A generalized detection system to detect distributed denial of service attacks and flash events for information theory metrics


Distributed denial of service (DDoS) attacks pose a severe threat to extensively used web-based services and applications. Many detection approaches have been proposed in the literature, but ensuring the security and availability of data, resources, and services to end users remains an ongoing research challenge. Nowadays, the traffic volume of legitimate users has also increased manifold. A flash event (FE) is a high-rate legitimate traffic situation wherein millions of legitimate users start accessing a particular network resource, such as a web server, simultaneously. The detection of DDoS attacks becomes more challenging when DDoS attacks are launched during behaviorally similar FEs. This research paper proposes a generalized detection system for metrics based on information theory, capable of detecting different types of DDoS attacks and FEs. We used publicly available MIT Lincoln, CAIDA, and FIFA datasets along with a synthetically generated DDoSTB dataset to validate the proposed detection algorithm in terms of various detection system evaluation metrics such as false positive rate, false negative rate, classification rate, and detection accuracy. Such a generalized detection system would be useful to researchers for validating and comparing various information theory metrics based solutions.
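As an added illustration (not the paper's own code or algorithm), the skeleton of a metric-pluggable detector of the kind the abstract describes, together with the evaluation metrics it names: per-window Shannon or Rényi entropy of source addresses, a baseline-deviation threshold, and the exact FPR/FNR/accuracy definitions are assumptions, and the traffic windows are constructed. On this toy data the flash-event window is flagged alongside the attack, which is the false-positive problem the abstract points at.

```python
from collections import Counter
from math import log2


def shannon_entropy(items):
    """Shannon entropy (bits) of the empirical distribution of `items`."""
    counts, n = Counter(items), len(items)
    return -sum(c / n * log2(c / n) for c in counts.values())


def renyi_entropy(items, alpha=2.0):
    """Generalized (Renyi) entropy of order alpha; alpha=1 is the Shannon limit."""
    if alpha == 1.0:
        return shannon_entropy(items)
    counts, n = Counter(items), len(items)
    return log2(sum((c / n) ** alpha for c in counts.values())) / (1 - alpha)


def detect(windows, metric, baseline_windows, threshold):
    """Flag a window when its metric deviates from the mean over known-normal windows
    by more than `threshold` (assumed decision rule; any metric function plugs in)."""
    base = [metric(w) for w in baseline_windows]
    mean = sum(base) / len(base)
    return [abs(metric(w) - mean) > threshold for w in windows]


def evaluate(flags, labels):
    """FPR, FNR and detection accuracy with 'ddos' as the positive class (assumed definitions)."""
    pairs = list(zip(flags, labels))
    tp = sum(f and l == "ddos" for f, l in pairs)
    fn = sum(not f and l == "ddos" for f, l in pairs)
    fp = sum(f and l != "ddos" for f, l in pairs)
    tn = sum(not f and l != "ddos" for f, l in pairs)
    return {"fpr": fp / max(fp + tn, 1), "fnr": fn / max(fn + tp, 1),
            "accuracy": (tp + tn) / len(pairs)}


# Constructed windows: each is the list of source addresses observed in one time slot.
NORMAL = [["10.0.0.1"] * 6 + ["10.0.0.2"] * 3 + ["10.0.0.3"],
          ["10.0.0.1"] * 5 + ["10.0.0.2"] * 4 + ["10.0.0.4"]]
FLASH = [[f"10.1.0.{i}" for i in range(30)] + [f"10.1.0.{i}" for i in range(10)]]  # many real clients
DDOS = [[f"198.51.100.{i}" for i in range(40)]]  # spoofed, every address seen once
WINDOWS, LABELS = NORMAL + FLASH + DDOS, ["normal", "normal", "fe", "ddos"]


def run_example(metric=shannon_entropy, threshold=2.0):
    """Baseline is taken from the normal windows (hold them out in real use)."""
    flags = detect(WINDOWS, metric, NORMAL, threshold)
    return flags, evaluate(flags, LABELS)


if __name__ == "__main__":
    print(run_example())
```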

Turkish Journal of Electrical Engineering and Computer Sciences
  • ISSN: 1300-0632
  • Publication frequency: 6 issues per year
  • Publisher: TÜBİTAK