Joint Entropy Analysis Model for DDoS Attack Detection

Distributed Denial of service (DDoS) attack has become one of the most serious threats to the Internet. DDoS attack can be considered a system anomaly or misuse from which abnormal behaviour is imposed on network traffic. Network traffic characterization with behaviour modelling could be a good indication of attack detection witch can be performed via abnormal behaviour identification. Moreover, it is hard to distinguish the difference of an unusual high volume of traffic which is caused by the attack or occurs when a huge number of users occasionally access the target machine at the same time. While previous work has demonstrated the benefits of entropy-based anomaly detection, there has been little effort to understand the detection power of using joint entropy analysis of multiple traffic distributions. We observe that the time series of IP-flow number and aggregate traffic size are strongly statistically dependant. The occurrence of attack affects this dependence and causes a rupture in time series of joint entropy values. Experiment results show that this method could lead to more accurate and effective DDoS detection.