TY - GEN
T1 - A principal components analysis-based robust DDoS defense system
AU - Sun, Huizhong
AU - Zhuang, Yan
AU - Chao, H. Jonathan
PY - 2008
Y1 - 2008
N2 - One of the major threats to cyber security is the Distributed Denial-of-Service (DDoS) attack. In our previous projects, PacketScore, ALPi, and other statistical filtering-based approaches defend against DDoS attacks via fine-grained comparisons between the measured current traffic profile and the victim's nominal profile. These schemes can tackle virtually all kinds of DDoS attacks, even never-before-seen attack types, due to the underlying statistics-based adaptive differentiation. The viability of those statistical filtering defense systems rests on the premise that attackers do not know the victim's nominal traffic profile and, thus, cannot fake legitimate traffic. However, a sophisticated DDoS attacker might circumvent the defense system by discovering the statistical filtering rules and then controlling zombies to generate flooding traffic according to these discovered rules. This type of sophisticated attack seriously threatens the current Internet and has not yet been solved. In this paper, we propose a Principal Components Analysis (PCA)-based DDoS defense system, which extracts nominal traffic characteristics by analyzing the intrinsic dependency across multiple attribute values. The PCA-based scheme differentiates attacking packets from legitimate ones by checking whether the current traffic volume of the associated attribute value violates the intrinsic dependency of nominal traffic. The correlation among different attributes makes it more difficult for the attacker to accurately discover the statistical filtering rules and, thus, makes the scheme highly robust against new and more sophisticated attacks.
KW - Distributed denial-of-service attack
KW - Principal component analysis
KW - Selective packet discarding
KW - Statistical filtering rules
UR - http://www.scopus.com/inward/record.url?scp=51249096733&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=51249096733&partnerID=8YFLogxK
U2 - 10.1109/ICC.2008.321
DO - 10.1109/ICC.2008.321
M3 - Conference contribution
AN - SCOPUS:51249096733
SN - 9781424420742
T3 - IEEE International Conference on Communications
SP - 1663
EP - 1669
BT - ICC 2008 - IEEE International Conference on Communications, Proceedings
T2 - IEEE International Conference on Communications, ICC 2008
Y2 - 19 May 2008 through 23 May 2008
ER -