{"references": ["J.B.D. Cabrera, et al. \"Proactive detection of distributed denial of service\nattacks using MIB traffic variables\u00d4\u00c7\u00f6a feasibility study\", Proceedings of\nthe seventh IFIP/IEEE International Symposium on Integrated Network\nManagement, Seattle, May, 2001, pp. 1-14.", "S. Chebrolu, A. Abraham, and P. J. Thomas, \"Feature deduction and\nensemble design of intrusion detection systems\", Computers & Security,\nVol. 24, issue 4, pp. 295-307. 2005.", "D. Gavrilis, and E. Dermatas, \"Real-time detection of distributed denialof-\nservice attacks using RBF networks and statistical features\",\nComputer Networks, Vol. 48, issue 2, pp. 235-245. 2005.", "G. Guo, H. Wang, D. Bell, Y. Bi, and K. Greer, \"Using kNN model for\nautomatic text categorization\", Soft Computing - A Fusion of\nFoundations, Methodologies and Applications, Vol. 10, No. 5, pp. 423-\n430. 2006.", "S. Haykin, Neural Networks: A Comprehensive Foundation, Upper\nSaddle River, Prentice Hall, New Jersey, 1994.", "J. Ioannidis, and S. M. Bellovin, \"Implementing pushback: router-based\ndefense against DDoS attacks\", Presented at Network and Distributed\nSystem Security Symposium, 2002.", "M. Kim, H. Na, K. Chae, H. Bang, and J. Na, \"A Combined Data Mining\nApproach for DDoS Attack Detection\", ICOIN 2004, LNCS 3090,\nSpringer-Verlag, Berlin Heidelberg, pp. 943-950.", "K. Lee, J. Kim, K. H. Kwon, Y. Han, and S. Kim, \"DDoS attack\ndetection method using cluster analysis\", Expert Systems with\nApplications, 2007, Vol. 34, pp. 1659-1665.", "H. W. Lee, \"SVM Based Packet Marking Technique for Traceback on\nMalicious DDoS Traffic\", ICOIN 2006, LNCS 3961, Springer-Verlag,\nBerlin Heidelberg, pp. 754-763.\n[10] S. C. Lin, and S. S. Tseng, \"Constructing detection knowledge for DDoS\nintrusion tolerance\", Expert Systems with Applications, 2004, Vol. 27,\npp. 379-390.\n[11] R. Mahajan, S. M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S.\nShenker, \"Controlling high bandwidth aggregate in the network\", ACM\nSIGCOMM Computer Communication Review, 2002, Vol. 32, No. 3\npp. 62 - 73.\n[12] J. May, J. Peterson, and J. Bauman, \"Attack detection in large\nnetworks\", Proceedings of the DARPA Information Survivability\nConference & Exposition II (DISCEX -01), 2001, Vol. 1, pp.15-21.\n[13] MIT Lincoln Lab, 2000, DARPA intrusion detection scenario specific\ndatasets,\nhttp://www.ll.mit.edu/IST/ideval/data/2000/2000_data_index.html.\n[14] T. M. Mitchell, Machine Learning, MacGraw Hill, New York, 1996.\n[15] K. Park, and H. Lee, \"A proactive approach to distributed DoS attack\nprevention using route-based packet filtering\", Tech. Rep. CSD-00-017,\nDepartment of Computer Sciences, Purdue University, 2000.\n[16] F. Sebastiani, \"Machine learning in automated text categorization\",\nACM Computing Surveys, Vol. 34, issue 1, Consiglio Nazionale delle\nRicerche, Italy, 2002, pp. 1-47.\n[17] A. Sharma, A. K. Pujari, and K. K. Paliwal, \"Intrusion detection using\ntext processing techniques with a kernel based similarity measure\",\nComputers & Security, 2007, Vol. 26, issue 7-8, 2007, pp. 488-495.\n[18] B. Todd, \"Distributed Denial of Service Attacks\", 2000.\nhttp://www.linuxsecurity.com/resource_files/intrusion_detection/ddosfaq.\nhtml\n[19] X. Xu, Y. Sun, and Z. Huang, \"Defending DDoS Attacks Using Hidden\nMarkov Models and Cooperative Reinforcement Learning\", Yang C.C.\net al. (Eds.): PAISI 2007, LNCS 4430, Springer-Verlag, Berlin\nHeidelberg, pp. 196-207.\n[20] A. Yaar, A. Perrig, and D. Song, \"Pi: a path identification mechanism to\ndefend against DDos attack\", Proceedings of the IEEE Symposium on\nSecurity and Privacy, 2003, pp. 93-107."]}

Distributed denial-of-service (DDoS) attacks pose a serious threat to network security. There have been a lot of methodologies and tools devised to detect DDoS attacks and reduce the damage they cause. Still, most of the methods cannot simultaneously achieve (1) efficient detection with a small number of false alarms and (2) real-time transfer of packets. Here, we introduce a method for proactive detection of DDoS attacks, by classifying the network status, to be utilized in the detection stage of the proposed anti-DDoS framework. Initially, we analyse the DDoS architecture and obtain details of its phases. Then, we investigate the procedures of DDoS attacks and select variables based on these features. Finally, we apply the k-nearest neighbour (k-NN) method to classify the network status into each phase of DDoS attack. The simulation result showed that each phase of the attack scenario is classified well and we could detect DDoS attack in the early stage.