detection. In model- based approaches, the model
 SYSTEMS SCIENCE & CONTROL ENGINEERING: AN OPEN ACCESS JOURNAL 315

represents the normal functioning of the system and the false positives (Estevez-Tapiador, Garcia-Teodoro, & Diaz-
anomalies are recognized as divergences from the stan- Verdejo, 2004) and the system generates an anomaly
dard behaviour. alarm of overabundance of false positives. False positive
rate depends on the threshold value, where very low
3.2.4. Net-DDoS and App-DDoS attack detection threshold value results in high false positive rate.
approaches
Most of the approaches discern the Net-DDoS attacks, 3.3.3. False negative (FN)
only a few of them can detect App-DDoS attacks (Xie & If the test instance is abnormal or malicious but it is
Yu, 2006). Swaddler anomaly-based detection technique labelled as innocuous, then it is considered as false neg-
(Cova, Balzarotti, Felmetsger, & Vigna, 2007), Fuzzy esti- atives (Estevez-Tapiador et al., 2004) and the detection
mators (Shiaeles et al., 2012) and K-means clustering (Yu, does not generate an alarm on necessary malicious traf-
Li, Chen, & Chen, 2007; Zhong & Yue, 2010) detects App- fic. The high false negative rate has been noticed if the
DDoS attacks in the real-time environment. threshold value is set too high.

3.2.5. High-rate and low-rate DDoS detection 3.3.4. False alarm rate (FAR)
approaches False alarm rate is considered as a count of false posi-
Most of the detection approaches captures only high- tive or false negative. High false alarm rate initiated in
rate traffic (HDDoS attacks or volume-based attacks), but anomaly detection makes it complicated to relate a dis-
some of them detect only low-rate traffic (LDDoS attacks) tinct anomaly signal with the events that causes them.
or both (Gupta et al., 2012). HDDoS detection strategy is False alarm rate can also be affected if the attacker trains
unable to detect several types of anomalies, which can the detection system to accept the malicious traffic as
be analyzed by Entropy-based detection (Androulidakis normal.
et al., 2009; Lakhina, Crovella, & Diot, 2005; Nychis et al.,
2008). Low rate traffic is difficult to detect because it 3.3.5. Implementation cost
behaves as normal throughout its journey but aggregates It consists of the total cost needed for implementing a
only at the victim network (Xiang et al., 2011). Congestion particular detection technique on the source-end, victim-
Participation Rate (CPR) and Cumulative Amplitude Spec- end or core-end (intermediate) network.
trum (CAS) based approaches are effective in detecting
LDDOS attacks (Zhang et al., 2012). 3.3.6. Reliability
Reliability is defined as how well a detection approach
3.2.6. One-class and multi-class setting
is performing its required functions in a particular time
In one-class based setting, the detection approaches pre-
period under stated conditions or in the case of a failure
pare a single class that represents the usual network
(component or system failure).
behaviour and the entities that do not belong to the class
are treated as anomalous. But in multi-class based setting,
3.3.7. Detection rate
the detection system prepares a set of multiple normal
Detection rate is measured as the number of malicious
classes and the entities that do not belong to any of the
packets identified by the detection approach divided by
multiple classes, are considered as anomalous.
the total number of malicious packets in the dataset.

3.3. Metrics 3.3.8. Detection accuracy

This section presents the various metrics that are cru- Detection accuracy is defined as the degree to which the
cial to compare and assess the performance of different result of a detection approach conforms to the correct
detection approaches: identification of malicious packets of DDoS traffic. Accu-
racy depends on the proportions of false positive and
3.3.1. Complexity false negative rates against detection of DDoS attacks.
This metrics defines the overall complexity of a partic-
ular detection approach related to time, memory stor- 3.3.9. Type of monitoring
age, coordination among different components and the This parameter decides whether a particular approach
computations needed for the detection system. monitors the high or low data rate traffic or identifies
the malicious packets i.e. it decides whether the detec-
3.3.2. False positive (FP) tion approach is traffic volume based or IP attribute
If the test instance is innocuous but the detection system based (Alenezi & Reed, 2012). In (Alenezi & Reed, 2012;
falsely reports it as anomalous, then it is considered as Karimazad & Faraahi, 2011), it has been discussed that
316 P. KAUR ET AL.

Table 4. Comparison of detection approaches.

Detection approaches

Metrics Anomaly-based detection Signature-based detection Hybrid detection

Complexity Medium Low High
False positive rate High Very low Low
False negative rate High Medium Low
False alarm rate High Low Medium
Implementation cost Medium Low High
Reliability Yes Yes –
Detection rate Medium High (only for known attacks) High
Detection accuracy Medium High High
Type of monitoring Traffic monitoring, Packet monitoring Traffic monitoring, Packet monitoring –
Real-time detection Medium High –

anomaly-based detection analyzes both the traffic flow • The detection procedures should rest on a small frac-
characteristic as well packets contents. TOPAS (Munz tion of input (traffic) parameters, and sturdy against
& Carle, 2007), a detection system that allows paral- future trials by the attacker. It should be capable of
lel deployment of different detection algorithms offers handling the masses and functions accurately in high-
packet-based monitoring, on-line analysis, and real-time speed real networks.
detection. • Accurate isolation of HDDoS attack traffic and regu-
lar flash events (with the minimal support needed or
3.3.10. Real-time detection low false alerts), real-time updating of network statis-
The existing approaches must be deployed in real net- tics and quick identification of spoofed IPs is the most
works with a suitable level of detection rate, accuracy, and challenging task in real-time detection environment.
false alarm rate. Preference should be given to detection • Most of the detection methods analyze the packet
speed rather than accuracy in a real-time environment. contents and traffic flow characteristics for the attack
exposures. But the attacker undoubtedly modifies the
4. Comparison of detection approaches packet contents and traffic flow traits, thus the detec-
tion system fails. Moreover, it is very difficult to analyze
In this section, a comparison of detection approaches the encrypted packets (Li et al., 2015). IP attributes
(Alenezi & Reed, 2012; Modi et al., 2013; Ranju, 2014) (IP protocol type, packet-size) based detection tech-
has been presented on the basis of previously discussed niques adversely affect the performance by increasing
parameters. Table 4 presents the comparison of differ- the computational complexity and false positive rate.
ent detection approaches based on our current literature • Nowadays, a combined approach of different detec-
review. tion approaches has become the utmost necessity for
defending against unknown or novel attacks. A single
5. Issues in existing detection approaches router cannot identify that a particular network or a
victim is under attack and adjust its traffic to decrease
• Recent trends show that various detection techniques the impact of DDoS attacks (Reddy, Siva, & Malathi,
are presented in the theory, but only some of them 2013).
run effectively on all protocols and works in the real • Most of the anomaly-based detection methods try to
environment. Developing and enacting an ideal and find the anomalies in network traffic as well packet
real-time detection system is indeed a hard task. In contents. But none of the detection algorithms has
order to suffice the growing demands for detection focused on types of anomalies that it can detect. Type
and response, there are many issues faced by the of the anomalies is associated with the types of bot-
researchers: nets, flash crowds and the types of attacks (Purwanto
• Detection schemes involve complex computations et al., 2014).
due to which time taken by the system is too long
to find the anomalous conditions. Therefore, detec-
tion speed must be given preference over detection
6. Conclusion
accuracy for the disclosure of attacks in real-time. It
should be effective against a variety of attack tools In this review paper, we surveyed on several detection
available today. Therefore, it should not be exposed approaches against DDoS attacks. It is very complicated
to attacks, producing an impending disruption of its to discern which detection approach should be followed
services (Xiang et al., 2011). for a circumstantial dilemma. Signature-based detection
 SYSTEMS SCIENCE & CONTROL ENGINEERING: AN OPEN ACCESS JOURNAL 317

approach can disclose only known attacks and results Androulidakis, G., Chatzigiannakis, V., & Papavassiliou, S. (2009).
in high detection accuracy with the low false notifi- Network anomaly detection and classification via opportunis-
cations. But the attacker can quickly adjust the attack tic sampling. IEEE Network, 23(1), 6–12.
Asosheh, A., & Ramezani, N. (2008). A comprehensive taxon-
signatures or perform attacks with small variations. There- omy of DDOS attacks and defense mechanism applying in a
fore, the attacks remain unidentified by this approach. smart classification. WSEAS Transactions on Computers, 7(7),
Nowadays, anomaly-based detection approach has been 281–290.
widely used for the detection of Net-DDoS as well as Baraniuk, C. Retrieved from http://www.bbc.com/news/
App-DDoS attacks. The key challenges for this approach technology-35376327
Barbara, D., Couto, J., Jajodia, S., & Wu, N. (2001). ADAM: A
are online analysis, manipulating a huge amount of data
testbed for exploring the use of data mining in intrusion
and the increasing false signal ratio due the presence detection. ACM Sigmod Record, 30(4), 15–24.
of uncertainty in data. Supervised and semi-supervised Barbara, D., Wu, N., & Jajodia, S. (2001). Detecting novel
techniques are fancied for controlling the huge amount network intrusions using Bayes estimators. SIAM, 1–17.
of data but unsupervised techniques are adopted for doi:10.1137/1.9781611972719.28
catching unfamiliar attacks. Nevertheless, such schemes Bhandari, A., Sangal, A., & Kumar, K. (2015). Destination
address entropy based detection and traceback approach
do not fit for the real-time detection. Therefore, imple-
against distributed denial of service attacks. International
menting a mixed approach of supervised and unsuper- Journal of Computer Network and Information Security, 7(8),
vised techniques that can recognize both unknown and 9–20.
known DDoS attacks in the real-time environment is a Bhandari, A., Sangal, A. L., & Kumar, K. (2016). Characteriz-
challenging task. From this review paper, we have con- ing flash events and distributed denial-of-service attacks:
An empirical investigation. Security and Communication Net-
cluded that the researchers have stated different defense
works, 9(13), 2222–2239.
mechanisms against the DDoS attacks. But due to lack of Bhatia, S., Mohay, G., Tickle, A., & Ahmed, E. (2011). Paramet-
benchmarks against which the performance of defense ric differences between a real-world distributed denial-of-
tools may be compared, the best solutions for defending service attack and a flash event. IEEE, 210–217. doi:10.1109/
against such attacks are improbable. ARES.2011.39
Bhuyan, M. H., & Kalita, J. K. (2012). Network anomaly detection:
methods, systems and tools.
7. Scope of future work Bhuyan, M. H., Kashyap, H. J., Bhattacharyya, D. K., & Kalita, J. K.
(2014). Detecting distributed denial of service attacks: Meth-
We strongly believe that a perfect comprehensive real- ods, tools and future directions. The Computer Journal, 57(4),
time defense framework could be the best and effec- 537–556.
tive approach to battle DDoS attacks. Building a defense Bisson, D. Retrieved from http://www.tripwire.com/state-
mechanism as close as to the attack source with an of-security/risk-based-security-for-executives/risk-manage-
ment/report-ddos-attacks-grew-in-number-size-and-sophi-
evitable participation of various service providers offer-
stication-in-q4-2015/
ing a source address validation and filtering features, we Blazek, R. B., Kim, H., Rozovskii, B., & Tartakovsky, A. (2001).
hope to find sooner in the near future. A novel approach to detection of denial-of-service attacks
via adaptive sequential and batch-sequential change-point
Disclosure statement detection methods. Citeseer, 220–226.
Botha, M., Solms, R. V., Perry, K., Loubser, E., & Yamoyany,
No potential conflict of interest was reported by the authors. G. (2002). The utilization of artificial intelligence in a hybrid
intrusion detection system. SAICSIT ’02 Proceedings of the
References 2002 annual research conference of the South African insti-
tute of computer scientists and information technologists on
Acohido, B., & Swartz, J. (2009). Hacker attack takes down Twit- enablement through technology. pp. 149–155.
ter, Facebook, LiveJournal. Hacker attack takes down Twitter, Breunig, M. M., Kriegel, H.-P., Ng, R. T., & Sander, J. O. R.
Facebook, Live Journal, ed. (2000). LOF: Identifying density-based local outliers. ACM, 29,
Agarwal, B., & Mittal, N. (2012). Hybrid approach for detection 93–104.
of anomaly network traffic using data mining techniques. Bu, Y., Leung, O. T.-W., Fu, A. W.-C., Keogh, E. J., Pei, J., &
Procedia Technology, 6, 996–1003. Meshkin, S. (2007). WAT: Finding Top-K discords in time series
Aggarwal, A., & Gupta, A. (2015). Survey on data mining and database. SIAM, 449–454. doi:10.1137/1.9781611972771.43
IP traceback technique in DDoS attack. International Jour- Budalakoti, S., Srivastava, A. N., Akella, R., & Turkov, E. (2006).
nal of Engineering and Computer Science ISSN:2319-7242, 4(6), Anomaly detection in large sets of high-dimensional symbol
12595–12598. sequences.
Alenezi, M., & Reed, M. J. (2012). Methodologies for detecting Buragohain, C., Kalita, M. J., Singh, S., & Bhattacharyya, D. K.
DoS/DDoS attacks against network servers. Proceedings of the (2015). Anomaly based DDoS attack detection. International
seventh international conference on systems and networks Journal of Computer Applications, 123(17), 35–40.
communications—ICSNC, November 18–23, Lisbon, Portu- Cabrera, J. B., Lewis, L., Qin, X., Lee, W., Prasath, R. K.,
gal. pp. 92–98. IARIA. Ravichandran, B., & Mehra, R. K. (2001). Proactive detection
318 P. KAUR ET AL.

of distributed denial of service attacks using mib traffic Seruca, & J. Cordeiro (Eds.), Enterprise information systems VII
variables-a feasibility study. IEEE, 609–622. (pp. 197–204). Dordrecht: Springer.
Carl, G., Kesidis, G., Brooks, R. R., & Rai, S. (2006). Denial-of-service Estevez-Tapiador, J. M., Garcia-Teodoro, P., & Diaz-Verdejo, J.
attack-detection techniques. Internet Computing, IEEE, 10(1), E. (2004). Anomaly detection methods in wired networks:
82–89. A survey and taxonomy. Computer Communications, 27(16),
Chan, P. K., & Mahoney, M. V. (2005). Modeling multiple time 1569–1584.
series for anomaly detection. ICDM ’05 Proceedings of the Garcia-Teodoro, P., Diaz-Verdejo, J., Macia-Fernandez, G., &
Fifth IEEE International Conference on Data Mining, Novem- Vazquez, E. (2009). Anomaly-based network intrusion detec-
ber 27–30. pp. 90–97. Washington, DC: IEEE Computer tion: Techniques, systems and challenges. Computers & Secu-
Society. rity, 28(1), 18–28.
Chandola, V., Banerjee, A., & Kumar, V. (2009). Anomaly detec- Garg, K., & Chawla, R. (2011). Detection of DDoS attacks using
tion: A survey. ACM Computing Surveys, 41(3), 1–58. data mining. International Journal of Computing and Business
Chauhan, A., Mishra, G., & Kumar, G. (2012). Survey on data min- Research (IJCBR), 2(1).
ing techniques in intrusion detection. Lap Lambert Academic Gil, T. M., & Poletto, M. (2001). MULTOPS: A data-structure for
Publ. bandwidth attack detection. Proceedings of the 10th confer-
Chen, R.-C., Cheng, K.-F., Chen, Y.-H., & Hsieh, C.-F. (2009). ence on USENIX security symposium, August 13–17, Wash-
Using rough set and support vector machine for network ington, DC, USA. IEEE.
intrusion detection system. First Asian conference on intel- Gupta, B., Misra, M., & Joshi, R. C. (2012). An ISP level solution
ligent information and database systems, April 1–3. IEEE. to combat DDoS attacks using combined statistical based
doi:10.1109/ACIIDS.2009.59 approach. arXiv preprint arXiv:1203.2400.
Chen, S., & Song, Q. (2005). Perimeter-based defense against Gyanchandani, R. N. Y. M. (2012). Taxonomy of anomaly
high bandwidth DDoS attacks. IEEE Transactions on Parallel based intrusion detection system: A review. International
and Distributed Systems, 16(6), 526–537. Journal of Scientific and Research Publications, 2(12). ISSN
Chen, Y., Hwang, K., & Ku, W.-S. (2007). Collaborative detec- 2250-3153.
tion of DDoS attacks over multiple network domains. Harjinder, J. M. (2013). A review of machine learning based
Parallel and Distributed Systems, IEEE Transactions, 18(12), anomaly detection techniques. International Journal of Com-
1649–1662. puter Applications Technology and Research, 2(2), 185–187.
Cheng, C.-M., Kung, H., & Tan, K.-S. (2002). Use of spectral analysis Heller, K., Svore, K., Keromytis, A. D., & Stolfo, S. (2003). One class
in defense against DoS attacks. IEEE, 3, 2143–2148. support vector machines for detecting anomalous windows
Cheng, J., Yin, J., Liu, Y., Cai, Z., & Wu, C. (2009). DDos attack detec- registry accesses, 2–9. doi:10.7916/D85M6CFF
tion using IP address feature interaction. International confer- Islam, M. H., & Jamil, M. (2005). Taxonomy of statistical based
ence on intelligent networking and collaborative systems, anomaly detection techniques for intrusion detection. Interna-
November 4–6, Barcelona, Spain. IEEE. tional Conference on Emerging Technologies, Islamabad, pp.
Cova, M., Balzarotti, D., Felmetsger, V., & Vigna, G. (2007). Swad- 270–276, September 17–18.
dler: An approach for the anomaly-based detection of state Jalili, R., Imani-Mehr, F., Amini, M., & Shahriari, H. R. (2005).
violations in web applications. In C. Kruegel, R. Lippmann, & Detection of distributed denial of service attacks using
A. Clark (Eds.), Recent advances in intrusion detection. RAID statistical pre-processor and unsupervised neural networks.
2007 (pp. 63–86). Lecture Notes in Computer Science, Vol. In R. H. Deng, F. Bao, H. Pang, & J. Zhou (Eds.), Informa-
4637. Berlin: Springer. tion security practice and experience (pp. 192–203). ISPEC
Dainotti, A., Pescape, A., & Ventre, G. (2009). A cascade architec- 2005. Lecture Notes in Computer Science, Vol. 3439. Berlin:
ture for DoS attacks detection based on the wavelet trans- Springer.
form. Journal of Computer Security, 17(6), 945–968. Jin, S., & Yeung, D. S. (2004). A covariance analysis model for
Dickerson, J. E., & Dickerson, J. A. (2000). Fuzzy network profil- DDoS attack detection. IEEE, 4, 1882–1886.
ing for intrusion detection. 19th international conference of Karimazad, R., & Faraahi, A. (2011). An anomaly-based method
the North American fuzzy information processing society – for DDoS attacks detection using RBF neural networks, 11.
NAFIPS, July 13–15, Atlanta, GA, USA. IEEE. Khandelwal, S. Retrieved from http://thehackernews.com/2016/
Douligeris, C., & Mitrokotsa, A. (2004). DDos attacks and defense 01/biggest-ddos-attack.html
mechanisms: Classification and state-of-the-art. Computer Kruegel, C., Mutz, D., Robertson, W., & Valeur, F. (2003). Bayesian
Networks, 44, 643–666. event classification for intrusion detection. Proceedings of
Ektefa, M., Memar, S., Sidi, F., & Affendey, L. S. (2010). Intrusion the 19th annual computer security applications conference,
detection using data mining techniques information retrieval & December 8–12, Las Vegas, NV, USA. IEEE.
knowledge management. International conference on infor- Lakhina, A., Crovella, M., & Diot, C. (2005). Mining anomalies
mation retrieval & knowledge management (CAMP), March using traffic feature distributions. ACM, 35, 217–228.
17–18, Shah Alam, Selangor, Malaysia. IEEE. Lazarevic, A. (2016). Anomaly Detection/Outlier Detection in Secu-
Eskin, E., Arnold, A., Prerau, M., Portnoy, L., & Stolfo, S. (2002). rity Applications.
A geometric framework for unsupervised anomaly detection. Lee, S. M., Kim, D. S., Lee, J. H., & Park, J. S. (2012). Detection
In D. Barbará & S. Jajodia (Eds.), Applications of data mining of DDoS attacks using optimized traffic matrix. Computers &
in computer security (pp. 77–101). Advances in Information Mathematics with Applications, 63(2), 501–510.
Security, Vol. 6. Boston, MA: Springer. Lee, W., Stolfo, S. J., & Mok, K. W. (1999). A data mining frame-
Esposito, M., Mazzariello, C., Oliviero, F., Romano, S. P., & San- work for building intrusion detection models. Proceedings of
sone, C. (2007). Real time detection of novel attacks by the 1999 IEEE symposium on security and privacy, May 14,
means of data mining techniques. In C. S. Chen, J. Filipe, I. Oakland, CA, USA. IEEE.
 SYSTEMS SCIENCE & CONTROL ENGINEERING: AN OPEN ACCESS JOURNAL 319

Lee, W., & Xiang, D. (2001). Information-theoretic measures for Papadopoulos, C., Lindell, R., Mehringer, J., Hussain, A., & Govin-
anomaly detection. Proceedings 2001 IEEE symposium on dan, R. (2003). COSSACK: Coordinated suppression of simul-
security and privacy, May 14–16, Oakland, CA, USA. IEEE. taneous attacks. Proceedings DARPA information survivabil-
Li, K., Zhou, W., Li, P., Hai, J., & Liu, J. (2009). Distinguishing DDoS ity conference and exposition, April 22–24, Washington, DC,
attacks from flash crowds using probability metrics. Third inter- USA. IEEE.
national conference on network and system security, October Park, H., Li, P., Gao, D., Lee, H., & Deng, R. H. (2008). Distinguishing
19–21, Gold Coast, Queensland, Australia. IEEE. between fe and ddos using randomness check. In Interna-
Li, M., & Li, M. (2009). A new approach for detecting DDoS attacks tional conference on information security (pp. 131–145). Lec-
based on wavelet analysis. IEEE, 1–5. ture Notes in Computer Science, Vol. 5222. Berlin: Springer.
Li, S.-H., Kao, Y.-C., Zhang, Z.-C., Chuang, Y.-P., & Yen, D. C. Patcha, A., & Park, J.-M. (2007). An overview of anomaly detec-
(2015). A network behavior-based botnet detection mecha- tion techniques: Existing solutions and latest technological
nism using PSO and K-means. ACM Transactions on Manage- trends. Computer Networks, 51(12), 3448–3470.
ment Information Systems (TMIS), 6(1), 3–00. Pei, J., Upadhyaya, S. J., Farooq, F., & Govindaraju, V. (2004). Data
Li, Y., Guo, L., Tian, Z.-H., & Lu, T.-B. (2008). A lightweight web mining for intrusion detection: Techniques applications and Sys-
server anomaly detection method based on transductive tems. 20th international conference on data engineering,
scheme and genetic algorithms. Computer Communications, April 2, Boston, MA, USA. IEEE.
31(17), 4018–4025. Peng, T., Leckie, C., & Ramamohanarao, K. (2004). Proactively
Limwiwatkul, L., & Rungsawang, A. (2004). Distributed denial of detecting distributed denial of service attacks using source
service detection using TCP/IP header and traffic measure- IP address monitoring. In International conference on research
ment analysis. IEEE, 1, 605–610. in networking (pp. 771–782). Lecture Notes in Computer Sci-
Mirkovic, J., Prier, G., & Reiher, P. (2002). Attacking DDoS at the ence, Vol. 3042. Berlin: Springer.
source. Proceedings of the 10th IEEE international conference Prasad, K. M., Mohan, A. R., & Rao, K. V. (2014). Dos and DDoS
on network protocols, November 12–15, Paris, France. IEEE. attacks: Defense, detection and traceback mechanisms-A sur-
Mirkovic, J., & Reiher, P. (2005). D-WARD: A source-end defense vey. Global Journal of Computer Science and Technology, 14(7).
against flooding denial-of-service attacks. IEEE Transactions Purwanto, Y., Kuspriyanto, Hendrawan, Rahardjo, B. (2014). Traf-
on Dependable and Secure Computing, 2(3), 216–232. fic anomaly detection in DDos flooding attack. 8th interna-
Modi, C., Patel, D., Borisaniya, B., Patel, H., Patel, A., & Rajarajan, tional conference on telecommunication systems services
M. (2013). A survey of intrusion detection techniques in cloud. and applications (TSSA), October 23–24, Kuta, Indonesia. IEEE.
Journal of Network and Computer Applications, 36(1), 42–57. Questions to ask your DNS host about DDoS. Retrieved from
Mousavi, S. M. (2014). Early detection of DDoS attacks in software http://www.circleid.com/posts/20141016_3_questions_to_
defined networks controller. ask_your_dns_host_about_ddos/
Munz, G., & Carle, G. (2007). Real-time analysis of flow data for net- Raj, P. A., & Selvakumar, S. (2011). Distributed denial of ser-
work attack detection. 10th IFIP/IEEE international symposium vice attack detection using an ensemble of neural classifier.
on integrated network management, May 21–25, Munich, Computer Communications, 34(11), 1328–1341.
Germany. IEEE. Raj, P. A., & Selvakumar, S. (2013). Detection of distributed
Nadiammai, G., & Hemalatha, M. (2014). Effective approach denial of service attacks using an ensemble of adaptive
toward intrusion detection system using data mining tech- and hybrid neuro-fuzzy systems. Computer Communications,
niques. Egyptian Informatics Journal, 15(1), 37–50. 36(3), 303–319.
Narayana, M. S., Prasad, B., Srividhya, A., & Ranga, K. P. (2011). Rama, V. V. (2011). A review of anomaly based intrusion detec-
Data mining machine learning techniques–A study on abnor- tion systems. International Journal of Computer Applications,
mal anomaly detection system. International Journal of Com- 28(7), 26–35.
puter Science and Telecommunications, 2(6). Ranju, N. M. (2014, April). Survey on DDOS attack prevention
Navaz, A., Sangeetha, V., & Prabhadevi, C. (2013). Entropy based and detection techniques. International Journal for Advance
anomaly detection system to prevent DDoS attacks in cloud. Reasearch in Engineering and Technology, 2.
arXiv preprint arXiv:1308.6745. Raut, A. S., & Singh, K. R. (2014). Anomaly based intrusion
Nguyen, H.-V., & Choi, Y. (2010). Proactive detection of DDoS detection-A review. International Journal on Network Security,
attacks utilizing k-NN classifier in an anti-DDoS framework. 5(3), 7–00.
International Journal of Electrical, Computer, and Systems Engi- Ray, A. (2004). Symbolic dynamic analysis of complex systems
neering 4 (4): 247–252. for anomaly detection. Signal Processing, 84(7), 1115–1130.
Noble, C. C., & Cook, D. J. (2003). Graph-based anomaly Reddy, P., Siva, R., & Malathi, C. (2013). Techniques to differ-
detection. In Proceedings of the 9th ACMSIGKDD international entiate DDoS attacks from flash crowd. International Journal
conference on knowledge discovery and data mining of Advanced Research in Computer Science and Software Engi-
(pp. 631–636). New York, NY: ACM Press. neering, 3(6), 295–299.
Nychis, G., Sekar, V., Andersen, D. G., Kim, H., & Zhang, H. (2008). Sachdeva, M., & Kumar, K. (2014). A traffic cluster entropy
An empirical evaluation of entropy-based traffic anomaly detec- based approach to distinguish DDoS Attacks from flash event
tion (pp. 151–156). Proceedings of the 8th ACM SIGCOMM using DETER testbed. ISRN Communications and Networking
conference on Internet measurement, October 20–22, Vou- 2014.
liagmeni, Greece. New York, NY: ACM. Saman, J. J., & Tipper, D. (2013). A survey of defense mechanisms
Oo, T. T., & Phyu, T. (2014). Analysis of DDoS Detection System against distributed denial of service (DDoS) flooding attacks.
based on Anomaly Detection System. IEEE Communications Surveys and Tutorials. 15(4), 2046–2069.
320 P. KAUR ET AL.

Shiaeles, S. N., Katos, V., Karakos, A. S., & Papadopoulos, B. K. Xia, Z., Lu, S., Li, J., & Tang, J. (2010). Enhancing DDoS flood
(2012). Real time DDoS detection using fuzzy estimators. attack detection via intelligent fuzzy logic. Informatica, 34(4),
computers & Security, 31(6), 782–790. 497–507.
Singh, N., Hans, A., Kumar, K., & Singh, M. P. (2015). Comprehen- Xiang, Y., Li, K., & Zhou, W. (2011). Low-rate DDoS attacks
sive study of various techniques for detecting DDoS attacks detection and traceback by using new information met-
in cloud environment. International Journal of Grid and Dis- rics. Information Forensics and Security, IEEE Transactions, 6(2),
tributed Computing, 8(3), 119–126. 426–437.
Song, X., Wu, M., Jermaine, C., & Ranka, S. (2007). Conditional Xie, Y., & Yu, S.-Z. (2006). A novel model for detecting application
anomaly detection. IEEE Transactions on Knowledge and Data layer DDoS attacks. IEEE, 2, 56–63.
Engineering, 19(5), 631–645. Xie, Y., & Yu, S.-Z. (2009a). A large-scale hidden semi-Markov
Tajbakhsh, A., Rahmati, M., & Mirzaei, A. (2009). Intrusion detec- model for anomaly detection on user browsing behaviors.
tion using fuzzy association rules. Applied Soft Computing, IEEE/ACM Transactions on Networking, 17(1), 54–65.
9(2), 462–469. Xie, Y., & Yu, S.-Z. (2009b). Monitoring the application-layer
Thapngam, T., Yu, S., Zhou, W., & Beliakov, G. (2011). Discrim- DDoS attacks for popular websites. IEEE/ACM Transactions on
inating DDoS attack traffic from flash crowd through packet Networking, 17(1), 15–25.
arrival patterns. IEEE conference on computer communica- Yu, J., Li, Z., Chen, H., & Chen, X. (2007). A detection and offense
tions workshops, April 10–15, Shanghai, China. IEEE. mechanism to defend against application layer DDoS attacks.
Thomas, R., Mark, B., Johnson, T., & Croall, J. (2003). Net- Third international conference on networking and services,
bouncer: Client-legitimacy-based high-performance DDoS June 19–25, Athens, Greece. IEEE.
filtering. IEEE, 1, 14–25. Yu, S., Guo, S., & Stojmenovic, I. (2012). Can we beat legitimate
Thottan, M., & Ji, C. (2003). Anomaly detection in IP net- cyber behavior mimicking attacks from botnets? Proceedings
works. IEEE Transactions on Signal Processing, 51(8), 2191– IEEE INFOCOM, March 25–30, Orlando, FL, USA. IEEE.
2204. Zhang, C., Cai, Z., Chen, W., Luo, X., & Yin, J. (2012). Flow level
Verisign. Retrieved from https://www.verisign.com/en_IN/ detection and filtering of low-rate DDoS. Computer Networks,
security-services/ddos-protection/ddos-report/index.xhtml 56(15), 3417–3431.
Wang, H., Zhang, D., & Shin, K. G. (2004). Change-point moni- Zhang, G., Jiang, S., Wei, G., & Guan, Q. (2009). A prediction-
toring for the detection of DoS attacks. IEEE Transactions on based detection algorithm against distributed denial-of-
Dependable and Secure Computing, 1(4), 193–208. service attacks. In Proceedings of the 2009 international con-
Wang, J., Phan, R. C.-W., Whitley, J. N., & Parish, D. J. (2010). Aug- ference on wireless communications and mobile computing:
mented attack tree modeling of distributed denial of services Connecting the World wirelessly (pp. 106–110). New York, NY:
and tree based attack detection method. 10th IEEE interna- ACM.
tional conference on computer and information technology, Zhang, J., & Wang, H. (2006). Detecting outlying subspaces for
June 29–July 1, Bradford, UK. IEEE. high-dimensional data: The new task, algorithms, and perfor-
Woolf, N. (2016, October 26). Retrieved from https://www. mance. Knowledge and Information Systems, 10(3), 333–355.
theguardian.com/technology/2016/oct/26/ddos-attack-dyn- Zhong, R., & Yue, G. (2010). DDos detection system based on data
mirai-botnet mining (pp. 62–65). Proceedings of the second international
Wu, S.-Y., & Yen, E. (2009). Data mining-based intrusion detec- symposium on networking and network security, April 2–4.
tors. Expert Systems with Applications, 36(3), 5605–5612. Zhou, C. V., Leckie, C., & Karunasekera, S. (2010). A survey of
Wu, Y.-C., Tseng, H.-R., Yang, W., & Jan, R.-H. (2011). DDos detec- coordinated attacks and collaborative intrusion detection.
tion and traceback with decision tree and grey relational Computers & Security, 29(1), 124–140.
analysis. International Journal of Ad Hoc and Ubiquitous Com- Zhou, W., Jia, W., Wen, S., Xiang, Y., & Zhou, W. (2014). Detection
puting, 7(2), 121–136. and defense of application-layer DDoS attacks in backbone
Xia, T., Qu, G., Hariri, S., & Yousi, M. (2005). An efficient network web traffic. Future Generation Computer Systems, 38, 36–46.
intrusion detection method based on information theory and Zu, Q., & Hu, B. (2016). Human centered computing: Second inter-
genetic algorithm. 24th IEEE international performance, com- national conference, HCC 2016, Colombo, Sri Lanka, January
puting, and communications conference, April 7–9, Phoenix, 7–9, 2016, Revised selected papers. Springer International Pub-
AZ, USA. IEEE. lishing.