DDoS Flooding Attack Detection Based on Joint-Entropy with Multiple Traffic Features

Distributed Denial of Service (DDoS) attacks are still considered severe threats to the Internet. Previous work has used information entropy to detect DDoS flooding attacks. However, these methods usually use only the source address as the packet feature and ignore other features. Moreover, the entropy of a single variable is limited as an anomaly detector. In this paper, we propose a new joint-entropy-based DDoS detection solution that uses multiple packet features. We choose flow duration, packet length, source address and destination port as the key features for detecting different types of DDoS flooding attacks. We carry out experiments on a simulated campus network built on a Software-Defined Networking (SDN) architecture. The results show that the proposed method effectively detects attacks with both spoofed (forged) and non-spoofed source addresses, and outperforms previous single-entropy methods in terms of accuracy and false positive rate.
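The following is an added illustration of the idea in the abstract, written for this page; it is not the paper's code. It computes Shannon entropy per feature and joint entropy over the four features named above (flow duration, packet length, source address, destination port) for fixed-size windows of flow records. The three traffic windows, the baseline taken from a single benign window, the 1-bit deviation tolerance (`DELTA_BITS`) and the decision rule in `classify` are assumptions made here to make the example runnable; the paper's actual thresholds and windowing are not on this page.

```python
"""Joint-entropy DDoS flood detection over multiple flow features.

Added example, not the paper's implementation. Feature set follows the
abstract; window size, baseline, tolerance and decision rule are assumed.
"""
import math
from collections import Counter
from typing import Dict, Iterable, Sequence

Flow = Dict[str, object]

# Feature names assumed for this example: flow duration (s), packet length
# (bytes), source address, destination port.
FEATURES = ("dur", "plen", "src", "dport")
DELTA_BITS = 1.0  # assumed tolerance: a window must move >1 bit to be flagged


def entropy(values: Iterable) -> float:
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def joint_entropy(flows: Sequence[Flow], fields: Sequence[str]) -> float:
    """H(X1, ..., Xk): entropy of the tuple formed by the selected fields.

    Two flows contribute to the same bucket only if ALL selected fields match,
    which is what makes joint entropy sensitive to floods whose packets are
    uniform in length, port and duration even when the source varies.
    """
    return entropy(tuple(f[k] for k in fields) for f in flows)


def window_stats(flows: Sequence[Flow]) -> Dict[str, float]:
    """Single-feature entropies plus joint entropies for one window."""
    stats = {f"H_{k}": entropy(f[k] for f in flows) for k in FEATURES}
    stats["H_joint"] = joint_entropy(flows, FEATURES)
    # Assumed helper metric: joint entropy of the non-address features, which
    # collapses in a flood regardless of whether sources are spoofed.
    stats["H_joint_nonaddr"] = joint_entropy(flows, ("dur", "plen", "dport"))
    return stats


def classify(flows: Sequence[Flow], baseline: Dict[str, float]) -> str:
    """Assumed decision rule (not the paper's): flag a window when the joint
    entropy of duration/length/port falls more than DELTA_BITS below the
    baseline, then use source-address entropy to tell spoofed from botnet."""
    s = window_stats(flows)
    if baseline["H_joint_nonaddr"] - s["H_joint_nonaddr"] <= DELTA_BITS:
        return "normal"
    if s["H_src"] > baseline["H_src"] + DELTA_BITS:
        return "flood:spoofed-source"
    return "flood:non-spoofed-source"


# --- Constructed sample windows (32 flows each); not captured traffic. ---
# Benign: 8 clients mixing ports, sizes and durations.
BENIGN = [
    {"src": f"10.0.0.{i % 8}", "dport": (80, 443, 53, 22)[i % 4],
     "plen": (64, 512, 1500, 128)[(i // 4) % 4],
     "dur": (0.1, 1.0, 5.0, 0.5)[(i // 2) % 4]}
    for i in range(32)
]
# Spoofed SYN-style flood: every packet carries a fresh forged source.
SPOOFED_FLOOD = [
    {"src": f"198.51.100.{i}", "dport": 80, "plen": 64, "dur": 0.0}
    for i in range(32)
]
# Non-spoofed flood: 4 bots with real addresses hammering one port.
BOTNET_FLOOD = [
    {"src": f"192.0.2.{i % 4}", "dport": 80, "plen": 64, "dur": 0.0}
    for i in range(32)
]

if __name__ == "__main__":
    base = window_stats(BENIGN)
    for name, w in (("benign", BENIGN), ("spoofed", SPOOFED_FLOOD),
                    ("botnet", BOTNET_FLOOD)):
        st = window_stats(w)
        print(f"{name:8s} H_src={st['H_src']:.2f} H_joint={st['H_joint']:.2f} "
              f"H_joint_nonaddr={st['H_joint_nonaddr']:.2f} -> {classify(w, base)}")
```

On these windows, source-address entropy alone moves in opposite directions for the two floods (it rises to 5 bits under spoofing and falls to 2 bits under the 4-bot flood, against a 3-bit baseline), so a single-feature threshold tuned for one case misses the other. The joint entropy of duration, length and port drops from 4 bits to 0 in both floods, which is the signal the detector keys on; in practice the baseline should be estimated from many benign windows rather than one, and the tolerance tuned per site.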
