
Research On DoS Attack Detection Using Traffic Entropy

Posted on: 2013-08-09
Degree: Master
Type: Thesis
Country: China
Candidate: F Fu
GTID: 2248330371985823
Subject: Computer application technology

Abstract/Summary:
Denial of service (DoS) is a prevalent threat in today's networks, because DoS attacks are easy to launch while defending against them is disproportionately difficult. How to detect DoS attacks effectively is still a major challenge. A variety of methods are used to identify DoS attacks; among them, entropy-based methods not only provide more detail about the entire feature distribution but are also better suited to detecting such attacks than the others.

With the growth of network scale and network applications, DoS attack detection faces new challenges: (1) In large-scale networks, how to detect DoS attacks within limited time and space. Take the MAWI project, which has collected real traffic traces over trans-Pacific backbone links since 2001 to study the underlying traffic patterns: the link at samplepoint-F was upgraded from 100 Mbps to 150 Mbps in 2007, and on average thirty thousand IP addresses and thirty million packets appear within 15 minutes, so the cost of recording every address and packet is enormous. (2) Because of the similarities in network traffic and its bursts at long time scales, methods that model network traffic as a time series of volume counts are not efficient. What this view of traffic omits is the content of the packets, which carries considerable information useful in many applications, such as change and anomaly detection in network traffic.

The attractiveness of entropy metrics stems from their ability to condense an entire feature distribution into a single number while retaining important information about the overall state of the distribution; this makes them the primary source of information for approaches that scale to high-speed and large-scale networks. With the growing number of users and the development of the Internet, however, computing entropy within limited time and space has become difficult.
This paper presents a new method for estimating the entropy of network traffic (SSEH), and offers a new way to determine the number of counters in the space-saving algorithm. The method first obtains the heavy hitters of the network traffic using the space-saving algorithm, then estimates the counts of the remaining elements from the distribution characteristics of the heavy hitters, and finally computes the estimated entropy of the traffic. SSEH needs to track only the few heavy-hitter IP addresses that make up the main part of the traffic, and estimates the counts of the other IP addresses with a Zipf distribution: the larger an element's contribution to the entire feature distribution, the more precise its estimated count. The method estimates the entropy of traffic in high-speed, large-scale networks in less time and space by reducing the cost of the entropy computation and the storage needed for IP addresses. Experimental results show that the method guarantees very small estimation errors and is markedly effective in high-speed and large-scale networks; the estimated entropy remains accurate even when a few attacks and anomalies are present in the traffic.

Low-rate DoS attacks may cause a very slow response to legitimate network traffic, but since DoS attacks are deliberately created by humans they necessarily disturb the natural "randomness" and the "natural structure and order" that packet traffic exhibits under normal conditions. It is therefore more effective to analyze the burst characteristics in the spatial distribution of network traffic that DoS attacks cause. This paper proposes a DoS detection method based on the spatial self-similar nature of network traffic (SSND). The method first obtains the primary structure of the network traffic, then detects DoS attacks by analyzing the bursts between adjacent time intervals.
This method not only provides more detail about the entire feature distribution but is also better suited to detecting individual changes than traditional entropy-based approaches. SSND builds G structures that describe the distribution of network traffic and defines add, subtract, and merge operations on them. The original R/S algorithm is extended into the (R/S)d algorithm to calculate the Hurst index, which, using the G structures, reflects the similarity of the distribution structures of network traffic across different scales. SSND consists of an extraction module and a distance calculation module. The extraction module analyzes network traffic off-line to obtain the primary G structure. The distance calculation module detects DoS attacks in real time by monitoring the distance between G structures at adjacent times. The experimental results show that, compared with the entropy-based method, SSND is more accurate and more effective at detecting DoS attacks.

SSEH provides a potential tool for calculating entropy in high-speed and large-scale networks, which lets entropy-based methods be applied more effectively in such environments. Meanwhile, little work has been done at the level of packet contents; SSND is a helpful attempt at describing the spatial distribution of network traffic, and is more effective in the detection of DoS attacks.
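The SSEH pipeline described above (space-saving heavy hitters, a Zipf tail for the untracked addresses, entropy over the result), as an added illustration in Python that is not the thesis's own code. It assumes the number of distinct addresses is known separately (e.g. from a cardinality sketch), fits the Zipf exponent by least squares over the tracked heavy hitters, and uses a constructed Zipf-like stream of source IPs instead of MAWI traces.

```python
import math
import random
from collections import Counter

def space_saving(stream, k):
    """Space-Saving (Metwally et al.): at most k (count, error) counters. sum(counts) equals
    the number of items seen, and count - error is a guaranteed lower bound on true frequency."""
    counts, errors = {}, {}
    for item in stream:
        if item in counts:
            counts[item] += 1
        elif len(counts) < k:
            counts[item], errors[item] = 1, 0
        else:
            victim = min(counts, key=counts.get)      # evict the smallest counter
            m, _ = counts.pop(victim), errors.pop(victim)
            counts[item], errors[item] = m + 1, m     # newcomer inherits m as its error
    return counts, errors

def entropy_bits(weights):
    """Shannon entropy in bits of a distribution given as non-negative weights."""
    total = sum(weights)
    return -sum(w / total * math.log2(w / total) for w in weights if w > 0)

def exact_entropy(stream):
    """Reference value: count every address (the per-address storage SSEH avoids)."""
    return entropy_bits(list(Counter(stream).values()))

def fit_zipf(counts_desc):
    """Least-squares fit of log c = log c1 - alpha * log r on (rank, count) pairs (assumed method)."""
    xs = [math.log(r) for r in range(1, len(counts_desc) + 1)]
    ys = [math.log(c) for c in counts_desc]
    xm, ym = sum(xs) / len(xs), sum(ys) / len(ys)
    den = sum((x - xm) ** 2 for x in xs)
    alpha = -sum((x - xm) * (y - ym) for x, y in zip(xs, ys)) / den if den else 1.0
    return alpha, math.exp(ym + alpha * xm)

def sseh_entropy(stream, k, n_distinct):
    """Guaranteed heavy-hitter counts plus a Zipf tail for ranks k+1..n_distinct.
    n_distinct is assumed known (e.g. from a cardinality sketch); k >= 1, stream non-empty."""
    counts, errors = space_saving(stream, k)
    hh = sorted((counts[i] - errors[i] for i in counts), reverse=True)
    alpha, c1 = fit_zipf(hh)
    tail = [c1 * r ** -alpha for r in range(len(hh) + 1, n_distinct + 1)]
    return entropy_bits(hh + tail)

def make_stream(n_packets, n_sources, zipf_alpha, seed):
    """Constructed sample: source IPs drawn with Zipf-like weights (not real traffic)."""
    rng = random.Random(seed)
    ips = [f"10.0.{i // 256}.{i % 256}" for i in range(n_sources)]
    return rng.choices(ips, weights=[r ** -zipf_alpha for r in range(1, n_sources + 1)], k=n_packets)
```

Running sseh_entropy(pkts, 64, 300) next to exact_entropy(pkts) on pkts = make_stream(50_000, 300, 1.5, 7) shows how close 64 counters get to the full per-address count.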
Keywords/Search Tags: DoS attacks, Entropy, Space-saving algorithm, Zipf distribution, Self similar