BCDM: An Early-Stage DDoS Incident Monitoring Mechanism Based on Binary-CNN in IPv6 Network

Abstract

The rapid adoption of IPv6 has increased network access scale while also escalating the threat of Distributed Denial of Service (DDoS) attacks. By the time a DDoS attack is recognized, the overwhelming volume of attack traffic has already made mitigation extremely difficult. Therefore, continuous network monitoring is essential for early warning and defense preparation against DDoS attacks, requiring both sensitive perception of network changes when DDoS occurs and reducing monitoring overhead to adapt to network resource constraints. In this paper, we propose a novel DDoS incident monitoring mechanism that uses macro-level network traffic behavior as a monitoring anchor to detect subtle malicious behavior indicative of the existence of DDoS traffic in the network. This behavior feature can be abstracted from our designed traffic matrix sample by aggregating continuous IPv6 traffic. Compared to IPv4, the fixed-length header of IPv6 allows more efficient packet parsing in preprocessing. As the decision core of monitoring, we construct a lightweight Binary Convolution DDoS Monitoring (BCDM) model, compressed by binarized convolutional filters and hierarchical pooling strategies, which can detect the malicious behavior abstracted from input traffic matrix if DDoS traffic is involved, thereby signaling an ongoing DDoS attack. Experiment on IPv6 replayed CIC-DDoS2019 shows that BCDM, being lightweight in terms of parameter quantity and computational complexity, achieves monitoring accuracies of 90.9%, 96.4%, and 100% when DDoS incident intensities are as low as 6%, 10%, and 15%, respectively, significantly outperforming comparison methods.