Detect and Identify DDoS Attacks from Flash Crowd Based on Self-similarity and Renyi Entropy

The paper presents an effective identification method for DDoS attacks and flash crowd in the source-end network. As DDoS attack and flash crowd behavior dramatically increase the number of new (or forged) source IP addresses, the method firstly construct a time series by counting the number of new (or forged) IP addresses in the monitored local area network, and use VTP (variance-time plots) method to verify its self-similarity in normal environments. Then, whittle estimator is used to calculate Hurst index and its confidence interval to detect anomalies. Based on the detection results, in order to accurately identify these two network behaviors, the paper further proposes Renyi entropy based method to distinguish DDoS attack from flash crowd according to the characteristic that DDoS attack and flash crowd cause different degrees of dispersion in source IP address. Finally experimental results indicate that this method can not only detect the mutation of network traffic in real time and reduce false positives, but also accurately distinguish DDoS attack from flash crowd in the background of large network traffic.