Detection of DDoS attacks and flash events using information theory metrics-An empirical investigation

Cited by: 39
Authors
Behal, Sunny [1 ]
Kumar, Krishan [2 ]
Affiliations
[1] IKG Punjab Tech Univ, Kapurthala, Punjab, India
[2] Shaheed Bhagat Singh State Tech Campus, Dept CSE, Ferozepur, Punjab, India
Keywords
Network security; DDoS attacks; Flash events; Entropy; Information distance; SERVICE ATTACKS;
DOI
10.1016/j.comcom.2017.02.003
CLC classification
TP [Automation technology, computer technology];
Discipline code
0812 ;
Abstract
A Distributed Denial of Service (DDoS) attack is a severe threat to widely used Internet-based services. Timely detection of DDoS attacks is a hard problem in network security. Revealing a low-rate DDoS (LR-DDoS) attack is comparatively more difficult in modern high-speed networks, since its similarity to legitimate traffic lets it conceal itself easily and evade current anomaly-based detection methods. This paper investigates the suitability and rationale of the information theory-based generalized entropy (GE) and generalized information distance (GID) metrics for detecting different types of DDoS attacks. The results of the GE and GID metrics are compared with Shannon entropy and other popular information divergence measures. In addition, the feasibility of using these metrics to discriminate a high-rate DDoS (HR-DDoS) attack from a similar-looking legitimate flash event (FE) is also verified. We used real and synthetically generated datasets to demonstrate the efficiency and effectiveness of the proposed detection scheme in detecting different types of DDoS attacks and FEs. The results clearly show that the GE and GID metrics perform well in comparison with other metrics and have a reduced false positive rate (FPR). (C) 2017 Elsevier B.V. All rights reserved.
Pages: 18 / 28
Page count: 11