Effective metric for detecting distributed denial-of-service attacks based on information divergence

In information theory, the relative entropy (also called information divergence or information distance) quantifies the difference between two probability distributions, here the distributions of traffic features observed in information flows. In this study, the authors first resolve the asymmetry of the Rényi divergence and the Kullback-Leibler divergence and convert these divergence measures into proper metrics. They then propose an effective metric for detecting distributed denial-of-service (DDoS) attacks, using the Rényi divergence to measure the distance between legitimate flows and attack flows in a network. With the proposed metric, the optimal detection sensitivity and the optimal information distance between attack flows and legitimate flows can be obtained by adjusting the order α of the Rényi divergence. The experimental results show that the proposed metric clearly enlarges the adjudication distance; it therefore not only detects attacks earlier but also sharply reduces the false positive rate compared with the traditional Kullback-Leibler divergence and distance approaches.
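The following Python block is an added example, not code from the paper, that illustrates the mechanism the abstract describes: the Kullback-Leibler and Rényi divergences between a baseline traffic window and a current window, made symmetric, with the order α as a tunable knob. The per-destination packet histograms are constructed sample data, and the symmetrisation (sum of the two directional divergences) and the Laplace smoothing are this example's assumptions rather than the paper's own metric construction.

```python
"""Symmetrised Rényi divergence between a baseline traffic window and a current
window, computed over constructed destination-IP packet histograms.
Added example; the symmetrisation and the smoothing are assumptions of this
example, not necessarily the construction used in the paper."""
import math


def smoothed_distribution(counts, support, pseudo=1.0):
    """Turn raw per-key counts into a probability vector over `support`.
    Laplace smoothing (an assumption) keeps every q_i > 0, so a destination
    seen in one window but not the other does not make the divergence infinite."""
    total = sum(counts.get(k, 0) + pseudo for k in support)
    return [(counts.get(k, 0) + pseudo) / total for k in support]


def kl_divergence(p, q):
    """D_KL(P||Q) = sum_i p_i ln(p_i / q_i). Natural log; note it is asymmetric."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q) if pi > 0)


def renyi_divergence(p, q, alpha):
    """D_alpha(P||Q) = ln( sum_i p_i^alpha * q_i^(1-alpha) ) / (alpha - 1)
    for alpha > 0, alpha != 1. The limit alpha -> 1 is the KL divergence,
    so that case is dispatched to kl_divergence()."""
    if alpha <= 0:
        raise ValueError("alpha must be positive")
    if abs(alpha - 1.0) < 1e-9:
        return kl_divergence(p, q)
    s = sum(pi ** alpha * qi ** (1.0 - alpha) for pi, qi in zip(p, q) if pi > 0)
    return math.log(s) / (alpha - 1.0)


def symmetric_renyi(p, q, alpha):
    """Symmetrised distance D_alpha(P||Q) + D_alpha(Q||P): identical in both
    directions and zero iff P == Q. (Assumed symmetrisation; a plain sum of
    divergences need not satisfy the triangle inequality.)"""
    return renyi_divergence(p, q, alpha) + renyi_divergence(q, p, alpha)


def window_distance(baseline_counts, window_counts, alpha):
    """Distance between a baseline window and a current window, each given as a
    {destination: packet_count} histogram, over the union of their destinations."""
    support = sorted(set(baseline_counts) | set(window_counts))
    p = smoothed_distribution(baseline_counts, support)
    q = smoothed_distribution(window_counts, support)
    return symmetric_renyi(p, q, alpha)


# Constructed sample windows (not measured data): packets per destination host.
# ATTACK floods a single victim, which concentrates the destination distribution.
BASELINE = {"10.0.0.1": 30, "10.0.0.2": 25, "10.0.0.3": 20, "10.0.0.4": 15, "10.0.0.5": 10}
LEGIT = {"10.0.0.1": 28, "10.0.0.2": 26, "10.0.0.3": 22, "10.0.0.4": 14, "10.0.0.5": 10}
ATTACK = {"10.0.0.1": 850, "10.0.0.2": 50, "10.0.0.3": 40, "10.0.0.4": 35, "10.0.0.5": 25}

if __name__ == "__main__":
    # Rényi divergence is non-decreasing in alpha, so a larger order widens the
    # gap between an attack window and ordinary fluctuation of legitimate traffic.
    for alpha in (0.5, 1.0, 2.0, 5.0):
        d_legit = window_distance(BASELINE, LEGIT, alpha)
        d_attack = window_distance(BASELINE, ATTACK, alpha)
        print(f"alpha={alpha:<4} legit={d_legit:.4f} attack={d_attack:.4f} "
              f"gap={d_attack - d_legit:.4f}")
```

Running the block prints one row per order α; the attack-window distance grows with α while the legitimate-window distance stays near zero, which is the "enlarged adjudication distance" a detector can threshold on. In practice the threshold would be calibrated from the spread of `window_distance` over many attack-free windows at the chosen α.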
