Title: An Unsupervised Approach to DDoS Attack Detection and Mitigation in Near-Real Time

Authors: Mcandrew, Robert; Hayne, Stephen; Wang, Haonan

Type: Conference Paper

Dates: 2020-01-04; 2020-01-04; 2020-01-07

ISBN: 978-0-9981331-3-3

DOI: 10.24251/HICSS.2020.792

URI: http://hdl.handle.net/10125/64534

Abstract: We present an approach for Distributed Denial of Service (DDoS) attack detection and mitigation in near-real time. The adaptive unsupervised machine learning methodology is based on volumetric thresholding, Functional Principal Component Analysis, and K-means clustering (with tuning parameters for flexibility), which dissects the dataset into categories of outlier source IP addresses. A probabilistic risk assessment technique is used to assign "threat levels" to potential malicious actors. We use our approach to analyze a synthetic DDoS attack with ground truth, as well as the Network Time Protocol (NTP) amplification attack that occurred during January of 2014 at a large mountain-range university. We demonstrate the speed and capabilities of our technique through replay of the NTP attack. We show that we can detect and attenuate the DDoS within two minutes with significantly reduced volume throughout the six waves of the attack.

Extent: 10 pages

Language: eng

Rights: Attribution-NonCommercial-NoDerivatives 4.0 International

Track: Machine Learning and Cyber Threat Intelligence and Analytics

Keywords: ddos; functional principal component analysis; k-means clustering; network monitoring; unsupervised learning