Detection Approach of DDoS Attacks Based on Conditional Random Fields

In recent years,the detection technology based on machine learning algorithms for distributed denial-of-service(DDoS) attacks has made great progress.However,there are still some deficiencies,which are:(1) being unable to make full use of contextual information in both the label and observed features series;(2) making too strong assumptions on the probability distribution of multiple features.Featured with the strong capability in integrating and exploiting contextual information and multiple features,the conditional random fields(CRF) model can be applied to detect DDoS attacks for effectively overcoming the above mentioned problems.A detection approach based on CRF model is proposed in this paper.First,two group of statistics are defined,which include traffic feature conditional entropy(TFCE) and behavior profile deviate degree(BPDD),to depict the characteristics of three types DDoS attacks: TCP flood,UDP flood and ICMP flood.Then,the CRF is trained to build the classification model for the addressed three types of attacks respectively.Lastly,the trained CRF models are used to identify the attacks with model inference.The experimental results demonstrate that the proposed approach can sufficiently exploit the advantages of CRF.The proposed detection approach not only can distinguish between attack traffic and normal traffic accurately,but is also more robust to resist disturbance of background traffic than the similar approaches.