Article info

Article history: Received 23 January 2014; Available online 12 August 2014

Keywords: DDoS attack; Information metric; Threat; Network traffic; Entropy

Abstract

Distributed Denial of Service (DDoS) attacks represent a major threat to uninterrupted and efficient Internet service. In this paper, we empirically evaluate several major information metrics, namely, Hartley entropy, Shannon entropy, Renyi's entropy, generalized entropy, Kullback–Leibler divergence and the generalized information distance measure, in their ability to detect both low-rate and high-rate DDoS attacks. These metrics can be used to describe characteristics of network traffic data, and an appropriate metric facilitates building an effective model to detect both low-rate and high-rate DDoS attacks. We use the MIT Lincoln Laboratory, CAIDA and TUIDS DDoS datasets to illustrate the efficiency and effectiveness of each metric for DDoS detection.

© 2014 Elsevier B.V. All rights reserved.
1. Introduction

Distributed Denial of Service (DDoS) attacks that use a set of compromised hosts have become a major security threat to Internet services. Attackers are continually improving their ability to launch future DDoS attacks by infecting unsuspecting hosts. These attacks normally consume a huge number of resources of a server, making it impossible for legitimate users to access the server; they also consume network bandwidth by crowding out legitimate network traffic. DDoS attacks are distributed, cooperative, large scale attacks and can spread over both wired and wireless networks. Hence, both industry and academia are interested in defending their networks from DDoS attacks, ensuring uninterrupted access by legitimate users. It is difficult to distinguish attack traffic from legitimate traffic, since the two are similar on the basis of traffic behavior alone. There are two types of traffic that can normally compromise a host or a network with DDoS attacks [21]. They are: (a) high-rate DDoS attack traffic, which is exceptional and similar to a flash crowd, and (b) low-rate DDoS attack traffic, which is similar to legitimate traffic. Since both have characteristics of legitimate traffic, it is difficult to detect a DDoS attack and mitigate it within a short time interval.

Most recent work aims to detect DDoS attacks that are launched by botnets [11,23,6]. A botnet is a large network of compromised hosts, i.e., bots or slave machines, controlled by one entity, i.e., the master. The master can send malformed packets through a synchronized host, i.e., the slave, to the target host. However, detection of botnets is hard, and an effective solution needs to monitor all machines that can possibly become active bots in a botnet.

DDoS flooding attacks can be launched in two forms: direct attacks and reflector attacks [3]. In direct DDoS attacks, the attacker directly sends a massive number of packets to the victim host or server through multiple compromised hosts or machines. Direct attacks are further classified into two types: network layer DDoS attacks and application layer DDoS attacks. Some common network layer DDoS attacks are TCP flood, UDP flood, ICMP flood and SYN flood, and examples of application layer DDoS attacks are HTTP flood, HTTPS flood and FTP flood. In reflector-based DDoS attacks, the attacker sends requests to reflector hosts with the source IP spoofed to that of the victim host(s), so that the reflectors forward a massive amount of traffic to the victim. As a result, the reflector hosts send their replies to the victim host, flooding its network. Some well-known reflector attacks are: ICMP ECHO reply flood, SYN ACK RST flood, DNS flood and smurf flood. Figs. 1 and 2 show direct and reflector DDoS attacks, respectively.
Information theory-based metrics are popular in the detection of distributed DoS attacks. In information theory, entropy is a measure of the uncertainty associated with a random variable. Information distance computes the difference between different probability distributions. Shannon's entropy and Kullback–Leibler

This paper has been recommended for acceptance by Gunilla Borgefors.
Corresponding author. E-mail address: monowar.tezu@gmail.com (M.H. Bhuyan).
http://dx.doi.org/10.1016/j.patrec.2014.07.019
0167-8655/© 2014 Elsevier B.V. All rights reserved.
2 M.H. Bhuyan et al. / Pattern Recognition Letters 51 (2015) 1–7
overlay network. The authors demonstrate that FireCol can detect flooding attacks with high accuracy and robustness. Tao and Yu [19] present a feature-independent DDoS flooding attack detection scheme that tries to detect attacks at an early stage. Simulation results show the effectiveness of the scheme. Recently, Ma and Chen [12] used the variation of the Lyapunov exponent to detect DDoS attack traffic with a low false positive rate. It estimates the entropy of source IPs and destination IPs in every unit of time and detects attacks based on an exponent separation rate.

Table 2
Symbols used.

Term   Definition
x      dataset
n      number of data objects in x
T      total time interval taken for an experiment
t      sampled time interval
H      entropy
P, Q   probability distribution
α      order of generalized entropy and distance
D      generalized information divergence
2.1. Discussion

Even though there are several information theory-based DDoS attack detection methods, they lack early detection and high accuracy. To address these deficiencies, it would be beneficial to construct victim-end based defense mechanisms that can detect DDoS attacks with a low false positive rate, within a short time interval. A comparison of DDoS defense mechanisms situated at different deployment locations is given in Table 1. In the table, we observe that a victim-end system is better because:

• It can closely observe the victim system or host to analyze the network traffic in near real-time.
• It is easy to deploy, and
• It is cheaper to detect DDoS attacks than with other mechanisms.

3. Information metrics for DDoS detection

An information metric may be used to overcome the limitations of existing DDoS detection methods. The three major attractions of such measures are: (a) they help in differentiating legitimate traffic from attack traffic using a minimum number of attributes, (b) the cost of computation is low, and (c) they can be used at various scales, in terms of the number of instances taken per time window. These features are important when detecting DDoS attacks in high speed networks. In this paper, we evaluate several information metrics for detecting both low-rate and high-rate DDoS attacks. We make the following assumptions.

• Routers have full control over in-and-out traffic flow.
• We collect packet and flow level traffic at the victim-end after various types of flooding attacks are launched.
• During processing, we sample network traffic at 5 min intervals and further sample each interval into 10 s time windows.
• All attack traffic obeys a Poisson distribution and normal traffic obeys a Gaussian distribution.

The symbols used to describe the information metrics for detecting both low-rate and high-rate DDoS attacks are given in Table 2.

In information theory, larger values of entropy are expected when the information variable is more random. In contrast, the entropy value is expected to be small when the amount of uncertainty in the information variable is small [10]. To quantify the randomness of a system, Renyi [16] introduced an entropy metric of order α as a mathematical generalization of Shannon entropy [17]. Let us consider a discrete probability distribution $P = p_1, p_2, p_3, \ldots, p_n$, i.e., $\sum_{i=1}^{n} p_i = 1$, $p_i \ge 0$. Then Renyi's entropy of order α is defined as

$$H_\alpha(x) = \frac{1}{1-\alpha}\log_2\left(\sum_{i=1}^{n} p_i^{\alpha}\right) \qquad (1)$$

where $\alpha \ge 0$, $\alpha \ne 1$, $p_i \ge 0$. For α = 0, $H_\alpha$ depends only on the number n of symbols with non-zero probability; this is the Hartley entropy [17]. It is the maximum value any $H_\alpha$ can attain, and the entropies of positive order reach it exactly when all the $p_i$ are equal:

$$H_0(x) = \log_2 n \qquad (2)$$

When α → 1, $H_\alpha$ converges to Shannon entropy [17]:

$$H_1(x) = -\sum_{i=1}^{n} p_i \log_2 p_i \qquad (3)$$

If α = 2, it is known as collision entropy or Renyi's quadratic entropy [16]:

$$H_2(x) = -\log_2 \sum_{i=1}^{n} p_i^2 \qquad (4)$$

Finally, when α → ∞, $H_\infty(x)$ reaches the minimum information entropy value, $-\log_2 \max_i p_i$. Hence, the generalized information entropy is a non-increasing function of the order α, i.e.,

$$H_{\alpha_1}(x) \ge H_{\alpha_2}(x), \quad \text{for } \alpha_1 < \alpha_2,\ \alpha > 0.$$

Based on this analysis of information entropy metrics, we consider various probability distributions for legitimate network traffic and attack traffic when detecting low-rate and high-rate DDoS attacks. We compute the differences between legitimate and attack traffic in both low-rate and high-rate traffic situations.

Information distance is a measure of the divergence between two probability distributions. Let us consider two discrete probability distributions P and Q, where $P = p_1, p_2, p_3, \ldots, p_n$, $Q = q_1, q_2, q_3, \ldots, q_n$ and $\sum_{i=1}^{n} p_i = \sum_{i=1}^{n} q_i = 1$, $i = 1, 2, 3, \ldots, n$. The information divergence of order α between the distributions P and Q can be defined as follows.

$$D_\alpha(P\|Q) = \frac{1}{\alpha-1}\log_2\left(\sum_{i=1}^{n} p_i^{\alpha} q_i^{1-\alpha}\right), \quad \alpha > 0 \qquad (5)$$

Since α is a free parameter, particular choices of α give the following special cases.

$$D_0(P\|Q) = -\log_2\left(\sum_{i=1}^{n} q_i\right), \quad \alpha = 0 \qquad (6)$$

Note that in Eq. (6) only the terms with $p_i > 0$ contribute (they are the terms that survive $p_i^{0}$ in Eq. (5)), so the sum is Q's total probability on the support of P; $D_0$ is therefore zero whenever Q assigns positive probability to every symbol that P does.
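The entropy and divergence families above, as an added Python example that is not code from the paper: `renyi_entropy` implements Eq. (1) with the Hartley (α = 0), Shannon (α → 1), collision (α = 2) and α → ∞ cases, `renyi_divergence` implements Eq. (5) with the α = 0 case of Eq. (6) and the Kullback–Leibler (α → 1) and α = 2 cases, and `non_increasing` checks the monotonicity claim over a profile of orders. The per-source packet counts in the `__main__` section are constructed, and every function name is the example's own.

```python
"""Renyi entropy of order alpha (Eq. 1) and Renyi divergence of order alpha (Eq. 5)
with the special cases listed in Section 3. Added illustration, not the paper's code."""
import math
from typing import Dict, List, Sequence


def distribution(counts: Dict[str, int]) -> List[float]:
    """Empirical distribution p_i = count_i / total, e.g. from per-source-IP packet counts."""
    total = sum(counts.values())
    return [c / total for c in counts.values()]


def renyi_entropy(p: Sequence[float], alpha: float) -> float:
    """H_alpha(x) = 1/(1-alpha) * log2(sum_i p_i^alpha), Eq. (1), for alpha >= 0.
    Zero-probability symbols are dropped: they contribute nothing for alpha > 0, and the
    Hartley case then counts only the symbols that actually occur."""
    if alpha < 0:
        raise ValueError("order must be non-negative")
    p = [x for x in p if x > 0]
    if alpha == 0:                   # Hartley entropy, Eq. (2)
        return math.log2(len(p))
    if alpha == 1:                   # Shannon entropy, Eq. (3), the alpha -> 1 limit
        return -sum(x * math.log2(x) for x in p)
    if math.isinf(alpha):            # min-entropy, the alpha -> infinity limit
        return -math.log2(max(p))
    return math.log2(sum(x ** alpha for x in p)) / (1.0 - alpha)   # alpha = 2 gives Eq. (4)


def renyi_divergence(p: Sequence[float], q: Sequence[float], alpha: float) -> float:
    """D_alpha(P||Q) = 1/(alpha-1) * log2(sum_i p_i^alpha q_i^(1-alpha)), Eq. (5).
    Only indices with p_i > 0 contribute. If Q gives zero mass to such an index, the
    divergence is infinite for alpha >= 1 (and the term simply vanishes for alpha < 1)."""
    if len(p) != len(q):
        raise ValueError("P and Q must be defined over the same symbols")
    pairs = [(pi, qi) for pi, qi in zip(p, q) if pi > 0]
    if alpha == 0:                   # Eq. (6): Q's total mass on the support of P
        mass = sum(qi for _, qi in pairs)
        return math.inf if mass == 0 else -math.log2(mass)
    if alpha >= 1 and any(qi == 0 for _, qi in pairs):
        return math.inf
    if alpha == 1:                   # Kullback-Leibler divergence, the alpha -> 1 limit
        return sum(pi * math.log2(pi / qi) for pi, qi in pairs)
    return math.log2(sum(pi ** alpha * qi ** (1.0 - alpha) for pi, qi in pairs)) / (alpha - 1.0)


def entropy_profile(p: Sequence[float], alphas: Sequence[float]) -> List[float]:
    """H_alpha over a list of increasing orders; the paper's monotonicity claim says this never rises."""
    return [renyi_entropy(p, a) for a in alphas]


def non_increasing(values: Sequence[float], tol: float = 1e-12) -> bool:
    """True if each value is no larger than its predecessor (up to floating-point slack)."""
    return all(a + tol >= b for a, b in zip(values, values[1:]))


if __name__ == "__main__":
    # Constructed per-source packet counts for one 10 s window: one busy source, three quiet ones.
    skewed = distribution({"192.0.2.1": 40, "192.0.2.2": 20, "192.0.2.3": 10, "192.0.2.4": 10})
    uniform = [0.25] * 4
    alphas = [0, 0.5, 1, 2, 5, 15, math.inf]
    print("uniform:", [round(h, 4) for h in entropy_profile(uniform, alphas)])
    print("skewed :", [round(h, 4) for h in entropy_profile(skewed, alphas)])
    for a in (0, 1, 2):
        print(f"D_{a}(skewed || uniform) = {renyi_divergence(skewed, uniform, a):.4f}")
```

For the uniform distribution every order returns log2 4 = 2, which is the Hartley bound of Eq. (2); for the skewed one the profile falls from 2 through 1.75 (Shannon) to 1 (min-entropy), and the divergence from the uniform distribution is 0 at α = 0 and positive at α = 1 and α = 2, so the two distributions are separable by the distance even though they share the same support.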
Table 1
Feasibility of DDoS defense at deployment locations.

$$D_1(P\|Q) = \sum_{i=1}^{n} p_i \log_2 \frac{p_i}{q_i}, \quad \alpha \to 1 \qquad (7)$$

$$D_2(P\|Q) = \log_2\left(\sum_{i=1}^{n} \frac{p_i^2}{q_i}\right), \quad \alpha = 2 \qquad (8)$$

Eq. (7), the α → 1 limit of Eq. (5), is known as the Kullback–Leibler divergence [4], which is the information distance commonly used for detecting DDoS attacks. We also compute the differences between legitimate traffic and attack traffic to detect both low-rate and high-rate DDoS attacks using different orders of information distance.

3.1. Complexity analysis

The approach takes O(Tn) time to detect DDoS attacks for each individual order of information metric, where T is the time interval and n is the number of instances within a sample. Thus, the approach works linearly with respect to the time interval T and the size of the dataset within the time interval, i.e., n, for each individual order of information metric.

4. Experimental results

Performance evaluation is important for any DDoS attack defense system. Performance evaluation is highly dependent on (i) the approach, (ii) the deployment point and (iii) whether it is possible to dynamically update attack traffic information [1,2]. When designing a DDoS attack defense method, these issues should be taken into consideration.

In our experiments, three different datasets, viz., MIT Lincoln Laboratory [14], CAIDA DDoS 2007 [5] and TUIDS DDoS¹ datasets [9], are used to detect both low-rate and high-rate DDoS attacks. The MIT Lincoln Laboratory tcpdump data is real-time pure normal data; it does not contain any attack traffic. We use the TUIDS DDoS datasets in both cases, i.e., low-rate and high-rate. The TUIDS DDoS dataset was prepared using the TUIDS testbed architecture with a demilitarized zone (DMZ), as shown in Fig. 3. The testbed is composed of 5 different networks inside the Tezpur University campus. The hosts are divided into several VLANs, each VLAN belonging to an L3 switch or an L2 switch inside the network. The attackers are placed in both wired and wireless networks with reflectors, but the target is placed inside the internal network. It generates both low-rate and high-rate DDoS traffic by following the strategy available at [15].

The CAIDA dataset contains 5 minutes (i.e., 300 s) of anonymized traffic obtained during a DDoS attack on August 4, 2007. These traffic traces store only attack traffic to the victim and responses from the victim; non-attack traffic has been removed as much as possible. According to Moore et al. [15], it is a high-rate attack if there are more than 10,000 packets per second over the network; here, 1000 attack packets per second cover 60% of the attack traffic. As a result, this is low-rate attack traffic. The details of the traffic features are shown in Fig. 4.

We consider real-time low-rate and high-rate DDoS attack scenarios for both datasets during our experiments. However, a low-rate attack does not consume all the computing resources on the server or all the bandwidth of the network connecting the server to the Internet. So, a real low-rate DDoS attack scenario not only contains attack traffic but also contains attack-free traffic. During our experiment, we mix low-rate attack traffic and legitimate traffic to prepare the real low-rate DDoS attack scenarios in the TUIDS DDoS dataset.

4.1. Results

We initially sample the network traffic every 10 seconds for 5 minutes for analysis. We apply the generalized entropy measure of order α using Eq. (1), where α is varied from 0 to 15 for our experiment. We also evaluate the generalized information distance of order α using Eq. (5), where α is varied from 1 to 14, for detecting both low-rate and high-rate DDoS attacks. Not all features in network traffic play a role in the detection of malicious traffic. Therefore, we consider only three features, source IP, destination IP, and protocol, for our experiments. For a victim-end based detection system, source IP is important, especially to find the source hosts even though they are spoofed. For a victim-end detection system, destination IP is also important, especially to identify the traffic flowing to a particular target. The parameter protocol is added to identify protocols that an attacker may use to send

¹ http://agnigarh.tezu.ernet.in/~dkb/resources.html
malicious traffic. Hence, we have chosen these three parameters for our experimentation.

We apply classical probability distributions to compute probabilities from the dataset. Source IP is one of the parameters for which we compute the probability. Initially, we search for the unique source IP addresses within the time window, i.e., 10 s. For each unique IP address, we compute an individual probability value between 0 and 1, i.e., its share of the packets in the window. Then, we compute the entropy term for each probability value and sum all the terms within a time window to obtain the total entropy. The method does not require conversion of symbolic data to numeric data when we compute the probabilities. The generalized entropy values of order α and the spacing between normal traffic and attack traffic for the CAIDA dataset are shown in Fig. 5. By 'spacing' we indicate the effectiveness of the measure used to distinguish attack traffic from legitimate traffic: the larger the spacing, the larger the difference between these two types of traffic. In the figure, we see that the spacing between normal and low-rate attack traffic is lower than the spacing for high-rate attack traffic. This is because low-rate attack traffic is similar to legitimate traffic. The spacing between legitimate traffic and high-rate attack traffic, when using the generalized entropy (GE) metric of order α for the CAIDA DDoS dataset, is shown in Fig. 6. The spacing between normal traffic and low-rate attack traffic for the generalized entropy metric of order α for the CAIDA DDoS dataset is given in Fig. 7.

Fig. 6. Spacing between normal and high-rate DDoS traffic when using generalized entropy measure in the CAIDA dataset.

Fig. 7. Spacing between normal and low-rate DDoS traffic when using generalized entropy measure in the CAIDA dataset.
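The per-window procedure of this subsection, as an added Python example that is not the paper's code: packets are bucketed into 10 s windows, the empirical distribution of the source IP feature is built per window, and the spacing between a normal window and an attack window is the gap between their generalized entropies of order α. `make_trace` builds a constructed three-window trace (RFC 5737 documentation addresses; 40 legitimate hosts plus three bots sending 60 or 2000 packets) rather than CAIDA or TUIDS data, and `detect` is a minimal victim-end threshold rule that is the example's own, not a method the paper describes.

```python
"""Per-window source-IP entropy and the 'spacing' between normal and attack windows.
Added illustration; not the paper's code. The packet trace is constructed inline."""
import math
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Sequence, Tuple

Packet = Tuple[float, str, str, str]   # (timestamp in s, source IP, destination IP, protocol)
WINDOW_S = 10.0                          # the paper samples 10 s windows inside a 5 min interval
SRC_IP, DST_IP, PROTO = 1, 2, 3          # the paper's three features, as tuple indices


def renyi_entropy(p: Sequence[float], alpha: float) -> float:
    """Generalized entropy of order alpha, Eq. (1); alpha = 1 is the Shannon limit, Eq. (3)."""
    p = [x for x in p if x > 0]
    if alpha == 1:
        return -sum(x * math.log2(x) for x in p)
    return math.log2(sum(x ** alpha for x in p)) / (1.0 - alpha)


def window_distributions(packets: Iterable[Packet], feature: int = SRC_IP) -> Dict[int, List[float]]:
    """Bucket packets into consecutive 10 s windows and return, per window, the empirical
    probability of each distinct value of the chosen feature (count / packets in the window)."""
    counts: Dict[int, Counter] = defaultdict(Counter)
    for pkt in packets:
        counts[int(pkt[0] // WINDOW_S)][pkt[feature]] += 1
    dist: Dict[int, List[float]] = {}
    for w, cnt in counts.items():
        total = sum(cnt.values())
        dist[w] = [c / total for c in cnt.values()]
    return dist


def spacing(normal_p: Sequence[float], attack_p: Sequence[float], alpha: float) -> float:
    """Spacing in the paper's sense: the gap between the entropy of a normal window and of an
    attack window; the larger it is, the easier the two are to separate with a threshold."""
    return abs(renyi_entropy(normal_p, alpha) - renyi_entropy(attack_p, alpha))


def make_trace() -> List[Packet]:
    """Constructed trace with three windows: 0 = normal, 1 = low-rate attack, 2 = high-rate attack.
    Every window carries 200 legitimate packets spread evenly over 40 hosts; the attack windows
    add 60 (low-rate) or 2000 (high-rate) UDP packets from three bot addresses."""
    hosts = [f"192.0.2.{i}" for i in range(1, 41)]
    bots = ["198.51.100.7", "198.51.100.8", "198.51.100.9"]
    victim = "203.0.113.10"
    attack_packets = {0: 0, 1: 60, 2: 2000}
    trace: List[Packet] = []
    for w, n_attack in attack_packets.items():
        base = w * WINDOW_S
        for i in range(200):
            trace.append((base + i * 0.05, hosts[i % len(hosts)], victim, "TCP"))
        for i in range(n_attack):
            trace.append((base + i * (WINDOW_S / n_attack), bots[i % len(bots)], victim, "UDP"))
    return trace


def spacing_profile(packets: Sequence[Packet], alphas: Sequence[float]) -> Dict[str, List[float]]:
    """Spacing between the normal window and each attack window for every order alpha."""
    dist = window_distributions(packets, SRC_IP)
    return {
        "low_rate": [spacing(dist[0], dist[1], a) for a in alphas],
        "high_rate": [spacing(dist[0], dist[2], a) for a in alphas],
    }


def detect(packets: Sequence[Packet], baseline_window: int, alpha: float, threshold: float) -> List[int]:
    """Victim-end rule: flag every window whose source-IP entropy of order alpha differs from
    the baseline window's by more than `threshold`. The absolute deviation is used because a
    few bots lower the entropy whereas randomly spoofed sources raise it."""
    dist = window_distributions(packets, SRC_IP)
    baseline = renyi_entropy(dist[baseline_window], alpha)
    return sorted(w for w, p in dist.items() if abs(renyi_entropy(p, alpha) - baseline) > threshold)


if __name__ == "__main__":
    trace = make_trace()
    for name, gaps in spacing_profile(trace, [1, 2, 5, 10]).items():
        print(name, [round(g, 3) for g in gaps])
    print("flagged windows:", detect(trace, baseline_window=0, alpha=1, threshold=0.5))
```

On this constructed trace the low-rate window moves the source-IP entropy by under 0.1 bit while the high-rate window moves it by roughly 3 bits, which mirrors the qualitative finding above that the spacing is small for low-rate and large for high-rate traffic; a threshold that catches the low-rate window here (about 0.05 bit) would on real traffic sit inside the normal fluctuation of the baseline, which is why the choice of α and threshold has to be made against the normal windows of the deployment.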
The determination of parameters for a detection method is
important. In our experiment, we choose the order α = 0 to 15
Table 3
Spacing details in generalized entropy and information distance.

Fig. 8. Spacing between normal and high-rate DDoS traffic when using generalized entropy measure in the TUIDS dataset.

Fig. 9. Spacing between normal and low-rate DDoS traffic when using generalized entropy measure in the TUIDS dataset.

Fig. 10. Spacing between normal and high-rate DDoS traffic when using information distance measure in the CAIDA dataset.

Fig. 11. Spacing between normal and low-rate DDoS traffic when using information distance measure in the CAIDA dataset.

Fig. 12. Spacing between normal and high-rate DDoS traffic when using information distance measure in the TUIDS dataset.

4.2. Discussion

To detect low-rate and high-rate DDoS attack traffic, it is important to use a minimum number of traffic features. Several detection mechanisms use either the distribution of IP addresses or packet sizes.