Entropy-based input-output traffic mode detection scheme for DoS/DDoS attacks

Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks attempt to temporarily disrupt users or computer resources so that a service becomes unavailable to legitimate users in an internetworked system. The most common type of DoS attack occurs when adversaries flood a server with a large amount of bogus data to interfere with or disrupt its service. A volume-based scheme for detecting such attacks cannot inspect short-term denial-of-service attacks, and it cannot distinguish heavy load from legitimate users from a huge number of bogus messages sent by attackers. This paper therefore provides a detection mechanism based on an entropy-based input-output traffic mode detection scheme. The experimental results demonstrate that our approach is able to detect several kinds of denial-of-service attacks, even small spikes of such attacks.
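The abstract's central claim is that a pure volume threshold cannot separate a legitimate surge from a flood, while the shape of a traffic feature distribution can. The following added example (not the paper's implementation, which the abstract does not describe) illustrates the generic entropy-based approach: it computes the Shannon entropy of the inbound source-address distribution per window, learns a baseline on attack-free windows, and flags windows whose entropy collapses (a few hosts flooding) or inflates (spoofed random sources). The traffic, the choice of source address as the feature, the window layout, and the `min_delta` noise floor are all constructed assumptions for this illustration; the naive `volume_alerts` detector is included only to show that it fires on the legitimate burst as well.

```python
"""Entropy-based traffic anomaly detection over fixed windows (added example)."""
import math
import random
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed packet record: (window_id, src_ip). Only inbound packets are modelled;
# the source-address distribution is an assumed feature, not the paper's own.
Packet = Tuple[int, str]


def shannon_entropy(counts: Counter) -> float:
    """Shannon entropy in bits of the empirical distribution given by `counts`."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c > 0)


def per_window(packets: Iterable[Packet]) -> Dict[int, Counter]:
    """Group packets by window id and count packets per source address."""
    windows: Dict[int, Counter] = {}
    for wid, src in packets:
        windows.setdefault(wid, Counter())[src] += 1
    return windows


def entropy_baseline(windows: Dict[int, Counter]) -> Tuple[float, float]:
    """Mean and standard deviation of per-window source entropy on attack-free traffic."""
    hs = [shannon_entropy(c) for c in windows.values()]
    mean = sum(hs) / len(hs)
    std = math.sqrt(sum((h - mean) ** 2 for h in hs) / len(hs))
    return mean, std


def entropy_alerts(windows: Dict[int, Counter], mean: float, std: float,
                   k: float = 3.0, min_delta: float = 0.5) -> List[int]:
    """Windows whose source entropy moves away from the baseline in either direction.

    A collapse (few sources flooding) and an inflation (spoofed random sources)
    both count. min_delta (assumed, in bits) stops sampling noise from tripping
    the detector when the baseline is very stable."""
    threshold = max(k * std, min_delta)
    return sorted(wid for wid, c in windows.items()
                  if abs(shannon_entropy(c) - mean) > threshold)


def volume_alerts(windows: Dict[int, Counter], baseline: Dict[int, Counter],
                  factor: float = 2.0) -> List[int]:
    """Naive volume detector: flag windows with more than `factor` x the baseline mean packet count."""
    mean_pkts = sum(sum(c.values()) for c in baseline.values()) / len(baseline)
    return sorted(wid for wid, c in windows.items() if sum(c.values()) > factor * mean_pkts)


def make_traffic(seed: int = 7) -> Tuple[List[Packet], List[Packet]]:
    """Constructed traffic: 20 attack-free windows, then three test windows."""
    rng = random.Random(seed)

    def client(i: int) -> str:          # 200 legitimate clients live in 10.0.0.0/24
        return f"10.0.{i // 256}.{i % 256}"

    normal = [(w, client(rng.randrange(200))) for w in range(20) for _ in range(1000)]
    test: List[Packet] = []
    # window 0: legitimate burst, same 200 clients at 4x the normal load
    test += [(0, client(rng.randrange(200))) for _ in range(4000)]
    # window 1: flood of the same size from only 3 hosts
    test += [(1, client(900 + rng.randrange(3))) for _ in range(4000)]
    # window 2: flood of the same size, every packet from a random (spoofed) address
    test += [(2, ".".join(str(rng.randrange(256)) for _ in range(4))) for _ in range(4000)]
    return normal, test


def run_demo(seed: int = 7) -> dict:
    """Return baseline entropy plus the windows each detector flags."""
    normal, test = make_traffic(seed)
    base = per_window(normal)
    mean, std = entropy_baseline(base)
    test_windows = per_window(test)
    return {
        "baseline_mean_bits": round(mean, 2),
        "entropy_alerts": entropy_alerts(test_windows, mean, std),
        "volume_alerts": volume_alerts(test_windows, base),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the demo, the volume detector flags all three test windows because each carries four times the baseline packet count, whereas the entropy detector flags only windows 1 and 2: the legitimate burst keeps the baseline's source distribution, the three-host flood collapses it, and the spoofed flood inflates it well past the baseline. A deployed detector would track several feature distributions (source and destination addresses and ports) and use a distribution-aware baseline rather than a fixed bit margin.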
