Online DDoS attack detection using Mahalanobis distance and Kernel-based learning algorithm

Distributed denial-of-service (DDoS) attacks are constantly evolving as the computer and networking technologies and attackers' motivations are changing. In recent years, several supervised DDoS detection algorithms have been proposed. However, these algorithms require a priori knowledge of the classes and cannot automatically adapt to frequently changing network traffic trends. This emphasizes the need for the development of new DDoS detection mechanisms that target zero-day and sophisticated DDoS attacks. In this paper, we propose an online, sequential, DDoS detection scheme that is suitable for use with multivariate data. The proposed algorithm utilizes a kernel-based learning algorithm, the Mahalanobis distance, and a chi-square test. Initially, we extract four entropy-based and four statistical features from network flows per minute as detection metrics. Then, we employ the kernel-based learning algorithm using the entropy features to detect input vectors that were suspected to be DDoS. This algorithm assumes no model for network traffic or DDoS. It constructs and adapts a dictionary of features that approximately span the subspace of normal behavior. Every T minutes, the Mahalanobis distance between suspicious vectors and the distribution of dictionary members is measured. Subsequently, the chi-square test is used to evaluate the Mahalanobis distance. The proposed DDoS detection scheme was applied to the CICIDS2017 dataset, and we compared the results with those given by existing algorithms. It was demonstrated that the proposed online detection scheme outperforms almost all available DDoS classification algorithms with an offline learning process.