
Frequency Based DDoS Attack Detection Approach Using Naive Bayes Classification


Ramin Fadaei Fouladi, Cemil Eren Kayatas, and Emin Anarim
Dept. of Electrical and Electronics Engineering, Boğaziçi University, Istanbul, Turkey
Email: ramin.fadaei@boun.edu.tr

Abstract—Being available to their legitimate users is one of the main concerns of web service servers. One of the main threats to the availability of servers is DDoS attacks. By flooding the server with bogus packets, which leads to overuse of its resources, a DDoS attack deprives authorized clients of the benefit of its services. In order to disguise themselves from intrusion detection systems, sophisticated DDoS attack mechanisms have been invented whose packets are very similar to those in normal traffic. Frequency domain analysis is a promising alternative to conventional methods of detection. In this paper we provide a naive Bayes classifier with two frequency-based methods, the discrete Fourier transform and the discrete wavelet transform, in order to separate attack from normal traffic. It is found that frequency analysis of DDoS attacks can result in good performance.

Keywords—DFT, DDoS, DWT, IDS, Naive Bayes Classification

978-1-5090-1288-6/16/$31.00 ©2016 IEEE TSP 2016

I. INTRODUCTION

Nowadays, Internet and network-based applications are inseparable parts of our daily lives. Confidentiality, integrity and availability are three important security issues for networks [1]. The Distributed Denial of Service (DDoS) attack is the major threat to availability [2], [3]. In this type of attack, using spurious packets and hiring a large number of compromised agents, the attacker tries to prevent legitimate traffic between clients and a server [4]. During the attack, the source IP address is also spoofed in order to hide the identity of the attacker, which makes tracing back extremely difficult [5]. Most intrusion detection systems (IDS) utilize one of two methods of detection: signature-based (misuse) and anomaly analysis [6]. In a signature-based method, the system is trained with a set of known malicious threats. During the analysis, the IDS compares the pattern of ongoing traffic with its database, and any match is reported as an intrusion. This method suffers from an inability to detect new, unknown intrusions [7]. In the anomaly-based approach, the normal pattern is determined and any activity outside this model is reported as anomalous. Although this method can detect new intrusions, its detection probability rate is low [6]. Packet-level analysis and payload examination are the dominant methods implemented in most traditional detection systems [8]. The contents of arriving packets are scrutinized by the IDS to find any suspicious activity. Most of the new DDoS attacks mimic legitimate web service traffic, which leaves the traditional methods ineffective in detecting intrusions. Frequency domain analysis has been found to be promising in detecting DDoS attacks [9]. Most of the energy of a DDoS attack resides in lower frequencies, in comparison with normal traffic, in which the energy is distributed over different frequencies [9]. Different works in the literature have employed the capability of frequency-based methods to analyze traffic patterns and to discover abnormalities [9]–[14]. Using the spectrum energy and a simple thresholding method, the authors in [10] separate low-rate DoS attacks (LDoS) from normal traffic. The spectral energy within the main lobe is used as the threshold value. A two-stage reduction of quality (RoQ) attack detection method is proposed in [11]. In the first stage, wavelet analysis is used to detect a potential attack, and in the next step autocorrelation analysis is employed to extract the attack characteristics. The power of spectrum energy in identifying normal TCP traffic is discussed in [12]. Wavelet filters are used in different anomaly scenarios in [13]. These filters are found to be quite effective at exposing the details of anomalous traffic. The authors of [14] use spectral analysis as one part of their DoS attack detection method. Most of the works in the literature studying frequency domain analysis for identifying DoS and DDoS attacks are carried out only in simulation environments; moreover, these methods are used as a complement to other traditional payload analyzing methods.

In this paper, we contribute to the previous studies by proposing a stand-alone frequency analysis method for DDoS attack detection. The analysis is done at the traffic flow level of the network. The coefficients of the discrete wavelet transform (DWT) and the discrete Fourier transform (DFT) are used together as the features to separate DDoS attack from normal traffic. The wavelet transform provides us with higher resolution information about the frequency domain, which increases the accuracy of the detection. A naive Bayes classifier, which is fast and easy to implement, is used to classify attack and normal traffic, and the results are compared with a simple thresholding classifier. The dataset for the DDoS attack is obtained from a real attack in the booter dataset [15]. The normal traffic of Boğaziçi University is used as the normal traffic in this experiment. All analyses are implemented in MATLAB R2015a and Weka 3.6 [16], [17]. The rest of this paper is organized as follows: Section II is devoted to the methodology. Section III presents the discussion and results, followed by the conclusion in Section IV.

II. METHODOLOGY

In this section, we first introduce the fundamentals of the discrete Fourier transform (DFT) and the discrete wavelet transform (DWT).
Then we propose our method of detection.

A. DFT and DWT

The Fourier transform is a method to reveal the frequency components of a time series x(t) by mapping it from the time domain to the frequency domain [18]. It is accomplished by convolving the signal with a complex exponential function. Signals in real applications are usually discrete ones, created by sampling a continuous signal at every T interval and with a limited length of N. Such a discrete signal x_k is transformed to the frequency domain by using the DFT, which is expressed as:

$$X[f_n] = \frac{1}{N}\sum_{k=0}^{N-1} x_k\, e^{-j2\pi f_n T} \qquad (1)$$

The DWT is a linear transform operating on a discrete signal whose length is an integer power of two. It is used to decompose the signal into different frequency components [19]. Figure 1 displays the process of computing the DWT, where H and L denote the high-pass and low-pass filters respectively, each followed by a factor-2 downsampling. The a_j are called scale elements and are used for the next level of the transform, and the d_j are called wavelet coefficients. The transform can be continued for j + 1 levels, until only two a_j elements remain. The DWT can represent the signal at different resolutions, which is its main feature. The simplest and fastest wavelet transform algorithm is the Haar transform. The Haar low-pass filter L_Haar simply averages adjacent entries of its input. The Haar high-pass filter H_Haar computes half the difference between successive input samples.

Fig. 1. DWT Cascade

B. Proposed Method

In order to detect DDoS attacks, passive monitoring is used in this paper, in which an off-line dataset is used. A time series x(t) is generated by sampling the number of packets in every 1 ms. The obtained random signal is further divided into 128-length windows, with 64 values overlapping between consecutive windows. For each window, we obtain one pair of coefficient vectors, the power spectral density and the Haar wavelet coefficients, which are saved as rows of the DFT and DWT matrices respectively. The absolute value of each row of the acquired matrices is taken and converted to a probability by dividing its elements by the total sum of the values in that row. These two matrices are used as the features for our naive Bayes classifier.

C. Training and Test Dataset

In order to train and test the method, two datasets are used, for normal and attack traffic. Normal traffic is obtained from the main router of Boğaziçi University. For attack traffic we use a real UDP-based attack dataset from booters which is used in [15]. Booters are web-based services that perform DDoS attacks as a service for their customers at a very low price [15]. The attack is DNS-based and belongs to the class of reflection and amplification attacks: relatively small DNS requests whose source IP addresses are spoofed to the IP address of the victim (reflection) are sent to many servers that are used as agents, and in return each server replies to the victim with a large response (amplification). The average rate (Gbps), the number of misused systems and the average number of packets per system are 0.33, 54 and 245169.2 respectively. Having preprocessed the datasets to generate the aforementioned matrices, the first 1000 rows of each of them are used for training and the rest are left for testing.

III. DISCUSSION AND RESULTS

In the naive Bayes classification method, which is based on Bayes' theorem, it is assumed that all features are strongly (naively) independent from each other. Because naive Bayes classification can be implemented easily without any complicated iterative parameters, it is useful for very large datasets. Although this method is simple, it usually outperforms other sophisticated methods. Bayes' theorem provides a way of calculating the posterior probability P(c|x) from P(c), P(x) and the likelihood P(x|c). The naive Bayes classifier assumes that the effect of the value of a feature (x) on a given class (c) is totally independent of the values of the other features. This assumption is called class conditional independence.

$$P(c|x) = \frac{P(x|c)\,P(c)}{P(x)} \qquad (2)$$

$$P(c|x) = P(c)\prod_i P(x_i|c) \qquad (3)$$

Considering the naive Bayes equation, the likelihood probability ($\prod_i P(x_i|c)$) can be used as a score for class c. This score can be compared with a threshold to separate attack from normal traffic.

A. DFT Training

Most Internet traffic consists of TCP protocols. Traffic/congestion control mechanisms and the round trip time (RTT) induce periodic patterns in the packet arrivals of traffic flows; therefore the energy should be distributed over different frequency bands [20]. On the other hand, the energy of a DDoS attack resides in lower frequencies [9]. Figure 2 displays the spectrogram of the training dataset of the DFT matrices for both normal and DDoS traffic. Blue and yellow regions represent low and high energy respectively. In contrast to the main energy of attack traffic, which resides in lower frequencies, the normal one is distributed over three different energy bands. Although all 64 components of the DFT can be used to estimate the score, by considering Figure 2, using just the first ten components is enough to separate attack from normal traffic.
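The windowing and feature extraction of Section II-B, as an added Python example that is not the authors' MATLAB code: 1 ms packet counts are cut into 128-sample windows with 64-sample overlap, each window yields a DFT power spectrum and a Haar DWT coefficient vector, and each row is scaled into a probability vector. The coefficient ordering of the Haar output (lowest frequency first), the handling of an all-zero window and the packet series are assumptions or constructed values, not from the paper.

```python
import cmath
import math

WINDOW = 128  # samples per window; one sample = packet count in a 1 ms bin
STEP = 64     # consecutive windows overlap by 64 samples

def sliding_windows(series, window=WINDOW, step=STEP):
    """Yield the overlapping fixed-length windows of the packet-count time series."""
    for start in range(0, len(series) - window + 1, step):
        yield series[start:start + window]

def dft_power(x):
    """Direct DFT with the 1/N normalisation of Eq. (1); returns the power of the
    N/2 non-redundant bins (64 values for a 128-sample window)."""
    n = len(x)
    psd = []
    for f in range(n // 2):
        coef = sum(x[k] * cmath.exp(-2j * math.pi * f * k / n) for k in range(n)) / n
        psd.append(abs(coef) ** 2)
    return psd

def haar_dwt(x):
    """Haar cascade of Fig. 1: L averages adjacent samples, H takes half their
    difference, repeated until only two scale elements a_j remain. Output order
    [a_j, d_coarsest, ..., d_finest] (lowest frequency first) is an assumption."""
    if len(x) < 2 or len(x) & (len(x) - 1):
        raise ValueError("window length must be a power of two")
    a, details = list(x), []
    while len(a) > 2:
        d = [(a[i] - a[i + 1]) / 2 for i in range(0, len(a), 2)]
        a = [(a[i] + a[i + 1]) / 2 for i in range(0, len(a), 2)]
        details = d + details
    return a + details

def to_probability_row(values):
    """Absolute value of a coefficient row, scaled to sum to one. A window with no
    packets at all is all zeros and would divide by zero; it is mapped to uniform."""
    mags = [abs(v) for v in values]
    total = sum(mags)
    if total == 0.0:
        return [1.0 / len(mags)] * len(mags)
    return [m / total for m in mags]

def extract_features(series):
    """Build the DFT and DWT feature matrices, one probability row per window."""
    dft_rows, dwt_rows = [], []
    for w in sliding_windows(series):
        dft_rows.append(to_probability_row(dft_power(w)))
        dwt_rows.append(to_probability_row(haar_dwt(w)))
    return dft_rows, dwt_rows

# Constructed input, not measured traffic: 4 s of 1 ms packet counts, a bursty
# periodic pattern (normal-like) followed by a steady flood (attack-like).
PACKETS = [5 if (t // 20) % 2 == 0 else 1 for t in range(2000)] + [40] * 2000

if __name__ == "__main__":
    dft_rows, dwt_rows = extract_features(PACKETS)
    print(len(dft_rows), "windows; first DFT row:", [round(v, 3) for v in dft_rows[0][:5]])
```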
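Scoring a feature row with the class-conditional likelihood of Eq. (3), the simple thresholding classifier of Section III and the naive Bayes decision, as an added Python example that is not the authors' Weka or MATLAB setup. Gaussian class-conditionals, scoring under the attack-class model for the thresholding classifier, a threshold placed in the gap between the two score histograms, and the feature rows themselves are assumptions or constructed values (the paper reads its -17 and -63 thresholds off the histogram and ROC of the real training data).

```python
import math
import random

def fit_gaussian_class(rows, n_components):
    """Per-feature mean and variance of one class, using only the first
    n_components columns of the row-normalised DFT or DWT matrix."""
    means, variances = [], []
    for i in range(n_components):
        col = [r[i] for r in rows]
        mu = sum(col) / len(col)
        means.append(mu)
        variances.append(sum((v - mu) ** 2 for v in col) / len(col) + 1e-12)  # floor avoids zero variance
    return means, variances

def log_likelihood(x, model):
    """log prod_i P(x_i | c) with Gaussian P(x_i | c): the score of Eq. (3) without the prior."""
    means, variances = model
    total = 0.0
    for xi, mu, var in zip(x, means, variances):
        total += -0.5 * math.log(2 * math.pi * var) - (xi - mu) ** 2 / (2 * var)
    return total

def threshold_classify(x, attack_model, threshold):
    """Simple thresholding: score the row under the attack-class model and compare it
    with a fixed threshold (the paper uses -17 for DFT and -63 for DWT)."""
    return "attack" if log_likelihood(x, attack_model) >= threshold else "normal"

def naive_bayes_classify(x, models, priors):
    """Eq. (3): choose the class maximising log P(c) + sum_i log P(x_i | c)."""
    return max(models, key=lambda c: math.log(priors[c]) + log_likelihood(x, models[c]))

def confusion(predicted, actual):
    """Counts in the layout of Table I ('attack' is the positive class) plus accuracy."""
    counts = {"tp": 0, "fn": 0, "fp": 0, "tn": 0}
    for p, a in zip(predicted, actual):
        counts[("t" if p == a else "f") + ("p" if p == "attack" else "n")] += 1
    counts["accuracy"] = (counts["tp"] + counts["tn"]) / len(actual)
    return counts

def make_rows(base, n, seed):
    rng = random.Random(seed)
    rows = [[b + rng.uniform(-0.02, 0.02) for b in base] for _ in range(n)]
    return [[v / sum(r) for v in r] for r in rows]

# Constructed, not measured: attack energy concentrated in the lowest component,
# normal energy spread over several components (the pattern Figures 2 and 4 describe).
ATTACK_ROWS = make_rows([0.70, 0.12, 0.08, 0.05, 0.05], 40, seed=1)
NORMAL_ROWS = make_rows([0.20, 0.25, 0.20, 0.20, 0.15], 40, seed=2)

def run_demo(n_components=5):
    models = {c: fit_gaussian_class(rs, n_components)
              for c, rs in (("attack", ATTACK_ROWS), ("normal", NORMAL_ROWS))}
    rows = ATTACK_ROWS + NORMAL_ROWS
    actual = ["attack"] * len(ATTACK_ROWS) + ["normal"] * len(NORMAL_ROWS)
    attack_scores = [log_likelihood(r, models["attack"]) for r in ATTACK_ROWS]
    normal_scores = [log_likelihood(r, models["attack"]) for r in NORMAL_ROWS]
    thr = (min(attack_scores) + max(normal_scores)) / 2  # gap between the two score histograms
    thresholded = confusion([threshold_classify(r, models["attack"], thr) for r in rows], actual)
    bayes = confusion([naive_bayes_classify(r, models, {"attack": 0.5, "normal": 0.5}) for r in rows], actual)
    return thresholded, bayes
```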

Figure 3 depicts the normalized histogram of the logarithm of the attack and normal scores estimated by using the first ten components, together with the corresponding receiver operating characteristic (ROC) obtained by using these scores in a simple thresholding classification. Considering both the histogram and the ROC, -17 is chosen as the threshold parameter to separate attack from normal traffic.

Fig. 2. Spectrogram of Attack and Normal traffic for DFT analysis, (a) Attack, (b) Normal

Fig. 3. Thresholding Classification using scores obtained by the first 10 frequency components of DFT in training dataset, (a) Histogram, (b) ROC

B. Wavelet Training

The wavelet transform not only gives information about the presence of frequencies in the signal, but also provides knowledge about their locations. Figure 4 displays the Haar wavelet coefficients of the first 1000 rows of the training matrices for both normal and attack traffic. Different energy bands are occupied by the wavelet coefficients of normal traffic, except the band approximately between the 10th and 30th coefficients. The DDoS attack energy band again resides in lower frequencies. Because the wavelet method analyzes frequency components at various scales, the resolution of the energy distribution using wavelets is higher than that of the DFT method. Taking Figure 4 into account, for this method we use just the first 30 coefficients to segregate attack from normal traffic. Figure 5 displays the normalized histogram of the logarithm of the attack and normal scores evaluated by using the first 30 components, and the corresponding ROC obtained by using these scores in a simple thresholding classification. Considering both the histogram and the ROC, -63 is chosen as the threshold parameter to separate attack from normal traffic. In training mode, thresholding classification with the DWT outperforms that with the DFT.

Fig. 4. Haar Wavelet Coefficients of Attack and Normal traffic for DWT analysis, (a) Attack, (b) Normal

Fig. 5. Thresholding Classification using scores obtained by the first 30 frequency components of DWT in training dataset, (a) Histogram, (b) ROC

C. Test Results

The training and test datasets are fed to a naive Bayes classifier to separate attack from normal traffic.

106
TABLE I. C ONFUSION TABLE FOR BOTH NAIVE AND T HRESHOLDING
METHODS of naive Bayes method, but it can be used as the preliminarily
step of DDoS attack detection in an IDS.
Classifier Dataset Attack Normal Accuracy(%)
Attack 2229 420 R EFERENCES
Thresholding DFT 85.32
Normal 253 1683
Attack 1575 1074 [1] Dimitrios Zissis and Dimitrios Lekkas. Addressing cloud computing
Thresholding DWT 76.55
Normal 1 1935 security issues. Future Generation computer systems, 28(3):583–592,
Attack 2548 101 2012.
Naive Bayes DFT 94.72
Normal 142 1794 [2] Yacine Bouzida, Frédéric Cuppens, and Sylvain Gombault. Detecting
Attack 2303 346 and reacting against distributed denial of service attacks. In Commu-
Naive Bayes DWT 90.64
Normal 81 1855 nications, 2006. ICC’06. IEEE International Conference on, volume 5,
Attack 2564 85 pages 2394–2400. IEEE, 2006.
Naive Bayes DFT+DWT 95.93
Normal 103 1833 [3] Jonathan Trostle. Protecting against distributed denial of service (ddos)
attacks using distributed filtering. In Securecomm and Workshops, 2006,
pages 1–11. IEEE, 2006.
[4] Keyur Chauhan and Vivek Prasad. Distributed denial of service (ddos)
dataset consists of 1936 and 2649 samples of normal and attack techniques and prevention on cloud environment. 2015.
attack traffics respectively. Three different feature sets in- [5] Saman Taghavi Zargar, Jyoti Joshi, and David Tipper. A survey of
defense mechanisms against distributed denial of service (ddos) flooding
cluding DFT, DWT and DFT+DWT (combined feature) are attacks. Communications Surveys & Tutorials, IEEE, 15(4):2046–2069,
provided to the classifier. We also test simple thresholding 2013.
method with the threshold values of -17 and -63 for DFT [6] Hung-Jen Liao, Chun-Hung Richard Lin, Ying-Chih Lin, and Kuang-
Yuan Tung. Intrusion detection system: A comprehensive review.
and DWT test datasets respectively. The confusion tables of Journal of Network and Computer Applications, 36(1):16–24, 2013.
various experiments are summarized in Table I. [7] Chirag Modi, Dhiren Patel, Bhavesh Borisaniya, Hiren Patel, Avi Patel,
In thresholding method, although the false positive rate of and Muttukrishnan Rajarajan. A survey of intrusion detection techniques
in cloud. Journal of Network and Computer Applications, 36(1):42–57,
classifier using DWT feature is lower, but the classifier treats 2013.
more than 40% of attack samples as normal traffic which [8] Pravin Shinde and Srinivas Guntupalli. Early dos attack detection using
results in lower accuracy. On the other hand, by selecting -17 smoothened time-series andwavelet analysis. In Information Assurance
and Security, 2007. IAS 2007. Third International Symposium on, pages
as the threshold value for the classifier based on DFT feature, 215–220. IEEE, 2007.
we achieve the false positive and false negative rates about [9] Ramin Fadaei Fouladi, Tina Seifpoor, and Emin Anarim. Frequency
15% which yields higher accuracy around 85% compared to characteristics of dos and ddos attacks. In Signal Processing and
Communications Applications Conference (SIU), 2013 21st, pages 1–
76% of DWT based classifier. This result is in contrary with 4. IEEE, 2013.
the outcome during the training, which DWT feature has better [10] Zhijun Wu, Meng Yue, Douzhe Li, and Ke Xie. Sedp-based detection of
performance than DFT for thresholding classifier. low-rate dos attacks. International Journal of Communication Systems,
28(11):1772–1788, 2015.
Similar to thresholding method, DWT-based naive Bayes [11] Kun Wen, Jiahai Yang, Fengjuan Cheng, Chenxi Li, Ziyu Wang, and Hui
classifier has lowest false positive rate, but its accuracy is lower Yin. Two-stage detection algorithm for roq attack based on localized
periodicity analysis of traffic anomaly. In Computer Communication
than those of DFT and combined methods. The combined and Networks (ICCCN), 2014 23rd International Conference on, pages
feature results in lower false positive and false negative rates 1–6. IEEE, 2014.
which improve the accuracy by 1.21% compared to the result [12] Chen-Mou Cheng, HT Kung, and Koan-Sin Tan. Use of spectral
analysis in defense against dos attacks. In Global Telecommunications
of DFT feature alone. It indicates that although, DWT feature Conference, 2002. GLOBECOM’02. IEEE, volume 3, pages 2143–2148.
results in low accuracy, but it can be employed as a compli- IEEE, 2002.
mentary for DFT feature to improve the overall accuracy. [13] Paul Barford, Jeffery Kline, David Plonka, and Amos Ron. A signal
analysis of network traffic anomalies. In Proceedings of the 2nd ACM
All in all, comparing two classifiers, naive Bayes outper- SIGCOMM Workshop on Internet measurment, pages 71–82. ACM,
forms thresholding method for both features and the highest 2002.
accuracy belongs to naive classifier with combined feature. [14] Alefiya Hussain, John Heidemann, and Christos Papadopoulos. A
framework for classifying denial of service attacks. In Proceedings of
the 2003 conference on Applications, technologies, architectures, and
IV. C ONCLUSION protocols for computer communications, pages 99–110. ACM, 2003.
[15] José Jair Santanna, Roland van Rijswijk-Deij, Rick Hofstede, Anna
Shrouding itself with the characteristics of legitimate traffics Sperotto, Mark Wierbosch, Lisandro Zambenedetti Granville, and Aiko
Pras. Bootersan analysis of ddos-as-a-service attacks. In Integrated
makes the detection of DDoS attack burdensome. Examining Network Management (IM), 2015 IFIP/IEEE International Symposium
the payload of packets of an attack which is very similar to on, pages 243–251. IEEE, 2015.
normal one, may results in treating the intruder as a legitimate [16] I MathWorks. Matlab and statistics toolbox release, 2012.
[17] Mark Hall, Eibe Frank, Geoffrey Holmes, Bernhard Pfahringer, Peter
traffic. However, analyzing the frequency attributes of traffics Reutemann, and Ian H Witten. The weka data mining software: an
might improve this weakness. In this paper, DWT and DFT update. ACM SIGKDD explorations newsletter, 11(1):10–18, 2009.
were used to extract features for naive Bayes classifiers. The [18] Ron Bracewell. The fourier transform and iis applications. New York,
5, 1965.
performance of the system using DFT attributes is better [19] Yvette Mallet, Danny Coomans, Jerry Kautsky, and Olivier De Vel.
than using DWT features. Moreover, the combination of two Classification using adaptive wavelets for feature extraction. Pattern
features increased the accuracy of detection. Additionally, Analysis and Machine Intelligence, IEEE Transactions on, 19(10):1058–
1066, 1997.
a simple thresholding method was also implemented which [20] Yu Chen and Kai Hwang. Spectral analysis of tcp flows for defense
again the DFT resulted in more accurate classification. Al- against reduction-of-quality attacks. In Communications, 2007. ICC’07.
though the accuracy of thresholding method is less than that IEEE International Conference on, pages 1203–1210. IEEE, 2007.

