The obtained data were examined with the research questions as a reference. The results are presented in tables that include an explanation of the feature under investigation as well as the names of the authors who employed it.
Q1. What are the main detection methods used?
Table 1
Anti-DDoS attack detection methods.

| Serial Number | Techniques | Description |
|---|---|---|
| 1 | Cluster analysis [24] | CA is a way of categorizing data so that items in one group are similar to one another but different from those in other groups. If the variables involved in the attack are dissimilar, cluster analysis can divide normal traffic and every stage of the DDoS assault into separate clusters. |
| 2 | The Correlation analysis [25] | Correlation is a term used to indicate how similar two flows are. In rare circumstances it may, however, suggest no connection even though the two flows are related, because there is a phase shift between them. |
| 3 | Genetic algorithms [26] | This sort of heuristic search is inspired by natural evolution and is known as a genetic algorithm. It belongs to the larger family of evolutionary algorithms (EA), which use the principles of natural evolution to solve optimization problems. Genetic algorithms |
| 4 | KNN [27] | The KNN technique is a feature-space prediction approach that uses the k closest training samples to forecast flow classes. A flow is classified by the majority vote of its neighbours. |
| 5 | Filtering of Hop-Count [28] | The source IP address is used as an index when looking up the stored hop count for that address. If the packet's computed hop count matches its stored hop count, the packet is verified. |
| 6 | Joint Deviation Rate (JDR) [29] | JDR (Joint Divergence Rate) is a novel statistic for describing the rate of deviation of network traffic states. The variations of all the numerous characteristics of the Network Traffic State (NTS) are combined in JDR. |
| 7 | Fuzzy logic [30] | A fuzzy estimator is applied to the mean packet inter-arrival time. It does a good job of capturing the rules, but has the drawback of not being able to learn them automatically. |
| 8 | Hidden semi-Markov model (HsMM) [31] | An HsMM method that detects App-DDoS assaults during a flash-crowd event and characterizes the stochastic process as it changes over time. |
| 9 | Firewall [32] | As with the previous firewall function, the defender can select a starting threshold beyond which all packets in a flow are discarded. |
| 10 | Cuckoo search [33] | The parasitic behaviour of some cuckoo birds inspired this technique. Cuckoo species are unable to complete their reproductive cycle without a suitable host. |
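As an added illustration of the hop-count filtering entry in Table 1 (not code from any of the surveyed papers), the following Python sketch learns a hop count per source IP from observed TTLs and flags later packets whose inferred hop count no longer matches the stored one; the initial-TTL list, IP addresses and TTL values are assumptions.

```python
# Hop-count filtering (HCF) as listed in Table 1: infer each packet's hop count
# from its IP TTL and compare it with the hop count learned earlier for the same
# source address; a mismatch points to a spoofed source. Added illustration, not
# code from any surveyed paper. The packets below are constructed samples.

# Common OS initial TTLs (assumption: honest senders use one of these).
INITIAL_TTLS = (32, 64, 128, 255)

def infer_hop_count(ttl: int) -> int:
    """Estimate hops travelled from the TTL seen on the wire."""
    if not 0 <= ttl <= 255:
        raise ValueError(f"invalid TTL {ttl}")
    # Smallest common initial TTL not below the observed value gives the origin.
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")

class HopCountFilter:
    """IP-to-hop-count table filled in a learning phase, then used to verify packets."""

    def __init__(self) -> None:
        self.table: dict[str, int] = {}

    def learn(self, src_ip: str, ttl: int) -> None:
        """Record the hop count of a packet known to be genuine (e.g. post-handshake)."""
        self.table[src_ip] = infer_hop_count(ttl)

    def check(self, src_ip: str, ttl: int) -> str:
        """Return 'verified', 'spoofed', or 'unknown' when no entry exists yet."""
        stored = self.table.get(src_ip)
        if stored is None:
            return "unknown"
        return "verified" if infer_hop_count(ttl) == stored else "spoofed"

def classify_packets(learning, traffic):
    """Train on (src_ip, ttl) pairs, then count verdicts over the traffic."""
    hcf = HopCountFilter()
    for src_ip, ttl in learning:
        hcf.learn(src_ip, ttl)
    counts = {"verified": 0, "spoofed": 0, "unknown": 0}
    for src_ip, ttl in traffic:
        counts[hcf.check(src_ip, ttl)] += 1
    return counts

# Constructed sample: two hosts learned earlier, then genuine packets mixed with
# packets that spoof 198.51.100.7 from a different network distance.
LEARNING = [("198.51.100.7", 52), ("203.0.113.9", 118)]
TRAFFIC = [("198.51.100.7", 52), ("203.0.113.9", 118), ("198.51.100.7", 114),
           ("198.51.100.7", 240), ("192.0.2.1", 60)]
```

Packets from addresses with no learned entry come back as "unknown", which is why the learning phase must cover legitimate sources before the filter is enforced.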
The data in Table 1 above summarize the findings of 10 different studies on how to identify DDoS attacks. The computational and logical capabilities of this approach make it the most preferred for spotting discrepancies in data flow.
Q2. How precise are the approaches for detecting a DDoS attack?
Flows and DDoS datasets were used in this research, and only studies with a detection or accuracy rate of 99 percent or higher were examined. The following equation may be used to calculate the detection rate: TN DDoS attacks may be detected with high accuracy using these methods.
Table 2
DDoS attack detection methods that presented the best ratios.

| Detection Rate (%) | Studies | Dataset |
|---|---|---|
| 99.76 | [34] | CAIDA, TUIDS and DARPA |
| 98.45 | [35] | Generation of CAIDA 2007, DARPA 2009, BONESI |
| 98.34 | [36] | KDD Cup (1999) |
| 97.31 | [37] | Knowledge Discovery and Data mining (KDD) Cup (1999) |
As indicated in Table 2, achieved the highest level of precision with their detection technique. This mechanism detected attacks 99.9% of the time. This strategy combines three methods to do so (Random Forest, K-nearest neighbours, and Bagging). Furthermore, because this strategy is network-based, detection occurs during the assault, limiting the impact once the system recognizes it.
Q3. In a DDoS attack, where are detection measures used?
DDoS detection techniques can be applied at four separate points: source, destination, network, and hybrid. The source of the assault is referred to as source, while the target of the attack is referred to as a destination. The network is where information flows, and hybrid denotes that detection takes place in multiple areas, with collaboration between implementation sites being the norm. The four implementation sites, as well as the writers who use them, are listed in Table 3.
Table 3
Locations where detection systems are deployed.

| Studies | Deployment Position | Total |
|---|---|---|
| [38–41] | Source | 3 |
| [42–50] | Destination | 7 |
| [51–65] | Hybrid | 13 |
| [66–70] | Network | 4 |
Network has included the bulk of the detection approaches, accounting for roughly 58 percent of the total quantity, as shown in Table 3. As a result, the mechanisms use Networks more frequently when creating a detection method. The Source, on the other hand, is where the approaches are used on a smaller scale, since they require a high level of data-network collaboration, which limits the creation of a larger number of data networks of devices capable of anticipating an attack.
Q4. In a DDoS attack, where are defensive techniques used?
Table 4
| Defense Method | Benefit | Loopholes |
|---|---|---|
| Defense Architecture (Victim-end) [72] | Because web servers are always attempting to safeguard their resources, this is the most realistic protection approach. | During DDoS assaults, the victim's resources, such as broadband networks, are typically overburdened, and these techniques are unable to block traffic from passing through the victim's routers. |
| Defense Architecture (Source-end) [73] | In the input stage, the mitigation mechanism requires fewer resources to test the smallest quantity of traffic. | DDoS assaults are difficult to detect on the source side, since sources are widely dispersed over the network and a single source might appear to be normal traffic. |
| Defense Architecture (Core-end) [74] | Traffic is aggregated, which means that legitimate packets and malicious packets arrive at the router at the same time, making it the optimum spot to limit all traffic. | All Internet routers should employ this discovery approach for optimum accuracy, since its absence on a router might interfere with discovery and espionage methods. |
Findings suggest that present mitigation measures are only appropriate in certain situations or designs. There are several promising ideas, but they lack experimental evidence, demanding more study to prove their validity and utility in DDoS mitigation. Additionally, there are still questions about the approaches' scalability in real-world circumstances, which is being researched. Data utilized in learning systems may also be outdated, reducing the effectiveness of the solutions that are now in use. The ever-increasing complexity and volume of DDoS assaults necessitate the evaluation of current and future solutions in the context of real-world scenarios. Traffic and infrastructure must be able to mimic real-world conditions in simulation scenarios.