Detection of collaborative misbehaviour in distributed cyber-attacks

In this article, we consider the detection of suspiciously high correlation between malicious Internet users that are collaborating in order to cause a Distributed Denial of Service (DDoS) attack. The main goal is to obtain a method for judging correlated misbehaviour among the requests that are issued by different users, aiming to recognize early enough any abnormal behaviour and avoid the full consequences of the DDoS attack. The identification is based on the frequencies with which users issue (simultaneous) requests and is accomplished through the analysis of the data traffic using the requests for connection across the concerned network over a period of time. The paper models normal and malicious behaviour via hidden Markov models, and analyses the performance of the proposed detection method using both mathematical reasoning and simulations. Evaluations of the proposed method on real data sets and comparisons of its performance against existing related methodologies are also provided.