Anomaly-Based DDoS Attack Detection by Using Sparse Coding and Frequency Domain

Distributed Denial of Service (DDoS) attacks have become one of the most significant problems that affects the user satisfaction by degrading the availability of on-line services. Although intrusion detection systems provide effective mechanism for discriminating various DDoS attacks, they become impotent of detection when bogus packets similar to normal ones are dispatched by the attacker. One idea is to model the normal behavior of the network traffic using time series representation of that traffic together with advanced statistical analysis techniques such as frequency domain analysis for detecting the occurrence frequency (energy) of each basic element in time series. However, frequency domain analysis may become inadequate if the original frequency features are used for the detection anomalies. Therefore, in this work, we propose a hybrid approach that employs frequency domain analysis with sparse representation model to find discriminative characteristics for anomaly-based DDoS detection. The proposed algorithm distinguish abnormal traffic from the normal one based on the energy of time series for the number of packets feature, which is extracted from the time series data by using the sparse representation model. Experimental results show that performance of the proposed algorithm provides better DDoS detection results than the state-of-the-art time-series based approaches in the literature.