(Short Paper) Effectiveness of Entropy-Based Features in High- and Low-Intensity DDoS Attacks Detection

DDoS attack detection using entropy-based features in network traffic has become a popular approach among researchers in the last five years. The use of traffic distribution features constructed using entropy measures has been proposed as a better approach to detect Distributed Denial of Service (DDoS) attacks than conventional volumetric methods, but it still lacks generality in accurately detecting DDoS attacks of various intensities. In this paper, we focus on identifying effective entropy-based features to detect both high- and low-intensity DDoS attacks by exploring the effectiveness of entropy-based features in distinguishing attack traffic from normal traffic patterns. We hypothesise that using different entropy measures, window sizes, and entropy-based features may affect the accuracy of detecting DDoS attacks. This means that certain entropy measures, window sizes, and entropy-based features may reveal attack traffic amongst normal traffic better than others. Our experimental results show that the Shannon, Tsallis and Zhou entropy measures achieve a clearer distinction between DDoS attack traffic and normal traffic than Renyi entropy. In addition, the window size used in entropy construction has minimal influence on differentiating DDoS attack traffic from normal traffic. The effectiveness ranking shows that the commonly used features are less effective than other features extracted from traffic headers.
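The abstract describes entropy features computed per window over traffic header fields and compared across entropy measures. The following example is added here and is not the paper's code: it computes Shannon, Renyi and Tsallis entropy (Zhou entropy is omitted) of source and destination addresses per fixed-size window for constructed normal and flood traffic; all packets, addresses, window size and parameters alpha and q are assumptions chosen for illustration.

```python
"""Windowed entropy features over packet header fields (constructed example)."""
from collections import Counter
from math import log2


def probabilities(values):
    """Empirical distribution of one header field within a window."""
    counts = Counter(values)
    total = len(values)
    return [c / total for c in counts.values()]


def shannon(p):
    """Shannon entropy in bits."""
    return -sum(x * log2(x) for x in p)


def renyi(p, alpha=2.0):
    """Renyi entropy of order alpha (alpha != 1); alpha=2 is collision entropy."""
    return log2(sum(x ** alpha for x in p)) / (1 - alpha)


def tsallis(p, q=2.0):
    """Tsallis entropy with non-extensivity index q (q != 1)."""
    return (1 - sum(x ** q for x in p)) / (q - 1)


MEASURES = {"shannon": shannon, "renyi": renyi, "tsallis": tsallis}


def window_features(packets, field, window, measure):
    """One entropy value per non-overlapping window of `window` packets."""
    feats = []
    for start in range(0, len(packets) - window + 1, window):
        vals = [pkt[field] for pkt in packets[start:start + window]]
        feats.append(measure(probabilities(vals)))
    return feats


def make_traffic():
    """Constructed traffic: normal clients spread over 10 servers, the flood hits one."""
    normal = [{"src": f"10.0.0.{i % 50}", "dst": f"192.0.2.{i % 10}"} for i in range(100)]
    attack = [{"src": f"203.0.113.{i % 50}", "dst": "192.0.2.7"} for i in range(100)]
    return normal, attack


def feature_table(packets, window=50):
    """Per-window entropy of src and dst for every measure; keys are (field, measure)."""
    return {(field, name): window_features(packets, field, window, fn)
            for field in ("src", "dst") for name, fn in MEASURES.items()}
```

In this constructed data the source-address entropy is identical for normal and flood windows while the destination-address entropy collapses to zero under the flood, which is the kind of per-feature difference the ranking in the paper measures.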
