Wei Wei,Yabo Dong,Dongming Lu,Guang Jin

DOI: https://doi.org/10.1007/11758549_8

2006-01-01

Abstract:In legitimate traffic the correlation exists between the outgoing traffic and incoming traffic of a server network because of the request-reply actions in most protocols. When DDoS attacks occur, the attackers send packets with faked source addresses. As a result, the outgoing traffic to the faked addresses does not induce any related incoming traffic. Our main idea is to find changes in the correlation caused by DDoS. We sample network traffics using Extended First Connection Density (EFCD), and express correlation by cross-correlation function. Because network traffic in DDoS-initiating stage is much similar to legitimate traffic, we use fuzzy classification in order to guarantee the accuracy. Experiments show that DDoS traffic can be identified accurately by our algorithm.

Sheng Zhang,QiFei Zhang,Xuezeng Pan,Xuhui Zhu

DOI: https://doi.org/10.1109/ETCS.2010.476

2010-01-01

Abstract:Distributed Denial-of-Service (DDos) attack is one of the high threats to the Internet. This paper proposes a measure based on Hurst coefficient to detect DDoS on Low-rate. The result of experiments shows that the measure can detect the DDoS intrusion hided in the normal data traffic in real time. © 2010 IEEE.

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Jiewen Mao,Weijun Deng,Fuke Shen

DOI: https://doi.org/10.1109/trustcom/bigdatase.2018.00045

2018-01-01

Abstract:Distributed Denial of Service (DDoS) attacks are still considered as severe threats to the Internet. Previous works have used information entropy to detect DDoS flooding attacks. However, these methods usually only used source address as the feature of packets, and ignored other features. Besides, the entropy with single variable also has restricts in abnormal detection. In this paper, we propose a new joint-entropy-based DDoS detection solution with multiple features of packets. We choose flow duration, packet length, source address and destination port as the key features to detect different types of DDoS flooding attacks. We carry out the experiments with simulated campus network based on Software-defined Networking (SDN) architecture. The results show that our proposed method can effectively detect attacks of both forged and non-forged source address, and outperforms the previous single-entropy methods in terms of accuracy and false positive rate.

CHEN Shiwen,WU Jiangxing,HUANG Wanwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.1302-0182

2013-01-01

Abstract:The traditional detection methods for DDoS attacks have low accuracy and high false alarms rate because those means are only based on one of such flow features as burst feature,dispersed source IP address,asymmetry flow and etc.This paper uses conditional random field to integrate many pattern match rules for DDoS attack detection.The feature vector includes one way connection density,source IP entropy,destination IP entropy,destination port entropy and protocol entropy.The simulation results show that the proposed method outperforms other well-known methods such as na ve Bayes and SVM.The detection accuracy rate reaches 99.82% and the false alarm rate is less than 0.6%.The method is robustness under strong interference traffic noise.

Shi-Wen Chen,Jiang-xing Wu,Xiao-long Ye,Tong Guo

DOI: https://doi.org/10.4304/jnw.8.4.858-865

2013-01-01

Abstract:In order to detect distributed denial of service (DDoS) attacks accurately and efficiently, a new detection model based on conditional random fields (CRF) was proposed. The CRF based model incorporates the signature-based and anomaly-based detection methods to a hybrid system. The selected features include source IP entropy, destination IP entropy, source port entropy, destination port entropy, protocol number and etc. The CRF based model combines these IP flow entropies and other fingerprints into a normalize entropy as the feature vectors to depict the states of the monitoring traffic. The training method of the detection model uses the L-BFGS algorithm. And the model only needs to inspect the IP header fields of each packet, which makes it possible for real-time implementation even on real time network traffic. The CRF based model may have the ability to detect new form of forthcoming attacks, because it is independent from any specific DDoS flooding attack tools. The experiment results show that the CRF based method has higher detection accuracy and sensitivity as well as lower false positive alarms. Experiment with KDD CUP1999, DARPA 2000 and generated attack datasets, the CRF based model outperforms other well-known detection methods such as Naive Bayes, KNN, SVM and etc. The accuracy goes beyond 95.0% and the false alarm rate is less than 5.0%. Meanwhile, the CRF based model is robust under massive background network traffic.

Wang Xintong,Liu Guqing,Yang Jungang,Ran Jinzhi

DOI: https://doi.org/10.2991/iiicec-15.2015.43

2015-01-01

Abstract:Put forward a DDoS (Distributed Deny of Service) attack detection algorithm based on IP entropy model. Through the establishment of destination IP Entropy model, setting flow and entropy threshold with membership function, checking conditions of DDoS attacks step by step. The experimental results show that the algorithm can accurately detect DDoS attacks, and it can accurately distinguish DDoS flow and unexpected traffic, which has improved the detection rate and detection efficiency.

Zhu Jian-Qi,Fu Feng,Yin Ke-xin,Liu Yan-Heng

DOI: https://doi.org/10.1016/j.compeleceng.2013.05.003

IF: 4.152

2013-01-01

Computers & Electrical Engineering

Abstract:Denial of Service (DoS) attack poses a severe threat to the Internet. Entropy-based methods have been successfully used to detect specific types of malicious traffic. This paper presents a novel dynamic entropy-based model for the detection of DoS attack. Based on the theory of alive communication, the dynamic entropy model is constructed by combining the information entropy as well as the feature of netflow conversation correlation. This is the first application of the theory of alive communication in the network anomalies detection. To evaluate the performance of the dynamic entropy model, we compare it with the traditional information entropy model. The experiment results demonstrate the presence of traffic’s dynamic entropy and show that the dynamic entropy keeps stable under normal traffic. By contrast, it fluctuates significantly when the network subjects to DoS attacks. Moreover, the detection rate of dynamic entropy-based model is higher and can detect unknown DoS attacks effectively.

Cong Fan,Nitheesh Murugan Kaliyamurthy,Shi Chen,He Jiang,Yiwen Zhou,Carlene Campbell

DOI: https://doi.org/10.3390/app12010370

2021-01-01

Applied Sciences

Abstract:Software Defined Networking (SDN) is one of the most commonly used network architectures in recent years. With the substantial increase in the number of Internet users, network security threats appear more frequently, which brings more concerns to SDN. Distributed denial of Service (DDoS) attacks are one of the most dangerous and frequent attacks in software defined networks. The traditional attack detection method using entropy has some defects such as slow attack detection and poor detection effect. In order to solve this problem, this paper proposed a method of fusion entropy, which detects attacks by measuring the randomness of network events. This method has the advantages of fast attack detection speed and obvious decrease in entropy value. The complementarity of information entropy and log energy entropy is effectively utilized. The experimental results show that the entropy value of the attack scenarios 91.25% lower than normal scenarios, which has greater advantages and significance compared with other attack detection methods.

Zhen Liu,Changzhen Hu,Chun Shan

DOI: https://doi.org/10.1016/j.cose.2021.102392

IF: 5.105

2021-01-01

Computers & Security

Abstract:The means to achieve DDoS (distributed denial of service) attacks are becoming increasingly automated and diverse. A problem that automated attack tools cannot address, at least for now, is the inevitable repetitive or periodic nature of traffic data, which are important features for the effective detection of DDoS attacks. Some researchers have proposed to detect DDoS attacks by analyzing the frequency domain information or information entropy of network communication signals or network packets. However, they still suffer from insufficient accuracy and slow response time when dealing with large-scale attack data and multiple-packet types of attacks. Therefore, we hope to develop a detection method that can detect large-scale and multiple types of DDoS. This paper proposes a new DDoS detection method based on fast Fourier transform (FFT) and information entropy. This method (FFT and entropy-based DDoS detection method [FEDDM]) focuses on the periodicity of DDoS network traffic. First, we consider each piece of network traffic data as a network behavior. Then, we prove that the network traffic data conforms to the Riemann flow structure. We define the concept of work of stream data and treat it as a feature. The effect of stream data on the communication capacity can be considered as the work performed by the stream data on the channel. In addition, to improve the efficiency and accuracy of detection, we use the FFT coefficients and information entropy of work as features to train the neural network (NN) to detect DDoS attacks. This method is lightweight, faster, and more generally applicable. The experiment proved the advantage of this method using the latest CICDDoS2019 dataset. In the simulation, the detection accuracy of NetBIOS, SNMP, syn, and WebDDoS is more than 99.99%, which proves our method. (c) 2021 Elsevier Ltd. All rights reserved.

Qing-tao WU,You-gen ZHANG,Zhi-qing SHAO

DOI: https://doi.org/10.3969/j.issn.1006-3080.2006.05.019

2006-01-01

Abstract:Distributed Denial-of-Service (DDoS) attacks are a major threat to availability of computer networks. In this paper, a novel scheme for early detection of DDoS attacks is proposed, which is involved with probability distributions of normal behavior on computer networks and DDoS attacks detection model. The scheme employed statistical analysis of data from network connections to generate the probability distributions of normal network connections. Based on the probability distributions, DDoS attacks detection model is presented. The feasibility of the scheme is validated through the simulated test. The experimental results show the effectiveness of our scheme in detecting DDoS attacks. Also, this scheme provides some direction significance for other network security detection research.

Muhai Li,Ming Li,Xiuying Jiang

DOI: https://doi.org/10.5555/1457999.1458004

2008-01-01

Abstract:With the proliferation of Internet applications and network-centric services, network and system security issues are more important than before. In the past few years, cyber attacks, including distributed denial-of-service (DDoS) attacks, have a significant increase on the Internet, resulting in degraded confidence and trusts in the use of Internet. However, the present DDoS attack detection techniques face a problem that they cannot distinguish flooding attacks from abrupt changes of legitimate activity. In this paper, we give a model for detecting DDoS attacks based on network traffic feature to solve the problem above. In order to apply the model conveniently, we design its implementation algorithm. By using actual data to evaluate the algorithm, the evaluation result shows that it can identify DDoS attacks.

Jungang Yang,Xintong Wang,Guqing Liu

DOI: https://doi.org/10.3969/j.issn.1001-3695.2016.04.041

2016-01-01

Abstract:In-depth research on the low true positive rate and high false positive rate of existing DDoS attack,this paper ana-lyzed the characteristics of network traffic and IP entropy when DDoS attack occured,established the membership function of traffic and IP entropy.It obtained the lower limit parameter and utilization limit parameters of membership function by the real network environment simulation,and proposed a DDoS attack detection algorithm based on the characteristics of network traffic and IP entropy.The method first judged whether the network traffic was abnormal,and then judged whether the entropy was abnormal,then judged whether a DDoS attack was happened.The simulation results show that the separate flow or IP entropy can’t well detect the DDoS attack.The algorithm comprehensively consider of network traffic and IP entropy characteristics, has accurately detected the DDoS attack and decrease false positive rate and improved true positive rate.

Yajie Jiang,Xiaoning Zhang,Quan Zhou,Zijing Cheng

DOI: https://doi.org/10.1007/978-3-319-66625-9_17

2017-01-01

Abstract:The issue on defensing against Distributed Denial of Service (DDoS) attacks in Software Defined Networks (SDN) has been highly concerned by academe and industry. The existing studies cannot eliminate the false positives by using the simple classification algorithms. In this paper, we analyze the essential difference between DDoS attacks and flash crowds which causes some similar consequences to DDoS. Accordingly we design a novel effective Entropy-based DDoS Defense Mechanism (EDDM) running on the SDN controller, which including a two-stage DDoS detection method. Compared with the existing works, the EDDM avoids the dropping of legitimate packets and minimizes the losses of legitimate users. Simulations demonstrate that the EDDM can distinguish the DDoS attacks from flash crowds, find the locations of bots, and block attack packets at source effectively.

Loïc D. Tsobdjou,Samuel Pierre,Alejandro Quintero,Loic D. Tsobdjou

DOI: https://doi.org/10.1109/tnsm.2022.3142254

2022-01-01

IEEE Transactions on Network and Service Management

Abstract:Distributed denial of service attacks are cyber-attacks that target the availability of servers. As a result, legitimate users no longer have access to the service. This can have a negative impact on an organization, such as lack of reputation and economic losses. Therefore, it is important to design defense mechanisms against these attacks. There are systems for detecting distributed denial of service attacks in the literature, which still have various shortcomings. Some of these systems detect the presence of attack traffic without identifying the attack packets or flows. Others use static thresholds and therefore cannot adapt to changes in legitimate traffic. In this paper, we propose an online system that aims to detect flooding attacks in a short timeframe and a client–server environment. The proposed detection system consists of five modules, namely features extraction and connections construction, suspicious activity detection, attack connections detection, alert generation and threshold update. The suspicious activity detection module calculates the normalized Shannon entropy by considering the source Internet Protocol address as a random variable. Suspicious activity is detected when the computed entropy is below a threshold. The threshold calculation is based on Chebyshev’s theorem. We propose a dynamic threshold algorithm to track changes in legitimate traffic. We evaluate the proposed system through simulations and using a publicly available dataset. Compared to other similar works, the proposed detection system has a better performance in terms of detection rate, false positive rate, precision and overall accuracy.

computer science, information systems

Omer Subasi,Joseph Manzano,Kevin Barker

DOI: https://doi.org/10.1109/CSR57506.2023.10224957

2023-12-04

Abstract:Denial-of-Service (DoS) attacks are one of the most common and consequential cyber attacks in computer networks. While existing research offers a plethora of detection methods, the issue of achieving both scalability and high detection accuracy remains open. In this work, we address this problem by developing a differential method based on generalized entropy progression. In this method, we continuously fit the line of best fit to the entropy progression and check if the derivative, that is, the slope of this line is less than the negative of the dynamically computed standard deviation of the derivatives. As a result, we omit the usage of the thresholds and the results with five real-world network traffic datasets confirm that our method outperforms threshold-based DoS attack detection by two orders of magnitude on average. Our method achieves false positive rates that are up to 7% where the arithmetic mean is 3% with Tsallis entropy and only 5% sampling of the total network flow. Moreover, since the main computation cost of our method is the entropy computation, which is linear in the volume of the unit-time network flow and it uses integer only operations and a small fraction of the total flow, it is therefore lightweight and scalable.

Cryptography and Security

Tongguang Ni,Xiaoqing Gu,Hongyuan Wang,Yu Li

DOI: https://doi.org/10.1155/2013/821315

2013-01-01

Journal of Control Science and Engineering

Abstract:Distributed denial of service (DDoS) attacks are one of the major threats to the current Internet, and application-layer DDoS attacks utilizing legitimate HTTP requests to overwhelm victim resources are more undetectable. Consequently, neither intrusion detection systems (IDS) nor victim server can detect malicious packets. In this paper, a novel approach to detect application-layer DDoS attack is proposed based on entropy of HTTP GET requests per source IP address (HRPI). By approximating the adaptive autoregressive (AAR) model, the HRPI time series is transformed into a multidimensional vector series. Then, a trained support vector machine (SVM) classifier is applied to identify the attacks. The experiments with several databases are performed and results show that this approach can detect application-layer DDoS attacks effectively.

Ming Li,Jingao Liu,Dongyang Long

DOI: https://doi.org/10.1007/978-3-540-30501-9_114

2004-01-01

Abstract:Attentions are increasingly paid to reliable detection of intrusions as can be seen from [1, 2]. As a matter of fact, the challenge is to develop a system that detects close to 100 percent of attacks with minimal false positives. We are still far from achieving this goal [1, p. 28]. In this regard, our early work discusses a reliable approach regarding detection of signs of distributed denial-of-service (DDOS) attacks [3], where arrival time series of a protected site is specifically featured by autocorrelation function. As a supplementary to [3], this article specifically focuses on abstractly discussing probability principle involved in [3] such that the present probability principle of detection is flexible in practical applications. In addition to this, the selection of a threshold for a given detection probability is also given.

Marcos J. Santos‐Neto,Jacir L. Bordim,Eduardo A. P. Alchieri,Edison Ishikawa

DOI: https://doi.org/10.1002/cpe.8021

2024-01-25

Concurrency and Computation Practice and Experience

Abstract:Summary Software defined network (SDN) has emerged as a new paradigm in terms of network architecture, providing flexibility, agility, and programmability to network management. These benefits boosted the SDN adoption, bringing new challenges mainly related to security, in particular, those related to Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. The detection, prevention, and mitigation of these attacks are important since they can affect the entire network. Many current security measures use statistical techniques, as entropy, or machine learning (ML) algorithms to detect DoS and DDoS attacks. While the definition of a threshold to determine whether a traffic is an attack is not trivial in statistical techniques, ML solutions may provide better accuracy but require considerable computational resources and time to converge to a model able to detect these attacks. Trying to circumvent these limitations, current hybrid approaches either use the results from entropy as input in ML algorithms (Entropy→ ML) or use entropy as a filter and ML algorithms to identify attacks. This work goes one step ahead and combines these techniques in a three‐step approach (Entropy→ ML→ Entropy), called ML‐Entropy, which inherits the intelligence of ML algorithms to adjust the threshold used by entropy. The proposed solution was implemented and evaluated in two datasets, the well‐known synthetic DARPA dataset and a dataset composed by traffic collected from a real‐corporate environment. Experimental results show that, in general, ML‐Entropy presents an accuracy above 99%, similar to support vector machine (SVC) and random forest (RF) algorithms, being able to converge to a detection model up to 192,771× and 137,924× faster than RF and SVC, respectively.

computer science, theory & methods, software engineering

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection