IP packet size entropy-based scheme for detection of DoS/DDoS attacks

Cited by: 18
Authors
Du, Ping [1]
Abe, Shunji [1]
Affiliations
[1] Natl Inst Informat, Tokyo 1018430, Japan
Keywords
denial of service attack; network security; attack detection
DOI
10.1093/ietisy/e91-d.5.1274
Chinese Library Classification number
TP [Automation technology, computer technology]
Discipline classification code
0812
Abstract
Denial of service (DoS) attacks have become one of the most serious threats to the Internet. Enabling detection of attacks in network traffic is an important and challenging task. However, most existing volume-based schemes cannot detect short-term attacks that have a minor effect on traffic volume. On the other hand, feature-based schemes are not suitable for real-time detection because of their complicated calculations. In this paper, we develop an IP packet size entropy (IPSE)-based DoS/DDoS detection scheme in which the entropy is markedly changed when traffic is affected by an attack. Through our analysis, we find that the IPSE-based scheme is capable of detecting not only long-term attacks but also short-term attacks that are beyond the volume-based schemes' ability to detect. Moreover, we test our proposal using two typical Internet traffic data sets from DARPA and SINET, and the test results show that the IPSE-based detection scheme can provide detection of DoS/DDoS attacks not only in a local area network (DARPA) but also in an academic backbone network (SINET).
Pages: 1274-1281
Number of pages: 8