The dependence of society on Information and Communication Technology (ICT) over the past decade has brought with it an increased vulnerability to Distributed Denial-of-Service (DDoS) attacks. These attacks harness the power of thousands, and sometimes tens or hundreds of thousands of compromised computers to attack information-providing web-services and online trading sites, resulting in significant down-time and financial losses. Consequently, the study of DDoS attacks, and the development of techniques to accurately and reliably detect and mitigate their impact is an important area of research. One particular challenge in detecting such attacks is distinguishing them from similar looking Flash Events (FEs), which occur when a server experiences an unexpected surge of requests from its legitimate clients. Distinguishing DDoS attacks from FEs is important because each requires a different set of actions to be undertaken by a network administrator. However, developing and investigating realistic techniques to distinguish between the two is complicated by an extreme lack of experimental datasets that record representative real traffic, whether attack or benign.

The work presented in this thesis addresses the above challenges and makes a number of related contributions.