A Hybrid Approach to Detect DDoS Attacks Using KOAD and the Mahalanobis Distance.

Distributed Denial of Service (DDoS) attacks continue to adversely affect internet-based services and applications. Various approaches have been proposed to detect different types of DDoS attacks. The computational and memory complexities of most algorithms, however prevent them from being employed in online manner. In this paper, we propose a novel victim end online DDoS attack detection framework based on the celebrated Kernel-based Online Anomaly Detection (KOAD) algorithm and the Mahalanobis distance. We have employed the KOAD algorithm to adaptively model the normal behavior of network traffic, and then constructed the normal and abnormal datasets based on the results of KOAD. Subsequently, the Mahalanobis distance metric was calculated between datapoints of the abnormal and normal subsets. Finally, the chi-square test was used on the Mahalanobis distance values to segregate the DDoS attack datapoints from the normal ones. We have validated our algorithm on simulated DDoS scenarios, as well as real baseline data from a company operating in cyber security. Our results have revealed that our proposed hybrid approach boosts the performance of sole KOAD algorithm and Mahalanobis distance in detecting DDoS traffic in terms of both false positive and detection rates.