Adaptive DDoS-Event Detection from Big Darknet Traffic Data.

Lecture Notes in Computer Science (2015)

Abstract
This paper presents an adaptive large-scale monitoring system to detect Distributed Denial of Service (DDoS) attacks whose backscatter packets are observed on the darknet (i.e., unused IP space). To classify DDoS backscatter, 17 features of darknet traffic are defined from IPs/ports information for source and destination hosts. To adapt to the change of DDoS attacks, we newly implement an online learning function in the proposed monitoring system, where an SVM classifier is continuously trained with darknet features transformed from packets during a certain period. In the performance evaluation, we use the MWS Dataset 2014 that consists of darknet packets collected from 1st January 2014 to 28th February 2014 (8 weeks). We demonstrate that the proposed system keeps good test performance in the detection of DDoS backscatter (0.98 in F-measure).
Keywords
Network traffic analysis, Network incident detection, DDoS attacks, Support vector machine