A method for detecting distributed denial of service attacks based on behavior distribution
A distributed denial of service (DDoS) attack is a common network attack that is difficult to prevent. A DDoS attack usually generates a huge number of packets in a very short time and exhausts the resources of the targeted host and network. Consequently, DDoS attacks are a great threat to the stability of high-speed networks. Many studies have shown that attack packets are generated by one or several functions. Therefore, attack packets always share some features that valid packets do not have. This paper introduces the concept of behavior distribution. When suspicious flows arrive at a server, the software calculates the differences in their behavior distribution. If the difference is lower than the threshold, the traffic is deemed a DDoS attack. Otherwise, it is a valid access. The NS-3 experimental results indicate that this method can effectively distinguish a DDoS attack from a valid access and thus contain an attack as soon as possible.
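The threshold decision described above can be sketched as follows. This is an added example, not the paper's code. The abstract does not say which feature or distance the authors use, so the packet-size histogram (100-byte bins), the total variation distance, the mean over flow pairs, the 0.2 threshold and all function names are assumptions chosen for illustration.

```python
from collections import Counter
from itertools import combinations

def behavior_distribution(values, bin_width=100):
    """Normalized histogram of one per-packet feature (assumed: packet size in bytes)."""
    counts = Counter(v // bin_width for v in values)
    total = sum(counts.values())
    return {b: c / total for b, c in counts.items()}

def distribution_difference(p, q):
    """Total variation distance in [0, 1]; 0 means the two distributions are identical."""
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))

def classify(flows, threshold=0.2):
    """flows: {source: [packet sizes]}. Returns (verdict, mean pairwise difference).

    Low difference means the flows behave alike, which the abstract treats as
    the signature of packets produced by the same generating function.
    """
    dists = {src: behavior_distribution(v) for src, v in flows.items() if v}
    pairs = list(combinations(dists, 2))
    if not pairs:  # fewer than two non-empty flows: nothing to compare
        return "insufficient-data", None
    mean_diff = sum(distribution_difference(dists[a], dists[b])
                    for a, b in pairs) / len(pairs)
    return ("ddos" if mean_diff < threshold else "valid"), mean_diff

# Constructed sample data (documentation address ranges, invented packet sizes).
ATTACK_FLOWS = {  # near-identical small packets from every source
    "192.0.2.1": [64, 64, 70, 64, 68, 64, 64, 66],
    "192.0.2.2": [64, 66, 64, 64, 64, 70, 64, 64],
    "192.0.2.3": [64, 64, 64, 68, 64, 64, 66, 64],
}
VALID_FLOWS = {  # bulk download, interactive session, mixed browsing
    "198.51.100.1": [64, 1500, 1500, 1500, 576, 1500, 1500, 64],
    "198.51.100.2": [64, 120, 90, 64, 200, 150, 64, 80],
    "198.51.100.3": [576, 600, 640, 1200, 900, 300, 1000, 700],
}

if __name__ == "__main__":
    for name, flows in (("attack", ATTACK_FLOWS), ("valid", VALID_FLOWS)):
        verdict, diff = classify(flows)
        print(f"{name}: verdict={verdict} mean_difference={diff:.3f}")
```
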