
Pattern Recognition Letters 51 (2015) 1–7


An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection ☆

Monowar H. Bhuyan a,∗, D.K. Bhattacharyya b, J.K. Kalita c

a Dept. of Computer Science & Engg., Kaziranga University, Jorhat 785006, Assam, India
b Dept. of Computer Science & Engg., Tezpur University, Tezpur 784028, Assam, India
c Dept. of Computer Science, University of Colorado, Colorado Springs, CO 80918, USA

Article history:
Received 23 January 2014
Available online 12 August 2014

Keywords:
DDoS attack
Information metric
Threat
Network traffic
Entropy

Abstract

Distributed Denial of Service (DDoS) attacks represent a major threat to uninterrupted and efficient Internet service. In this paper, we empirically evaluate several major information metrics, namely, Hartley entropy, Shannon entropy, Renyi's entropy, generalized entropy, Kullback–Leibler divergence and generalized information distance measure in their ability to detect both low-rate and high-rate DDoS attacks. These metrics can be used to describe characteristics of network traffic data and an appropriate metric facilitates building an effective model to detect both low-rate and high-rate DDoS attacks. We use MIT Lincoln Laboratory, CAIDA and TUIDS DDoS datasets to illustrate the efficiency and effectiveness of each metric for DDoS detection.

© 2014 Elsevier B.V. All rights reserved.

☆ This paper has been recommended for acceptance by Gunilla Borgefors.
∗ Corresponding author. Tel.: +91 94353 88234; fax: +91 376 2351318.
E-mail address: monowar.tezu@gmail.com (M.H. Bhuyan).

http://dx.doi.org/10.1016/j.patrec.2014.07.019
0167-8655/© 2014 Elsevier B.V. All rights reserved.

1. Introduction

Distributed Denial of Service (DDoS) attacks that use a set of compromised hosts have become a major security threat to Internet services. Attackers are continually improving their ability to launch future DDoS attacks by infecting unsuspecting hosts. These attacks normally consume a huge number of resources of a server, making it impossible for legitimate users to access the server; they also consume network bandwidth by compromising network traffic. DDoS attacks are distributed, cooperative, large scale attacks and can spread over both wired and wireless networks. Hence, both industry and academia are interested in defending their networks from DDoS attacks, ensuring uninterrupted access by legitimate users. It is difficult to distinguish attack traffic from legitimate traffic since they are similar based on traffic behavior alone. There are two types of traffic that can normally compromise a host or a network with DDoS attacks [21]. They are: (a) high-rate DDoS attack traffic, which is exceptional and similar to a flash crowd, and (b) low-rate DDoS attack traffic, which is similar to legitimate traffic. Since both have characteristics of legitimate traffic, it is difficult to detect a DDoS attack and mitigate it within a short time interval.

Most recent work aims to detect DDoS attacks that are launched by botnets [11,23,6]. A botnet is a large network of compromised hosts, i.e., bots or slave machines, controlled by one entity, i.e., the master. The master can send malformed packets through a synchronized host, i.e., the slave, to the target host. However, detection of botnets is hard and an effective solution needs to monitor all machines that can possibly become active bots in a botnet.

DDoS flooding attacks can be launched in two forms: direct attacks and reflector attacks [3]. In direct DDoS attacks, the attacker directly sends a massive number of packets to the victim host or server through multiple compromised hosts or machines. Direct attacks are further classified into two types: network layer DDoS attacks and application layer DDoS attacks. Some common network layer DDoS attacks are: TCP flood, UDP flood, ICMP flood and SYN flood, and examples of application layer DDoS attacks are: HTTP flood, HTTPS flood and FTP flood. In reflector-based DDoS attacks, the attacker sends requests to a reflector host to forward a massive amount of attack traffic by spoofing the IPs of the victim host(s). As a result, the reflector hosts send their replies to the victim host, flooding network traffic. Some well-known reflector attacks are: ICMP ECHO reply flood, SYN ACK RST flood, DNS flood and smurf flood. Figs. 1 and 2 show direct and reflector DDoS attacks, respectively.

Information theory-based metrics are popular in the detection of distributed DoS attacks. In information theory, entropy is a measure of the uncertainty associated with a random variable. Information distance computes the difference between different probability distributions. Shannon's entropy and Kullback–Leibler
divergence methods are assumed to be the most effective methods in detecting abnormal traffic based on IP address or packet size distribution statistics [24,25,22].

Detection of both high-rate and low-rate DDoS attacks at the same time is difficult due to the following: (i) high speed networks, (ii) the number of relevant attributes for both attack types at packet and flow level may not be the same, (iii) low-rate DDoS attack traffic is similar to legitimate traffic, and (iv) deployment of the detection system. Therefore, the detection of such attacks at an early stage with high detection accuracy is the utmost requirement. Information theory-based metrics have gained interest due to their ability to differentiate legitimate traffic from attack traffic with low computational complexity, which is important in the case of DDoS attack detection. In this paper, we contribute in two ways: First, we discuss the most common information metrics that are used to detect DDoS attacks, with their pros and cons. Second, we analyze and evaluate each information metric from an attacker's viewpoint in the context of detecting both high-rate and low-rate DDoS attacks. We use a victim-end architecture for analyzing information metrics in detecting both types of DDoS attacks.

The rest of the paper is organized as follows. Section 2 provides related work and a generic comparison of existing techniques. The theoretical foundation of information metrics for the detection of DDoS attacks is presented in Section 3. Section 4 describes experimental results and a discussion on the use of information metrics for detecting DDoS attacks. Finally, we present the concluding remarks in Section 5.

2. Related work

Methods for defending against DDoS attacks can be classified into four categories based on the point where the defense is mounted [3]: source-end, victim-end, intermediate network and distributed.

Fig. 1. Architecture of direct DDoS attack.

Fig. 2. Architecture of reflector DDoS attack.

Detecting and stopping a DDoS attack at the source are the goals of the source-end defense mechanism. This mechanism detects malicious packets and prevents the possibility of flooding, but not on the victim side. It is best to filter or rate-limit malicious traffic with minimum damage to the legitimate traffic before it hits a potential victim. Moreover, a source-end based defense mechanism acquires intelligence from a small amount of traffic and consumes a low amount of resources, i.e., processing power and buffer. The main difficulties of this mechanism are: (i) it cannot observe suspicious traffic at the victim-end because it has no interaction with the victim node, (ii) sources are widely distributed and a single source behaves almost as in normal traffic, and (iii) identification of deployment points at the source-end. Hence, it could generate false alarms at a high rate. D-WARD [13] is a source-end DDoS defense system.

In the victim-end defense mechanism, detection and response are generally performed in the routers of victim networks, i.e., networks providing critical Internet services. These mechanisms can closely observe the victim network traffic, model its behavior and detect anomalies. Detecting DDoS attacks in victim routers is relatively easy because of the high rate of resource consumption. It is also the most practically applicable type of defense mechanism that can classify attack traffic from legitimate traffic. But the main problems with this mechanism are: (i) during DDoS attacks, victim resources, e.g., network bandwidth, often get overwhelmed and cannot stop the flow beyond victim routers, and (ii) it can detect the attack only after it reaches the victim, and detecting an attack when legitimate clients have already been denied may not be useful. An example of a victim-end defense system is D-SAT [18].

The intermediate network defense scheme balances the trade-offs between detection accuracy and attack bandwidth consumption, the main issues in source-end and victim-end detection mechanisms. It can be deployed in any network router connected to an ISP. Such a scheme is generally collaborative in nature and the routers share their observations with other routers. Detection of attack sources is easy in this approach due to collaborative operation. Routers can form an overlay mesh to share their observations [25]. The main difficulty with this mechanism is the location of deployment. The unavailability of this mechanism in only a few routers may cause the detection effort to fail, and the full practical implementation of this mechanism is almost impossible because it will require reconfiguring all the routers on the Internet. The transport-aware IP router defense system [20] is an example of an intermediate-end defense system.

Most recently introduced DDoS defense systems are distributed in nature. Such systems are effective in keeping an organization's network secure due to cooperation among a large number of defense systems. Such a system is deployed in a distributed manner and seems to provide the best solution to discriminate DDoS threats from legitimate traffic. However, it requires support from multiple ISPs and administrative domains, which is usually difficult to obtain.

Information theory associates an uncertainty measure with random variables. An information metric is a measure of the difference between two probability distributions. Several information theory-based metrics [7,8,3,19] have been proposed to overcome the problems faced by DDoS detection methods. Chonka et al. [7] present a chaos-based model that uses the theory of network self-similarity to differentiate between DDoS traffic and legitimate traffic. They claim that their neural network system can filter anomalous traffic accurately. FireCol [8] is a collaborative early detection system that detects flooding attacks at a large distance from the target host and a small distance from the attack source host at the Internet Service Provider (ISP) level. It relies on a distributed deployment architecture composed of multiple ISPs that form an
overlay network. The authors demonstrate that FireCol can detect flooding attacks with high accuracy and robustness. Tao and Yu [19] present a feature-independent DDoS flooding attack detection scheme and try to detect attacks at an early stage. Simulation results show the effectiveness of the scheme. Recently, Ma and Chen [12] use the variation of the Lyapunov exponent to detect DDoS attack traffic with a low false positive rate. It estimates the entropy of source IPs and destination IPs in every unit of time and detects attacks based on an exponent separation rate.

2.1. Discussion

Even though there are several information theory-based DDoS attack detection methods, they lack early detection and high accuracy. To address these deficiencies, it would be beneficial to construct victim-end based defense mechanisms that can detect DDoS attacks with a low false positive rate, within a short time interval. A comparison of DDoS defense mechanisms situated at different deployment locations is given in Table 1. In the table, we observe that a victim-end system is better because:

• It can closely observe the victim system or host to analyze the network traffic in near real-time.
• It is easy to deploy, and
• It is cheaper to detect DDoS attacks than other mechanisms.

Table 1
Feasibility of DDoS defense at deployment locations.

Deployment            Characteristics  Rate limiting/Filtering  Defense vulnerability/Robustness  Deployment difficulty
Source-end            Very difficult   Easy                     Low                               Highly difficult
Victim-end            Easy             Difficult                High                              Very easy
Intermediate network  Difficult        Difficult                Medium                            Difficult
Distributed           Difficult        High                     High                              Difficult

3. Information metrics for DDoS detection

An information metric measure may be used to overcome the limitations of existing DDoS detection methods. The three major attractions of this measure are: (a) it helps in differentiating legitimate traffic from attack traffic using a minimum number of attributes, (b) the cost of computation is low, and (c) it can be used at various scales, in terms of the number of instances taken per time window. These features are important when detecting DDoS attacks in high speed networks. In this paper, we evaluate several information metrics for detecting both low-rate and high-rate DDoS attacks. We make the following assumptions.

• Routers have full control over in-and-out traffic flow.
• We collect packet and flow level traffic at the victim-end after various types of flooding attacks are launched.
• During processing, we sample network traffic at 5 min intervals and further sample into 10 s time intervals.
• All attack traffic obeys a Poisson distribution and normal traffic obeys a Gaussian distribution.

The symbols used to describe the information metrics for detecting both low-rate and high-rate DDoS attacks are given in Table 2.

Table 2
Symbols used.

Term  Definition
x     dataset
n     number of data objects in x
T     total time interval taken for an experiment
t     sampled time interval
H     entropy
P, Q  probability distribution
α     order of generalized entropy and distance
D     generalized information divergence

In information theory, larger values of entropy are expected when the information variable is more random. In contrast, the entropy value is expected to be small when the amount of uncertainty in the information variable is small [10]. To quantify the randomness of a system, Renyi [16] introduced an entropy metric of order α as a mathematical generalization of Shannon entropy [17]. Let us consider a discrete probability distribution $P = p_1, p_2, p_3, \ldots, p_n$, i.e., $\sum_{i=1}^{n} p_i = 1$, $p_i \ge 0$. Then Renyi's entropy of order α is defined as

$$H_\alpha(x) = \frac{1}{1-\alpha} \log_2 \left( \sum_{i=1}^{n} p_i^{\alpha} \right) \qquad (1)$$

where $\alpha \ge 0$, $\alpha \ne 1$, $p_i \ge 0$. If the values of the $p_i$'s are the same, the maximum entropy value is achieved, which is known as Hartley entropy [17].

$$H_0(x) = \log_2 n \qquad (2)$$

When $\alpha \to 1$, $H_\alpha$ converges to Shannon entropy [17].

$$H_1(x) = -\sum_{i=1}^{n} p_i \log_2 p_i \qquad (3)$$

If $\alpha = 2$, it is known as collision entropy or Renyi's quadratic entropy [16].

$$H_2(x) = -\log_2 \sum_{i=1}^{n} p_i^{2} \qquad (4)$$

Finally, when $\alpha \to \infty$, $H_\infty(x)$ reaches the minimum information entropy value. Hence, we say that the generalization of information entropy is a non-increasing function of the order α, i.e.,

$$H_{\alpha_1}(x) \ge H_{\alpha_2}(x), \quad \text{for } \alpha_1 < \alpha_2,\ \alpha > 0.$$

Based on this analysis of information entropy metrics, we consider various probability distributions for legitimate network traffic and attack traffic when detecting low-rate and high-rate DDoS attacks. We compute the differences between legitimate and attack traffic in both low-rate and high-rate traffic situations.

Information distance is a measure of the divergence between two probability distributions. Let us consider two discrete probability distributions P and Q, where $P = p_1, p_2, p_3, \ldots, p_n$, $Q = q_1, q_2, q_3, \ldots, q_n$ and $\sum_{i=1}^{n} p_i = \sum_{i=1}^{n} q_i = 1$, $i = 1, 2, 3, \ldots, n$. The information divergence between the distributions P and Q of order α can be defined as follows.

$$D_\alpha(P\,\|\,Q) = \frac{1}{\alpha-1} \log_2 \left( \sum_{i=1}^{n} p_i^{\alpha} q_i^{1-\alpha} \right), \quad \alpha > 0 \qquad (5)$$

Since α is an arbitrary positive integer, we can get the following equations.

$$D_0(P\,\|\,Q) = -\log_2 \left( \sum_{i=1}^{n} q_i \right), \quad \alpha = 0 \qquad (6)$$
$$D_1(P\,\|\,Q) = -\sum_{i=1}^{n} p_i \log_2 \left( \frac{p_i}{q_i} \right), \quad \alpha \to 1 \qquad (7)$$

$$D_2(P\,\|\,Q) = \log_2 \left( \sum_{i=1}^{n} \frac{p_i^{2}}{q_i} \right), \quad \alpha = 2 \qquad (8)$$

Eq. (7) is known as the Kullback–Leibler divergence [4], which is the information distance commonly used for detecting DDoS attacks. We also compute the differences between legitimate traffic and attack traffic to detect both low-rate and high-rate DDoS attacks using different orders of information distance.

3.1. Complexity analysis

The approach takes O(Tn) time to detect DDoS attacks for each individual order of information metric, where T is the time interval and n is the number of instances within a sample. Thus, the approach works linearly with respect to the time interval T and the size of the dataset within the time interval, i.e., n, for each individual order of information metric.

4. Experimental results

Performance evaluation is important for any DDoS attack defense system. Performance evaluation is highly dependent on (i) the approach, (ii) the deployment point and (iii) whether it is possible to dynamically update attack traffic information [1,2]. When designing a DDoS attack defense method, these issues should be taken into consideration.

Fig. 3. TUIDS testbed network architecture with DMZ.

In our experiments, three different datasets, viz., MIT Lincoln Laboratory [14], CAIDA DDoS 2007 [5] and TUIDS DDoS¹ datasets [9], are used to detect both low-rate and high-rate DDoS attacks. The MIT Lincoln Laboratory tcpdump data is real-time pure normal data; it does not contain any attack traffic. We use the TUIDS DDoS datasets in both cases, i.e., low-rate and high-rate. The TUIDS DDoS dataset was prepared using the TUIDS testbed architecture with a demilitarized zone (DMZ), as shown in Fig. 3. The testbed is composed of 5 different networks inside the Tezpur University campus. The hosts are divided into several VLANs, each VLAN belonging to an L3 switch or an L2 switch inside the network. The attackers are placed in both wired and wireless networks with reflectors, but the target is placed inside the internal network. It generates both low-rate and high-rate DDoS traffic by following the strategy available at [15].

¹ http://agnigarh.tezu.ernet.in/~dkb/resources.html

The CAIDA dataset contains 5 minutes (i.e., 300 s) of anonymized traffic obtained during a DDoS attack on August 4, 2007. These traffic traces store only attack traffic to the victim and responses from the victim; non-attack traffic has been removed as much as possible. According to Moore et al. [15], it is a high-rate attack if there are more than 10,000 packets per second over the network, with 1000 attack packets per second covering 60% of the attack traffic. As a result, this is low-rate attack traffic. The details of the traffic features are shown in Fig. 4.

We consider real-time low-rate and high-rate DDoS attack scenarios for both datasets during our experiments. However, a low-rate attack does not consume all the computing resources on the server or all the bandwidth of the network connecting the server to the Internet. So, a real low-rate DDoS attack scenario not only contains attack traffic but also contains attack-free traffic. During our experiment, we mix low-rate attack traffic and legitimate traffic to prepare the real low-rate DDoS attack scenarios in the TUIDS DDoS dataset.

4.1. Results

We initially sample the network traffic every 10 seconds for 5 minutes for analysis. We apply the generalized entropy measure of order α using Eq. (1), where α is varied from 0 to 15 for our experiment. We also evaluate the generalized information distance of order α using Eq. (5), where α is varied from 1 to 14 for detecting both low-rate and high-rate DDoS attacks. Not all features in network traffic play a role in the detection of malicious traffic. Therefore, we consider only three features: source IP, destination IP, and protocol, for our experiments. For a victim-end based detection system, source IP is important, especially to find the source hosts even though they are spoofed. For a victim-end detection system, destination IP is also important, especially to identify the traffic flowing to a particular target. The parameter protocol is added to identify protocols that an attacker may use to send
malicious traffic. Hence, we have chosen these three parameters for our experimentation.

Fig. 4. Traffic features and details of CAIDA DDoS dataset.

Fig. 6. Spacing between normal and high-rate DDoS traffic when using generalized entropy measure in the CAIDA dataset.

Fig. 7. Spacing between normal and low-rate DDoS traffic when using generalized entropy measure in the CAIDA dataset.

We apply classical probability distributions to compute probabilities from the dataset. Source IP is one of the parameters for which we compute the probability. Initially, we search for unique source IP addresses within the time window, i.e., 10 s. For each unique IP address, we compute an individual probability value between 0 and 1. Then, we compute the entropy for each probability value and sum all entropy values within a time window to obtain the total entropy. The method does not require conversion of symbolic data to numeric data when we compute probability. The generalized entropy values of order α and the spacing between normal traffic and attack traffic for the CAIDA dataset are shown in Fig. 5. By 'spacing' we indicate the effectiveness of the measure used to distinguish attack traffic from legitimate traffic. The larger the spacing, the larger the difference between these two types of traffic. In the figure, we see that the spacing between normal and low-rate attack traffic is lower than the spacing for high-rate attack traffic. This is because low-rate attack traffic is similar to legitimate traffic. The spacing between legitimate traffic and high-rate attack traffic, when using the generalized entropy (GE) metric of order α for the CAIDA DDoS dataset, is shown in Fig. 6. The spacing between normal traffic and low-rate attack traffic for the generalized entropy metric of order α for the CAIDA DDoS dataset is given in Fig. 7.
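As an added example (not code from the paper or its authors), the generalized entropy of Eq. (1), the information divergence of Eq. (5) and the 'spacing' between a normal window and an attack window, computed over constructed 10 s windows of source IPs following the procedure above; the 10.0.0.x addresses and window contents are made up here, and the α = 1 divergence is taken as the α → 1 limit of Eq. (5), i.e., Σ p_i log2(p_i/q_i).

```python
"""Generalized entropy (Eq. 1), information divergence (Eq. 5) and the
spacing between a normal and an attack window over per-window source-IP
distributions. Sample windows below are constructed, not from any dataset."""
import math
from collections import Counter
from typing import Dict, Iterable, List, Sequence

Distribution = Dict[str, float]


def distribution(source_ips: Iterable[str]) -> Distribution:
    """Empirical probability of each unique source IP inside one time window
    (the paper's 10 s window): occurrences divided by the window total."""
    counts = Counter(source_ips)
    total = sum(counts.values())
    return {ip: n / total for ip, n in counts.items()}


def renyi_entropy(p: Distribution, alpha: float) -> float:
    """H_alpha(x) of Eq. (1). alpha = 0 gives Hartley entropy log2(n) (Eq. 2),
    alpha = 1 the Shannon limit (Eq. 3), alpha = 2 collision entropy (Eq. 4),
    alpha = inf the min-entropy -log2(max p_i)."""
    if alpha < 0:
        raise ValueError("order alpha must be >= 0")
    probs = [v for v in p.values() if v > 0.0]
    if alpha == 1:
        return -sum(v * math.log2(v) for v in probs)
    if math.isinf(alpha):
        return -math.log2(max(probs))
    return math.log2(sum(v ** alpha for v in probs)) / (1.0 - alpha)


def info_divergence(p: Distribution, q: Distribution, alpha: float) -> float:
    """D_alpha(P||Q) of Eq. (5); alpha = 1 is the Kullback-Leibler limit.
    The paper requires both windows to hold the same set of source IPs; if
    they differ, some q_i is 0 and the divergence is unbounded, so return
    inf instead of raising ZeroDivisionError."""
    if set(p) != set(q):
        return math.inf
    if alpha == 1:
        return sum(p[k] * math.log2(p[k] / q[k]) for k in p)
    total = sum(p[k] ** alpha * q[k] ** (1.0 - alpha) for k in p)
    return math.log2(total) / (alpha - 1.0)


def spacing(normal: Distribution, attack: Distribution, alpha: float) -> float:
    """Absolute gap between the entropy of a normal window and an attack
    window at order alpha; a larger gap means better separation."""
    return abs(renyi_entropy(normal, alpha) - renyi_entropy(attack, alpha))


# Constructed windows: one entry per packet, source IP only (assumed values).
# Normal: eight hosts, five packets each (uniform, so H_alpha = 3 for all alpha).
NORMAL_WINDOW: List[str] = [f"10.0.0.{h}" for h in range(1, 9) for _ in range(5)]
# Low-rate attack mixed with legitimate traffic: same eight hosts, two busier.
LOW_RATE_WINDOW: List[str] = (
    ["10.0.0.1"] * 8 + ["10.0.0.8"] * 8
    + [f"10.0.0.{h}" for h in range(2, 8) for _ in range(4)]
)
# High-rate flood: one source dominates the window.
HIGH_RATE_WINDOW: List[str] = ["10.0.0.1"] * 13 + ["10.0.0.2", "10.0.0.3", "10.0.0.4"]


def spacing_table(alphas: Sequence[float]) -> Dict[float, Dict[str, float]]:
    """Spacing of normal vs. low-rate and normal vs. high-rate windows for
    each order alpha, mirroring the paper's sweep over alpha."""
    normal = distribution(NORMAL_WINDOW)
    low = distribution(LOW_RATE_WINDOW)
    high = distribution(HIGH_RATE_WINDOW)
    return {
        a: {"low_rate": spacing(normal, low, a), "high_rate": spacing(normal, high, a)}
        for a in alphas
    }


if __name__ == "__main__":
    for a, row in spacing_table([0, 1, 2, 5, 10, 15]).items():
        print(f"alpha={a:>2}  low-rate spacing={row['low_rate']:.4f}  "
              f"high-rate spacing={row['high_rate']:.4f}")
```

Running the table shows the high-rate spacing growing with α while the low-rate spacing stays small, the pattern the paper reports for Figs. 5 to 7.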
The determination of parameters for a detection method is important. In our experiment, we choose the order α = 0 to 15 for the generalized entropy metric and α = 1 to 14 for generalized information distance. The spacing between legitimate traffic and attack traffic depends on the traffic rate that passes through the detection system per second. We see higher accuracy with increased spacing. The spacing for both the generalized entropy metric and generalized information distance is given in Table 3. In Table 3, we report the minimum and maximum spacing values between the legitimate and attack traffic obtained by using Eq. (1) and Eq. (5), which are also reflected in Figs. 6–13. It illustrates the order for which the generalized entropy or generalized information distance works well. In other words, the spacing values show the effectiveness of these metrics. The larger the spacing values between the legitimate and attack traffic, the more effective the metric.

Table 3
Spacing details in generalized entropy and information distance.

Datasets  Generalized metric                Minimum  Maximum
CAIDA     Entropy metric (high-rate)        0.03249  9.39344
          Entropy metric (low-rate)         0.00649  1.87868
          Information distance (high-rate)  0.34452  3.89564
          Information distance (low-rate)   0.15631  1.22566
TUIDS     Entropy metric (high-rate)        0.02029  5.15610
          Entropy metric (low-rate)         0.01101  1.11428
          Information distance (high-rate)  0.36277  3.83256
          Information distance (low-rate)   0.01233  1.45456

Fig. 5. Spacing between normal and attack traffic when using generalized entropy measure in the CAIDA dataset.

Fig. 8. Spacing between normal and high-rate DDoS traffic when using generalized entropy measure in the TUIDS dataset.

Fig. 10. Spacing between normal and high-rate DDoS traffic when using information distance measure in the CAIDA dataset.
Figs. 8 and 9 provide experimental results when using the generalized entropy metric for detecting both low-rate and high-rate attacks in the TUIDS DDoS dataset. We observe that the spacing between normal and attack traffic is the least for the low-rate DDoS attack.

Finally, we evaluate the information distance (ID) measures of order α in detecting both low-rate and high-rate DDoS attacks. We must have the same number of source IP addresses within a sampling interval when finding the spacing between normal and attack traffic. The spacing between normal and attack traffic when using the information divergence metric for detecting both high-rate and low-rate DDoS attacks in the CAIDA dataset is shown in Figs. 10 and 11, respectively. Figs. 12 and 13 show experimental results for detecting both high-rate and low-rate DDoS attacks in the TUIDS datasets when using the information divergence measure of order α.

Fig. 9. Spacing between normal and low-rate DDoS traffic when using generalized entropy measure in the TUIDS dataset.

Fig. 11. Spacing between normal and low-rate DDoS traffic when using information distance measure in the CAIDA dataset.

Fig. 12. Spacing between normal and high-rate DDoS traffic when using information distance measure in the TUIDS dataset.

4.2. Discussion

To detect low-rate and high-rate DDoS attack traffic, it is important to use a minimum number of traffic features. Several detection mechanisms use either the distribution of IP addresses or packet sizes.
Fig. 13. Spacing between normal and low-rate DDoS traffic when using information distance measure in the TUIDS dataset.

In this paper, we evaluate information metric measures to detect both low-rate and high-rate DDoS attacks in real-life DDoS datasets. The following are some observations.

• Information entropy provides a better result when we increase the order of generalized entropy in detecting both low-rate and high-rate DDoS attacks.
• The information distance measure also provides a better result than Kullback–Leibler divergence when we increase the order of the information divergence measure in detecting both low-rate and high-rate DDoS attacks.
• An information metric produces a better result in terms of complexity because it uses a minimum number of parameters during detection.
• For both generalized entropy and information divergence, the value of α can be adjusted easily for better spacing between normal and attack traffic.

5. Conclusion

This work presents an empirical study of several information metrics when handling a serious network security problem, i.e., detection of both low-rate and high-rate DDoS attacks. We have experimented with four important information entropy measures: Hartley entropy, Shannon entropy, Renyi's entropy and Renyi's generalized entropy, in the context of detecting DDoS attacks of various types. We also include several information divergence measures of order α, including Kullback–Leibler divergence, for evaluation of both low-rate and high-rate DDoS attack detection. We demonstrate the use of information metric measures in evaluating both low-rate and high-rate DDoS attacks with experimental results. Our observation is that the use of an appropriate information metric helps to magnify the spacing between legitimate and attack traffic for both low-rate and high-rate DDoS attack detection in real world network traffic. The low computing overhead is another significant advantage of such a metric in detecting DDoS attacks in near real-time. A future goal is to address the early detection of both low-rate and high-rate DDoS attacks using a multi-variate entropy-based approach.

Acknowledgments

This work is supported by the Department of Information Technology and the Council of Scientific & Industrial Research (CSIR), Government of India. The authors are thankful to the funding agencies.

References

[1] D. Bhattacharyya, J. Kalita, Network Anomaly Detection: A Machine Learning Perspective, CRC Press, 2013.
[2] M.H. Bhuyan, D.K. Bhattacharyya, J.K. Kalita, Network anomaly detection: methods, systems and tools, IEEE Commun. Surv. Tutorials 16 (2014) 303–336, doi:10.1109/SURV.2013.052213.00046.
[3] M.H. Bhuyan, H.J. Kashyap, D.K. Bhattacharyya, J.K. Kalita, Detecting distributed denial of service attacks: methods, tools and future directions, Comput. J. 57 (2014) 537–556, doi:10.1093/comjnl/bxt031.
[4] M. Broniatowski, Estimation of the Kullback–Leibler divergence, Princeton Univ. Press, 2003, Chapter: Mathematical Methods of Statistics.
[5] CAIDA, The Cooperative Analysis for Internet Data Analysis, 2011. <http://www.caida.org>
[6] C.M. Chen, H.C.L. Lin, Detecting botnet by anomalous traffic, J. Inf. Security Appl. (2014), doi:10.1016/j.jisa.2014.05.002.
[7] A. Chonka, J. Singh, W. Zhou, Chaos theory based detection against network mimicking DDoS attacks, IEEE Commun. Lett. 13 (2009) 717–719, doi:10.1109/LCOMM.2009.090615.
[8] J. Francois, I. Aib, R. Boutaba, FireCol: a collaborative protection network for the detection of flooding DDoS attacks, IEEE/ACM Trans. Networking 20 (2012) 1828–1841, doi:10.1109/TNET.2012.2194508.
[9] P. Gogoi, M.H. Bhuyan, D.K. Bhattacharyya, J.K. Kalita, Packet and flow based network intrusion dataset, in: Proceedings of the 5th International Conference on Contemporary Computing, Springer-Verlag, Noida, India, 2012, pp. 322–334.
[10] Y. Gu, A. McCallum, D. Towsley, Detecting anomalies in network traffic using maximum entropy estimation, in: Proc. of the 5th ACM SIGCOMM Conference on Internet Measurement, USENIX Association, Berkeley, CA, USA, 2005, pp. 32–32.
[11] M.S. Kang, S.B. Lee, V.D. Gligor, The crossfire attack, in: Proceedings of the IEEE Symposium on Security and Privacy, IEEE Computer Society, Washington, DC, USA, 2013, pp. 127–141.
[12] X. Ma, Y. Chen, DDoS detection method based on chaos analysis of network traffic entropy, IEEE Commun. Lett. 18 (2014) 114–117.
[13] J. Mirkovic, P. Reiher, D-WARD: a source-end defense against flooding denial-of-service attacks, IEEE Transactions on Dependable and Secure Computing 2 (2005) 216–232.
[14] MIT Lincoln Laboratory Datasets, MIT LLSDDOS0.2.2, Massachusetts Institute of Technology, Cambridge, MA, 2000. <http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/ideval/data/2000data.html>
[15] D. Moore, C. Shannon, D.J. Brown, G.M. Voelker, S. Savage, Inferring internet denial-of-service activity, ACM Trans. Comput. Syst. 24 (2006) 115–139, doi:10.1145/1132026.1132027.
[16] A. Rényi, On measures of entropy and information, in: Proc. of the 4th Berkeley Symposium on Mathematics, Statistics and Probability, 1960, pp. 547–561.
[17] C.E. Shannon, A mathematical theory of communication, Bell Syst. Techn. J. 27 (1948) 397–423.
[18] S.W. Shin, K.Y. Kim, J.S. Jang, D-SAT: Detecting SYN Flooding Attack by Two-Stage Statistical Approach, in: IEEE/IPSJ 12th International Symposium on Applications and the Internet, IEEE Computer Society, Los Alamitos, CA, USA, 2005, pp. 430–436.
[19] Y. Tao, S. Yu, DDoS attack detection at local area networks using information theoretical metrics, in: 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2013, pp. 233–240, http://dx.doi.org/10.1109/TrustCom.32.
[20] H. Wang, K.G. Shin, Transport-aware IP routers: a built-in protection mechanism to counter DDoS attacks, IEEE Trans. Parallel Distrib. Syst. 14 (2003) 873–884.
[21] W. Wei, F. Chen, Y. Xia, G. Jin, A rank correlation based detection against distributed reflection DoS attacks, IEEE Commun. Lett. 17 (2013) 173–175, doi:10.1109/LCOMM.2012.121912.122257.
[22] Y. Xiang, K. Li, W. Zhou, Low-rate DDoS attacks detection and traceback by using new information metrics, IEEE Trans. Inf. Forensics Secur. 6 (2011) 426–437, doi:10.1109/TIFS.2011.2107320.
[23] S. Yu, S. Guo, I. Stojmenovic, Fool me if you can: mimicking attacks and anti-attacks in cyberspace, IEEE Transactions on Computers, Early Access, 2013.
[24] S. Yu, W. Zhou, Entropy-based collaborative detection of DDoS attacks on community networks, in: Proceedings of the IEEE International Conference on Pervasive Computing and Communications, IEEE Computer Society, 2008, pp. 566–571.
[25] S. Yu, W. Zhou, R. Doss, W. Jia, Traceback of DDoS attacks using entropy variations, IEEE Trans. Parallel Distrib. Syst. 22 (2011) 412–425, doi:10.1109/TPDS.2010.97.