Towards real-time ML-based DDoS detection via cost-efficient window-based feature extraction

Bibliographic details
Published in: Science China. Information sciences 2023-05, Vol.66 (5), p.152105, Article 152105
Main authors: Li, Haibin, Zhao, Yi, Yao, Wenbing, Xu, Ke, Li, Qi
Format: Article
Language: eng
Description
Summary: Distributed denial of service (DDoS) detection is still an open and challenging problem. In particular, sophisticated attacks, e.g., attacks that disguise attack packets as benign traffic always appear, which can easily evade traditional signature-based methods. Due to the low requirements for computing resources compared to deep learning, many machine learning (ML)-based methods have been realistically deployed to address this issue. However, most existing ML-based DDoS detection methods are highly dependent on the features extracted from each flow, which incur remarkable detection delay and computation overhead. This article investigates the limitations of typical ML-based DDoS detection methods caused by the extraction of flow-level features. Moreover, we develop a cost-efficient window-based method that extracts features from a fixed number of packets periodically, instead of per flow, aiming to reduce the detection delay and computation overhead. The newly proposed window-based method has the advantages of well-controlled overhead and wide support of common routers due to its simplicity and high efficiency by design. Through extensive experiments on real datasets, we evaluate the performance of flow-based and window-based methods. The experimental results demonstrate that our proposed window-based method can significantly reduce the detection delay and computation overhead while ensuring detection accuracy.
ISSN: 1674-733X, 1869-1919
DOI: 10.1007/s11432-021-3545-0