Mathematical Approach as Qualitative Metrics of Distributed Denial of Service Attack Detection Mechanisms

The distributed denial of service (DDoS) attack is one of the most destructive organized cyber-attacks against online services or computers on the network. Despite the existence of many mechanisms to detect DDoS attacks, the problem is still prevalent. This research dissected and analyzed twenty-two existing DDoS attack detection mechanisms, representing all types of DDoS attack defense approaches, to determine the reason for the persistent successful DDoS attacks. This research posits two hypotheses concerning this gap: First, a lack of mathematical function usage by the existing detection mechanisms. The few functions used are limited to logical, statistical, or probability functions, resulting in reduced detection effectiveness. Second, researchers unintentionally or inadvertently miscalculate the mechanisms’ detection accuracy rate by partially using quantitative metrics. This research has three objectives; to propose a set of qualitative metrics based on mathematical functions, to measure the relationship between the quantitative and qualitative metrics in the DDoS attack detection mechanisms, and to prove the relationship between the genuineness of the existing mechanisms’ detection accuracy, and full consideration of quantitative metrics and diversity of qualitative and metrics. The result revealed a correlation rate of 84.22 %, which reflects the correctness of the detection accuracy. Third, identifying the manipulation percentage of reported detection accuracy by employing the correlation rate complement. The result indicated that 15.78 % of the reviewed mechanisms had manipulated or inadvertently miscalculated the accuracy.


I. INTRODUCTION
The dependency on the Internet for all kinds of human activities has grown exponentially in the last few years. The growth is spurred by demands from all sectors (public and private) and by the vast proliferation of emerging technologies such as smart mobile devices, financial technology (fintech), advanced communication technologies, and the Internet of Things and its applications. Unfortunately, the dramatic increase in Internet-facing devices and applications also brought along many challenges, such as exposure to various cyber threats. The most common cyber threats are denial of service (DoS) and distributed denial of service (DDoS) The associate editor coordinating the review of this manuscript and approving it for publication was Wei Yu .
attacks. These types of attacks deliberately target the availability of network services or resources for legitimate users.
Consequently, many organizations are forced to spend substantial effort and resources to secure and protect their network services from such attacks. However, due to the dynamic nature of these types of attacks and the similarity of the DoS/DDoS attack traffic pattern to regular network traffic, identifying and stopping these attacks are very challenging. Therefore, to address the threat of DoS/DDoS attacks, understanding their nature is a must before designing and engineering an effective counter.
DoS and DDoS attacks are considered the two most dangerous and destructive threats that impact individuals, companies, and governments alike [1]. DoS attack is a persistent Internet problem as evidenced by continuous attacks on commercial servers and ISPs. The disruption of network connectivity resulted in many users denied access to online services and vital network resources, such as cloud services, web servers, e-mail servers, and domain name resolvers [2]. However, the most damaging attack is DDoS attacks designed to deprive legitimate users of access to online services or resources [3]. The first well-documented DDoS attack appears to have occurred in August 1999. On 7 th of February the following year, Yahoo! Internet portal was inaccessible for three hours after being hit by what was then considered the first large-scale DDoS attack. Then, Amazon, Buy.com, CNN, and eBay were all hit by DDoS attacks that incapacitated their web servers the following day [4].
This research has three objectives. First, to propose a set of qualitative metrics that can serve as a guideline for researchers employing a mathematical-based approach to detect DoS/DDoS attacks. Second, to identify the reasons for persistent successful DDoS attacks despite many DoS/DDoS attack detection mechanisms with high accuracy rates existed. The second objective is achieved by performing mathematical analysis using the Spearman rank coefficient. Third, reveal the miscalculation of the reported detection accuracy by employing the complement of the correlation rate.
There are three main contributions of this work. First, a set of qualitative metrics based on the usage of logical operations, mathematical functions, probability functions, algebraic functions, calculus functions, or applied mathematical formula by analyzing the existing mathematical-based DDoS attack detection mechanisms. Second, quantifying the correlation between the existing quantitative metrics and the proposed qualitative metrics using the Spearman rank coefficient. Third, a method to calculate actual percentage of the mechanisms' detection accuracy using Spearman rank coefficient's complement percentage.
The remainder of this paper is structured as follows: Section 2 provides the background of the research with subsections on the types of DDoS attacks and the methods of DDoS attack defense mechanisms. Section 3 evaluates the existing related work. Section 4 describes and discusses the evaluation metrics used in this research, including the mathematical approach (the qualitative metrics), quantitative metrics, and the correlation between the quantitative and qualitative metrics. Section 5 describes the research flow, and finally, Section 5 summarizes and concludes this paper. Figure 1 illustrates the organization of this paper.

II. BACKGROUND
This section discusses DoS/DDoS attacks and the various methods employed by DoS/DDoS attack defense mechanisms.

A. DENIAL OF SERVICE/DISTRIBUTED DENIAL OF SERVICE ATTACK
DoS/DDoS attacks continue to cause problems for the internet service providers as well as Internet users. Researchers have been trying to unravel the inner working of DoS/DDoS attacks since its inception [3].
DoS/DDoS attack is a malicious attempt to prevent legitimate users from accessing online services or resources by incapacitating the server that provides the service or bringing down the network connectivity between users and the server [5]. DoS/DDoS attacks accomplish this by flooding the target with traffic or sending specifically crafted packets that trigger a crash. In both instances, the DoS/DDoS attacks deprive legitimate users (i.e., employees, subscribers, or account holders) of the online services or network resources [6].
DoS/DDoS attackers often target web servers of highprofile organizations such as banking, commerce, media companies, or government and trade organizations. Though DoS attacks do not typically result in the theft or significant loss of information or other assets, they can cost the victim a great deal of time and money to handle, its reputation, and lost opportunities [7].
The difference between DoS and DDoS attacks is in the number of attack sources involved. A single attacker triggers a DoS attack. In contrast, multiple attackers trigger a DDoS attack; and by taking advantage of distributed attacks via botnets, a DDoS attack is several times more destructive than DoS [8].
Detecting an ongoing DDoS attack is challenging for several reasons [9]. First, the detection process occurred online, which provides a limited time window for security experts and system administrators to detect and confirm the ongoing attack, which leads to misclassification of the attack. Second, the massive number of attack sources that trigger the attack could comprise a heterogeneous device type. Third, the limited capability of typical network preventive measures (e.g., packet filtering, software parameters tweak, ratelimiting, etc.) despite their usefulness in preventing damages to vital network resources [10]. Finally, it is challenging to distinguish DDoS attacks from flash crowd events due to their network traffic similarity. Therefore, there is a need for an effective and accurate mechanism to detect DDoS attacks in the network [11].

B. METHODS OF DDOS ATTACK DEFENSE MECHANISMS
This section discusses the methods of DDoS attack defense mechanisms, categorized into two groups based on their activity level or location [12].

1) DDOS ATTACK DEFENSE MECHANISMS BASED ON ACTIVITY LEVEL
This section provides the categorization of activity levelbased DDoS attack defense mechanisms, as shown in Table 1.
The activity level-based DDoS attack defense mechanisms have two different sub-categories: preventive and reactive. The preventive category has two groups: attack prevention and DDoS prevention, and the reactive category has three groups: detection strategy, response strategy, and cooperation degree [13], [14].

2) DDOS ATTACK DEFENSE MECHANISMS BASED ON LOCATION
The second category of DoS/DDoS attack defense mechanisms is based on the mechanism's location in the network. The two sub-categories for location-based DDoS attack defense mechanisms are victim network and intermediate network. The victim network category is for mechanisms that run on the victim network, whereas the second sub-category is for mechanisms deployed in the intermediate network [12], [15].

III. RELATED WORKS
There are many mechanisms have been proposed to detect DDoS attacks, such as machine learning and the mathematical based mechanisms. The difference between mathematical-based DDoS detection mechanism and machine learning-based DDoS detection mechanism is that machine learning-based mechanism aims to predict future events or classify an existing material based on training data, i.e., to classify the network traffic as normal traffic or DDoS attacks. On the other hand, mathematical-based DDoS detection mechanism aims to find the relationship between the data points, i.e., find the relationship between two or more features that represent the network traffic. Gogoi   technique, knowledge-based methods, and clustering [16], as shown in Figure 3.

A. STATISTICAL TECHNIQUES
The first category comprises DDoS attack defense mechanisms utilizing statistical-based techniques that generate a statistical model based on a given data [17]. The resulting model is used as the prediction model to classify new incoming data. The unknown instances are detected based on a statistical inference test to decide if it belongs to that model. Table 2 summarizes the existing DDoS attack detection mechanisms employing statistical-based techniques.

B. SOFT COMPUTING TECHNIQUES
The second category comprises DDoS attack defense mechanisms based on soft computing techniques. Soft computing technique applies problem-solving techniques, such as fuzzy logic, probabilistic reasoning, neural networks, and genetic algorithms (Ibrahim Goni & Ahmed Lawal, 2015). Table 3 summarizes the existing DDoS attack detection mechanisms employing soft computing-based techniques.

C. KNOWLEDGE-BASED METHODS
The third category comprises DDoS attack mechanisms utilizing knowledge-based techniques. Knowledge-based techniques attempt to match the traffic or flow patterns against a set of predefined rules. The traffic or flow is flagged as an attack if it fit the rules. Otherwise, the pattern is considered normal. Table 4 summarizes the existing DDoS attack detection mechanisms employing knowledge-based techniques [4].

D. CLUSTERING TECHNIQUES DDOS ATTACK MECHANISMS
The fourth category of DDoS attack mechanisms is clustering-based techniques, a data mining technique known as unsupervised classification. It does not need training with a training dataset, and the strength of clustering is within the algorithm itself. Table 5 summarizes the existing DDoS attack mechanisms employing clustering-based techniques.
After researching the nature of DDoS attacks, DDoS attack detection mechanisms, and comparisons, the paper classified the weaknesses of existing DDoS attack mechanisms based on the taxonomy of [16]. The classified mathematical-based approach is the feeder or input for the next stage.

IV. PROPOSED EVALUATION METRICS
In this paper, both qualitative and quantitative metrics are used to evaluate the existing DDoS attack detection mechanisms in terms of mathematical functions' level of use and accuracy calculation correctness. The details of each metric are in the following subsections.

A. QUALITATIVE METRICS
This section discusses the proposed qualitative metrics based on the study of existing DDoS attack detection mechanisms listed in Section 3. The existing mathematical-based DDoS attack detection mechanisms use various mathematical functions, formulas, and logical operations. The study revealed that the existing DDoS attack detection mechanisms could be classified based on five primary mathematical categories: logical operations, statistical functions, probability functions, algebraic functions, and calculus functions.

1) CATEGORY 1 (LOGICAL OPERATIONS)
indicates the degree of logical operation usage in DDoS attack mechanisms. Logical operations are simple arithmetic operations, such as addition, subtraction, multiplication, division, and comparison operations, such as similar, the biggest, the least, max, min, and counts. Mathematical operation on port number, protocol number, number of packets, number of flows, threshold comparison, packet size, data size, etc., typically uses logical operations.

2) CATEGORY 2 (STATISTICAL FUNCTIONS)
indicates the degree of statistical function usage in DDoS attack mechanisms. Statistical functions include the average, mean, median, mode, variance, standard deviation, percentage, hypothesis, etc. Some examples of statistical function usage are for calculating the average entropy, normalization, and Euclidian distance.

4) CATEGORY 4 (ALGEBRAIC FUNCTIONS)
indicates the degree of algebraic function usage in DDoS attack mechanisms related to matrices, vectors, determinants, etc. Some examples of algebraic function usage include the calculation of discrete Fourier transform (DFT), discrete wavelet transforms (DWT), list, DFT matrix, DWT matrix, norms, etc.

5) CATEGORY 5 (CALCULUS FUNCTIONS)
indicates the degree of the use of calculus functions in DDoS attack mechanisms, which includes sequences, series, limits, derivatives, integrals, etc., and used for integrals in DFT, DWT, summation, product, HaaR, Laplace transform, differential equations, etc.
Other than the five categories listed above, the applied mathematical formula is a mathematical category used in different fields and shows impressive results but not yet widely used or adopted for detecting DDoS attack, as shown in the reported analysis in Table 5 to Table 9. Therefore, we propose adding mathematical formulas as a new qualitative metric under Category 6. The proposed quantitative metrics evaluate the mechanisms discussed in Section 3 by enumerating mathematical functions (the qualitative matrices) used by each mechanism. The results of the evaluation of existing DDoS attack detection mechanisms employing statistical-based techniques, soft-computing, knowledge-based methods, and clustering are shown in Table 6, 7, 8, and 9, respectively. All the numbers tabulated in the tables represent the number of mathematical functions used by each mechanism. Table 6 shows that the algebraic function is the most used mathematical function by mechanisms based on statistical technique with ten function calls, while logical operations are the least with 0%. Only one mechanism in the category uses the applied mathematical formula. In terms of diversity, the mechanism by [21] utilized the most diverse mathematical functions in this category with three different types of mathematical functions and operations, and [20] used the least. Table 7 shows that the probability function is the most used mathematical function in soft computing-based detection techniques with seven occurrences, while logical operations are the least used. The mechanism by [24] uses the most diverse mathematical functions in the soft computingbased category with four different mathematical functions and operations, while the mechanism by [37] and [38] used only one type of them. Table 8 shows that the probability function is the most used mathematical function in the knowledge-based technique category with six calls. No mechanism in this category uses the calculus function and applied mathematical function.
The mechanisms by [28] and [32] use two different mathematical functions, while the others only used one. Table 9 shows that the calculus function is the most used mathematical function in the mechanisms based on clustering techniques with eight calls. However, none uses the logical operation or applied mathematical formula in this category. Two mechanisms by [34] and [35] used three different mathematical functions, while [36] and [33] only use one.

B. THE QUANTITATIVE METRICS
The quantitative metrics used are false-positive (FP), falsenegative (FN), true-positive (TP), and true-negative (TN). These four metrics quantify any detection mechanism's accuracy.
Detection accuracy evaluates the DDoS attack detection mechanism's accuracy in triggering the alert in the presence of a DDoS attack in the network traffic. Equation (1) is the formula to calculate the accuracy of the DDoS attack Unfortunately, mechanisms' detection accuracy is wrongly calculated by ignoring some of the quantitative metrics in the calculation instead of considering all quantitative metrics. Only the calculations that employ all quantitative metrics will achieve a genuine detection accuracy measure. Therefore, detection accuracy's genuineness is proposed as a new quantitative metric to validate the claimed detection accuracy. Equation (2) is the formula to calculate the genuineness of detection accuracy.
Genuineness of detection accuracy = number of metrics used in the mechanism Total number of metrics The genuineness of the detection accuracy formula above validates the mathematical-based DDoS attack detection mechanisms listed in Section 3.

C. CORRELATION BETWEEN THE QUALITATIVE AND QUANTITATIVE METRICS
This research follows three steps to prove the relationship between the proposed qualitative metrics and the existing quantitative metrics. First, analyzing twenty-two existing DDoS attack detection mechanisms using qualitative metrics. Second, using the quantitative metrics to analyze the twentytwo existing DDoS attack detection mechanisms. Third, measuring the correlation between the qualitative and quantitative  metrics by employing the Spearman rank correlation to determine the relationship strength. The details of the three steps are in the following subsections.

1) QUALITATIVE ANALYSIS OF DDOS ATTACK DETECTION MECHANISMS
In this section, the proposed qualitative metrics (logical operations, statistical functions, probability functions, algebraic  functions, and calculus analysis) measure the degree of mathematical operation and functions used by twenty-two existing DDoS detection mechanisms. Table 11 to Table 14 show the analysis of existing DDoS detection mechanisms using the proposed qualitative metrics.
This research reviewed the DDoS attack mechanisms tabulated in Table 6 through Table 9 to create descriptive data using true (T) or false (F) labels. A T label is assigned if the particular mechanism uses a particular qualitative metric; otherwise, it is assigned an F label. Then, the descriptive data is converted into its equivalent numerical value (0 or 1). A value of 1 is assigned to a mechanism if it uses any mathematical operations, function, or formulas, and 0 otherwise. So, the values are added together to obtain the total, which will be the input for the Spearman coefficient calculation.
The research computed the percentage of qualitative metrics used in each DDoS attack mechanism by using Equation (3).

Percentage of qualitative metrics used
= number of metrics used Total number of the metrics The research also computed the percentage of the mechanisms using the qualitative metrics by using Equation (4).

Percentage of mechanisms using qualitative metrics
= number of mechanisms using qualitative metrics Total number of mechanisms (4) Table 11 shows that the probability function is the most frequently used mathematical operation by mechanisms employing statistical-based detection techniques with four occurrences, or equivalent to 66.6 % of the mechanisms. Meanwhile, no mechanism in this category uses logical operation, and only [23] uses the applied mathematical formula. The mechanism by [18] and [21] are the two most diverse mechanisms in this category, with three different types of mathematical functions and operations used (50 %). The other four mechanisms in this category only use two (33.3 %). Table 12 shows that the logical operations, statistical function, and probability functions are the most used mathematical operation (50 %) by DDoS attack detection mechanisms based on soft-computing techniques. The algebraic function and calculus analysis are used by two of six mechanisms in this category. Meanwhile, no mechanism in this category uses the applied mathematical function. The mechanism by [24] and [26] are the most diverse in this category, with four different mathematical functions and operations (66.6 %) used. The mechanism by [25] is the least diverse (16.6 %), which only uses probability functions in their mechanism. Table 13 shows that the use of the statistical functions is the highest at 60 %, while no mechanism in the knowledge-based category employs the calculus analysis and applied mathematical formula. The use of logical operations and algebraic functions is still low at 20 %. Meanwhile, two mechanisms by [28] and [32] are the most diverse in this category. The mechanism by [29], [30], and [31] are the least diverse as they only use one type of mathematical function and operation in their mechanisms. Table 14 shows that four out of five (80 %) mechanisms in the clustering-based technique category use the statistical function. However, no mechanism in this category uses the logical operation and applied mathematical formula. Three mechanisms use calculus analysis (60 %), and two mechanisms use the probability function and algebraic function. The qualitative metric usage by [34] and [35] is the highest at 50 %, while the mechanism by [39] uses the least at 16.6 %.
It is evident that most researchers only employ a few mathematical operations from the list of available mathematical functions. The usage percentages for the logical, statistical, and probability functions in all twenty-two detection mechanisms are 18.2 %, 59.1 %, and 50 %, respectively. Meanwhile, only 36.4 % employ algebraic function and calculus analysis in their mechanisms. Unsurprisingly, the usage percentage of the applied mathematical function is only 4.15 percent.
The diversity of mathematical functions used in detection mechanisms and full consideration of qualitative metrics to VOLUME 9, 2021   calculate the detection accuracy will reflect the proposed mechanism's efficiency in terms of the reported results' genuineness. This claim has been substantiated using the Spearman rank correlation that measures qualitative and quantitative metrics' relationship (refer to Section 4.3.3).

2) QUANTITATIVE ANALYSIS OF DDOS ATTACK DETECTION MECHANISMS
The focus of the qualitative metrics mentioned earlier is to measure the genuineness of the detection accuracy.
This research computes the percentage of quantitative metrics usage by a mechanism using Equation (5).
Percentage of quantitative metrics used = number of metrics used Total number of metrics (5) This research also computes the percentage of quantitative metrics usage by a mechanism using Equation (6).   The proposed quantitative metrics are used to evaluate the mechanisms discussed in Section 3. The results of the evaluation of existing DDoS attack detection mechanisms employing statistical-based techniques, softcomputing, knowledge-based methods, and clustering are shown in Table 15 to Table 18, respectively. Table 15 shows that four mechanisms in the statisticalbased technique category [20]- [22], and [23] use two out of four quantitative metrics (50%) in their detection accuracy calculation. Meanwhile, the other two [18] and [19] are not using any (0%). Table 16 shows that the mechanism by [24] utilizes the most quantitative metrics (50%) while [37], [25], [38], and [27] are not using any (0%). Table 17 shows that the mechanisms by [28] and [31] are the mechanisms using the quantitative metrics the most (50%), while [29], (Lu et al. [30]), and [32]are not using any (0%). Table 18 shows that the mechanism by [39] uses the quantitative metrics the most (75%), while [34] and [36] are not using any (0%).
The study of the DDoS Attacks Detection mechanisms based on the quantitative metrics reveals several notable observations.
Most statistical technique-based mechanisms used two quantitative metrics out of four to calculate the detection accuracy, as shown in Table 15 to Table 18. Therefore, the genuineness of their accuracy calculation is only 50 %. Meanwhile, some mechanisms are still at the conceptual stage, thus not using any quantitative metrics.
The average quantitative metric used by the existing mechanisms based on the statistical technique, soft computing,   knowledge, and clustering is approximately 33.3 %, 12.5 %, 20 %, and 30 %, respectively, on average.
There is a substantial lack of mathematical formulae usage in the existing detection mechanisms. Instead, researchers preferred a few elementary operations or functions from logical operations (18.2 %), statistical functions (59.1 %), and probability functions (50 %) categories, therefore adversely reduce the mechanisms' efficacy and efficiency. The applied mathematical functions are only found in 4.5% of the existing DDoS attack detection mechanisms reviewed.

3) STATISTICAL ANALYSIS
The third step attempts to prove the relationship between DDoS attack detection mechanisms' accuracy and efficiency by applying the Spearman rank correlation. Applied researchers and methodologists alike widely used Spearman rank correlation to measure the strength of relationship between two sets of data. In this research, the first set of data represents the quantitative metrics while the second set of data represents the qualitative metrics. Therefore, Spearman rank correlation is a good fit to measure the relationship between the qualitative and quantitative metrics.
This step maps the quantitative metrics analysis (Table 15  to Table 18) as x-variable and the qualitative metrics (Table 11 to Table 14) as y-variable in Table 19 for twentytwo existing DDoS attack detection mechanisms.
This research measures the quantitative and qualitative metrics' relationship of the existing mechanisms using the Spearman rank correlation (refer to Equation (7)).
Spearman Rank Correlation Coefficient = 1− 6 d 2 n(n 2 −1) The following equation calculates the Spearman rank correlation coefficient: Table 19 clearly shows a strong relationship between the existing quantitative metrics and the proposed qualitative metrics with a coefficient value of 84.22 %. This high correlation rate reflects the genuineness of the reported DDoS attack mechanisms' detection accuracy calculations. Considering the complement of the correlation value represents the mechanisms' accuracy manipulation rate; therefore, the mechanisms' accuracy manipulation rate is approximately 15.78 %.
The research concludes that the lack of qualitative metrics usage in DDoS attack detection mechanisms leads to a less accurate DDoS attack detection. Similarly, a lack of qualitative metrics used in DDoS attack detection mechanisms reduces the genuineness of the calculated mechanisms' accuracy rates.

V. RESEARCH WORKFLOW
This section summarizes the main steps to measure the qualitative and quantitative metrics' relationship of twenty-two existing DDoS attack detection mechanisms.
1. Twenty-two DDoS attack detection mechanisms are selected and grouped according to the technique or method employed (statistical technique, knowledgebased method, soft computing, or clustering) to determine how these criteria impacted DDoS attack mechanisms' efficiency and accuracy. Then, the mechanisms are analyzed using quantitative and qualitative metrics. 2. This research identified each mechanism's mathematical operation and function usage and the mechanism's gaps and drawbacks. Then, the mathematical operations and functions are grouped into six categories (logical operations, statistical functions, probability functions, algebraic functions, calculus analysis, and applied mathematical formulas), representing the qualitative metrics, as shown in Table 11

VI. DISSCUSSION
This research is the first work that combines qualitative and quantitative metrics to check the reported result's genuineness. The proposed method is not limited to the existing mechanisms reviewed in this paper; it can also be generalized to test the manipulation or miscalculation of other types of detection mechanisms' accuracy. This research studied mathematical function usage in twenty-two existing DDoS attack detection mechanisms. The mathematical functions used in the existing mechanisms are classified into six categories (logical operations, statistical functions, probability functions, algebraic functions, calculus functions, and applied mathematical formula). These categories are used as qualitative metrics to measure the mathematical function's usage level in the existing mechanisms.
This study found a lack of mathematical operation or function usage in all mechanisms' phases, preventing high precision. Most researchers limit the use of mathematical operations that fall within the logical, statistical, or probability functions categories based on the usage percentages of 18.2 percent, 59.1 percent, and 50 percent, respectively. In comparison, the usage percentage of mathematical operations from the algebraic function and calculus analysis categories are at 36.4 percent each. Unsurprisingly, the applied mathematical function category's usage percentage is only 4.5 percent. The existing mechanisms do not consider all quantitative metrics in calculating the detection accuracy.
The abovementioned issues related to the qualitative and quantitative metrics answered why DDoS attack issues are still not resolved despite the high detection accuracy rates of many existing DDoS attack detection mechanisms.
This research pointed out for the first time that the correlation between the quantitative and qualitative metrics in a particular mechanism reflects its efficiency; the higher the correlation value, the better the efficiency, and vice versa. We employed the Spearman rank correlation to measure the qualitative and quantitative metrics' relationship. The high value of Spearman rank correlation (84.22) indicates a strong relationship between the quantitative and qualitative metrics for the particular mechanisms. Meanwhile, the Spearman rank correlation complement can be interpreted as representing the mechanism's lack of efficiency. In other words, it means, based on our research finding, the percentage of the inaccuracy of the reported mechanisms' accuracy rates is 15.78 %. To eliminate the inaccurate detection rate calculation for the existing and future mathematical based DDoS flooding attack detection mechanisms, researchers must measure and calculate all four quantitative metrics and diversify the qualitative metrics in their mechanisms. Finally, it is worthwhile to mention that datasets play a significant role in the evaluation of DDoS detection mechanisms' accuracy. For example, testing the detection mechanism using the same dataset used to train the detection model will increase detection mechanisms' accuracy. But testing the detection mechanism using a different dataset than the one used to train the detection model could reduce DDoS detection mechanisms' accuracy.

VII. CONCLUSION
DDoS attacks are costing many organizations significant losses in terms of financial and resources. There is also trust erosion of the users and the public at large. A comprehensive presentation of the existing DDoS detection mechanisms will provide researchers with a deep understanding and insight into the mechanisms' nature, allowing them to improve the mechanisms' accuracy in the future by addressing the mechanisms' limitations.
This research pointed out the reasons for DDoS attacks' continuous occurrences despite many highly accurate detection mechanisms by reviewing the existing DDoS attack detection mechanisms' methods. We posit two hypotheses to explain this gap: First, weakness in the mathematical function usage by the existing mechanisms. Most mechanisms only employ a limited set of operations within the logical, statistical, or probability function categories, which affect the efficiency in terms of DDoS attack detection mechanisms' accuracy. Second, researchers knowingly manipulate or inadvertently calculate the mechanisms' accuracy by partially using the quantitative and qualitative metrics.
This research identified a mathematical approach (qualitative metrics) that may help researchers to improve the performance, effectiveness, and efficiency of DDoS detection mechanisms in the future. The authors believe that to enhance the DDoS attack detection mechanism's effectiveness, the mathematical operation and function usage should extend to include a new mathematical function, such as applied mathematical functions. Applied mathematical functions have been employed in different fields and showed impressive results but are not yet widespread in network security, specifically in mathematical-based DDoS attack detection.
In the future, more mathematical-based mechanisms will be analyzed in addition to exploring different statistical analyses to measure the correlation coefficient between the qualitative and quantitative metrics. Meanwhile, this research opens the avenue for future researchers to replicate these steps for other DDoS attack detection mechanisms that use different approaches, such as deep learning or rule-based approaches.