RTVD: A Real-Time Volumetric Detection Scheme for DDoS in the Internet of Things

Distributed Denial of Service (DDoS) attacks are increasingly harmful to the cyberspace nowadays. The attackers can now easily launch a bigger and more challenging DDoS attack both towards and with Internet-of-Things (IoT) devices, due to the fast popularization of them. Because of the characteristic of fast overwhelming, it is important to make fast as well as accurate response to DDoS attacks, and the real-time performance can be even more important to prevent and legitimate the attacks. Among the methods proposed by researchers, the entropy-based detection method provides a sensitive and reliable performance. However, the balance between computational complexity and recognition accuracy remains a challenge. In this paper, we propose a detection method that consists of 3 main parts in different aspects: a sliding time window to fasten the entropy calculation, a single-directional filter to realize early detection during the DDoS progress but not after the crash, and a quintile deviation check algorithm to optimize the detection result. These will eventually lead to a real-time and high-efficient performance to recognize IoT DDoS attacks as soon as possible.


I. INTRODUCTION
It has been decades since the Distributed Denial-of-Service (DDoS) attack pattern first appeared [1], yet the DDoS attacks are still huge challenges. Traditionally, a Denial-of-Service (DoS) attack is characterized by an explicit attempt by attackers to prevent the legitimate use of a service, and a DDoS attack deploys multiple devices, usually millions of devices, to attain this goal [2]. In September 2016, the website of computer security consultant Brian Krebs was hit with 620 Gbps of traffic. The DDoS attacks can do much faster and more severe harm to the Internet, yet the attacks can be even stealthier than DoS attacks are. Due to the differences The associate editor coordinating the review of this manuscript and approving it for publication was Zhenyu Zhou . between DoS and DDoS, the defense strategies can be totally different.
Unfortunately, the security situation is even more severe especially in the era of Internet-of-Things (IoT) today. With the up growing number of IoT devices, attackers can easily take control of far more infected bots than ever before. What's more disturbing is that, the concepts of IoT, such as the modern Internet of Vehicles [3], [4], edge computing [7] and Information-Centric Networking (ICN) [5], [6] etc., are having increasingly stronger computing power [8]. In late 2016, Mirai [9], the ever largest IoT botnet, outbroke in 2016 and launched a DDoS attack on 20th Sept., with the maximum speed of 1.5 Tbps on OVH, the French web host and cloud service provider, and launched another DDoS attack on a DNS management service provider in America, which caused a large-area network paralysis in eastern United States. Many VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see http://creativecommons.org/licenses/by/4.0/ American websites, including Twitter and Facebook, failed to be accessed by their domain names. In the offline event in Germany, attackers launched a flood scan on 7,547 port with Mirai, about 900,000 Deutsche Telekom routers crashed during the campaign, resulting in a large scale of limited network access. In late November 2017, a Mirai variant was found launching attacks on IoT devices in Argentina through port 23 and 2323 [10]. Besides Mirai, there already exist many IoT botnets such as QBOT, Luabot, Bashlight, Zollard, Remaiten, KTN-RM, etc., and most of them provide the DDoS service. In fact, few IoT viruses exclude the function of DDoS because IoT is perfect to launch a DDoS attack, making the DDoS more threatening.
In an original DDoS attack, the attacker controls a huge number of devices and threads to directly consume the resources of the victim servers. A Direct DDoS Attack itself is simple to understand and realize, but the attacker must prepare an attacking network to manage and control all the devices by adopting a botnet or a Trojan virus, which enriches the cost of an attack. To avoid this problem, or to make the attack more dangerous, the strategy of (Amplified) Reflective Attack is proposed. In a reflective DDoS attack, the attacker takes advantage of the vulnerabilities of those protocols which make more responding resources than requesting ones, such as DNS, NTP, SSDP, etc. The attacker designs and sends some fake request packets, which are claimed to be sent from the victims to the servers running those reflective protocols. Usually, the servers won't check whether the source IP addresses are valid or real and will send the query results to the victim IP addresses.
In another classification of flow quantity, DDoS attacks are divided into Volumetric attacks and Low and Slow attacks. Volumetric attacks are the traditional type of DDoS, and they overwhelm the targets by consuming network, storage or computing resources. Huge Volume DDoS attacks send a high amount of traffic or request packets to a targeted network or device to overwhelm its bandwidth capabilities, connection limit or other network resources. In contrast, Low and Slow attacks, also known as low-rate DDoS attacks (LDDoS) or Slow DDoS attacks, are mainly based on the vulnerabilities of layer-7 protocols and involve ''what appears to be legitimate traffic at a very slow rate'' [11] to occupy and consume the connections. The earliest Slow DDoS is SlowLoris [12], and it is first released by Robert ''RSnake'' Hansen in June 2009, which allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports.
Generally, Slow DDoS attacks can go through Volume DDoS detectors, because their packets are usually valid and real, and cause few volume or number of requests, so some researchers claim that Slow DDoS attacks are more technically superior, more dangerous and stealthier than volume attacks. We used to believe that as well, but the reports and data show the result. As is shown in the DDoS Threat Report 2018 Q3 [13], ''The maximum attack size increased 139.84% Year-over-Year to 118Gbps'', and in the Nexusguard Threat Report (DDoS) 2019 Q3 [14], the top attacking vectors are DNS Amplification, HTTP(S) Flood and TCP SYN Flood, as shown in Fig. 1. Since the Huge Volume DDoS attack is still one of the biggest threats in cyberspace and is turning its attacking mode into a brand-new faster one, it is necessary to make the detection more efficient and flexible.
Volume DDoS attacks flood the target in the hopes of slowing or stopping their services. There are 3 main statistical characteristics of the DDoS traffic: 1) Huge traffic size. As in the big data era today, the in-out traffic of a personal web server can easily come to 1000's of Mbps, and when a DDoS attack occurred, typically, the request sizes are in the 100's of Gbps, and reports show that recent attacks have scaled to over 1Tbps.
2) Various source info. Not only does the source Port vary, but the source IP address also varies in a wide range. Usually, the attackers will use the fast-flux technology [15] and an IP/MAC pool for IP spoofing, or will simply generate fake packet heads for those non-source-IP-check protocols. Considering the huge size of network traffic, the range of values can be shocking.
3) Take the effect quickly. The DDoS attack will arouse a huge number of traffic or requests and crash the target victim in a short duration, which means there will be little interaction time for the detection and following defense against the attack.
In this paper, we focus on fastening the detection of volume type DDoS and designed a real-time alarming system. The contribution of this paper is described as follows: 1) We optimize the method of sliding time window to fasten the entropy calculation algorithm; 2) We design a Quintile Deviation Check algorithm to identify the attacks; 3) We redefine a temporal indicator to evaluate the time performance of DDoS detection.
With the 3 contributions, we realize a real-time volumetric detection scheme for DDoS in the Internet of Things.
The rest of this paper is organized as follows. In Section II, we describe the related works on the usage of the sliding time window and DDoS detection methods. In Section III, we list the nomenclature of all the terms, abbreviations and mathematical symbols used in the following paragraphs. In Section IV, we discuss the detection architecture as well as the mathematical theories that our detection is based on. And we set 3 subsections to explain the concepts of Traffic Processor, Entropy Calculator, and Detection & Alarm Module in detail. In Section V, we make simulations on 3 public datasets and a generated dataset to prove and evaluate the detection scheme we propose. In Section VI, we conclude the whole paper and point out the direction of future research.

II. RELATED WORKS
Research works have been done with various strategies to detect DDoS attacks with sliding time window or information entropy methods in recent years.
Early in 2006, the sliding window was used in DDoS detection in [16]. The authors use two adjacent non-overlapping windows: the referenced sliding window and the test sliding window, and use an autoregressive model to recognize anomalous traffic. Reference [18] mentioned a real-time DDoS detection technique, using a sliding window and source IP clusters, and using Spark to meet the distributed demands. In years before the DDoS attacks had the characteristics of a relatively fixed number of packets per second, packet bytes, gap periods, etc. However, the situation has changed and the technique of source IP cluster technique won't work as well as before, but other parts of the research provide many inspirations.
In [19], the authors propose a new two-step method for DDoS attack detection, which combines the approaches of network traffic entropy and the TSK Fuzzy System (TSK-FS), and shows that the TSK-FS DDoS detector reaches enhanced sensitivity and robustness in the detection process. Reference [20] shows a method to identify DDoS attacks by computing entropy and frequency-sorted distributions of selected packet attributes. The authors also use the sliding window to simplify the computation of the entropy, which fastens the calculation, but they didn't discuss the aspect of accuracy in detail. In [21] the authors study information-theoretic methods to detect intrusions in the network. They consider the usage of entropy, conditional entropy and information gain to help partition and setting parameters for existing detection models. On this basis, Virmani et al. proposed an entropy deviation method for network intrusion analysis [22]. They used the variation value of source IP entropy packet-by-packet to classify the benign (trusted) and malicious IP addresses. Reference [17] presented a DDoS attack detection and mitigation system with Software Defined Network (SDN). They collected the network traffic information using the SDN controller and sFlow agents in advance and then identified abnormal network traffic with an entropy-based method and a Support Vector Machine (SVM) classifier. Other researches also mentioned detection or mitigation methods such as Threat Intelligence (TI) information sharing [23] and command lines analysis [24].
Based on all the researches above, entropy works well in the DDoS detection scenario, but the balance between efficiency and accuracy is a big challenge. The mentioned reference [20] uses a sliding window to optimize the time performance, and base on that, our research in this paper does further progress.

III. NOMENCLATURE
To make a clearer expression, in this section, we list all the terms, abbreviations and mathematical symbols that are used in the following paragraphs, as well as their descriptions and definitions. VOLUME 8, 2020

IV. DETECTION ARCHITECTURE AND MATHEMATICAL THEORIES
The detection system consists of 3 parts: a traffic processor, an entropy calculator, and a detection module, and the architecture is shown in Fig. 2. The traffic processor monitors the traffic in the whole network, preprocesses the traffic data and then forwards the data to the entropy calculator. The entropy calculator calculates the real-time entropy values and sends the values to the detection module. The detection module matches the entropy values with the given risk models and decides whether to send out an alarm. In the following sections, we will introduce the mechanism and theories of the 3 parts in detail.

A. TRAFFIC PROCESSOR 1) MONITORING AND THE TIMESTAMP ATTACHED 5-TUPLES
Due to the existence of security vulnerabilities in traditional network architectures, DDoS attacks are becoming increasingly dangerous. To contain the consequence and also to trace the attacks, the industry and academia proposed the concept of software-defined network (SDN), whose centralized control network provides support for the defense against DDoS attacks [25]. Within an SDN environment, we can trace and filter the DDoS traffic, can get the traffic packet in real-time and can make real-time detection and defense.
Since we can get real-time traffic packets, the next thing that matters most is to extract the concerned segments from the input data. The traditional Request-For-Comments (RFC)-defined traffic identifier is the 5-Tuple [26], [27]: [Source IP, Source Port, Destination IP, Destination Port, Protocol]. Analysts use 5-tuples to distinguish between different network flows. Using 5-tuple only will lose time-domain characteristics. To solve this problem, we also append the timestamp of each packet to the tuple as the expiring threshold variable.

2) SINGLE DIRECTIONAL PACKET FILTER
A complete DDoS attack can be divided into 3 stages of preparing, attack accumulating, and saturation. The attackers collect the necessary information and intelligence of the target victims and deploy botnets of Trojans during the preparation stage. After the preparation, the attackers send out a command to launch the attack. As the connection numbers, network resources or computing resources are being gradually occupied, the service capacity keeps declining, and the victims will finally be unable to respond. Most detection methods are based on this characteristic, but this means the attackers have already fulfilled their goals. If we want to prevent the attack before the victims paralyzed, we must further shorten the responding time and latency. However, another problem is that, during the accumulating stage. the victim server can still make responses to the packets, including the malicious ones. We will not only see the victims' IP addresses in the destination IP segment but also see as many attackers' and legal users' IP addresses as well. This will lead to a failure in applying entropy detection until the attack enters the saturation stage.
To eliminate the influences from the victims' response packets, a popular approach is to use flow information instead of packet information, because the network traffic flow will keep only the first packet in the flow. However, this will also lead to false statistical characteristics. Popular flow extractors (e.g., bro and tshark) usually work on a captured pcap file and loses real-time capability. In this paper, we propose a single directional packet filter and tried to advance the detection to the attack accumulation stage. Fig. 3 describes the flow chart of the filter.
The filter takes every sent-in 5-tuple as an input, and only allows the tuples whose direction is the same with the first tuple of a flow to pass. The filter maintains a list to record the identifier of every flow. We reform each 5-tuple into a 3-part array  In the example, we can easily notice that the distribution of source information and destination information becomes unexpectedly the same, and we are unable to locate the attacking event until we remove the response packets.

B. ENTROPY CALCULATOR
Entropy theory is effective in DDoS detection because when an attack occurs, the IP addresses and port numbers of the malicious traffic are provided by thousands of millions of different hosts that are fake, virtual or illegally controlled, while under legal usage. However, they would be confined to a relatively small range, and that will show a sharp contrast from the entropy perspective.

1) OPTIMIZED SLIDING TIME WINDOW
The entropy value can directly represent the distribution of information, but according to Shannon's original entropy formula (1) where w is a constant value and is less than n. Because the series of entropy value describes the trend of the value distribution, the input values that have arrived too long before should have few influences on the current input. Therefore, we can set a proper constant width of a sliding window, i.e. 10 4 packets, and apply the sliding window to the input values to calculate the entropy. Comparing with (1), the upper bound of i is limited to be less than or equal to the width w. The method makes it possible to apply entropy to DDoS detection, but the response time can be further reduced. Taking the result as a basis, we propose 2 methods to further reduce the time complexity.

a: VARIATION UPDATING METHOD
The calculation of the entropy is accumulative. If we apply a sliding time window, we can only recalculate the information content of both the slide-out and slide-in elements, and keep most other unaffected elements the same, thus simplifying the calculation. Supposing that there is an input sequence , and the width of the sliding window is w = 5. Then it is easy to calculate the entropy of the first sliding window: When the window slides forward by a step, the entropy becomes: Giving a subscript of [0 : 4] to the information contents in (2) and [1 : 5] to those in (3), we can get the relation between (2) and (3) [5]) (5) Using this method, the only thing to do is just to count how many times do the slide-in-and-out elements appear within the sliding time window, and the worst time complexity is O(2 * w). Then we calculate the variation of their information contents to update the entropy value, thus getting the generalized (5) with the following hypothesis.
Given an n-length sequence S and a preset sliding window width w (w < n), let H (x) be the entropy value of the x th wlength subsequence of S (marked as S x ), and h x (e) be the information content of an element e in S x . The recurrence formula of entropy writes:

: VALUE COUNTER DICTIONARY AND COUNTER MATRIX
Another realization is to build a dictionary to record the count numbers of every distinct element at every sliding since the very beginning. Taking the previous example, we now record all the count numbers: 3 x 1 s, 1 x 2 and 1 x 3 and record the result as a dictionary d = {x 1 : 3, x 2 : 1, x 3 : 1} to make the result formatted. Now we slide the time window, recount the elements and append the new dictionary to the former one: Because we preset the window width to be 5, it's simple to count the number of all elements. But the situation could be worse as the w goes larger. So we set another variable X to record the to-be-slide-out element. In the example, we set X = x 1 , and after we slide we update the counting number of x 1 from 3 down to 2, and then check whether the newly slide-in element x 4 already exists.
The dictionaries of the whole sliding window can be described in an array: is the value vector of d i . In the example above, the matrix is C = 3 1 1 0 2 1 1 1 . The entropy calculation formula can now be written in a matrix format: Or: 2) JOINT ENTROPY When a DDoS attack occurs, we usually see a sharp climbingup of the entropy of source IP and Ports because of the huge amount of distributed attacking devices. But the situation may be opposite if the target devices are so weak that they can be easily taken down by a few attacking nodes, or the attack is launched by some old-but-still-effective DDoS tools such as ddosim [28]. On the other point of view, we will see a sharp decline of the entropy of destination IP until the number of attack packets reaches the width of the entropy sliding window, and this is a traditional and the most popular detection basis. But actually, the result will be interfered with by some indicators such as the target numbers, policies that motivate traffic to burst up, which is called ''a benign flash crowd'' in Zhao's research [19], etc.
To solve these problems, we combine both source and destination segments and apply joint entropy to the timestamp attached 5-tuples. We use the joint couple of (s_IP, s_Port) instead of the source IP and source port, and then make it joint with destination segments as our final detection basis. We mark (s_IP, s_Port) as s and (d_IP, d_Port) as d, and the final detection basis can be written as (s, d), so that the fake going-down of source IP can be eliminated.

C. DETECTION AND ALARM MODULE 1) BACKGROUND TRAFFIC FILTER
We can now easily find the beginning of attacks even by our eyes, but in practice, the terrible jitters can confuse the computers. It is necessary to eliminate the influences of background noise. Because the entropy values are continuous time series, we can use a Long Short-Term Memory (LSTM) model to predict the following entropy values. The LSTM [29], [30] is an artificial Recurrent Neural Network (RNN) architecture. Unlike standard Feedforward Neural Networks, LSTM has feedback connections and can take past inputs into the calculation, which makes it capable to deal with sequence prediction missions. Bloomberg Business Week wrote: ''These powers make LSTM arguably the most commercial AI achievement, used for everything from predicting diseases to composing music'' [31]. We preset lb as the number of the previous values that LSTM model looks back, send the first lb values as the input sequence, and get a predicted output value p. Then we repeat the process, pump p into the bottom of lb sequence and pop out the top value, send it to LSTM and get the second p value, and so on.

2) QUINTILE DEVIATION CHECK ALGORITHM
As we've got the pre-processed and real-time entropy values, the next thing to do is to make an immediate check and alarm for the suspicious packets. There are many deviation check algorithms: Quartile Deviation [32], [33], Generalized Extreme Studentized Deviate (GESD) [34], Linear Regression, Confidence Interval, etc. In this paper, we concern more about the sensitivity, and the values are nearly continuous, so we decide to redesign the Quartile Deviation algorithm. Quartile Deviation departs ascending sequence values into 4 equal-length subintervals and marks the 3 quartile points as Q1(25%), Q2(50%) and Q3(75%). The deviation value is Q3-Q1, which means 50% of the values are in [Q1, Q3], and the maximum deviation is Q3-Q1.
We made a great modification to the original Quartile Deviation algorithm, and name it as Quintile Deviation Check (abbr. QuinDC). Since we have to consider both directions of the curve trend, we extended the number of subintervals to 5 unequal-length subintervals and named them as Divergent Interval (Upward), Shock Interval (Upward), Convergent Interval, Shock Interval (Downward) and Divergent Interval (Downward) as shown below. The core parameters of QuinDC is the previous average value e and the previous radius value r (half of the value of which in traditional Quartile Deviation algorithm). We set e as the central basis of every test data, and determine the division points with e, e ± r and e ± 2r. If a value falls in the interval of [e − r, e + r], we mark it as 'convergent'; if it falls in the interval of [e − 2r, e − r] or [e + r, e + 2r], we mark it as 'shock'; and if it is larger than e + 2r or less than e − 2r, then we mark it as 'divergent'. Those divergent values are what we concern about, and we can then turn to research what kind of data shows abnormal behavior. We introduce 3 new parameters, N , k and φ to solve this problem.
As is shown in Fig. 5, we apply an N -length sliding window here and divide the N-length sequence into k-length groups in the pattern shown in Fig. 6. Generally, N cannot be divided by k, so we just get rid of the beginning N %k values. Because the sequence or array is checked with a sliding window, this operation won't cause a bad affect on the result.
Finally, we set φ as the threshold of the alarm trigger, and summarize the following two alarm principles: 1) Monotonicity: The average value of all groups must be monotonic.
2) Divergency: φ of the values in the sliding window should be in the divergent intervals determined by the first φ of the sliding window in the previous step. The system will send out an alarm as soon as the 2 principles are both met.

V. SIMULATION AND EVALUATION A. DATASETS SELECTION
In this paper, we use 3 public datasets and a generated dataset for testing. The public datasets are the 1999 DARPA Intrusion Detection Evaluation Data Set [35]- [37], 2009 DARPA DDOS Dataset [38], and the UNB CIC DDoS 2019 Evaluation Dataset [39]. The generated dataset is an emulation SDN-environment DDoS attack traffic generated by IXIA traffic simulator [40]. The 1999 & 2009 DARPA datasets are classical in DDoS evaluation. The CIC DDoS 2019 dataset is the newest dataset that including more modern attacking methods than the previous two datasets. The IXIA dataset is used as a supplement for testing the real-time performance in the SDN environment.
The The IXIA BreakingPoint network tester simulates different DDoS attack scenarios and sends out the traffic packets. In the dataset, the types of DDoS attacks consist of generated simple attacks (such as SYN Flood, UDP Flood, and HTTP Flood) and simulated toolkit attacks (such as TCP and UDP attacks with different frequencies, background traffics or traffic-peak values).

B. SIMULATION OF RTVD DETECTION
Traditionally, we will see the entropy curves of source IP and destination IP in a volumetric DDoS like the black and VOLUME 8, 2020 red curves shown in Fig. 7a, which describe the entropy changes from the occurrence of the attack to its saturation status. But if there are some indicators of specific attacking methods or legal flash crowd etc., like the black and red curves shown in Fig. 7b, it can be difficult to tell when to use the source IP or the destination IP for detection. But after we apply the joint entropy, as the blue curves shown in Fig. 7a and Fig. 7b, the situations become unified. So far, the data preparation has been completed. Now we realize the IoT background packet filter. Fig. 8 shows the real entropy data and its LSTM-predicted data. We can see irregular but legal (for these entropy comes from benign background traffic without any attack) serrations in the real blue entropy line and the highly-coincident predicted red line. We let the LSTM prediction model continuously predict the future entropy with a benign input. Then, we still use a sliding time window, pump the predicted value into the input sequence, then pop out the oldest value. Therefore, the prediction keeps going on. Since we've got the prediction entropy values of the background traffic, we can make a subtraction to eliminate the background noise, thus cutting down the false alarm rate.

C. EVALUATION
We've already been able to receive the traffic from an IoT network and calculate the real-time entropy values of that traffic. The only thing to do is to use QuinDC to find when the attacks occur. Before the final detection, we first made several tests to decide the optimal parameters N , k, φ in QuinDC. We select the traditional Receiver Operating Characteristic (RoC) indices of False Positive Rate (FPR) and False Positive Rate (FPR) to evaluate the QuinDC performance under different parameters.
Generally, the TPR will raise together with the FPR from both 0% to near both 100%, and we hope to find the point where the TPR is as high as possible, and the FPR is as low as possible in the meanwhile. That is to say, what we want is the certain combination of (N , k, φ) that makes the point of (TPR, FPR) closest to the top-left point in the coordinates. In Fig. 9, there are three RoC curves represent IXIA SYN Flood, CIC 2019 DDoS Dataset and DARPA 1999 DDoS Dataset. Since We succeeded in detecting all the DDoS attacks listed in the dataset providers' attackingtimeline files, so we turn to evaluate the TPR and FPR with how many 'attacking packets' will QuinDC identify or omit. According to the result shown in Fig. 9, the best parameter combination is: N = 500, k = 100, φ = 0.4, which means the width of a QuinDC sliding window is 500 packets, the group size is 100 packets, and at least 40% of the values in a sliding window should fall in the I DU which is determined by the first 40% values in the previous sliding window.  The TPR of modern DDoS detection is 100%, and the TPR of attacking packets detection is over 90%, with a low FPR of less than 3%. Furthermore, we redesigned another indicator of Temporal False Omission Rate (TFOR) (10) to evaluate the time performance of response. Traditionally, researchers will use a False Omission Rate (FOR) to evaluate the rate of omitted positive samples.
However, in this paper, we do not care about the other positive samples but want to know how fast can we find the first true attack packet. So we modified (12) and added the temporal variables, and get the TFOR formula as (10).

TFOR =
Alarm Delay Alarm Delay + Elapsed Benign Duration (13) With this revision, we can evaluate a detection scheme to be sensitive and fast with a lower TFOR value. If the system recognizes an attack at its first attacking packet, then the value of Alarm Delay is 0, and the TFOR will be 0%. Otherwise, with the sliding window running, if the system fails to recognize any of the attacking packets, then the TFOR value will raise up and finally reach 100% because there are no packets before the attack and the value of Elapsed Benign Duration is 0. We simulate different types of DDoS attacks from the 4 datasets, and the TFOR results are shown in Fig.10 and listed in detail in Table 2. Most TFOR are less than 0.5% and have an average TFOR of 0.344765%. Also, the scheme can recognize all the volumetric DDoS attacks in an average delay of 0.015172 second.

VI. CONCLUSION
In this paper, we optimized the joint entropy calculation process and designed the algorithm of Quintile Deviation Check (QuinDC) to realize RTVD: a real-time volumetric detection scheme for DDoS in the Internet of Things. The techniques of sliding window, timestamp attached 5-tuple, and single directional packet filter make it possible to do entropy calculation in real-time. Furthermore, the QuinDC provides a lowlatency and accurate performance, so that it can be applied in systems with the real-time requirement, such as intrusion defense systems in IoT environments. In future research, we will try to use LSTM or GRU for directly IoT DDoS detection, and focus on the Slow DDoS, as well as real-time volumetric DDoS taxonomy.
MING LIU is currently a Lecturer with the School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, China. His research interests include cyber threat intelligence, intrusion detection systems, and scalable data analytics.
ZHI XUE is currently a Professor with the School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University, China. His research interests include wireless network security, cloud security, cryptography, and cyber threat intelligence.
XIAOCHEN FAN (Student Member, IEEE) received the B.S. degree in computer science from the Beijing Institute of Technology, China, in 2013. He is currently pursuing the Ph.D. degree with the School of Electrical and Data Engineering, University of Technology Sydney (UTS), Australia. His research interests include mobile and pervasive computing, deep learning, and the IoT.
XIANGJIAN HE is currently a Professor and also the Director of the Computer Vision and Pattern Recognition Laboratory, Global Big Data Technologies Centre (GBDTC), and also a Co-Leader of the Network Security Research Team, Center for Real-time Information Networks (CRIN), University of Technology Sydney. VOLUME 8, 2020