|
| No. | Name | Parameter | DDoS detection level | Evaluation method | Dataset | Performance matrix |
|
| 1 | HADEC: hadoop-based live DDoS detection framework [19] | Timestamps, source IP, destination IP, packet protocol, and packet header | High-rate DDoS: TCP-SYN, HTTP GET, UDP, and ICMP | Experiment | Experiment dataset | Measure utilisation, CPU, and Memory |
| 2 | D-FACE: an anomaly-based distributed approach for early detection of DDoS attacks and flash events [28] | Time window size, packet header, and generalised parameter | High-rate and low-rate DDoS attack and flash crowd | Experiment | MIT Lincoln, CAIDA, and FIFA | accuracy, false-positive rate classification rate, F-measure, and precision |
| 3 | User behaviour analytics-based classification of application layer HTTP GET flood attacks [29] | Request index, response index, popularity index, repetition index, and classifier algorithms | High-rate DDoS attack | Experiment | WorldCup98, Clarknet, and NASA | True positive, true negative, false positive, and false negative |
| 4 | HTTP flood attack detection in the application layer using machine-learning metrics and bio-inspired bat algorithm [30] | Time frame length, maximum number of sessions (ms), page access count (pac), minimum time interval between two pages (mti), and packets observed per each type of packet (PC) | High-rate DDoS attack | Simulation software | CAIDA | True positive, false positive, true negative, false negative, precision, recall, specificity, accuracy, and F-measure |
| 5 | Cloud-based DDoS HTTP attack detection using covariance matrix approach [31] | TCP packet header and Covariance matrix | High-rate DDoS attack | Simulation (MATLAB) | KDD cup 99 and experiment dataset | Detection rate, false positive, false negative, accuracy, error rate, and AUC |
| 6 | MLP-GA-based algorithm to detect application layer DDoS attack (Singh and De [32]) | Number of HTTP count, number of IP addresses, constant mapping function, and fixed frame length | Low-rate DDoS attack | Simulation software | EPA-HTTP, CAIDA 2007, and experiment dataset | Accuracy, false positive, false negative, true positive, and true negative |
| 7 | Real-time DDoS attack detection using FPGA [33] | Source IPs, Source IPs index variation, and packet rate | High-rate HTTP DDoS | Experiments | CAIDA, TUIDS, and DARPA | Accuracy, detection rate, false positive, and false negative |
| 8 | Entropy-based application layer DDoS attack detection using artificial neural networks [2] | HTTP GET request count per connection, IP address variance, HTTP GET request counts, and multilayer perceptron with genetic machine-learning algorithm (MLP-GA) | High-rate DDoS attack | Experiments | Standard EPA-HTTP, experiment dataset, CAIDA 2007, DARPA 2009, and BONESI-generated datasets | Accuracy, sensitivity, and specificity |
| 9 | Application layer DDoS attack detection using cluster with label based on sparse vector decomposition and rhythm matching [34] | Request interval sequence part, and request frequency sequence part | High-rate DDoS attack | Experiments | ClarkNet HTTP, and experiment dataset | Accuracy, detection rate, and false positive |
| 10 | FHSD: an improved IP spoof detection method for web DDoS attacks [35] | Source MAC address, hop count, GeoIP, OS passive fingerprinting, and web browser user agent | High-rate DDoS attack | Experiments | DARPA LLDOS inside 1.0 and experiments dataset | Detection rate |
| 11 | HTTP soldier: an HTTP flooding attack detection scheme with the large-deviation principle [36] | Threshold exponentially weigh moving average algorithm Large deviation probability theory | High-rate DDoS attack | Simulation (NS3) | University web logs | False positive |
| 12 | Defending HTTP web servers against DDoS attacks through busy period-based attack flow detection [37] | Threshold whitelist and blacklist | High-rate DDoS attack | Simulation (OPNET experiment) | Experiment dataset | Detection speed |
|
