Skip to Main Content
In this letter, a new model for application layer DDoS attack detection is proposed. With the proposed model, the profiles for a normal user's legitimate traffic pattern and a DDoS attack traffic pattern can be generated. We can detect the DDoS attack traffic with the generated profiles in a short period of time with little consumption of computing resources. We call this model a Timeslot Monitoring Model (TMM). In this model, we extract three key features from monitored network traffic that compose the profiles. The extracted features that can represent the continuity of the traffic are classified into normal or DDoS attack traffic by a support vector machine. As a consequence, the proposed method allows us to extract the attacker's IP address with very high detection rates.