An alert analysis approach to DDoS attack detection
Since networked applications have become commonplace in our daily life, vulnerabilities in and attacks on networks are also on the rise. Although a significant number of defense mechanisms have been developed to counter attacks on networks, attackers are often able to evade the deployed defenses. An effective defense mechanism generates alerts when it finds vulnerabilities on a system or in a network. Most DoS/DDoS defense systems generate a large number of false alerts, which creates distrust towards them. Therefore, it is essential to analyze these alerts over a period of time to separate correct alerts from false ones and to identify the attack strategies applied while launching the attacks. The alert correlation process is useful for analyzing multi-step attacks such as DoS/DDoS attacks. In this paper we propose a DDoS attack analysis method using alert correlation. The effectiveness of the method is evaluated on the DARPA 2000 datasets.
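The abstract describes the idea of correlating alerts over time so that isolated (likely false) alerts are set apart from alert chains that reveal a multi-step DDoS strategy. The following Python is an added illustration of that idea, not the paper's method and not code from the DARPA 2000 evaluation: it groups constructed IDS alerts by target into time-windowed sessions, reports the ordered sequence of alert signatures per session as the observed attack steps, and flags a session as DDoS-like when enough distinct sources are involved. The alert format, the signature names, the 600-second window and the three-source threshold are all assumptions chosen for the example.

```python
"""Toy alert correlator: time-windowed grouping of IDS alerts per target.

Added example; the alert format, signatures, thresholds and sample data are
constructed assumptions, not the paper's method or DARPA 2000 data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int      # seconds (constructed timestamps)
    src: str     # source IP as reported by the sensor
    dst: str     # target IP
    sig: str     # alert signature name


# Constructed sample alerts: "timestamp source target signature".
# Target 192.168.1.10 sees a sweep, a probe and then a flood from several
# sources; the other two targets receive one unrelated alert each.
RAW_ALERTS = """\
100 10.0.0.5 192.168.1.10 ICMP_SWEEP
101 10.0.0.5 192.168.1.11 ICMP_SWEEP
160 10.0.0.5 192.168.1.10 RPC_PROBE
300 10.0.0.5 192.168.1.10 SYN_FLOOD
301 10.0.0.6 192.168.1.10 SYN_FLOOD
302 10.0.0.7 192.168.1.10 SYN_FLOOD
303 10.0.0.8 192.168.1.10 SYN_FLOOD
304 10.0.0.9 192.168.1.10 SYN_FLOOD
950 10.0.0.40 192.168.1.20 SYN_FLOOD
"""


def parse_alerts(text):
    """Parse the whitespace-separated alert lines into Alert objects."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sig = line.split()
        alerts.append(Alert(int(ts), src, dst, sig))
    return alerts


def _summarize(dst, group, min_sources):
    """Describe one session: ordered unique signatures, source count, flags."""
    steps = []
    for a in group:
        if a.sig not in steps:
            steps.append(a.sig)            # first occurrence order = attack steps
    sources = {a.src for a in group}
    return {
        "target": dst,
        "start": group[0].ts,
        "end": group[-1].ts,
        "alerts": len(group),
        "sources": len(sources),
        "steps": steps,
        "ddos": len(sources) >= min_sources,   # many sources on one target
        "confirmed": len(group) > 1,           # lone alerts stay unconfirmed
    }


def correlate(alerts, window=600, min_sources=3):
    """Group alerts per target; a gap longer than `window` starts a new session."""
    by_dst = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_dst[a.dst].append(a)
    sessions = []
    for dst, seq in by_dst.items():
        current = [seq[0]]
        for a in seq[1:]:
            if a.ts - current[-1].ts <= window:
                current.append(a)
            else:
                sessions.append(_summarize(dst, current, min_sources))
                current = [a]
        sessions.append(_summarize(dst, current, min_sources))
    return sessions


def confirmed_sessions(sessions):
    """Keep only sessions supported by more than one correlated alert."""
    return [s for s in sessions if s["confirmed"]]


if __name__ == "__main__":
    for s in correlate(parse_alerts(RAW_ALERTS)):
        status = "DDoS" if s["ddos"] else ("multi-step" if s["confirmed"] else "unconfirmed")
        print(f'{s["target"]}: {status} alerts={s["alerts"]} sources={s["sources"]} steps={"->".join(s["steps"])}')
```

With the constructed input, only the session against 192.168.1.10 is confirmed: it carries three ordered steps and five distinct sources, so it is flagged as DDoS-like, while the two single alerts are left unconfirmed for an analyst to discard or revisit. The window and source threshold would in practice be tuned against labelled data such as the DARPA 2000 traces the paper evaluates on.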