How were the classification of DDoS detection items and the items necessary for DDoS detection chosen?
Six DDoS detection categories were identified by referring to R. Braga, E. Mota and A. Passito, "Lightweight DDoS flooding attack detection using NOX/OpenFlow," IEEE Local Computer Network Conference, 2010, pp. 408-415, doi: 10.1109/LCN.2010.5735752: Average of Packets per flow, Average of Bytes per flow, Average of duration per flow, Percentage of pair flow, Growth of single flow, and Growth of different ports. From these, the Total Packet Number was extracted based on the Average of Packets per flow, and the Total Data Size was extracted from the Average of Bytes per flow. In addition, Different src IP, Port and Same dst IP, Port Pair were extracted from Percentage of pair flow and Growth of different ports. After extracting these four attributes, the three attributes for the X, Y, and Z axes were chosen as follows: because the src IP changes continuously across several zombie PCs in a DDoS attack, the src IP and same dst IP pairs were classified; and because attacks produce large amounts of traffic, the number of packets and the size of data were used.
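The following is an added example, not code from the original text or from Braga et al. It computes, for each destination IP and port pair, the number of different source IP and port pairs, the total packet number and the total data size, along with the per-flow averages the totals relate to. The flow tuple layout, the sample records and the function name `axes_per_destination` are assumptions.

```python
from collections import defaultdict

# Constructed sample flows (assumed layout, not from the page):
# (src_ip, src_port, dst_ip, dst_port, packets, bytes)
NORMAL = [
    ("10.0.0.5", 51000, "192.0.2.10", 80, 12, 9000),
    ("10.0.0.5", 51001, "192.0.2.10", 80, 10, 7600),
    ("10.0.0.7", 40022, "192.0.2.20", 443, 30, 42000),
]
# Constructed flood: 40 different sources sending to one destination pair.
FLOOD = [(f"198.51.100.{i}", 1024 + i, "192.0.2.30", 80, 500, 30000)
         for i in range(1, 41)]


def axes_per_destination(flows):
    """Map each (dst_ip, dst_port) to its plotted attributes and per-flow averages."""
    sources = defaultdict(set)               # distinct (src_ip, src_port) per destination
    totals = defaultdict(lambda: [0, 0, 0])  # flow count, packets, bytes
    for src_ip, src_port, dst_ip, dst_port, pkts, size in flows:
        key = (dst_ip, dst_port)
        sources[key].add((src_ip, src_port))
        t = totals[key]
        t[0] += 1
        t[1] += pkts
        t[2] += size
    result = {}
    for key, (n, pkts, size) in totals.items():
        result[key] = {
            "different_sources": len(sources[key]),  # different src IP, port
            "total_packets": pkts,                   # total packet number
            "total_bytes": size,                     # total data size
            "avg_packets_per_flow": pkts / n,
            "avg_bytes_per_flow": size / n,
        }
    return result


if __name__ == "__main__":
    for dst, point in sorted(axes_per_destination(NORMAL + FLOOD).items()):
        print(dst, point)
```

In the constructed data the flooded destination stands apart on all three attributes at once, while ordinary destinations stay low on the source-count attribute even when a single flow carries many bytes.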