CCID: Cross-Correlation Identity Distinction Method for Detecting Shrew DDoS

Author/Creator ORCID





Citation of Original Publication

Cheng Huang, Ping Yi, Futai Zou, Yao Yao, Wei Wang, and Ting Zhu, CCID: Cross-Correlation Identity Distinction Method for Detecting Shrew DDoS, Wireless Communications and Mobile Computing Volume 2019, Article ID 6705347, 9 pages,


This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.
Attribution 4.0 International (CC BY 4.0)


This study presents a new method for detecting ShrewDDoS (DistributedDenial of Service) attacks and analyzes the characteristics of the Shrew DDoS attack. Shrew DDoS is periodic to be suitable for the server’s TCP (Transmission Control Protocol) timer. It has lower maximum to bypass peak detection.This periodicity makes it distinguishable from normal data packets. By proposing the CCID (Cross-Correlation Identity Distinction) method to distinguish the flow properties, it quantifies the difference between a normal flow and an attack flow. Simultaneously, we calculated the cross-correlation between the attack flow and the normal flow in three different situations.The server can use its own TCP flow timer to construct a periodic attack flow.The cross-correlation between Gaussian white noise and simulated attack flow is less than 0.3.The cross-correlation between single-door function and simulated attack flow is 0.28. The cross-correlation between actual attack flow and simulated attack flow is more than 0.8. This shows that we can quantitatively distinguish the attack effects of different signals. By testing 4 million data, we can prove that it has a certain effect in practice.