2396 IEEE COMMUNICATIONS LETTERS, VOL. 17, NO. 12, DECEMBER 2013
Validation of Chaos Hypothesis in
NADA and Improved DDoS Detection Algorithm
Xinya Wu and Yonghong Chen
Abstract—With the growth of the Internet, one of the most
common attacks comes in the form of a distributed denial of
service attack. In this paper, we validate that the prediction
error of network traffic is chaotic which is used in NADA
algorithm and improve the DDoS detection algorithm based
on NADA. Firstly, the paper discusses the use of the largest
Lyapunov exponent to validate the chaos hypothesis. Secondly,
we predict the network traffic by using an exponential smoothing
model instead of the forecasting method used in NADA. Then
we analyze the prediction error by using chaos theory and
Back Propagation Neural Network. The experimental results
conducted and discussed in the paper show that our method
can detect DDoS attacks up to 98.04% accuracy.
Index Terms—Distributed denial-of-service (DDoS), Lyapunov
exponents, anomaly detection, chaos models, exponential smooth-
ing model.
I. INTRODUCTION
I
N DDoS attacks, lots of zombie computers are used to
flood the targeted servers - victims, with a huge amount
of information and congestion in order to prevent legitimate
users from accessing them. This makes DDoS attacks a very
serious threat to computer users [1]. Therefore, it is n ecessary
to study a rapid and effective method to detect the abnormal
traffic.
At present, intrusion d etection technology based on the
network traffic has been proposed such as the exponential
smoothing detection [2] and the threshold detection. In [3],
chaos theory has been used to analyze the network traffic in
order to detect mimicking DDo S attacks. In [4], the authors
assumed the prediction error of the network traffic behaved
chaotically, and then proposed an intrusion detection algorithm
based on chaos analysis of the prediction error. In our paper,
we verify the chaos hypothesis proposed in [4]. At the same
time, in [4], the false alarm rate is high r elatively due to the
lower prediction accuracy based on AR forecasting model.
It needs further improvement. So we propose an improved
detection algorithm based on NADA. We use the exponential
smoothing model as forecasting m odel which has higher
prediction accuracy. Experimental results show we have a
lower false alarm rate 0.19% and a higher d etection rate
98.04% contrast to NADA.
Manuscript received April 23, 2013. The associate editor coordinating the
re view of this letter and approving it for publication was M. Leeson.
These authors contributed equally to this work.
The authors are with the School of Commputer Science & Tech-
nology, Huaqiao University, Xiamen, Fujian, China (e-mail: {djandcyh,
xinya621}@163.com).
This work is supported by the National Natural Science Foundation of
China (No. 61370007), the Natural Science Foundation of Fujian Pro vince of
China (No. 2013J01241), and the Huaqiao University Science and T echnology
Foundation (No. 10Y0199 and No. JB-ZR1131).
Digital Object Identifier 10.1109/LCOMM.2013.102913.130932
The organization of this paper is as follows: We briefly
introduce background knowledge about chaotic validation and
our proposed algorithm in section II. Section III discusses
the analysis of our simulated network experiment. Section IV
concludes the paper.
II. D
DOS DETECTION AL GORITHM
A. Judge the chaos characteristics of prediction error of
network traffic
For a dynamic system, if its maximum Lyapunov exponent
is positive, we consider it is chaotic. In this paper, we judge
whether the pred iction error in [ 4] is chaotic by the largest
Lyapunov exponent. The validation steps are as follows:
1) We use the C-C method [5] to determine the embedding
delay. To a time series x = {x
i
|i =1, 2, ..., N }, we recon-
struct a phase space X = {X
i
} with the time delay and the
embedding dimension τ.SinceX
i
is a point in the phase
space, the correlation integral of the embedding time series
is:
C (m, N, r, t)=
2
M (M − 1)
1≤i≤j≤M
θ(r −X
i
− X
j
)
r>0.
(1)
Then we can calculate
S (m, r
j
,t)=
1
t
t
s=1
[C
s
m,
N
t
,r
j
,t
− C
m
s
1,
N
t
,r
j
,t
]
(2)
Δ
¯
S (t)=
1
4
5
m=2
(max {S (m, r
j
,t)}−min {S (m, r
j
,t)})
(3)
we seek the first minimum of Δ
¯
S (t) to get the optimal time
delay τ.
2) Calculate the embedding dimension m by the Cao
method proposed by Lianyue Cao [6]. The relative length of
a point in phase space is defined as:
a(i, d)=
y
i
(d +1)− y
n(i,d)
(d +1)
y
i
(d) − y
n(i,d)
(d)
,
i =1, 2, ..., N − dτ.
(4)
At the same time,
E(d)=
1
N − dτ
n−dτ
i=1
a(i, d) (5)
E1(d)=
E(d)
E(d +1)
(6)
1089-7798/13$31.00
c
2013 IEEE