SFDEM: A Single Flow Detection Enabled Method for DDoS Attacks in IoT with Feature Mapping

To address the slow response time of existing detection modules to modern multi-type Internet of Things DDoS(Distributed Denial of Service) attacks, their low feature differentiation, and poor detection performance, we proposed SFDEM, a single flow detection enabled method with feature mapping. Initially, SFDEM employs a queue to store previously arrived flow. The features of the end-queue flow are represented by the overall characteristics of the queue, which enables SFDEM to detect the single flow upon its arrival with low latency. Second, we design a multidimensional reconstruction encoder and introduce the derivative function of the hyperbolic tangent function to enhance the similarity of the same type of flow and the differentiation between different types of flow. Finally, SFDEM employs machine learning classifiers to detect DDoS attacks using the mapped features of the flow. On the CICDDoS2019 and the Bot-IoT datasets, the average metrics value of SFDEM is a maximum of 12.01% higher than other existing methods.