An anomaly based distributed detection system for DDoS attacks in Tier-2 ISP networks


In the present computer era, the vulnerabilities inherent in the Internet architecture enable various kinds of attacks. Distributed Denial of Service (DDoS) is one of such prominent attack that is a lethal threat to Internet domain that harnesses its computing and communication resources. The increase in network traffic rates of legitimate traffic and its flow similarity with attack traffic has made the DDoS detection very difficult despite deployment of diversified defense solutions. The ISPs are bound to invest heavily to counter such problems which has a significant impact on company finances. To provide uninterrupted quality services to the end users, ISPs needs to deploy a distributed solution for timely detection and discrimination of attack and behaviorally similar flash events (FE) traffic. Such distributed defense systems can be deployed at source-end, intermediate network-end or at the victim-end location. Since the volume of traffic to be analyzed is very large, the detection accuracy and low computational complexity of the proposed defense solution is always a challenging problem. This paper proposes an ISP level distributed, collaborative and automated (D-CAD) defense system for detecting DDoS attacks and FEs, and has the capability to effectively distinguishing the two. Additionally, D-CAD defense system is also capable of categorizing FE traffic and has low computational complexity. The proposed system is validated in novel software defined networks (SDN) using Mininet emulator. The results show that D-CAD defense system outperformed its existing counterparts on various detection system evaluation metrics.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6


  1. Arbor (2019) Worldwide Infrastructure Security Report (WISR), vol xi. Tech. Rep, Arbor Networks

  2. Barford P, Plonka D (2001) Characteristics of network traffic flow anomalies. In: Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, ACM, pp 69–73

  3. Bawany NZ, Shamsi JA (2019) Seal: SDN based secure and agile framework for protecting smart city applications from DDoS attacks. J Netw Comput Appl 145:102381

    Article  Google Scholar 

  4. Behal S, Kumar K (2017) Detection of DDoS attacks and flash events using information theory metrics-an empirical investigation. Comput Commun 103:18–28

    Article  Google Scholar 

  5. Behal S, Kumar K, Sachdeva M (2017) Discriminating Flash Events from DDoS Attacks: a comprehensive review. IJ Netw Sec 19(5):734–41.

    Google Scholar 

  6. Behal S, Kumar K, Sachdeva M (2018) D-FACE: an anomaly based distributed approach for early detection of DDoS attacks and flash events. J Netw Comput Appl 111:49–63

    Article  Google Scholar 

  7. Beitollahi H, Deconinck G (2014) Connectionscore: a statistical technique to resist application-layer ddos attacks. Ambient Intell Hum Comput J Springer 5(3):425–442

    Article  Google Scholar 

  8. Bhandari A, Sangal AL, Kumar K (2016) Characterizing flash events and distributed denial-of-service attacks: an empirical investigation. Secur Commun Netw 9(13):2222–2239

    Google Scholar 

  9. Bhatia S (2016) Ensemble-based model for DDoS attack detection and flash event separation. In: Future Technologies Conference (FTC), IEEE, pp 958–967

  10. Bhatia S, George M, A Tickle A, Ahmed E (2011) Parametric differences between a real-world distributed denial-of-service attack and a flash event. In: Availability, Reliability and Security (ARES), 2011 Sixth International Conference on, IEEE, pp 210–217

  11. Bhatia S, Mohay G, Schmidt D, Tickle A (2012) Modelling web-server flash events. In: Network computing and applications (NCA), 2012 11th IEEE international symposium on, IEEE, pp 79–86

  12. Bhushan K, Gupta BB (2019) Distributed denial of service (DDoS) attack mitigation in software defined network (SDN)-based cloud computing environment. Ambient Intell Hum Comput J Springer 10(5):1985–1997

    Article  Google Scholar 

  13. Bhuyan MH, Bhattacharyya D, Kalita J (2015) An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection. Pattern Recognit Lett Elsevier 51:1–7

    Article  Google Scholar 

  14. Bhuyan MH, Bhattacharyya D, Kalita J (2016) E-LDAT: a lightweight system for DDoS flooding attack detection and ip traceback using extended entropy metric. Secur Commun Netw 9(16):3251–3270

    Article  Google Scholar 

  15. Borovkov AA, Utev SA (1984) On an inequality and a related characterization of the normal distribution. Theor Probab Appl 28(2):219–228

    Article  Google Scholar 

  16. Burbea J, Rao CR (1982) Entropy differential metric, distance and divergence measures in probability spaces: a unified approach. J Multivar Anal 12(4):575–596

    MathSciNet  Article  Google Scholar 

  17. Cover TM, Thomas JA (2012) Elements of information theory, 2nd edn. Wiley, Hoboken

    Google Scholar 

  18. Csiszár I, Korner J (1978) Broadcast channels with confidential messages. IEEE Trans Inf Theory 24(3):339–348

    MathSciNet  Article  Google Scholar 

  19. Cui Y, Yan L, Li S, Xing H, Pan W, Zhu J, Zheng X (2016) SD-Anti-DDoS: fast and efficient DDoS defense in software-defined networks. J Netw Comput Appl 68:65–79

    Article  Google Scholar 

  20. Ghorbani AA, Lu W, Tavallaee M (2010) Network attacks. In: Network intrusion detection and prevention. Springer, Boston, MA, pp 1–25

  21. Grosse I, Bernaola-Galván P, Carpena P, Román-Roldán R, Oliver J, Stanley HE (2002) Analysis of symbolic sequences using the jensen-shannon divergence. Phys Rev E 65(4):041905

    MathSciNet  Article  Google Scholar 

  22. Gupta B, Misra M, Joshi RC (2012) An ISP level solution to combat DDoS attacks using combined statistical based approach. arXiv preprint arXiv:12032400

  23. Hanley JA, McNeil BJ (1982) The meaning and use of the area under a receiver operating characteristic (roc) curve. Radiology 143(1):29–36

    Article  Google Scholar 

  24. Jian-Qi Z, Feng F, Ke-Xin Y, Yan-Heng L (2013) Dynamic entropy based DoS attack detection method. Comput Electr Eng 39(7):2243–2251

    Article  Google Scholar 

  25. Joldzic O, Djuric Z, Vuletic P (2016) A transparent and scalable anomaly-based DoS detection method. Comput Netw 104:27–42

    Article  Google Scholar 

  26. Jung J, Krishnamurthy B, Rabinovich M (2002) Flash crowds and denial of service attacks: characterization and implications for CDNS and web sites. In: Proceedings of the 11th international conference on World Wide Web, ACM, pp 293–304

  27. Kang MS, Gligor VD, Sekar V, et al. (2016) Spiffy: Inducing cost-detectability tradeoffs for persistent link-flooding attacks. In: NDSS

  28. Kumar K, Joshi R, Singh K (2007b) An ISP level distributed approach to detect DDoS attacks. In: Innovative algorithms and techniques in automation. Springer, Industrial Electronics and Telecommunications, pp 235–240

  29. Li B, Springer J, Bebis G, Gunes MH (2013) A survey of network flow applications. J Netw Comput Appl 36(2):567–581

    Article  Google Scholar 

  30. Li K, Zhou W, Li P, Hai J, Liu J (2009) Distinguishing DDoS attacks from flash crowds using probability metrics. In: Network and System Security, 2009. NSS’09. Third International Conference on, IEEE, pp 9–17

  31. Lin J (1991) Divergence measures based on the shannon entropy. Inf Theory IEEE Trans 37:145–151

    MathSciNet  Article  Google Scholar 

  32. Lin C, Lin HY, Wu TW, Chen YH, Huang CH (2013) Preserving quality of service for normal users against DDoS attacks by using double check priority queues. Ambient Intell Hum Comput J Springer 4(2):275–282

    Article  Google Scholar 

  33. Oikonomou G, Mirkovic J (2009) Modeling human behavior for defense against flash-crowd attacks. In: Communications, 2009. ICC’09. IEEE International Conference on, IEEE, pp 1–6

  34. Park H, Li P, Gao D, Lee H, Deng RH (2008) Distinguishing between FE and DDoS using randomness check. In: International conference on information security. Springer, Berlin, Heidelberg.

  35. Ranjan S, Swaminathan R, Uysal M, Nucci A, Knightly E (2009) DDoS-Shield: DDoS-resilient scheduling to counter application layer attacks. IEEE/ACM Trans Netw (TON) 17(1):26–39

    Article  Google Scholar 

  36. Sachdeva M, Kumar K, Singh G (2016) A comprehensive approach to discriminate DDoS attacks from flash events. J Inf Secur Appl 26:8–22

    Google Scholar 

  37. Shannon CE (1948) A note on the concept of entropy. Bell System Tech J 27(3):379-423.

    MathSciNet  Article  Google Scholar 

  38. Shin SW, Porras P, Yegneswara V, Fong M, Gu G, Tyson M (2013) Fresco: Modular composable security services for software-defined networks. In: 20th Annual Network & Distributed System Security Symposium, Ndss

  39. Thapngam T, Yu S, Zhou W, Beliakov G (2011) Discriminating DDoS attack traffic from flash crowd through packet arrival patterns. In: Computer Communications Workshops (INFOCOM WKSHPS), 2011 IEEE Conference on, IEEE, pp 952–957

  40. Wang B, Zheng Y, Lou W, Hou YT (2015) Ddos attack protection in the era of cloud computing and software-defined networking. Comput Netw 81:308–319

    Article  Google Scholar 

  41. Wang C, Miu TT, Luo X, Wang J (2017) Skyshield: a sketch-based defense system against application layer ddos attacks. IEEE Trans Inf For Secur 13(3):559–573

    Article  Google Scholar 

  42. Wang X, Guo N, Fangping G, Feng J (2019) Distributed denial of service attack defence simulation based on honeynet technology. Ambient Intell Hum Comput J Springer 2019:1–16

    Google Scholar 

  43. Xu Y, Liu Y (2016) DDoS attack detection under SDN context. In: IEEE INFOCOM 2016-The 35th Annual IEEE International Conference on Computer Communications, IEEE, pp 1–9

  44. Yu S, Zhou W (2008) Entropy-based collaborative detection of DDoS attacks on community networks. In: Pervasive Computing and Communications, 2008. PerCom 2008. Sixth Annual IEEE International Conference on, IEEE, pp 566–571

  45. Yu S, Zhou W, Doss R (2008) Information theory based detection against network behavior mimicking DDoS attacks. Commun Lett IEEE 12(4):318–321

    Article  Google Scholar 

  46. Yu S, Thapngam T, Liu J, Wei S, Zhou W (2009) Discriminating DDOS flows from flash crowds using information distance. In: Network and System Security, 2009. NSS’09. Third International Conference on, IEEE, pp 351–356

  47. Yu S, Guo S, Stojmenovic I (2012a) Can we beat legitimate cyber behavior mimicking attacks from botnets? In: INFOCOM, 2012, IEEE, pp 2851–2855

  48. Yu S, Zhou W, Jia W, Guo S, Xiang Y, Tang F (2012b) Discriminating DDoS attacks from flash crowds using flow correlation coefficient. Parallel Distrib Syst IEEE Trans 23(6):1073–1080

    Article  Google Scholar 

  49. Yu S, Guo S, Stojmenovic I (2013) Fool me if you can: mimicking attacks and anti-attacks in cyberspace. IEEE Trans Comput 64(1):139–151

    MathSciNet  Article  Google Scholar 

  50. Zheng J, Li Q, Gu G, Cao J, Yau DK, Wu J (2018) Realtime DDoS defense using cots SDN switches via adaptive correlation analysis. IEEE Trans Inf For Secur 13(7):1838–1853

    Article  Google Scholar 

Download references


This Research work has been supported by the All India Council for Technical Education (AICTE), New Delhi, India under Research Promotion Scheme (RPS) under Grant No. 8023/RID/RPS-93/2011-12.

Author information



Corresponding author

Correspondence to Sunny Behal.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Bhandari, A., Kumar, K., Sangal, A.L. et al. An anomaly based distributed detection system for DDoS attacks in Tier-2 ISP networks. J Ambient Intell Human Comput 12, 1387–1406 (2021).

Download citation


  • DDoS attacks
  • Network security
  • Entropy
  • Information divergence
  • Flash events
  • Detection