Denial of service attack detection based on a non Gaussian and multiresolution traffic modeling

We design Distributed Denial of Service (DDoS) detection procedures based on a non Gaussian modeling of the marginal distributions of aggregated Internet traffic. The theoretical and practical relevances of this modeling is illustrated and discussed. From this modeling, various statistical distances (Mean Quadratic Distance of Kullback Divergence) between an observation and a reference time window are computed. We show and illustrate that anomalously large values observed on these distances betray major changes in the statistics of Internet times series and correspond to the occurrences of illegitimate anomalies such as DDoS attacks. Hence, thresholding these distances enables the design of attack detection procedures. Their central feature lies in their being multiresolution in nature: time series aggregated at several levels are jointly analyzed. The assessment of the statistical performance of detection procedures in Internet is a difficult issue as no repository of traffic containing well-documented attacks is available. To overcome this, we decided and chose to perform our own collection of DDoS attacks (with precisely controlled characteristics) and collected the corresponding traffic. This enables us to evaluate the performance (detection versus false alarm probabilities) of the proposed detection procedures and to show that they present satisfactory performance with a 1 min reaction time, even for attacks whose intensity is low.