A Hybrid Approach to Efficient Detection of Distributed Denial-of-Service Attacks
Source: Colorado State University
An automated system for detecting network traffic anomalies caused by Denial-of-Service attacks is proposed. The system is designed as a two-stage architecture that combines change-point detection, used for early attack identification, with subsequent spectral profiling, used to confirm the presence of an attack. The proposed system is shown to be robust and capable of achieving excellent results in terms of, first, the speed of detection and, more importantly, the balance between the number of correct detections and the number of false positives. This is demonstrated through extensive performance evaluation using real-world traffic traces containing malicious activity captured at a regional Internet Service Provider (ISP).
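The two-stage idea described above can be sketched as follows. This is an added example, not code from the paper or its authors. It assumes a one-sided CUSUM as the change-point stage and, as the confirmation stage, a comparison of the strongest non-DC DFT bin after the alarm against the same measure over baseline traffic. The function names, thresholds and packets-per-second traces are all constructed for illustration.

```python
import cmath
import statistics

def cusum_alarm(series, train=40, k_sigma=0.5, h_sigma=5.0):
    """Stage 1: one-sided CUSUM over a rate series; index of first alarm or None."""
    mu = statistics.fmean(series[:train])
    sigma = statistics.pstdev(series[:train]) or 1.0
    k, h, s = k_sigma * sigma, h_sigma * sigma, 0.0
    for i in range(train, len(series)):
        s = max(0.0, s + series[i] - mu - k)   # accumulate only upward drift
        if s > h:
            return i
    return None

def peak_power(window):
    """Strongest non-DC bin of the DFT power spectrum, as (power, bin)."""
    n, mean = len(window), statistics.fmean(window)
    best = (0.0, 0)
    for k in range(1, n // 2 + 1):
        x = sum((v - mean) * cmath.exp(-2j * cmath.pi * k * t / n)
                for t, v in enumerate(window))
        best = max(best, (abs(x) ** 2 / n, k))
    return best

def detect(series, train=40, window=40, ratio=10.0):
    """Stage 2 runs only after a stage-1 alarm and needs a full window of samples."""
    alarm = cusum_alarm(series, train)
    if alarm is None or alarm + window > len(series):
        return {"alarm": alarm, "confirmed": False, "period": None}
    base_power, _ = peak_power(series[:train])
    power, k = peak_power(series[alarm:alarm + window])
    confirmed = power > ratio * max(base_power, 1e-9)
    return {"alarm": alarm, "confirmed": confirmed,
            "period": window / k if confirmed else None}

# Constructed packets-per-second traces (not real traffic).
def jitter(i):
    return (i * 7) % 5 - 2

quiet = [100 + jitter(i) for i in range(120)]
# Pulsed surge from t=60: +80 pps for 4 s out of every 8 s.
pulsed = [v + (80 if i >= 60 and (i - 60) % 8 < 4 else 0)
          for i, v in enumerate(quiet)]
# Non-periodic level shift from t=60: raises the mean, adds no new periodicity.
shift = [v + (80 if i >= 60 else 0) for i, v in enumerate(quiet)]

if __name__ == "__main__":
    for name, trace in (("quiet", quiet), ("pulsed", pulsed), ("shift", shift)):
        print(name, detect(trace))
```

Both altered traces trip the change-point stage at the same sample, but only the pulsed one passes the spectral check under this assumption, which illustrates how a second stage can trade a short confirmation delay for fewer false positives.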