Matrix Pearson Correlation Feature Selection and ESPRT for DDoS Anomaly Detection
Received: 7 July 2025 | Revised: 26 July 2025 | Accepted: 2 August 2025 | Online: 7 September 2025
Corresponding author: Basheer Husham Ali
Abstract
Many approaches have been proposed to identify malicious anomalous traffic. Statistical models are techniques that rely on the analysis and investigation of network traffic to obtain a deeper understanding of it. Combining the Sequential Probability Ratio Test (SPRT) with Entropy (E) is an effective technique for detecting anomalies. The most common anomalies targeting servers are Distributed Denial of Service (DDoS) attacks, which are designed to prevent legitimate users from accessing services provided by a targeted server or controller. The first goal of this study is to detect malicious traffic and identify two types of DDoS anomalies, NTP and DNS, by implementing a combined Entropy and Sequential Probability Ratio Test approach (ESPRT); both protocols are commonly exploited in reflection or amplification attacks due to their stateless UDP-based nature. The second goal is to select relevant features to improve detection performance by implementing a Pearson Correlation Coefficient (PCC) approach. The CIC-DDoS2019 dataset was used to evaluate the proposed approach. ESPRT achieved high accuracy, ranging from 97.27 to 96.23% when the number of features ranged from 5 to 55, and had a low False Positive Rate (FPR), ranging from 0.01 to 0.03.
Keywords:
DDoS attack, entropy, Pearson correlation, SPRT
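The following sketch illustrates the general idea of pairing windowed entropy with Wald's SPRT for detection. It is an added example, not the authors' implementation: the choice of destination IP as the entropy feature, the entropy threshold, the hypothesis probabilities `p0`/`p1`, the error rates `alpha`/`beta`, and the sample windows are all assumptions constructed for illustration.

```python
import math
from collections import Counter

def shannon_entropy(values):
    """Shannon entropy of one window, normalised to [0, 1] by log2(window size)."""
    counts = Counter(values)
    if len(counts) < 2:  # empty or single-valued window has no spread
        return 0.0
    n = len(values)
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)

def sprt(flags, p0=0.2, p1=0.8, alpha=0.01, beta=0.01):
    """Wald's SPRT over Bernoulli observations (True = suspicious window).

    H0: P(suspicious) = p0 (normal traffic); H1: P(suspicious) = p1 (attack).
    Returns (decision, number of windows consumed).
    """
    upper = math.log((1 - beta) / alpha)   # accept H1 at or above this
    lower = math.log(beta / (1 - alpha))   # accept H0 at or below this
    step_up = math.log(p1 / p0)
    step_down = math.log((1 - p1) / (1 - p0))
    llr = 0.0
    for i, suspicious in enumerate(flags, 1):
        llr += step_up if suspicious else step_down
        if llr >= upper:
            return "attack", i
        if llr <= lower:
            return "normal", i
    return "undecided", len(flags)

def esprt(windows, entropy_threshold=0.5, **sprt_kwargs):
    """Flag each window whose entropy collapses below the threshold, then
    let SPRT accumulate evidence across windows before deciding."""
    flags = [shannon_entropy(w) < entropy_threshold for w in windows]
    return sprt(flags, **sprt_kwargs)

# Constructed sample windows of destination IPs (8 packets each).
NORMAL = [f"10.0.0.{i}" for i in range(1, 9)]   # traffic spread over 8 hosts
ATTACK = ["10.0.0.1"] * 7 + ["10.0.0.2"]        # concentrated on one victim

if __name__ == "__main__":
    print(esprt([NORMAL] * 6))                  # benign traffic only
    print(esprt([NORMAL] * 2 + [ATTACK] * 8))   # attack begins in window 3
```

The sequential test does not alarm on a single low-entropy window; with these assumed parameters it needs a net surplus of four suspicious windows before it accepts the attack hypothesis.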
License
Copyright (c) 2025 Basheer Husham Ali, Khaled Mansour Al-Rawe, Ayad M. Kwad, Suphian Mohammed Tariq, Nasri Sulaiman, Omar Abdulkareem

This work is licensed under a Creative Commons Attribution 4.0 International License.