| Author/ Date | Detection Technique | Performance Evaluation metrics | Datasets | Tools used | Advantages | Disadvantages | Limitations | |
| Csubak, Szucs, Voros, and Kiss, 2016 | Big data Testbed for Network Attack detection | Packets per second rate | Simulated network traffic using NS3, Normal traffic data ranging from MBs to GBs | 1) Snort 2) NS3 3) Wireshark, 4) Python-dpkt package | 1) Using Snort, a user defines their own rules for which network traffic is analyzed against 2) Snort can analyze and log network packets in real time. 3) Big data testbed is capable of handling hundreds of GB network traffic | 1) Since the technique checks the already set packet rates threshold, attacks occurring below the set threshold are undetectable | 1) The technique has not been applied on large scale rather only tested via simulation | |
| Chen Xu, Mahalingam Ge, Nguyen, Yu, and Lu, 2016 | Cloud computing based network monitoring and threat detection system for critical infrastructures | Traffic volume per minute to detect abnormal behavior | Uses real Large traffic data from logs | 1) Hadoop 2) Spark 3) Mysql database 4) PHP with AJAX | 1) Three-fold solution of network monitoring, threat detection, and system performance 2) Fast data processing by concurrently running Hadoop and Spark 3) Easy for network administrators to detect any abnormal network behaviors | 1) Accuracy level relies on collected data samples. 2) Cannot detect dynamic attacks 3) New components require extra monitoring agents | 1) Accuracy of the detection greatly relies on collected traffic information 2) The technique is only suitable for analyzing static data | |
| Osanaiye, Choo, and Dlodlo, 2016 | Conceptual Cloud DDoS change-point detection framework | Packet inter-arrival time (IAT) | Conceptual network traffic data. No simulation or real data tests done. | 1) CUSUM algorithm | 1) Easily detects abnormal packet pattern by comparing with normal packet behavior 2) Able to detect DDoS attacks using statistical anomaly 3) IAT feature helps determine the probability of a DDOS attack long before it occurs | 1) Abnormally based attacks cannot learn new attack types 2) Leads to a lot of false positives and false negatives and no optimal threshold is set | 1) There is no standard mechanism to determine the optimal threshold for determining abnormal traffic | |
| Borisenko, Smirnov, Novikova, and Shorov, 2016 | DDOS attack detection in cloud computing using Data Mining Techniques | Incoming network traffic data vectors | Uses Hping to simulate SYN, NTP, and HTTP-based traffic data, source IP and port, destination IP and ports, packets, data bytes length | 1) Real Service in Virtual Network Framework (RSVNet) 2) Ansible 3) Siege 3.1.0 4) Hping | 1) The technique performs test on real and virtual nodes 2) RSVNet is used to implement and create new protection mechanisms, and attack scenarios 3) Fast data processing and prediction of less than one second 4) This technique can be tailored to independently detect TCP, UDP, and ICMP flood attacks | 1) For attack detection, powers have to be set to act as threshold and hence the process is not dynamic in nature 2) Separate attacks require separate classification models | 1) The technique has no capacity for complex attacks | |
| Hameed, Ali, and IT Security Labs, June 2015 | Live DDOS Detection with Hadoop | File size, number of files before detection, path to save captured file | Real-time Live network traffic | 1) HADEC 2) Apache Hadoop | 1) Ability to analyze huge volume of DDOS flood attacks in less time | 1) Hadoop does not offer parallelism for small log files 2) Capturing consumes over half of the overall detection | 1) Using small log files implies reduced number of attackers | |