Research On The Detection Method For DDoS Attack Based On Entropy Changing Rate

Posted on: 2021-02-05
Degree: Master
Type: Thesis
Country: China
Candidate: Y Wei
GTID: 2428330629487249
Subject: Computer technology

Abstract/Summary:
Distributed Denial of Service (DDoS) attacks pose a serious threat to network availability at present. Among the existing DDoS detection methods, statistics-based methods have high time complexity, entropy-based methods require an accurate threshold, and machine-learning-based methods incur a large training overhead. These drawbacks make it difficult to detect DDoS attacks in real time or quasi-real time in large-scale high-speed networks. To address these issues, this paper proposes a DDoS detection method based on the Network Entropy Changing Rate. The Network Entropy Changing Rate is the rate of change of Shannon entropy relative to the number of packets in transmission in the network. The paper first defines the Network Entropy Changing Rate, then establishes how to measure and calculate it, and then formally proves its properties. Finally, a DDoS attack detection method based on the Network Entropy Changing Rate is designed and verified experimentally. The main work of this paper is as follows:

(1) A new index for measuring network load change, the Network Entropy Changing Rate, is proposed, together with the method for measuring and calculating it. The Entropy Changing Rate abstracts network traffic characteristics to a moderate degree, so it can reflect abnormalities in those characteristics relatively efficiently.

(2) A DDoS attack detection method based on the Network Entropy Changing Rate is proposed. The method first calculates the entropy changing rate of the network for the current period, and then dynamically updates the threshold through a sliding window to judge whether an anomaly has occurred. If an anomaly occurs, the DDoS attack detection method based on relative entropy is used to calculate the relative entropy between the current traffic distribution and the normal network entropy distribution. Finally, the relative entropy obtained is used for further confirmation. Combining the two methods not only makes up for the high false alarm rate that the high degree of abstraction of network entropy causes in DDoS detection, but also overcomes the poor real-time performance of the relative-entropy-based DDoS detection method. The detection method proposed in this paper can respond to some new types of DDoS attack.

(3) Based on the above algorithms, a DDoS attack detection system is designed and implemented. The system consists of a DDoS detection tool and a data visualization system, and it can relatively effectively detect DDoS attacks in large-scale high-speed networks. Experimental data show that the proposed DDoS attack detection algorithm achieves a good balance between accuracy and real-time performance.
Keywords/Search Tags: Distributed Denial of Service Attacks, Entropy Changing Rate, Relative Entropy, Intrusion Detection System
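
The two-stage check described in item (2), as an added sketch that is not the thesis's own code. Assumptions, since the abstract gives no formulas: the rate is read as |ΔH| / N over destination addresses per period, the threshold is mean + k·std of the last five unflagged rates, the relative-entropy limit is 1 bit, and all traffic below is constructed.

```python
import math
from collections import Counter, deque
from statistics import mean, pstdev

def shannon_entropy(counts):
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def relative_entropy(current, baseline, eps=1e-6):
    """D(current || baseline) in bits; eps smooths keys missing on one side."""
    keys = set(current) | set(baseline)
    ct = sum(current.values()) + eps * len(keys)
    bt = sum(baseline.values()) + eps * len(keys)
    d = 0.0
    for key in keys:
        p = (current.get(key, 0) + eps) / ct
        q = (baseline.get(key, 0) + eps) / bt
        d += p * math.log2(p / q)
    return d

def detect(windows, baseline, history=5, k=3.0, kl_limit=1.0):
    """Return (suspects, alerts): stage-1 rate anomalies, stage-2 confirmations."""
    rates, prev_h = deque(maxlen=history), None
    suspects, alerts = [], []
    for i, pkts in enumerate(windows):
        if not pkts:
            continue  # empty period: entropy undefined, skip it
        counts = Counter(pkts)
        h = shannon_entropy(counts)
        if prev_h is not None:
            rate = abs(h - prev_h) / len(pkts)  # assumed reading of the index
            if len(rates) == history and rate > mean(rates) + k * pstdev(rates):
                suspects.append(i)
                if relative_entropy(counts, baseline) > kl_limit:
                    alerts.append(i)
            else:
                rates.append(rate)  # only unflagged rates move the threshold
        prev_h = h
    return suspects, alerts

# Constructed traffic: 20 hosts, small jitter; periods 12-13 flood 10.0.0.7.
def normal_window(i):
    pkts = [f"10.0.0.{h}" for h in range(20) for _ in range(10)]
    return pkts + [f"10.0.0.{i % 20}"] * (3 * (i % 4))

def sample_windows():
    w = [normal_window(i) for i in range(16)]
    for i in (12, 13):
        w[i] = w[i] + ["10.0.0.7"] * 800
    return w

BASELINE = Counter(normal_window(0))
```

On this data stage one flags periods 12 (flood onset) and 14 (return to normal); relative entropy confirms only period 12, which is the false-alarm reduction the abstract attributes to combining the two methods.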