A Novel DoS and DDoS Attacks Detection Algorithm Using ARIMA Time Series Model and Chaotic System in Computer Networks

Bibliographic Details
Published in: IEEE communications letters, Vol. 20, no. 4, pp. 700-703
Main Authors: Nezhad, Seyyed Meysam Tabatabaie; Nazari, Mahboubeh; Gharavol, Ebrahim A.
Format: Journal Article
Language: English
Published: New York, IEEE, 01.04.2016
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
ISSN: 1089-7798, 1558-2558
DOI: 10.1109/LCOMM.2016.2517622

Summary: This letter deals with the problem of detecting DoS and DDoS attacks. First of all, two features including number of packets and number of source IP addresses are extracted from network traffics as detection metrics in every minute. Hence, a time series based on the number of packets is built and normalized using a Box-Cox transformation. An ARIMA model is also employed to predict the number of packets in every following minute. Then, the chaotic behavior of prediction error time series is examined by computing the maximum Lyapunov exponent. The local Lyapunov exponent is also calculated as a suitable indicator for chaotic and nonchaotic errors. Finally, a set of rules are proposed based on repeatability of chaotic behavior and enormous growth in the ratio of number of packets to number of source IP addresses during attack times to classify normal and attack traffics from each other. Simulation results show that the proposed algorithm can accurately classify 99.5% of traffic states.