Article code: 4954369
Journal code: 1443318
Publication year: 2017
English article: 11-page PDF
Full-text version: free download
English title of the ISI article
Review: Detection of DDoS attacks and flash events using information theory metrics - An empirical investigation
Related topics
Engineering and Basic Sciences > Computer Engineering > Computer Networks and Communications
English abstract


- Investigates the preeminence of GE and GID metrics in detecting DDoS attacks.
- Proposes the use of GE and GID metrics to discriminate HR-DDoS attacks from FEs.
- The GID metric is shown to compare favorably with popular information distance measures.
- Proposed methodology is generalized, and hence can detect future attacks and FE events.

A Distributed Denial of Service (DDoS) attack is an austere menace to extensively used Internet-based services. The in-time detection of DDoS attacks poses a tough challenge to network security. Revealing a low-rate DDoS (LR-DDoS) attack is comparatively more difficult in modern high speed networks, since it can easily conceal itself due to its similarity with legitimate traffic, and so eluding current anomaly based detection methods. This paper investigates the aptness and impetus of the information theory-based generalized entropy (GE) and generalized information distance (GID) metrics in detecting different types of DDoS attacks. The results of GE and GID metrics are compared with Shannon entropy and other popular information divergence measures. In addition, the feasibility of using these metrics in discriminating a high-rate DDoS (HR-DDoS) attack from a similar looking legitimate flash event (FE) is also verified. We used real and synthetically generated datasets to elucidate the efficiency and effectiveness of the proposed detection scheme in detecting different types of DDoS attacks and FEs. The results clearly show that the GE and GID metrics perform well in comparison with other metrics and have reduced false positive rate (FPR).

Preeminence of Generalized Entropy (GE) and Generalized Information Distance (GID) detection metrics as compared to extensively used Shannon Entropy, KL Divergence, and other popular detection metrics in detecting DDoS attacks and Flash Events, Sunny Behal, Krishan Kumar, Journal of Computer Communications.

Publisher
Database: Elsevier - ScienceDirect
Journal: Computer Communications - Volume 103, 1 May 2017, Pages 18-28