DDoS attack forecasting based on online multiple change points detection and time series analysis

Multimedia Tools and Applications (2023)

Abstract
Attack forecasting is a proactive approach to defend against cyber-attacks, as it helps in predicting future threats beforehand. In this paper, we propose a Distributed Denial of Service (DDoS) forecasting system, which is composed of two main components: the forecaster and the forecasting decision-making. The forecaster component uses a novel concept in cyber-attack forecasting, which combines time series forecasting analysis and multiple change points detection. The proposed concept improves forecasting accuracy compared to conventional statistical forecasting techniques, as it considers the abrupt and multiple changes in time series, where the multiple change points detection approach can help with auto-updating the forecasting models. Based on the proposed concept, we combine three time series analysis models and two change point detection algorithms to provide six forecasting method variants. Moreover, we propose an improved forecasting model named Ensemble Forecasting based on Time Series Analysis and Multiple Change Point Detection, which selects at each forecasting step the time series analysis model that exhibits the best accuracy and combines it with the change point detection algorithm. The proposed forecasting methods allow online learning as they can dynamically adapt to new observations. The forecasting decision-making component uses the output of the forecaster component, which is the number of forecasted attack flows and forecasting accuracy, and performs a risk assessment to alert the system administrator and take appropriate countermeasure decisions in advance. Experimentation results on CICDDoS2019 dataset show that the proposed methods significantly improve DDoS forecasting accuracy compared to traditional statistical forecasting models, such as Autoregressive, Exponential Smoothing, and Moving Average.
Keywords
Cyber-attack,DDoS,Forecasting,Time series,Change point detection
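
The forecaster concept from the abstract, as an added sketch that is not the paper's code: one-step-ahead forecasts of attack flow counts, a per-step choice of the model with the lowest error so far, and a model restart at each detected change point. Assumptions: the series is constructed, only two of the three model families named in the abstract are included, and the mean-deviation threshold detector is a stand-in, since the abstract does not name the two change point detection algorithms.

```python
# Constructed sample: attack flows per interval with two abrupt level shifts.
SERIES = [10, 12, 11, 9, 10, 11, 10, 12, 9, 10,
          80, 82, 79, 81, 80, 83, 78, 80, 81, 79,
          30, 31, 29, 30, 32, 30, 29, 31, 30, 30]

def moving_average(hist, window=5):
    recent = hist[-window:]
    return sum(recent) / len(recent)

def exp_smoothing(hist, alpha=0.5):
    level = hist[0]
    for x in hist[1:]:
        level = alpha * x + (1 - alpha) * level
    return level

MODELS = {"moving_average": moving_average, "exp_smoothing": exp_smoothing}

def forecast_online(series, detect=True, threshold=20.0):
    """One-step-ahead ensemble forecast.

    Returns (change_points, mean_absolute_error). With detect=False the
    models keep their full history, as a conventional forecaster would.
    """
    start = 0                                # first index of the current segment
    cum_err = dict.fromkeys(MODELS, 0.0)     # per-model error in this segment
    change_points, abs_errors = [], []
    for t in range(1, len(series)):
        hist = series[start:t]
        preds = {name: model(hist) for name, model in MODELS.items()}
        best = min(MODELS, key=cum_err.get)  # ensemble: best model so far
        abs_errors.append(abs(preds[best] - series[t]))
        for name in MODELS:
            cum_err[name] += abs(preds[name] - series[t])
        # Assumed stand-in detector: large deviation from the segment mean.
        segment_mean = sum(hist) / len(hist)
        if detect and abs(series[t] - segment_mean) > threshold:
            change_points.append(t)
            start = t                        # refit on post-change data only
            cum_err = dict.fromkeys(MODELS, 0.0)
    return change_points, sum(abs_errors) / len(abs_errors)

if __name__ == "__main__":
    cps, mae_cpd = forecast_online(SERIES, detect=True)
    _, mae_plain = forecast_online(SERIES, detect=False)
    print("change points:", cps)
    print("MAE with change point restart:", round(mae_cpd, 2))
    print("MAE without:", round(mae_plain, 2))
```

The forecast error at the change step itself is the same in both modes; the gain comes from the steps after it, where the restarted models no longer average in pre-change traffic.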