DDoS attack detection and wavelets

Lan Li, Kyung Ho Lee

Research output: Chapter in Book/Report/Conference proceedingConference contribution

47 Citations (Scopus)


This paper presents a systematic method for DDoS attack detection. DDoS attack can be considered system anomaly or misuse from which abnormal behavior is imposed on network traffic. Attack detection can be performed via abnormal behavior identification. Network traffic characterization with behavior modeling could be a good guidance of attack detection. Aggregated traffic has been found to be strong bursty across a wide range of time scales. Wavelet analysis is able to capture complex temporal correlation across multiple time scales with very low computational complexity. We utilize energy distribution based on wavelet analysis to detect DDoS attack traffic. Energy distribution over time would have limited variation if the traffic keeps its behavior over time (i.e. attack-free situation); while an introduction of attack traffic in the network would elicit significant energy distribution deviation in short time period. Our experimental results with typical Internet traffic trace show that energy distribution variance changes markedly causing a "spike" when traffic behaviors affected by DDoS attack In contrast, normal traffic exhibits a remarkably stationary energy distribution. In addition, this spike in energy distribution variance can be captured in early stage of attack, for ahead of congestion build-up, making it an effective attack detection.

Original languageEnglish
Title of host publicationProceedings - International Conference on Computer Communications and Networks, ICCCN
PublisherInstitute of Electrical and Electronics Engineers Inc.
Number of pages7
ISBN (Print)0780379454
Publication statusPublished - 2003
Externally publishedYes
Event12th IEEE International Conference on Computer Communications and Networks, ICCCN 2003 - Dallas, United States
Duration: 2003 Oct 202003 Oct 22


Other12th IEEE International Conference on Computer Communications and Networks, ICCCN 2003
Country/TerritoryUnited States


  • Computational complexity
  • Computer crime
  • Energy capture
  • Filtering
  • IP networks
  • Power generation economics
  • Telecommunication traffic
  • Traffic control
  • Wavelet analysis
  • Web and internet services

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Hardware and Architecture
  • Software


Dive into the research topics of 'DDoS attack detection and wavelets'. Together they form a unique fingerprint.

Cite this