Feature selection to improve distributed denial of service detection accuracy using hybrid N-Gram heuristic techniques

Andi Maslan, Abdul Hamid, Dedy Fitriawan, Anggia Dasa Putri, Tukino Tukino

Abstract


Distributed denial of service (DDoS) attacks target servers and computers in various ways, such as flooding them with traffic. There are three DDoS detection methods, namely anomaly-based, pattern-based and heuristic-based. However, pattern-based methods cannot detect recent attacks, while anomaly-based methods have low accuracy and relatively high false positives. This research proposes increasing accuracy using a heuristic-based DDoS detection method and a new feature. The combination of CSDPayload+N-Gram and CSPayload+N-Gram features is called hybrid N-Gram, which is analysed on four datasets: CIC2017, CIC2019, MIB-2016, and H2NPayload. Chi-square distance (CSD) and cosine similarity (CS) are then calculated from the N-Gram frequency values, and Pearson Chi-square is computed from the same N-Gram frequency values. The CSDPayload+N-Gram and CSPayload+N-Gram features are compared, along with the Pearson Chi-square value, to classify the payload as either DDoS or not. Finally, feature selection based on weight correlation and payload classification employ machine learning algorithms: support vector machine (SVM), K-nearest neighbors (KNN), and neural network (NN). The average accuracy rate for detecting DDoS attacks across the four datasets, utilising the CSDPayload+4-Gram and CSPayload+4-Gram features with the SVM algorithm, is 99.71%, which surpasses the accuracy achieved using KNN (96.22%) and NN (99.50%). Thus, the best algorithm for detecting DDoS is SVM with hybrid 4-Gram.
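The two distance features named in the abstract can be illustrated with the following added Python example, which is not the authors' code. It assumes the common definitions of Chi-square distance, sum of (p - q)^2 / (p + q), and cosine similarity over byte 4-gram relative frequencies; the function names and sample payloads are constructed for illustration, and the paper's exact formulas, Pearson Chi-square step and classifiers are not reproduced.

```python
import math
from collections import Counter

def ngram_profile(payloads, n=4):
    """Relative frequency of overlapping byte n-grams across a list of payloads."""
    counts = Counter()
    for p in payloads:
        counts.update(p[i:i + n] for i in range(len(p) - n + 1))
    total = sum(counts.values())
    return Counter({g: c / total for g, c in counts.items()}) if total else Counter()

def chi_square_distance(p, q):
    """Assumed definition: sum over all n-grams of (p - q)^2 / (p + q); 0 = identical."""
    return sum((p[g] - q[g]) ** 2 / (p[g] + q[g]) for g in p.keys() | q.keys())

def cosine_similarity(p, q):
    """Cosine of the angle between two n-gram frequency vectors; 1 = same direction."""
    dot = sum(p[g] * q[g] for g in p.keys() & q.keys())
    norm = math.sqrt(sum(v * v for v in p.values())) * math.sqrt(sum(v * v for v in q.values()))
    return dot / norm if norm else 0.0

def payload_features(payload, baseline, n=4):
    """Return (CSD, CS) of one payload against a baseline profile.
    A payload shorter than n has no n-grams and scores as maximally dissimilar in CS."""
    profile = ngram_profile([payload], n)
    return chi_square_distance(profile, baseline), cosine_similarity(profile, baseline)

# Constructed sample data (not taken from any of the paper's datasets).
BASELINE = ngram_profile([
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /news.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
])
SIMILAR = b"GET /about.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
REPETITIVE = b"A" * 64  # constructed high-repetition payload with no baseline n-grams

if __name__ == "__main__":
    for name, data in (("similar", SIMILAR), ("repetitive", REPETITIVE)):
        csd, cs = payload_features(data, BASELINE)
        print(f"{name:10s} CSD={csd:.4f} CS={cs:.4f}")
```

In a pipeline like the one the abstract describes, the resulting (CSD, CS) pair would be one row of the feature matrix passed to a classifier.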

Keywords


Chi-square distance; distributed denial of service; malware; N-Grams; payload



DOI: http://doi.org/10.12928/telkomnika.v22i5.24913



Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

TELKOMNIKA Telecommunication, Computing, Electronics and Control
ISSN: 1693-6930, e-ISSN: 2302-9293
Universitas Ahmad Dahlan, 4th Campus
Jl. Ringroad Selatan, Kragilan, Tamanan, Banguntapan, Bantul, Yogyakarta, Indonesia 55191