DDoS Attack Situation Information Fusion Method Based on Dempster-Shafer Evidence Theory

  • Wei Guo
  • Xiangyan Tang (Email author)
  • Jieren Cheng
  • Jinying Xu
  • Canting Cai
  • Yulong Guo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11635)


Distributed Denial of Service (DDoS) attacks have caused great damage to the network environment and its services. However, existing single-point detection methods for DDoS attacks cannot achieve satisfactory results. This paper proposes a DDoS attack situation information fusion method based on Dempster-Shafer (DS) evidence theory. First, from statistics on IP traffic packets, destination IP address data packets, and destination ports, a traffic threat value and a traffic weight value based on the target IP address are calculated; they indicate, respectively, the possibility of being attacked and the impact on the network when the attack is performed. Then these values are fused to obtain the DDoS attack fusion feature (Network Flow Combination Relevance, CR), which accurately provides an evaluable network situation before and after the attack. Finally, a DDoS attack feature fusion model is developed from the CR values and combined with DS evidence theory to give a network security situation value that evaluates the probability of a DDoS attack. The experimental results show that, compared with similar methods, the proposed method can provide an evaluable forecast of potential DDoS attack threats, improve situational awareness of DDoS attacks, and reduce the false alarm rate, missing alarm rate and total error rate.


DDoS attack · Network flow feature extraction · Dempster-Shafer evidence theory · Information fusion



This work was supported by the Hainan Provincial Natural Science Foundation of China [617048, 2018CXTD333]; National Natural Science Foundation of China [61762033, 61702539]; Hainan University Doctor Start Fund Project [kyqd1328]; Hainan University Youth Fund Project [qnjj1444]; Social Development Project of Public Welfare Technology Application of Zhejiang Province [LGF18F020019].



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Wei Guo (1)
  • Xiangyan Tang (1), Email author
  • Jieren Cheng (1, 2)
  • Jinying Xu (3)
  • Canting Cai (1)
  • Yulong Guo (1)

  1. Key Laboratory of Internet Information Retrieval of Hainan Province, Hainan University, Haikou, China
  2. College of Information Science and Technology, Hainan University, Haikou, China
  3. Zhejiang Science and Technology Information Institute, Hangzhou, China
