E-LDAT: a lightweight system for DDoS flooding attack detection and IP traceback using extended entropy metric

Distributed denial-of-service (DDoS) attacks disrupt Internet services by exploiting their exposure to large volumes of unwanted traffic. In this paper, we propose E-LDAT, a lightweight extended-entropy metric-based system for both DDoS flooding attack detection and IP (Internet Protocol) traceback. It aims to identify DDoS attacks effectively by measuring the metric difference between legitimate traffic and attack traffic. IP traceback is performed using the metric values of an attack sample flagged by the detection scheme. The method uses a generalized entropy metric together with packet intensity computed on sampled network traffic over time. The E-LDAT system has been evaluated on several real-world DDoS datasets and outperforms competing methods in detecting four classes of DDoS flooding attacks: constant rate, pulsing rate, increasing rate and subgroup attacks. The IP traceback model is also evaluated on NetFlow data in near real-time and performs well in large-scale attack networks with many zombies. Copyright © 2016 John Wiley & Sons, Ltd.
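The abstract describes the detection side as a generalized entropy metric plus a packet-intensity measure, computed per time window over sampled traffic and compared against the profile of legitimate traffic. The following is an added illustration of that idea, not the E-LDAT authors' code: it stands in Rényi entropy of order alpha for the paper's extended entropy metric (an assumption, since the exact metric is not given here), summarises each window of NetFlow-like records by the entropy of its source-IP packet distribution and its packets per second, learns a profile from attack-free windows and flags windows that depart from it. The flow records, window width, thresholds and the assumption that the first windows are attack-free are all constructed for the example.

```python
"""Generalized-entropy flood detection over sampled NetFlow-like records.

Added example (not the E-LDAT implementation). Renyi entropy is used as a
stand-in for the paper's extended entropy metric; thresholds and data are
constructed for illustration.
"""
from __future__ import annotations

import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    """One sampled flow record (constructed stand-in for a NetFlow export)."""
    ts: float      # seconds since the start of the capture
    src: str       # source IPv4 address as text
    dst: str       # destination IPv4 address as text
    packets: int   # packets reported for the flow


def renyi_entropy(counts: Iterable[int], alpha: float) -> float:
    """Renyi entropy of order alpha, in bits, of an empirical distribution.

    alpha == 1 is the Shannon limit; alpha > 1 weights the dominant sources
    more heavily, alpha < 1 weights the rare ones.
    """
    counts = [c for c in counts if c > 0]
    total = sum(counts)
    if total == 0:
        return 0.0
    probs = [c / total for c in counts]
    if math.isclose(alpha, 1.0):
        return -sum(p * math.log2(p) for p in probs)
    return math.log2(sum(p ** alpha for p in probs)) / (1.0 - alpha)


def window_features(flows: Iterable[Flow], width: float, alpha: float) -> dict[int, tuple[float, float]]:
    """Map window index -> (entropy of the source-IP packet distribution, packets/second)."""
    per_window: dict[int, Counter] = defaultdict(Counter)
    for f in flows:
        per_window[int(f.ts // width)][f.src] += f.packets
    return {
        idx: (renyi_entropy(c.values(), alpha), sum(c.values()) / width)
        for idx, c in sorted(per_window.items())
    }


def detect(flows, width=1.0, alpha=2.0, train_windows=5, tau=1.0, k=3.0):
    """Flag windows whose entropy departs from the attack-free profile by more
    than tau bits while intensity exceeds k times the profile's mean rate.

    The first `train_windows` windows are assumed attack-free (an assumption of
    this example; a deployment would maintain a rolling profile instead).
    """
    feats = window_features(flows, width, alpha)
    idxs = sorted(feats)
    train = [feats[i] for i in idxs[:train_windows]]
    h_ref = sum(h for h, _ in train) / len(train)
    rate_ref = sum(r for _, r in train) / len(train)
    flagged = [
        i for i in idxs[train_windows:]
        if abs(feats[i][0] - h_ref) > tau and feats[i][1] > k * rate_ref
    ]
    return flagged, feats


def make_sample_flows(seed: int = 7) -> list[Flow]:
    """Constructed sample: 10 s of heavy-tailed legitimate traffic from 40
    clients, with a flood from 200 spoofed sources added in the last 2 s."""
    rng = random.Random(seed)
    victim = "192.0.2.10"
    clients = [f"10.0.0.{i + 1}" for i in range(40)]
    flows: list[Flow] = []
    for w in range(10):
        for _ in range(120):  # legitimate background, skewed over the clients
            src = clients[min(int(rng.expovariate(1 / 8)), len(clients) - 1)]
            flows.append(Flow(w + rng.random(), src, victim, rng.randint(1, 6)))
        if w >= 8:  # flood: many spoofed sources, each at a steady 25 pkt/s
            for i in range(200):
                flows.append(Flow(w + rng.random(), f"203.0.113.{i}", victim, 25))
    return flows


if __name__ == "__main__":
    flagged, feats = detect(make_sample_flows())
    for idx, (h, rate) in feats.items():
        mark = "ATTACK" if idx in flagged else ""
        print(f"window {idx:2d}  H2={h:5.2f} bits  {rate:7.1f} pkt/s  {mark}")
```

Both features are needed: a flash crowd of genuine clients also raises source entropy, and a single misbehaving host raises intensity without changing entropy much, so the example only alarms when both depart from the profile. The order alpha is the tuning knob the abstract's "generalized entropy" refers to; alpha greater than 1 makes the metric react to a few dominant sources, alpha below 1 to the long tail of rare ones.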