CCID: Cross-Correlation Identity Distinction Method for Detecting Shrew DDoS

الملخص EN

This study presents a new method for detecting Shrew DDoS (Distributed Denial of Service) attacks and analyzes the characteristics of the Shrew DDoS attack.

Shrew DDoS is periodic to be suitable for the server’s TCP (Transmission Control Protocol) timer.

It has lower maximum to bypass peak detection.

This periodicity makes it distinguishable from normal data packets.

By proposing the CCID (Cross-Correlation Identity Distinction) method to distinguish the flow properties, it quantifies the difference between a normal flow and an attack flow.

Simultaneously, we calculated the cross-correlation between the attack flow and the normal flow in three different situations.

The server can use its own TCP flow timer to construct a periodic attack flow.

The cross-correlation between Gaussian white noise and simulated attack flow is less than 0.3.

The cross-correlation between single-door function and simulated attack flow is 0.28.

The cross-correlation between actual attack flow and simulated attack flow is more than 0.8.

This shows that we can quantitatively distinguish the attack effects of different signals.

By testing 4 million data, we can prove that it has a certain effect in practice.