
DDoS Attacks Detection and Trace Back the System

D. Delhi Ganesh

Abstract


A low-rate distributed denial of service (DDoS) attack has a significant ability to conceal its traffic because it closely resembles normal traffic, and it can therefore elude current anomaly-based detection schemes. An information metric can quantify the differences between network traffic streams with different probability distributions. In this paper, we propose using two new information metrics, the generalized entropy metric and the information distance metric, to detect low-rate DDoS attacks by measuring the difference between legitimate traffic and attack traffic. The proposed generalized entropy metric can detect attacks several hops earlier than the traditional Shannon metric. The proposed information distance metric outperforms the popular Kullback–Leibler divergence approach because it clearly enlarges the adjudication distance and thereby obtains the optimal detection sensitivity. The experimental results show that the proposed information metrics can effectively detect low-rate DDoS attacks and clearly reduce the false positive rate. Furthermore, the proposed IP traceback algorithm can find all attacks as well as attackers from their own local area networks (LANs) and discard attack traffic.
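The abstract describes the detection side only in outline: build a probability distribution of some traffic attribute per observation window, compute a generalized entropy and an information distance against a legitimate baseline, and flag a window whose distance exceeds a threshold. The following is an added example, not code from the paper or its author, that shows those two metrics on constructed packet windows. It assumes the Rényi entropy of order α as the "generalized entropy" and the Rényi divergence D_α as the "information distance" (α = 1 recovers Shannon entropy and Kullback–Leibler divergence); the paper's exact definitions, the attribute it measures, and its thresholds are not reproduced on this page, so the source-address attribute, the additive smoothing, α = 2 and the threshold of 0.1 bits are all assumptions for illustration.

```python
import math
from collections import Counter

def smoothed_distribution(items, support, eps=0.5):
    """Empirical probability distribution of `items` over a fixed `support`,
    with additive (Laplace-style) smoothing so every symbol has nonzero
    probability; this keeps the divergence finite when a source appears
    in one window but not the other. eps=0 gives the plain frequencies."""
    counts = Counter(items)
    total = len(items) + eps * len(support)
    return {k: (counts.get(k, 0) + eps) / total for k in support}

def generalized_entropy(p, alpha):
    """Rényi (generalized) entropy of order alpha, in bits. alpha == 1 is the
    Shannon entropy, the limit of the general formula (assumed definition)."""
    probs = [v for v in p.values() if v > 0]
    if alpha == 1:
        return -sum(v * math.log2(v) for v in probs)
    return math.log2(sum(v ** alpha for v in probs)) / (1 - alpha)

def information_distance(p, q, alpha):
    """Rényi divergence D_alpha(p || q) in bits; alpha == 1 is the
    Kullback–Leibler divergence. p and q must share the same support
    (assumed definition of the paper's information distance)."""
    if alpha == 1:
        return sum(p[k] * math.log2(p[k] / q[k]) for k in p if p[k] > 0)
    s = sum(p[k] ** alpha * q[k] ** (1 - alpha) for k in p if p[k] > 0)
    return math.log2(s) / (alpha - 1)

def window_distance(window, baseline, alpha):
    """Distance of an observed window from the legitimate baseline, both
    converted to smoothed distributions over their combined support."""
    support = sorted(set(window) | set(baseline))
    p = smoothed_distribution(window, support)
    q = smoothed_distribution(baseline, support)
    return information_distance(p, q, alpha)

def is_attack(window, baseline, alpha=2, threshold=0.1):
    """Flag a window whose information distance from the baseline exceeds
    the threshold (alpha and threshold are assumed tuning values)."""
    return window_distance(window, baseline, alpha) > threshold

# Constructed sample windows (one symbol per packet = its source address).
# BASELINE: 1000 packets spread evenly over 50 legitimate sources.
# LEGIT:    a normal window with mild skew toward ten busy sources.
# ATTACK:   a low-rate attack where 5 extra sources each add only 20
#           packets, so the total rate is unchanged at 1000 packets.
BASELINE = [f"10.0.0.{i % 50 + 1}" for i in range(1000)]
LEGIT = ([f"10.0.0.{i % 50 + 1}" for i in range(960)]
         + [f"10.0.0.{i % 10 + 1}" for i in range(40)])
ATTACK = ([f"10.0.0.{i % 50 + 1}" for i in range(900)]
          + [f"192.0.2.{i % 5 + 1}" for i in range(100)])

if __name__ == "__main__":
    for name, window in (("legit", LEGIT), ("attack", ATTACK)):
        support = sorted(set(window))
        p = smoothed_distribution(window, support, eps=0)
        print(f"{name}: H_1={generalized_entropy(p, 1):.3f} bits, "
              f"H_2={generalized_entropy(p, 2):.3f} bits, "
              f"D_1={window_distance(window, BASELINE, 1):.3f} bits, "
              f"D_2={window_distance(window, BASELINE, 2):.3f} bits, "
              f"attack={is_attack(window, BASELINE)}")
```

Two points the numbers make visible: the attack window keeps the same packet count as the baseline, so a rate threshold would not notice it, while its distributional distance from the baseline is an order of magnitude larger than that of the skewed legitimate window; and because the Rényi divergence is non-decreasing in α, choosing α > 1 widens the gap between the attack and legitimate distances, which is the "enlarged adjudication distance" the abstract claims for its metric over plain Kullback–Leibler.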

Keywords


Attack Detection, Information Metrics, IP Trace-Back, Low-Rate Distributed Denial of Service (DDoS) Attack.





Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.