An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection

Abstract: Distributed Denial of Service (DDoS) attacks are a major threat to uninterrupted and efficient Internet service. In this paper, we empirically evaluate several major information metrics, namely Hartley entropy, Shannon entropy, Rényi's entropy, generalized entropy, Kullback–Leibler divergence and the generalized information distance measure, in their ability to detect both low-rate and high-rate DDoS attacks. These metrics describe characteristics of network traffic data, and an appropriate metric facilitates building an effective model that detects both kinds of attack. We use the MIT Lincoln Laboratory, CAIDA and TUIDS DDoS datasets to illustrate the efficiency and effectiveness of each metric for DDoS detection.
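The following is an added example, not code from the paper or its authors, showing how the metrics named in the abstract behave on per-window source-IP distributions. The entropy definitions are the standard ones (Hartley is Rényi at alpha = 0, Shannon is the alpha -> 1 limit); the "generalized information distance" is assumed here to be the Rényi divergence of order alpha, since the abstract does not define it. The three traffic windows, the choice of alpha = 2, the smoothing constant eps and the alarm thresholds are all constructed for illustration and are not taken from the MIT Lincoln Laboratory, CAIDA or TUIDS datasets.

```python
import math
from collections import Counter

# Constructed per-window samples (not from the paper's datasets): the source IP
# of every packet seen in one observation window of 200 packets.
NORMAL = ["10.0.0.%d" % (i % 20) for i in range(200)]                      # 20 hosts, 10 pkts each
LOW_RATE = NORMAL[:160] + ["203.0.113.7"] * 40                              # one new host adds 20 % of packets
HIGH_RATE = NORMAL[:40] + ["198.51.100.%d" % (i % 4) for i in range(160)]  # 4 bots send 80 % of packets


def distribution(samples):
    """Empirical probability of each symbol (here a source IP) in a window."""
    n = len(samples)
    return {k: v / n for k, v in Counter(samples).items()}


def hartley(p):
    """H0 = log2(number of distinct symbols); blind to how skewed the mass is."""
    return math.log2(len(p))


def shannon(p):
    """H1 = -sum p log2 p."""
    return -sum(x * math.log2(x) for x in p.values())


def renyi(p, alpha):
    """H_alpha = log2(sum p^alpha) / (1 - alpha); alpha=0 gives Hartley, alpha->1 gives Shannon.
    For alpha > 1 the dominant probabilities are weighted more heavily, so a small
    concentration of traffic (a low-rate attacker) moves H_alpha more than it moves H1."""
    if alpha == 1:
        return shannon(p)
    return math.log2(sum(x ** alpha for x in p.values())) / (1 - alpha)


def smooth(p, support, eps=1e-6):
    """Put mass eps on every symbol of the union support so divergences stay finite.
    Without this, a source seen in the attack window but absent from the baseline
    makes D(P||Q) infinite (q = 0 where p > 0). eps is an assumed tuning constant."""
    q = {k: p.get(k, 0.0) + eps for k in support}
    z = sum(q.values())
    return {k: v / z for k, v in q.items()}


def kl_divergence(p, q):
    """D(P||Q) = sum p log2(p/q); P and Q must share support (see smooth())."""
    return sum(x * math.log2(x / q[k]) for k, x in p.items() if x > 0)


def generalized_distance(p, q, alpha):
    """Assumed form: Renyi divergence D_alpha(P||Q) = log2(sum p^alpha q^(1-alpha)) / (alpha - 1)."""
    if alpha == 1:
        return kl_divergence(p, q)
    return math.log2(sum(x ** alpha * q[k] ** (1 - alpha) for k, x in p.items())) / (alpha - 1)


def metrics(window, baseline, alpha=2):
    """All six metrics for one window; divergences are taken against the baseline window."""
    p, b = distribution(window), distribution(baseline)
    support = set(p) | set(b)
    ps, bs = smooth(p, support), smooth(b, support)
    return {
        "hartley": hartley(p),
        "shannon": shannon(p),
        "renyi": renyi(p, alpha),
        "kl": kl_divergence(ps, bs),
        "gid": generalized_distance(ps, bs, alpha),
    }


def flag(window, baseline, metric, threshold, alpha=2):
    """Alarm when the chosen metric moves away from its baseline value by more than threshold
    (for the divergences the baseline value is 0). Thresholds are illustrative, not the paper's."""
    cur = metrics(window, baseline, alpha)[metric]
    ref = metrics(baseline, baseline, alpha)[metric]
    return abs(cur - ref) > threshold


if __name__ == "__main__":
    for name, w in (("normal", NORMAL), ("low-rate", LOW_RATE), ("high-rate", HIGH_RATE)):
        m = metrics(w, NORMAL)
        print(name, {k: round(v, 3) for k, v in m.items()})
    # With the same threshold, Shannon entropy misses the low-rate window while Renyi (alpha=2) catches it.
    print("low-rate, shannon:", flag(LOW_RATE, NORMAL, "shannon", 0.3))
    print("low-rate, renyi:  ", flag(LOW_RATE, NORMAL, "renyi", 0.3))
```

On these constructed windows Hartley entropy actually rises in the low-rate window (a new source appears) while Shannon entropy falls by only about 0.14 bit; Rényi entropy with alpha = 2 falls by about 0.53 bit, which is the amplification that makes higher-order metrics attractive for low-rate detection. The Kullback–Leibler value for the low-rate window is dominated by the smoothing constant, because most of the divergence comes from a source the baseline never saw, so any KL-based threshold must be chosen together with eps rather than in isolation.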
