Detection of DDoS attacks and flash events using information theory metrics-An empirical investigation

Highlights
- Investigates the preeminence of GE and GID metrics in detecting DDoS attacks.
- Proposes the use of GE and GID metrics to discriminate HR-DDoS attacks from FEs.
- The GID metric is shown to compare favorably with popular information distance measures.
- The proposed methodology is generalized, and hence can detect future attacks and FE events.

Graphical abstract: Preeminence of Generalized Entropy (GE) and Generalized Information Distance (GID) detection metrics as compared to extensively used Shannon Entropy, KL Divergence, and other popular detection metrics in detecting DDoS attacks and Flash Events. Sunny Behal, Krishan Kumar, Journal of Computer Communications.

Abstract
A Distributed Denial of Service (DDoS) attack is a serious threat to widely used Internet-based services. Detecting DDoS attacks in time poses a tough challenge to network security. Revealing a low-rate DDoS (LR-DDoS) attack is comparatively more difficult in modern high-speed networks, since it can easily conceal itself among legitimate traffic and so evade current anomaly-based detection methods. This paper investigates the suitability and effectiveness of the information-theoretic generalized entropy (GE) and generalized information distance (GID) metrics in detecting different types of DDoS attacks. The results of the GE and GID metrics are compared with Shannon entropy and other popular information divergence measures. In addition, the feasibility of using these metrics to discriminate a high-rate DDoS (HR-DDoS) attack from a similar-looking legitimate flash event (FE) is also verified. We used real and synthetically generated datasets to evaluate the efficiency and effectiveness of the proposed detection scheme in detecting different types of DDoS attacks and FEs. The results clearly show that the GE and GID metrics perform well in comparison with other metrics and have a reduced false positive rate (FPR).
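The abstract names the metrics but not how they are computed over traffic. The following is an added example, not code from the paper: it implements the standard Rényi (generalized) entropy and Rényi divergence, takes the GID to be the symmetrised divergence D_α(P||Q) + D_α(Q||P) (an assumption; the paper's exact form, feature choice, window size, α and thresholds are not given on this page), and runs them over constructed per-window source-IP distributions for a normal window, a low-rate attack, a flash event and a high-rate attack. The window data is constructed, not a real capture.

```python
"""Added example (not the paper's code): information-theory metrics named in
the abstract, computed over constructed per-window source-IP distributions.
Assumed definitions: Renyi entropy H_a(P) = log2(sum p_i^a) / (1 - a),
Renyi divergence D_a(P||Q) = log2(sum p_i^a q_i^(1-a)) / (a - 1), and GID
taken as the symmetrised divergence D_a(P||Q) + D_a(Q||P).  Both reduce to
Shannon entropy and KL divergence as a -> 1."""
import math
from collections import Counter


def distribution(items):
    """Empirical probability distribution over a window of hashable items."""
    counts = Counter(items)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def shannon_entropy(p):
    return -sum(pi * math.log2(pi) for pi in p.values() if pi > 0)


def generalized_entropy(p, alpha):
    """Renyi entropy of order alpha (alpha > 0); alpha == 1 is Shannon entropy.
    Larger alpha weights the most probable symbols more heavily."""
    if alpha <= 0:
        raise ValueError("alpha must be positive")
    if alpha == 1:
        return shannon_entropy(p)
    return math.log2(sum(pi ** alpha for pi in p.values())) / (1 - alpha)


def _smooth(p, keys, eps):
    """Give every key in the union a tiny mass so divergences stay finite when a
    source seen in one window is absent from the other, then renormalise."""
    q = {k: p.get(k, 0.0) + eps for k in keys}
    z = sum(q.values())
    return {k: v / z for k, v in q.items()}


def kl_divergence(p, q, eps=1e-9):
    """D_KL(P||Q) in bits, with additive smoothing over the union of keys."""
    keys = set(p) | set(q)
    p, q = _smooth(p, keys, eps), _smooth(q, keys, eps)
    return sum(p[k] * math.log2(p[k] / q[k]) for k in keys)


def generalized_divergence(p, q, alpha, eps=1e-9):
    """Renyi divergence D_alpha(P||Q) in bits; alpha == 1 is KL divergence."""
    if alpha <= 0:
        raise ValueError("alpha must be positive")
    if alpha == 1:
        return kl_divergence(p, q, eps)
    keys = set(p) | set(q)
    p, q = _smooth(p, keys, eps), _smooth(q, keys, eps)
    return math.log2(sum(p[k] ** alpha * q[k] ** (1 - alpha) for k in keys)) / (alpha - 1)


def generalized_information_distance(p, q, alpha, eps=1e-9):
    """Assumed GID form: symmetrised Renyi divergence."""
    return (generalized_divergence(p, q, alpha, eps)
            + generalized_divergence(q, p, alpha, eps))


# Constructed traffic windows (not real captures): each window is the list of
# source IPs of the packets seen in it.
def _sources(n, pkts, prefix="10.0"):
    return [f"{prefix}.{i // 256}.{i % 256}" for i in range(n) for _ in range(pkts)]


WINDOWS = {
    "normal":  _sources(20, 5),                                  # 20 clients, 5 pkts each
    "lr_ddos": _sources(20, 5) + ["198.51.100.7"] * 10,          # plus one quiet attacker
    "fe":      _sources(200, 5),                                 # flash event: 10x clients, still even
    "hr_ddos": _sources(20, 5) + _sources(3, 200, prefix="10.1"),  # 3 bots flooding
}


def entropy_deviation(alpha, baseline="normal"):
    """Signed GE change of each window relative to the baseline window.
    Negative: traffic concentrating on few sources (DDoS-like); positive:
    spreading over more sources (flash-crowd-like)."""
    base = generalized_entropy(distribution(WINDOWS[baseline]), alpha)
    return {name: generalized_entropy(distribution(ips), alpha) - base
            for name, ips in WINDOWS.items()}


def distance_to_baseline(alpha, baseline="normal"):
    """GID of each window from the baseline window."""
    base = distribution(WINDOWS[baseline])
    return {name: generalized_information_distance(distribution(ips), base, alpha)
            for name, ips in WINDOWS.items()}


if __name__ == "__main__":
    for alpha in (1, 2, 10):
        print(f"alpha={alpha:>2}", {k: round(v, 3) for k, v in entropy_deviation(alpha).items()})
```

On this constructed data the low-rate window barely moves Shannon entropy (about +0.05 bits, because one extra source slightly widens the distribution), while at α = 10 the same window drops by about 0.48 bits, since high-order entropy is dominated by the heaviest source. The flash event raises entropy at every α and the high-rate attack lowers it, so the sign of the deviation is what separates the two once volume alone cannot. Two practical caveats: α is a tuning choice and the right value depends on the feature and traffic mix, and the divergence-based GID is dominated by sources absent from the baseline window, so the smoothing constant `eps` effectively sets how much a single new source counts.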
