Full research record in the university data repository

Research Title (Papers / Research Title)


A Proactive DDoS Attack Detection Approach Using Data Mining Cluster Analysis


Author / Editor / Publisher

 
مهدي عبادي مانع الموسوي

Citation Information


مهدي عبادي مانع الموسوي, A Proactive DDoS Attack Detection Approach Using Data Mining Cluster Analysis, Time 04/12/2016 20:18:01 : College of Information Technology

Abstract Description (Abstract)


Clustering and Network Malicious Detection

Full Description (Full Abstract)

Detecting and preventing Distributed Denial of Service (DDoS) attacks has become a crucial process for commercial organizations that use the internet today. Different approaches have been adopted to process the traffic information collected by monitoring stations (routers and servers) so that Intrusion Detection Systems (IDS) can distinguish the misbehaviour of malicious DDoS traffic. In general, data mining techniques can be designed and implemented within intrusion detection systems to protect organizations from malicious activity. Specifically, unsupervised data mining clustering techniques make it possible to distinguish normal traffic from malicious traffic with good accuracy. In this paper, we present a hybrid approach called centroid-based rules to detect and prevent real-world DDoS attacks taken from the "CAIDA UCSD DDoS Attack 2007 Dataset", with normal traffic traces taken from the "CAIDA Anonymized Internet Traces 2008 Dataset", using the unsupervised k-means data mining clustering technique together with a proactive rules method. Centroid-based rules are used to detect DDoS attacks effectively and in efficient time. The experimental results show that the centroid-based rules method performs better than the centroid-based method in terms of accuracy and detection rate. In terms of false alarm rates, the proposed solution obtains a very low false positive rate in both the training and testing phases. Accuracy was more than 99% in both the training and testing processes. The proposed centroid-based rules method can be used in real-time monitoring as a DDoS defense system.
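As an added illustration, not the paper's own code or data, the following Python script sketches the kind of pipeline the abstract describes: k-means over unlabelled traffic features, cluster centroids labelled by a rule, and a proactive per-feature threshold that flags flows drifting toward the attack profile before they fall into the attack cluster. The feature definitions (packets per second and distinct sources per second, aggregated per destination host), the placement of the threshold a quarter of the way from the normal centroid to the attack centroid, and the constructed sample data are all assumptions made here; the paper's actual rules and its CAIDA feature extraction are not reproduced.

```python
# Added illustration (not the paper's code): k-means clustering of per-destination
# traffic features plus centroid-based rules, evaluated with accuracy, detection
# rate and false-positive rate. Feature choice, thresholds and sample data are
# assumptions constructed for this example.
import math
import random

# Each flow record is (packets_per_second, distinct_sources_per_second) aggregated
# per destination host; both feature definitions are assumed here.
def make_samples(n_normal=40, n_attack=40, seed=7):
    """Constructed sample data standing in for CAIDA-style traces."""
    rng = random.Random(seed)
    normal = [(rng.uniform(50, 200), rng.uniform(1, 20)) for _ in range(n_normal)]
    attack = [(rng.uniform(5000, 20000), rng.uniform(200, 1000)) for _ in range(n_attack)]
    return normal, attack

def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def _nearest(p, centroids):
    return min(range(len(centroids)), key=lambda i: _dist(p, centroids[i]))

def kmeans(points, k, iters=100):
    """Plain k-means with deterministic farthest-first initialisation."""
    centroids = [points[0]]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(_dist(p, c) for c in centroids))
        centroids.append(far)
    dims = len(points[0])
    for _ in range(iters):
        clusters = [[] for _ in range(k)]
        for p in points:
            clusters[_nearest(p, centroids)].append(p)
        new = []
        for i, members in enumerate(clusters):
            if members:
                new.append(tuple(sum(m[d] for m in members) / len(members) for d in range(dims)))
            else:
                new.append(centroids[i])  # keep an empty cluster's centroid in place
        if new == centroids:
            break
        centroids = new
    return centroids

def fit_model(training_points, k=2):
    """Cluster unlabelled training flows and attach centroid-based rules."""
    dims = len(training_points[0])
    # Max-scaling so that packet rate does not dominate the distance computation.
    maxes = [max(p[d] for p in training_points) or 1.0 for d in range(dims)]
    scaled = [tuple(v / m for v, m in zip(p, maxes)) for p in training_points]
    centroids = kmeans(scaled, k)
    # Rule 1 (assumed): the centroid with the highest packet rate is the attack cluster.
    attack_idx = max(range(k), key=lambda i: centroids[i][0])
    normal_idx = min(range(k), key=lambda i: centroids[i][0])
    # Rule 2 (assumed, the "proactive" part): per-feature thresholds a quarter of the
    # way from the normal centroid to the attack centroid flag flows that are extreme
    # on a single feature even when Euclidean distance still puts them nearer normal.
    thresholds = [centroids[normal_idx][d] + 0.25 * (centroids[attack_idx][d] - centroids[normal_idx][d])
                  for d in range(dims)]
    return {"maxes": maxes, "centroids": centroids, "attack_idx": attack_idx, "thresholds": thresholds}

def classify(model, point):
    """Nearest-centroid decision, then the proactive threshold rule."""
    p = tuple(v / m for v, m in zip(point, model["maxes"]))
    if _nearest(p, model["centroids"]) == model["attack_idx"]:
        return "attack"
    if any(v > t for v, t in zip(p, model["thresholds"])):
        return "attack"
    return "normal"

def evaluate(model, normal, attack):
    """Accuracy, detection rate and false-positive rate on labelled test flows."""
    tp = sum(classify(model, p) == "attack" for p in attack)
    fp = sum(classify(model, p) == "attack" for p in normal)
    total = len(normal) + len(attack)
    correct = tp + (len(normal) - fp)
    return {"accuracy": correct / total,
            "detection_rate": tp / len(attack),
            "false_positive_rate": fp / len(normal)}

def demo():
    train_normal, train_attack = make_samples(seed=7)
    model = fit_model(train_normal + train_attack)   # labels are not used for training
    test_normal, test_attack = make_samples(seed=11)
    return evaluate(model, test_normal, test_attack)

if __name__ == "__main__":
    print(demo())
```

The training step never sees labels; the only supervision is the rule that names the high-rate centroid as the attack cluster, which is what makes the approach usable on raw monitoring data. The threshold rule is where the "proactive" behaviour comes from: a single-source flood with a high packet rate but few distinct sources is flagged even though its Euclidean distance may still be closer to the normal centroid.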


Network security is one of the most important issues commercial organizations must consider in order to protect their information from malicious threats. The problem of detecting malicious traffic has been widely studied and remains a hot research topic in recent decades. Many studies have designed and implemented Intrusion Detection Systems (IDS) to analyse, detect and prevent malicious activities such as Denial of Service and Distributed Denial of Service attacks (DoS/DDoS). IDSs can be classified into two main categories: Misuse Intrusion Detection (MIS) and Anomaly Intrusion Detection (AID). Misuse detection is built from known attack behaviour using pattern matching, which can later serve as signatures for possible attacks. Anomaly intrusion detection, by contrast, is built from a long-term profile of the normal usage behaviour of network traffic. In general, IDSs can apply data mining techniques to identify unusual access or attacks and so secure internal networks. A Denial of Service attack is a highly damaging threat able to disrupt the CIA (Confidentiality, Integrity and Availability) services on a network. It consists of a series of attacks able to degrade the network's quality of service in a highly predictable manner. A very common example of this attack is the Distributed Denial of Service (DDoS) attack, in which multiple computers are used to send attack traffic to a victim at the same time throughout the attack period. Zombies is the common name for the computers under the attacker's control through handlers. Handlers are software packages that the attacker uses to communicate with the zombies. Zombies may or may not be aware that they are attacking a victim on the network. In general, the attacker gains control of the zombies by communicating with any number of handlers to identify which agents are running and to schedule attacks.

Download Attached File

Download the file from the University of Babylon network server (Paper Link on Network Server), repository publications
