This paper proposes a sliding-mode observer for real-time DDoS detection on network routers, for use with connection-oriented services. The observers estimate the traffic passing through the routers and, using real-time queue-length information inside the routers, identify connections that have no follow-up packets. The identified traffic is treated as suspected DDoS attack traffic and is considered a disturbance in the simplified TCP/IP model of the router. With the observers in use, the launch of a DDoS attack produces an abrupt change in the disturbance component, which can be recognized easily. The proposed observer-based DDoS detection could be installed inside the routers associated with the firewalls. The web server has an overall picture of the entire system, on the basis of which priority service could be implemented. As a result, suspicious anomalies could be ranked as the lowest priority for processing, and the suspicious traffic may be investigated in depth. The proposed mechanism makes optimal use of resources at the bottleneck links to meet the diverse QoS requirements of high-security applications that require real-time DDoS detection. NS-2 simulation results validate the effectiveness of the proposed method.
Start page: 825
End page: 830
Total pages: 6
Outlet: Proceedings of the IEEE 11th Conference on Industrial Electronics and Applications (ICIEA 2016)