Application of entropy formulas in detection of denial-of-service attacks

The paper compares five entropy formulas (Shannon, Tsallis, Renyi, Bhatia-Singh, and Ubriaco) and their application in the detection of distributed denial-of-service (DDoS) attacks. The Shannon formula has been used extensively for this purpose for more than a decade. The use of the Tsallis and Renyi formulas in this context has also been proposed. Bhatia-Singh entropy is a novel information metric with promising results in initial applications in this area. Ubriaco proposed an entropy function based on the fractional calculus. In this paper, flow size distribution was used as the input for detection. The type of DDoS attack is SYN flood, and simulation was used to obtain the input dataset. The results show that the Renyi and Bhatia-Singh detectors perform better than the rest. Renyi and Tsallis performed similarly with respect to the true positive rate, but Renyi had a much lower false positive rate. The Bhatia-Singh detector had the best true positive rate but a higher false positive rate than Renyi. The Ubriaco detector performed similar to the Shannon detector. With respect to detection delay, Tsallis, Ubriaco, and Shannon produced similar results, with a slight advantage associated with the Ubriaco detector, while Renyi and Bhatia-Singh had a larger detection delay than the former three.