A low-rate distributed denial of service (DDoS) attack has the ability to obscure its tra c because it is very similar to legitimate tra c. It can easily evade current detection mechanisms. Rank correlation measures can quantify significant di↵erences between attack tra c and legitimate traffic based on their rank values. In this paper, we use two rank correlation measures, namely, Spearmen Rank Correlation (SRC) and Partial Rank Correlation (PRC) to detect low-rate DDoS attacks. These measures are empirically evaluated using three real-life datasets. Experimental results show that both measures can e↵ectively discriminate legitimate tra c from attack tra c. We find that PRC performs better than SRC in detection of low-rate DDoS attacks in terms of spacing between malicious and legitimate tra c.
Arindom Ain, Monowar H. Bhuyan, Dhruba K. Bhattach