IEICE Communications Express
Online ISSN : 2187-0136
ISSN-L : 2187-0136
Identifying anomalous traffic using dynamic programing based differential analysis
Keisuke Ishibashi, Tsuyoshi Kondoh, Mashiro Maruyoshi, Takeshi Kuwahara

2016 Volume 5 Issue 9 Pages 335-340

Abstract

This paper proposes a method for identifying anomalous traffic such as DDoS attacks. Identification results are represented as a set of aggregated flows, described by source/destination IP address ranges (prefixes), source/destination port numbers, and protocols, which can be used as ACL (Access Control List) rules at routers. The requirements for identification can be summarized as three conditions: 1) cover the anomalous traffic, 2) avoid covering normal traffic, and 3) use a small number of aggregated flows. To meet these requirements, we propose a method that generates the set of aggregated flows achieving the highest score representing the requirements, by comparing traffic before and after an attack and searching for an optimal set with dynamic programming to avoid an exponential explosion in computation.
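The idea in the abstract can be sketched as a dynamic program over the binary prefix tree. This is an added example, not the authors' algorithm or code: it is narrowed to source IPv4 prefixes only, and the per-host score (traffic increase minus `penalty` times baseline traffic), the tie-breaking rule, the name `identify`, and the sample byte counts are all assumptions.

```python
import ipaddress
from bisect import bisect_left
from functools import lru_cache

def identify(before, during, max_rules, penalty=1.0):
    """before/during map source IP -> bytes. Returns (score, [prefixes])."""
    # Assumed per-host score: traffic increase minus penalised baseline traffic.
    gain = {int(ipaddress.IPv4Address(ip)):
            max(during.get(ip, 0) - before.get(ip, 0), 0) - penalty * before.get(ip, 0)
            for ip in set(before) | set(during)}
    keys = sorted(gain)

    def rank(result):
        # Higher score first, then fewer rules, then more specific prefixes.
        score, rules = result
        return (score, -len(rules), sum(plen for _, plen in rules))

    @lru_cache(maxsize=None)
    def solve(net, plen, k):
        """Best choice of at most k prefixes inside net/plen."""
        i = bisect_left(keys, net)
        j = bisect_left(keys, net + (1 << (32 - plen)))
        if k == 0 or i == j:
            return (0.0, ())
        if j - i == 1:  # lone observed host: emit it as a /32
            return max((0.0, ()), (gain[keys[i]], ((keys[i], 32),)), key=rank)
        whole = (sum(gain[x] for x in keys[i:j]), ((net, plen),))
        best = max((0.0, ()), whole, key=rank)
        half = 1 << (31 - plen)
        for k_left in range(k + 1):  # split the rule budget between both halves
            ls, lr = solve(net, plen + 1, k_left)
            rs, rr = solve(net + half, plen + 1, k - k_left)
            best = max(best, (ls + rs, lr + rr), key=rank)
        return best

    score, rules = solve(0, 0, max_rules)
    return score, [str(ipaddress.IPv4Network(r)) for r in rules]

# Constructed byte counts per source address (documentation address ranges).
BEFORE = {"198.51.100.10": 500, "198.51.100.20": 400, "192.0.2.7": 300}
DURING = {"198.51.100.10": 520, "198.51.100.20": 380, "192.0.2.7": 310,
          "203.0.113.1": 9000, "203.0.113.2": 8000, "203.0.113.130": 7000,
          "192.0.2.200": 6000}

if __name__ == "__main__":
    for k, p in ((2, 1.0), (1, 1.0), (1, 10.0)):
        print(k, p, identify(BEFORE, DURING, k, penalty=p))
```

Memoising on (prefix, remaining rule budget) keeps the search polynomial in the number of observed hosts instead of enumerating every subset of prefixes. With one rule and a low penalty the sketch picks a broad covering prefix, which shows why the weight on normal traffic matters before output like this is turned into ACL entries.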

© 2016 The Institute of Electronics, Information and Communication Engineers