Effective metric for detecting distributed denial-of-service attacks based on information divergence


In information theory, the relative entropy (also called information divergence or information distance) quantifies the difference between information flows that have different probability distributions. In this study, the authors first resolve the asymmetry of the Rényi divergence and the Kullback–Leibler divergence and convert these divergence measures into proper metrics. They then propose an effective metric for detecting distributed denial-of-service attacks, using the Rényi divergence to measure the difference between legitimate flows and attack flows in a network. With the proposed metric, the authors obtain the optimal detection sensitivity and the optimal information distance between attack flows and legitimate flows by adjusting the order of the Rényi divergence. The experimental results show that the proposed metric clearly enlarges the adjudication distance; it therefore not only detects attacks earlier but also sharply reduces the false positive rate compared with the traditional Kullback–Leibler divergence and distance approaches.
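As an added illustration of the abstract's idea (not code from the paper), the following Python computes the Rényi divergence of order alpha between the empirical distribution of a flow attribute in a baseline window and in a monitored window, symmetrises it, and shows how the distance between a legitimate and a flood-like window grows as alpha is raised. The symmetrisation used here (the sum of both directions) and the packet-size windows are assumptions constructed for the example; the paper's own metric construction is not described on this page.

```python
import math
from collections import Counter

def empirical_distribution(values):
    """Empirical probability distribution of one flow attribute over a window."""
    counts = Counter(values)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}

def kl_divergence(p, q):
    """Kullback-Leibler divergence D(P||Q); infinite where Q lacks support of P."""
    total = 0.0
    for x, px in p.items():
        if px == 0.0:
            continue
        qx = q.get(x, 0.0)
        if qx == 0.0:
            return math.inf
        total += px * math.log(px / qx)
    return total

def renyi_divergence(p, q, alpha):
    """Rényi divergence D_alpha(P||Q) = log(sum p^alpha q^(1-alpha)) / (alpha-1).
    Requires alpha > 0; alpha == 1 falls back to the KL limit."""
    if alpha <= 0:
        raise ValueError("alpha must be positive")
    if alpha == 1.0:
        return kl_divergence(p, q)
    total = 0.0
    for x, px in p.items():
        if px == 0.0:
            continue
        qx = q.get(x, 0.0)
        if qx == 0.0:
            if alpha > 1.0:
                return math.inf  # P has mass where Q has none
            continue             # for alpha < 1 such terms vanish
        total += px ** alpha * qx ** (1.0 - alpha)
    if total == 0.0:
        return math.inf          # disjoint supports
    return math.log(total) / (alpha - 1.0)

def symmetric_renyi_distance(p, q, alpha):
    """Symmetrised distance D_alpha(P||Q) + D_alpha(Q||P) (assumed form, not the paper's)."""
    return renyi_divergence(p, q, alpha) + renyi_divergence(q, p, alpha)

def is_attack(baseline, window, alpha, threshold):
    """Flag a window whose symmetrised distance from the baseline exceeds the threshold."""
    return symmetric_renyi_distance(baseline, window, alpha) > threshold

# Constructed sample windows of IP packet sizes (bytes); not real traffic.
LEGIT_WINDOW = [64] * 10 + [512] * 10 + [1500] * 20
FLOOD_WINDOW = [64] * 36 + [512] * 2 + [1500] * 2  # dominated by small packets
```

Running the block's functions on `LEGIT_WINDOW` versus `FLOOD_WINDOW` with alpha = 0.5, 1 and 2 shows the one-directional divergence rising from roughly 0.59 through 1.23 (the KL value) to 1.84, which is the sensitivity knob the abstract refers to.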

http://iet.metastore.ingenta.com/content/journals/10.1049/iet-com.2008.0586