DDoS detection using active and idle features of revised CICFlowMeter and statistical approaches

Bibliographic Details
Main Authors: Ali, Basheer Husham, Sulaiman, Nasri, Al-Haddad, S. A. R., Atan, Rodziah, Mohd Hassan, Siti Lailatul
Format: Conference or Workshop Item
Published: IEEE 2022
collection UPM
description Distributed Denial of Service (DDoS) attacks are among the most dangerous attacks targeting servers. Their main consequence is to deny users their legitimate services by bringing down the targeted victim. The CICFlowMeter tool generates bidirectional flows from packets, and each flow yields 83 different features. This research focuses on 8 of them: active min (f1), active mean (f2), active max (f3), active std (f4), idle min (f5), idle mean (f6), idle max (f7), and idle std (f8). CICFlowMeter has several problems that affect the detection accuracy of DDoS attacks. An approach based on Shannon entropy and the sequential probability ratio test (SE-SPRT), applied to the active and idle features, was implemented in this research. The problems of the original CICFlowMeter were presented, and the differences between the original and the revised version of the tool were explored. The DARPA dataset and a confusion matrix were used to evaluate the detection technique and to compare the two versions of CICFlowMeter. The detection method detected both the neptune and smurf attacks, with higher accuracy, F1-score, sensitivity, specificity, and precision, when the revised version of CICFlowMeter was used to generate the flows. When the original version was used to generate the flows, the method failed to detect the neptune attack and had a higher miss rate and lower accuracy, F1-score, specificity, and precision.
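The abstract names the pieces of the pipeline (active/idle flow features, Shannon entropy, an SPRT decision, confusion-matrix metrics) without showing how they fit together. The following is an added, self-contained illustration written for this record; it is not the authors' code, not CICFlowMeter's implementation, and the activity timeout, the entropy threshold, the SPRT parameters (p0, p1, alpha, beta) and the sample flows are all constructed assumptions. It derives f1..f8 from a flow's packet timestamps in a simplified CICFlowMeter-like way, computes the normalised entropy of one feature across a window of flows, feeds a per-window "low entropy" indicator into Wald's SPRT, and scores a labelled run with the same metrics the abstract reports.

```python
"""Active/idle features -> Shannon entropy -> SPRT -> confusion metrics.
Added example for this record; not the authors' code or CICFlowMeter itself.
All timeouts, thresholds and sample flows below are constructed assumptions."""
import math
from statistics import mean, pstdev

FEATURE_NAMES = ["active_min", "active_mean", "active_max", "active_std",
                 "idle_min", "idle_mean", "idle_max", "idle_std"]   # f1..f8


def active_idle_features(timestamps, activity_timeout=5.0):
    """f1..f8 for one bidirectional flow given its packet timestamps (seconds).

    Simplified bookkeeping (an assumption, not CICFlowMeter's code): packets
    separated by <= activity_timeout belong to one active period; a larger gap
    closes the period, and the gap itself is recorded as an idle period.
    """
    ts = sorted(timestamps)
    if not ts:
        raise ValueError("a flow needs at least one packet")
    active, idle = [], []
    start = end = ts[0]
    for t in ts[1:]:
        if t - end > activity_timeout:
            active.append(end - start)
            idle.append(t - end)
            start = t
        end = t
    active.append(end - start)          # close the last active period

    def stats(xs):
        return (min(xs), mean(xs), max(xs), pstdev(xs)) if xs else (0.0,) * 4

    return dict(zip(FEATURE_NAMES, stats(active) + stats(idle)))


def shannon_entropy(values, bins=8):
    """Normalised Shannon entropy in [0, 1] of a feature over a window of flows.
    Values are bucketed into equal-width bins over the observed range; a window
    where every flow has the same value (typical of a flood) scores 0."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return 0.0
    counts = [0] * bins
    for v in values:
        counts[min(int((v - lo) / (hi - lo) * bins), bins - 1)] += 1
    n = len(values)
    h = -sum(c / n * math.log2(c / n) for c in counts if c)
    return h / math.log2(bins)


def window_entropy(flows, feature="idle_mean", **kw):
    """Entropy of one f1..f8 feature across all flows in a window."""
    return shannon_entropy([active_idle_features(f, **kw)[feature] for f in flows])


def sprt(indicators, p0=0.1, p1=0.8, alpha=0.01, beta=0.01):
    """Wald's SPRT on a stream of 0/1 indicators (1 = window looked anomalous).
    H0: P(1) = p0 (normal traffic); H1: P(1) = p1 (attack). Returns
    ('attack' | 'normal' | 'undecided', number of windows consumed)."""
    upper = math.log((1 - beta) / alpha)    # accept H1 once LLR >= upper
    lower = math.log(beta / (1 - alpha))    # accept H0 once LLR <= lower
    llr = 0.0
    for k, x in enumerate(indicators, 1):
        llr += math.log(p1 / p0) if x else math.log((1 - p1) / (1 - p0))
        if llr >= upper:
            return "attack", k
        if llr <= lower:
            return "normal", k
    return "undecided", len(indicators)


def classify_stream(windows, threshold=0.3, **kw):
    """Per-window indicator: entropy of idle_mean below threshold. Then SPRT."""
    return sprt([window_entropy(w, **kw) < threshold for w in windows])


def confusion_metrics(y_true, y_pred):
    """Accuracy, precision, sensitivity, specificity, F1 and miss rate."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(1 for t, p in pairs if t and p)
    tn = sum(1 for t, p in pairs if not t and not p)
    fp = sum(1 for t, p in pairs if not t and p)
    fn = sum(1 for t, p in pairs if t and not p)
    div = lambda a, b: a / b if b else 0.0
    sens, prec = div(tp, tp + fn), div(tp, tp + fp)
    return {"accuracy": div(tp + tn, tp + tn + fp + fn), "precision": prec,
            "sensitivity": sens, "specificity": div(tn, tn + fp),
            "f1": div(2 * prec * sens, prec + sens), "miss_rate": div(fn, fn + tp)}


# Constructed sample windows (six flows each). Benign flows idle for varying
# times; flood flows are clones of one another, so their idle_mean has no spread.
BENIGN_WINDOW = [[0.0, 1.0, 1.0 + g, 2.0 + g] for g in (6, 9, 12, 20, 30, 45)]
ATTACK_WINDOW = [[0.0, 1.0, 7.0, 8.0]] * 6

if __name__ == "__main__":
    print(active_idle_features([0.0, 1.0, 7.0, 8.0]))
    print("benign entropy", round(window_entropy(BENIGN_WINDOW), 3),
          "attack entropy", window_entropy(ATTACK_WINDOW))
    print(classify_stream([BENIGN_WINDOW] * 5), classify_stream([ATTACK_WINDOW] * 5))
    print(confusion_metrics([1, 1, 1, 0, 0, 0], [1, 1, 0, 0, 0, 1]))
```

The entropy step is where the feature quality matters: if the flow generator mis-times active and idle periods, flood flows stop looking uniform, the per-window indicator stays at 0, and the SPRT will happily accept H0 for an attack stream. That is the failure mode the abstract reports for the original CICFlowMeter output on the neptune attack, and it shows up here as a higher miss rate and lower specificity rather than as a code error.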
id upm.eprints-37800
institution Universiti Putra Malaysia
Citation: Ali, Basheer Husham; Sulaiman, Nasri; Al-Haddad, S. A. R.; Atan, Rodziah; Mohd Hassan, Siti Lailatul (2022). DDoS detection using active and idle features of revised CICFlowMeter and statistical approaches. In: 2022 Fourth International Conference on Advanced Science and Engineering (4th ICOASE), 21-22 Sept. 2022, Zakho - Duhok, Kurdistan Region, Iraq, pp. 148-153. IEEE. Peer reviewed.
URL: https://ieeexplore.ieee.org/document/10075591
DOI: 10.1109/ICOASE56293.2022.10075591
Repository record: http://psasir.upm.edu.my/id/eprint/37800/