Distributed denial-of-service attack detection scheme-based joint-entropy

Distributed denial-of-service (DDoS) attacks present an increasing threat to the global inter-networking infrastructure. While entropy schemes are highly robust to diverse network conditions, they remain vulnerable to distribute attacks that are similar to legitimate traffic. With the knowledge that the objective of a DDoS attack is to saturate as soon as possible the resources of the target, this would engender an unexpected disproportion between the number of received packets and the number of connections. However, in the case of flash crowds, an increase in the number of packets is always accompanied by an increase in the number of connections. In this work, we used joint-entropy that quantifies the degree of disproportion to detect traffic anomalies. We investigate a class of intelligent attacks, which, unlike high-rate attacks, are difficult for entropy schemes to detect. The experimental results indicate that our joint-entropy scheme can detect this type of attacks accurately. Compared with an entropy-based scheme, the improvement is 40% for the distributed attacks. Copyright (c) 2011 John Wiley & Sons, Ltd.