A Behavior-Based Method for Distinction of Flooding DDoS and Flash Crowds

  • Degang Sun
  • Kun Yang
  • Zhixin Shi
  • Bin Lv
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10412)


DDoS and Flash Crowds are always difficult to distinguish. In order to solve this issue, this paper concluded a new feature set to profile the behaviors of legitimate users and Bots, and proposed an idea employed Random Forest to distinguish DDoS and FC on two widely-used datasets. The results show that the proposed idea can achieve distinguishing accuracy more than 95%. With comparison with traditional methods-Entropy, it still has a high accuracy.


Flooding DDoS Flash crowds Random Forest User behavior analysis Entropy 


  1. 1.
    Mansfield-Devine, S.: The growth and evolution of DDoS. Netw. Secur. 2015(10), 13–20 (2015)CrossRefGoogle Scholar
  2. 2.
    Jung, J., Krishnamurthy, B., Rabinovich, M.: Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites. In: Proceedings of the 11th International Conference on World Wide Web, pp. 293–304. ACM (2002)Google Scholar
  3. 3.
    Xie, Y., Yu, S.-Z.: A large-scale hidden semi-Markov model for anomaly detection on user browsing behaviors. IEEE/ACM Trans. Netw. (TON) 17(1), 54–65 (2009)CrossRefGoogle Scholar
  4. 4.
    Oikonomou, G., Mirkovic, J.: Modeling human behavior for defense against flash-crowd attacks. In: 2009 IEEE International Conference on Communications, pp. 1–6. IEEE (2009)Google Scholar
  5. 5.
    Thapngam, T., Yu, S., Zhou, W., Beliakov, G.: Discriminating DDoS attack traffic from flash crowd through packet arrival patterns. In: 2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pp. 952–957. IEEE (2011)Google Scholar
  6. 6.
    Yu, S., Guo, S., Stojmenovic, I.: Fool me if you can: mimicking attacks and anti-attacks in cyberspace. IEEE Trans. Comput. 64(1), 139–151 (2015)MathSciNetCrossRefzbMATHGoogle Scholar
  7. 7.
    Yu, S., Thapngam, T., Liu, J., Wei, S., Zhou, W.: Discriminating DDoS flows from flash crowds using information distance. In: Proceedings of the third International Conference on Network and System Security, NSS 2009, pp. 351–356. IEEE (2009)Google Scholar
  8. 8.
    Saravanan, R., Shanmuganathan, S., Palanichamy, Y.: Behavior-based detection of application layer distributed denial of service attacks during flash events. Turkish J. Electr. Eng. Comput. Sci. 24(2), 510–523 (2016)CrossRefGoogle Scholar
  9. 9.
    Mori, G., Malik, J.: Recognizing objects in adversarial clutter: breaking a visual captcha. In: 2003 IEEE Computer Society Conference on Computer Vision and Pattern Recognition, vol. 1, pp. I–134 (2003)Google Scholar
  10. 10.
    Breiman, L.: Random forests. Mach. Learn. 45(1), 5–32 (2001)CrossRefzbMATHGoogle Scholar
  11. 11.
  12. 12.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Institute of Information EngineeringChinese Academy of SciencesBeijingChina

Personalised recommendations