
SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks (2016)

Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.1530

RESEARCH ARTICLE

E-LDAT: a lightweight system for DDoS flooding attack detection and IP traceback using extended entropy metric

Monowar H. Bhuyan1*, D. K. Bhattacharyya2 and J. K. Kalita3

1 Department of Computer Science and Engineering, Kaziranga University, Koraikhowa, Jorhat, Assam 785006, India
2 Department of Computer Science and Engineering, Tezpur University, Napaam, Tezpur, Assam 784028, India
3 Department of Computer Science, University of Colorado at Colorado Springs, Colorado Springs, CO 80933-7150, USA

ABSTRACT

Distributed denial-of-service (DDoS) attacks cause havoc by exploiting threats to Internet services. In this paper, we propose E-LDAT, a lightweight extended-entropy metric-based system for both DDoS flooding attack detection and IP (Internet Protocol) traceback. It aims to identify DDoS attacks effectively by measuring the metric difference between legitimate traffic and attack traffic. IP traceback is performed using the metric values for an attack sample detected by the detection scheme. The method uses a generalized entropy metric with packet intensity computation on the sampled network traffic with respect to time. The E-LDAT system has been evaluated using several real-world DDoS datasets and outperforms competing methods when detecting four classes of DDoS flooding attacks, including constant rate, pulsing rate, increasing rate and subgroup attacks. The IP traceback model is also evaluated using NetFlow data in near real-time and performs well in large-scale attack networks with zombies. Copyright © 2016 John Wiley & Sons, Ltd.

KEYWORDS
DDoS attacks; entropy metric; network traffic; IP traceback; zombies

*Correspondence
Monowar H. Bhuyan, Department of Computer Science and Engineering, Kaziranga University, Koraikhowa, Jorhat-785006, Assam, India.
E-mail: [email protected]

1. INTRODUCTION

With an exponential increase in the number of attacks on the Internet’s infrastructure, detecting anomalies in network traffic has become important in our quest to detect (intelligent) attacks so that enterprise networks remain secure. Distributed denial-of-service (DDoS) attacks have become major security threats to providers of Internet services. These attacks normally consume a huge amount of server resources, making it impossible for legitimate users to avail themselves of necessary services. These attacks also consume network bandwidth by compromising network traffic. These attacks generate a large amount of traffic, within a short amount of time focused on a victim, with the help of compromised hosts, by attempting to use the resources of the victimized host.

Because DDoS attacks are distributed, these cooperative large-scale attacks can spread through both wired and wireless networks in parallel [1,2]. Hence, both industry and academia study how to defend against DDoS attacks and protect the access of legitimate users to resources. The detection of DDoS attacks is not an easy task because of the use of spoofed source addresses and the concealment of attack sources. It is also difficult to distinguish attack traffic from normal traffic considering traffic rates alone. An information theory-based method to detect network behavior mimicking a DDoS attack has been introduced in [3]. This method can effectively discriminate mimicked flooding attacks from legitimate access traffic. Several research efforts on DDoS detection [4–6], mitigation [7–9], and filtering [10,11] have been conducted in isolation. However, current approaches to both detection and IP traceback are unable to produce real-time output. There are two types of DDoS attacks based on the traffic rate: (a) high-rate DDoS attacks, when the traffic is very different from normal traffic, and (b) low-rate DDoS attacks, in which the traffic is similar to normal traffic [12–14]. Low-rate DDoS attacks are more difficult to detect and mitigate within a reasonable time interval. Based on the locality of deployment, DDoS defense schemes can be divided into three classes [15]: victim-end, source-end, and intermediate router defense mechanisms. In the victim-end defense mechanism, detection and response are generally performed in the routers of victim networks, that is, networks providing critical Internet services. These mechanisms can closely observe the victim network traffic, model its behavior, and detect anomalies. Detecting DDoS attacks in victim routers is relatively easy because of the high rate of resource consumption. It is also the most practically applicable type of defense mechanism that can classify attack traffic from legitimate traffic. The main problems with these mechanisms are the following: (i) During DDoS attacks, victim resources, for example, network bandwidth, often get overwhelmed and cannot stop the flow beyond victim routers; and (ii) it can detect the attack only after it reaches the victim. Detecting an attack when many legitimate clients have already been denied is still useful because it can protect at least some residual functionality, which might prevent a fraction of potential future customers being denied. Detection is also important for identifying botnets and neutralizing them.

Detecting and stopping a DDoS attack at the source is the goal of source-end defense mechanisms. These systems detect malicious packets early and reduce the possibility of flooding occurring at the victim-end. It is ideal to filter or rate limit malicious traffic near the source because it causes minimum damage to legitimate traffic to a host down the line. Moreover, source-end defense mechanisms usually have to handle a small amount of traffic and consume a low amount of resources (i.e., processing power and buffer). The main difficulties of such mechanisms are as follows: (i) They cannot observe suspicious traffic at the victim-end because they have no interaction with the victim node; (ii) Sources are widely distributed, and a single source behaves almost similarly as in normal traffic; and (iii) It is also difficult to identify a deployment point at the source-end.

The intermediate network defense scheme performs a balancing act between detection accuracy and attack bandwidth consumption, the main issues in source-end and victim-end detection mechanisms. It can potentially be deployed in any network router connected to an Internet service provider. Such a scheme is generally collaborative in nature, and the routers share their observations with other routers. Detection of attack sources is easy in this approach because of this collaborative operation. Routers can form an overlay mesh to share their observations [16]. The main difficulties with intermediate mechanisms are the following: (i) Determining where they should be deployed; (ii) The unavailability of this mechanism in even a few routers may cause failure of the overall detection; and (iii) Full practical implementation of this mechanism is extremely difficult because it would require reconfiguring all routers on the Internet.

Usually, the operator of an Internet service has full control over only its own servers, which may be victimized. Thus, victim-end mechanisms are the most practical. To address the deficiencies in such victim-end defense mechanisms, we concentrate on how potential victims can detect and perform IP traceback when DDoS attacks are launched against them, and do so in a short time with low false-positive rates.

Network- or host-based attack detection methods are of two types: signature based and anomaly based. A signature-based method builds profiles using characteristics of historical attack and normal traffic, and then matches the incoming traffic with the pre-existing profiles to report any alarm. In contrast, an anomaly-based method models normal behavior and compares incoming traffic for the presence of any deviation [17,18]. Several information theory-based approaches have been proposed to overcome the problems of both signature- and anomaly-based detection methods [1,19]. Information theory allows us to associate an uncertainty measure with a random variable. Entropy is normally used as such a measure because its value depends on the amount of diversity or chaos in the material or data being measured. The joint entropy of a pair of independent random variables equals the sum of the individual entropies. Shannon’s entropy [20] and Kullback–Leibler divergence methods are both effective in detecting abnormal traffic based on IP address distribution statistics or packet size distribution statistics [21]. For any DDoS defense system, the main goals to achieve are as follows: (a) early stage detection, (b) high accuracy, and (c) low false-alarm rate. In general, researchers have had difficulty in achieving these goals within stipulated short time periods.

In this paper, we propose E-LDAT, a lightweight DDoS flooding attack detection and IP traceback scheme which computes generalized entropy with packet intensity in traffic that is sampled frequently, at short time intervals. There is no packet marking strategy in the E-LDAT system, thus removing the shortcomings associated with packet marking techniques. We attempt to detect four classes of DDoS flooding attacks [21], viz., constant rate, pulsing rate, increasing rate, and subgroup attacks based on attack rate dynamics (Figure 1). Both packet-level and flow-level network traffic are used to analyze our scheme. For DDoS detection, we collect packet level traffic, and at the same time, we collect NetFlow traffic for near real-time analysis. During attack-free periods on our testbed, we observe each sample of traffic and compute the difference between sample pairs using the extended entropy metric (EEM). Once we detect a potential DDoS attack, we start an IP traceback scheme on the NetFlow data using the samples where we found the putative DDoS attack. The approach identifies the IP distribution value with the highest probability, estimated using a discrete probability distribution. Finally, it sends a request to drop the packets at router level if the packets do not belong to the address range for its interfaces.


Figure 1. Classes of distributed denial-of-service flooding attacks based on attack rate dynamics: (a) constant rate, (b) pulsing rate, (c) increasing rate, and (d) subgroup attack.

The main contributions of this paper are as follows.

• We analyze and highlight the advantages of alternate entropy metrics in comparison with basic entropy measures.

• We propose E-LDAT, a lightweight EEM-based DDoS attack detection scheme that outperforms detection techniques using traditional entropy metrics.

• We also propose a lightweight IP traceback scheme based on the EEM that can trace true locations of an attacker’s machines (i.e., the zombie machines).

The rest of the paper is organized as follows. Section 2 presents related work, and Section 3 states the problem. Section 4 describes the proposed scheme along with how we develop the system model for DDoS attack detection and IP traceback. Section 5 presents performance evaluation of our E-LDAT system. Finally, Section 6 provides concluding remarks.

2. RELATED WORK

We first present some basic information about DDoS attacks, and then a few DDoS attack detection and IP traceback schemes. This section discusses these schemes without considering their potential for deployability in real networks.

2.1. Distributed denial-of-service attacks

As stated in [22], a DDoS attack can be defined as an attack that uses a large number of computers to launch a coordinated DoS attack against a single victim machine or multiple victim machines. Using client/server technology, the perpetrator is able to multiply the effectiveness of the DoS attack significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms. A DDoS attack is distinguished from other attacks by its ability to deploy its weapons in a “distributed” way over the Internet and to aggregate these forces to create lethal traffic. Rather than breaking the victim’s defense system for fun or to show prowess, a DDoS attack usually aims to cause damage on a victim either for personal or political reasons, material gain, or for popularity. A taxonomy of DDoS attacks can be found in [2,21].

Distributed denial-of-service attacks mainly take advantage of the architecture of the Internet, and this is what makes them powerful. While designing the Internet, the prime concern was to provide for functionality, not security. As a result, over the years, many security issues have been raised, and these are exploited by attackers [2]. A DDoS attack is composed of several elements including (a) a direct DDoS attack, where the attacker sends control traffic directly to the zombies to attack the victim host, and (b) an indirect DDoS attack, where the attacker sends control traffic indirectly to the zombies to compromise the target host. Reflectors are non-compromised systems that exclusively send replies to a request.

There are four basic steps normally taken to launch a DDoS attack. These are selection of agents, compromise, communication, and attack.


(1) Selection of agents. The attacker chooses the agents that will perform the attack. Based on the nature of vulnerabilities present, machines can be compromised to work as agents. Attackers victimize these machines, which have abundant resources, so that a powerful attack stream can be generated. In early years, attackers attempted to acquire control of these machines manually. However, with the development of advanced tools to detect security vulnerabilities, it has become easier to identify these machines automatically and instantly.

(2) Compromise. The attacker exploits security holes and vulnerabilities of the agent machines and plants the attack code. Not only that, the attacker also takes necessary steps to protect the planted code from identification and deactivation. Unless a sophisticated defense mechanism is used, it is usually difficult for the users and owners of the agent systems to realize that they have become a part of a DDoS attack system. Another important feature of such an agent system is that the agent programs are very cost efficient both in terms of memory and bandwidth. Hence, they affect the performance of the system minimally.

(3) Communication. The attacker communicates with any number of handlers to identify which agents are up and running, when to schedule attacks or when to upgrade agents. Such communication among the attackers and handlers can be via protocols such as Transmission Control Protocol, Internet Control Message Protocol, or User Datagram Protocol. Based on the configuration of the attack network, agents can communicate with a single handler or multiple handlers.

(4) Attack. The attacker initiates the attack. The victim, the duration of the attack as well as special features of the attack such as the type, length, time-to-live, IP and port numbers can be adjusted. If there are substantial variations in the properties of attack packets, it is beneficial to the attacker, because it complicates detection.

2.2. Distributed denial-of-service attack detection and IP traceback schemes

Because of the increasing sophistication of attack patterns, the detection and IP traceback of DDoS attacks have become more difficult. Metrics from information theory are being increasingly used as statistical measures for network anomaly detection. Feinstein and Dan [23] present methods to identify DDoS attacks using entropy computation and frequency-sorted distribution of relevant packet attributes. They treat DDoS attacks as anomalies and illustrate the usefulness of entropy computation on real network traffic traces obtained from a variety of network scenarios. Yuan and Kevin [24] present a DDoS flooding attack detection scheme by monitoring macroscopic network-wide effects. They work with a variety of attack modes including constant rate, increasing rate, pulsing rate, and subgroup attacks. Lee and Xiang [25] describe several information theoretic measures for anomaly detection. These are the following: entropy, conditional entropy, information gain, and information cost. They test the effectiveness of these measures by using several datasets.

Ensembles of classifiers have also been used for DDoS attack detection. The use of an ensemble reduces the bias of existing individual classifiers. An ensemble of classifiers has been used by Kumar and Selvakumar [26] for this purpose, where a resilient back propagation neural network is chosen as the base classifier. The authors focus on improving the performance of the base classifier. The proposed classification algorithm, RBPBoost, combines the output of the ensemble of classifiers and the Neyman–Pearson cost minimization strategy [27] for the final classification decision. Nguyen and Choi [28] develop a method for proactive detection of DDoS attacks by classifying the network status at a point in time. They break a DDoS attack into phases and select features based on an analysis of real DDoS attacks. Finally, they apply the k-nearest neighbor method to classify the network status in each phase of DDoS attack detection.

Xiang et al. [1] propose the use of two information metrics for low-rate DDoS attack detection, viz., a generalized entropy metric and an information distance metric. They are used for detection of low-rate DDoS attacks and IP traceback. The scheme is tested on real-life DDoS datasets and shows that the metrics work effectively. An IP traceback scheme based on variations in entropy for DDoS attacks is proposed in [16]. The authors observe and store short-term information about variations in flow entropy at the routers. Once the detection algorithm has detected a DDoS attack, it initiates the pushback tracing procedure to find the actual location of attacks. Xiang et al. [29] present a practical IP traceback system called flexible deterministic packet marking (FDPM) that provides a defense system with the ability to find the real sources of attacking packets that traverse through the network. FDPM uses a flexible mark length to make it compatible with different network environments by adaptively changing its marking rate according to the load of the participating router. When FDPM was evaluated using a small amount of real-time data, it was able to find the attack sources effectively.

A method presented by Shiaeles et al. [6] detects DDoS attacks based on a fuzzy estimator using mean packet inter-arrival times. It detects the suspected host and traces the IP address to drop packets within 3-s detection windows. Yang and Yang [30] present a hybrid IP traceback scheme with efficient packet logging, aiming to achieve zero false positive and false negative rates in attack-path reconstruction. In addition, they use a packet’s marking field to sense attack traffic on its upstream routers. Recently, Wei et al. [31] have proposed a rank correlation-based detection algorithm for detecting distributed reflection DoS attacks.


The preliminary simulations show that rank correlation-based detection can differentiate reflection flows from legitimate ones effectively.

2.3. Discussion

Even though several DDoS attack detection and IP traceback schemes have been introduced recently, there are many issues that need to be addressed. The following are our observations on DDoS attack detection and IP traceback.

• It is important to understand the features of DDoS attacks, but it is more crucial to find effective features to detect an attack.

• Most published existing schemes are research systems that focus on detecting DDoS attacks with high detection accuracy or low false alarms, but often, these methods fail to perform in real time or near real time.

• Some schemes are composed of several modules [23] that are supposed to work together. However, because of their inability to coordinate quickly and efficiently, the total cost of detection becomes high.

• Although several information theoretic measures are available [25], building an adaptive model to detect DDoS attacks by dynamically adjusting different parameters has been difficult.

3. PROBLEM STATEMENT

We define the problem of DDoS detection as follows. The goal is to detect DDoS flooding attacks using a minimal subset of relevant packet features by computing the information distance difference between attack traffic and legitimate traffic in real-traffic instances within a relative sample period. It identifies a sample $s_i$ to be anomalous if (a) $s_i \in S$ and $|E(s_i) - E(s_j)| \ge \delta_1$, where $E$ is the information distance metric, $s_i$ and $s_j$ are samples within sampling period $S$, and $\delta_1$ is the threshold for local entropy variation, and (b) $|E(s_{i'}) - E(s_{j'})| \le \delta_2$, where $s_{i'}$ and $s_{j'}$ are the relative samples to be compared, and $\delta_2$ is the threshold for global entropy variation.

4. E-LDAT: SYSTEM MODELING FOR DDOS ATTACK DETECTION AND IP TRACEBACK

In this section, we attempt to model a system for detecting DDoS flooding attacks and IP traceback using the EEM. It works on the following assumptions.

• Routers have full control over traffic packets that go into and come out from the router interface.

• We collect packet and flow level traffic at the victim-end when flooding attacks are launched.

• We sample the network traffic into 5-min intervals, and during processing, we sub-sample them again into 10-s time intervals.

The architecture of the E-LDAT system is given in Figure 2. This system is composed of mainly two parts, viz., DDoS attack detection and IP traceback. We define the EEM used in the detection process as follows.

Definition 1. Extended entropy is defined as the sum of all entropies of parts of a system within a time interval.

In the detection scheme, we initially sample the network traffic into $t$ intervals within a total time period $T$. For each time interval, we compute the discrete probability distribution, packet intensity, and individual entropies for each sample as discussed next. We compute both the local entropy metric difference between legitimate traffic and anomalous traffic, and the global entropy metric difference between legitimate traffic and anomalous traffic. If the global metric difference is found greater than the local variation threshold $\delta_1$ and less than the global variation threshold $\delta_2$, we mark the sample as attack, otherwise normal. All attack samples are used for IP traceback. We make an attacker IP list and send a request to the router to drop these packets when forwarding to the next level of routers.

4.1. Notations used and symbols

The notations and symbols used in this paper are given in Table I.

4.2. Distributed denial-of-service attack detection scheme

In information theory, Shannon entropy or simply entropy is a measure of uncertainty in the value of a random variable, and it forms the basis for distance and divergence measurements between probability densities. Larger values of entropy are expected when the information variable is more random. In contrast, the entropy value is expected to be small when the amount of uncertainty in the information variable is small [19]. To quantify the randomness of a system, Renyi [32] introduced an entropy metric of order $\alpha$ as a mathematical generalization of Shannon entropy. Let us consider a discrete probability distribution, $P = p_1, p_2, p_3, \ldots, p_n$, that is, $\sum_{i=1}^{n} p_i = 1$, $p_i \ge 0$. Then, Renyi’s entropy of order $\alpha$ is defined as

$$H_\alpha(x) = \frac{1}{1-\alpha} \log_2 \left( \sum_{i=1}^{n} p_i^{\alpha} \right) \qquad (1)$$

where $\alpha \ge 0$, $\alpha \ne 1$, $p_i \ge 0$. If the values of the $p_i$’s are the same, the maximum entropy value, known as Hartley entropy [33], is achieved.

$$H_0(x) = \log_2 n \qquad (2)$$


Figure 2. Architecture of the E-LDAT system.

Table I. Notations and symbols used.

Symbol and notation        Meaning
X                          Network traffic data
P                          Total probability
T                          Time interval for processing
t_i                        ith time interval within T
H                          Entropy metric
α                          Entropy metric of order α
x_i                        ith instance within X
f_i                        ith packet intensity
ω                          Number of packets
δ1                         Threshold for local variation
δ2                         Threshold for global variation
β                          Threshold for IP traceback scheme
S                          Sample traffic
s_a                        Attack sample traffic
s_i, s_j, s_i′, s_j′       Relative sample traffic
A                          List of IPs for attack sources
z                          A zombie
E                          Information distance metric
EEM                        Extended entropy metric
E_l                        Difference of local extended entropy metric values between two samples, s_i and s_j
E_g                        Difference of global extended entropy metric values between two samples, s_i′ and s_j′
N                          Total number of packets within full time interval T
n                          Represents the sub-time interval t within T

When $\alpha \to 1$, $H_\alpha$ converges to Shannon entropy.

$$H_1(x) = -\sum_{i=1}^{n} p_i \log_2 p_i \qquad (3)$$

If $\alpha = 2$, it is known as collision entropy or Renyi’s quadratic entropy.

$$H_2(x) = -\log_2 \sum_{i=1}^{n} p_i^{2} \qquad (4)$$

Finally, when $\alpha \to \infty$, $H_\infty(x)$ reaches the minimum information entropy value. Hence, we say that the generalization of information entropy is a non-increasing function of order $\alpha$, that is, $H_{\alpha_1}(x) \ge H_{\alpha_2}(x)$ for $\alpha_1 < \alpha_2$, $\alpha > 0$. The probability and packet intensity computation are

$$p(x_i) = \frac{x_i}{\sum_{i=1}^{n} x_i} \qquad (5)$$

and

$$f_i = \frac{\omega_i}{\sum_{j=1}^{N} \omega_j} \qquad (6)$$

where $j = 1, 2, 3, \ldots, N$, $N$ is the total number of packets within the full time interval $T$, $\omega$ is the number of packets and $n$ is the total number of smaller intervals $t$ within $T$. Renyi’s information entropy metric of order $\alpha$ can be rewritten as

$$\mathrm{EEM}_\alpha(x) = \frac{t_i \times f_i}{N(1-\alpha)} \log_2 \left( \sum_{i=1}^{n} p_i^{\alpha} \right) \qquad (7)$$

where $t_i$ is the time and $f_i$ is the packet intensity for the $i$th sample. We refer to this metric as the EEM. Based on this analysis of the information entropy metric, we consider different probability distributions for legitimate network traffic and attack traffic when detecting DDoS attacks. A flowchart for the proposed attack detection scheme is given in Figure 3.

To support the proposed scheme, we introduce somedefinitions and lemmas in the succeeding text.

Definition 2. DDoS flooding attack traffic – Given a traffic sample S collected during a time interval T, a DDoS flooding attack traffic sample is a traffic sub-sample A = {a_1, a_2, a_3, ..., a_S} such that the difference in EEM values between an anomalous traffic instance a_i and a normal traffic instance is at least the minimum allowable threshold δ1.

Figure 3. Flowchart of the proposed distributed denial-of-service attack detection scheme.

Definition 3. Extended entropy metric – The EEM issimply the entropy value of order ˛, used to rank each traf-fic sample within a time interval T. The EEM metric valueof an attack traffic instance is higher than the EEM metricvalue of a normal traffic instance within a time interval T.

Definition 4. Locally anomalous traffic – A DDoS flooding attack traffic sample is defined as locally anomalous if EEM(s_i − s_j) ≥ δ1 within time interval T, where s_i and s_j are anomalous and normal traffic, respectively, and δ1 is a user-defined threshold.

Definition 5. Globally anomalous traffic – A DDoS flooding attack traffic sample is defined as globally anomalous if EEM(s'_i − s'_j) ≥ δ2 across two consecutive time intervals t_i and t_{i+1} within a total time interval T, where δ2 is a user-defined threshold.

Lemma 1. The maximum variation in a DDoS flooding attack traffic sample A = {a_1, a_2, a_3, ..., a_S} in terms of EEM metric value is always less than the maximum variation for normal traffic.

Proof 1. Let s_ai and s_aj be two samples of DDoS flooding attack traffic, and s_ni and s_nj be two samples of normal traffic. Based on Yu et al. [16] and according to Definitions 2 and 3, the EEM metric value of attack traffic is higher than that of normal traffic, that is, EEM_at ≥ EEM_nt, where EEM_at = EEM(s_ai) − EEM(s_aj) and EEM_nt = EEM(s_ni) − EEM(s_nj). However, flooding attack traffic is generated by a program; in other words, it is program controlled. So the variation among the traffic is ultimately limited within a bound. On the other hand, normal traffic variation has no such bound or control, and hence can extend to a great extent. So, the maximum variation of attack traffic in terms of EEM metric value is always less than the maximum variation for normal traffic.

Lemma 2. For a DDoS flooding attack traffic sample A ={a1, a2, a3 : : : aS}, the EEM metric value is always largerthan the Shannon entropy value.

Proof 2. The proof of the aforementioned lemma is trivialfrom the representations of Shannon entropy and extendedentropy given in Equations (3) and (7), respectively. It isevident from the multiplying factor used in Equation (7).

4.2.1. The distributed denial-of-service attack detection algorithm.

The proposed information entropy metric-based DDoS flooding attack detection scheme attempts to detect the four categories of DDoS attacks shown in Figure 1. In information theory, the value of Shannon entropy for a Gaussian distribution is higher than that for a Poisson distribution [1]. Rényi's generalized entropy value is lower than the Shannon entropy value when α > 1. In contrast, Rényi's generalized entropy value is higher than Shannon entropy when 0 ≤ α < 1. In the case of the EEM, however, the EEM metric value is greater than the Shannon entropy metric value [33]. Hence, we can achieve better detection accuracy and a lower false positive rate in the detection of all classes of DDoS flooding attacks. The steps of the proposed scheme are given in Algorithm 1.

Algorithm 1 E-LDAT: DDoS flooding attack detection

Input: Network traffic X w.r.t. time window T and thresholds δ1, δ2
Output: Alarm information (attack or normal)

1: Initialization: probability p(x_i), packet intensity f_i, and sample period T = 0, where i = 1, 2, 3, ..., n, T = {t_1, t_2, t_3, ..., t_N} and N is the number of sub-intervals within the full time interval.
2: Sample the network traffic X received from upstream router R using sampling period T.
3: Compute the probability distribution p_i and packet intensity f_i using Equations (5) and (6), respectively, based on traffic features (i.e., sIP, dIP, packet size, etc.) for each sample within the sampling period T of the ith sample.
4: Compute the EEM H_α(x) using Equation (7) for each sample within sampling period T:

   s_i = \sum_{k=0}^{y} EEM_α(s_{ik})    (8)

   s_j = \sum_{l=0}^{z} EEM_α(s_{jl})    (9)

   E_l^i = |EEM_α(s_i) − EEM_α(s_j)|    (10)

   E_g^i = |EEM_α(s'_i) − EEM_α(s'_j)|    (11)

5: Check against the local variation threshold to determine if E_l^i ≥ δ1 and against the global variation threshold to determine if E_g^i ≥ δ2. If both hold, generate an alarm; otherwise the router forwards the packet to the downstream routers.
6: Go to step 2.

The proposed scheme needs a minimum number ofparameter computations when detecting DDoS floodingattacks and performing IP traceback. The collaborativedetection threshold can be estimated based on the spacingbetween legitimate traffic and anomalous traffic within thesampling period T for all classes of attacks.
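The following Python program is an added worked example, not code from the paper or its authors. It implements Equations (3)–(7) and steps 3–5 of Algorithm 1 over a constructed five-sub-interval window: four quiet intervals and one flood from many spoofed sources. Several choices are assumptions the page leaves open: the traffic feature is the source IP address (the page lists sIP, dIP and protocol as candidates), t_i in Equation (7) is the sub-interval length in seconds, the "normal traffic instance" s_j for the local difference is the median EEM within the window, the global difference is taken against the preceding sub-interval, and the thresholds δ1 = δ2 = 0.02 are picked for this constructed data rather than taken from Section 5.2.3.

```python
"""Extended entropy metric (EEM) and the E-LDAT detection step.

Added worked example; not the authors' code. The traffic below is
constructed: four quiet 10-s sub-intervals and one spoofed-source flood.
"""
from __future__ import annotations

import ipaddress
import math
from collections import Counter
from statistics import median
from typing import Sequence

T_SUB_SECONDS = 10.0  # assumption: t_i in Eq. (7) is the sub-interval length


def shannon_entropy(probs: Sequence[float]) -> float:
    """Eq. (3): H_1(x) = -sum_i p_i log2 p_i; zero-probability terms contribute 0."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def renyi_entropy(probs: Sequence[float], alpha: float) -> float:
    """Renyi entropy of order alpha: (1 / (1 - alpha)) log2 sum_i p_i^alpha.

    alpha -> 1 is the Shannon limit, Eq. (3); alpha = 2 is collision entropy, Eq. (4).
    """
    if alpha < 0:
        raise ValueError("order alpha must be non-negative")
    if math.isclose(alpha, 1.0):
        return shannon_entropy(probs)
    return math.log2(sum(p ** alpha for p in probs if p > 0)) / (1.0 - alpha)


def probability_distribution(counts: Counter) -> list[float]:
    """Eq. (5): p(x_i) = x_i / sum_i x_i over the feature values seen in one sub-interval."""
    total = sum(counts.values())
    return [c / total for c in counts.values()]


def packet_intensities(window: Sequence[Counter]) -> list[float]:
    """Eq. (6): f_i = omega_i / sum_j omega_j, omega_i = packets in sub-interval i."""
    omegas = [sum(c.values()) for c in window]
    n_total = sum(omegas)
    return [w / n_total for w in omegas]


def eem(window: Sequence[Counter], alpha: float, t_sub: float = T_SUB_SECONDS) -> list[float]:
    """Eq. (7): EEM_alpha(x) = t_i f_i / (N (1 - alpha)) * log2 sum_i p_i^alpha.

    This is the Renyi entropy of the sub-interval scaled by t_i f_i / N,
    where N is the packet total over the whole window T.
    """
    n_total = sum(sum(c.values()) for c in window)
    f = packet_intensities(window)
    return [
        t_sub * f[i] / n_total * renyi_entropy(probability_distribution(c), alpha)
        for i, c in enumerate(window)
    ]


def detect(window, alpha, delta1, delta2, t_sub=T_SUB_SECONDS) -> list[bool]:
    """Algorithm 1, steps 3-5, for one window T.

    Local difference E_l: |EEM_i - EEM of the normal reference| (assumption:
    the median EEM within T stands in for the normal instance s_j).
    Global difference E_g: |EEM_i - EEM_{i-1}| across consecutive sub-intervals.
    An alarm needs E_l >= delta1 and E_g >= delta2 at the same sub-interval.
    """
    values = eem(window, alpha, t_sub)
    reference = median(values)
    alarms = []
    for i, v in enumerate(values):
        e_local = abs(v - reference)
        e_global = abs(v - values[i - 1]) if i > 0 else 0.0
        alarms.append(e_local >= delta1 and e_global >= delta2)
    return alarms


def build_window() -> list[Counter]:
    """Constructed window: four quiet sub-intervals (10 clients x 10 packets) and
    one flood sub-interval adding 900 packets from 900 distinct spoofed sources."""
    clients = [f"192.0.2.{k}" for k in range(1, 11)]
    quiet = Counter({ip: 10 for ip in clients})
    base = int(ipaddress.IPv4Address("203.0.113.0"))
    spoofed = Counter(str(ipaddress.IPv4Address(base + k)) for k in range(900))
    return [quiet.copy() for _ in range(4)] + [quiet + spoofed]


if __name__ == "__main__":
    window = build_window()
    for alpha in (0.5, 1.0, 2.0, 5.0):
        vals = eem(window, alpha)
        print(f"alpha={alpha:<4} EEM per sub-interval: {[round(v, 5) for v in vals]}")
    print("alarms (alpha=2):", detect(window, alpha=2.0, delta1=0.02, delta2=0.02))
```

Because Equation (7) multiplies the entropy by t_i·f_i/N, the absolute EEM values are small and scale with the unit chosen for t_i and with the packet total N of the window, so δ1 and δ2 have to be calibrated per deployment, as Section 5.2.3 does separately for the CAIDA and TUIDS datasets. In this constructed window the flood sub-interval raises both the source-address entropy and the packet intensity, which is what pushes its EEM above the quiet sub-intervals.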

4.3. Distributed denial-of-service IPtraceback scheme

The IP traceback scheme is used to identify the sourceof an IP packet without depending on the address in thepacket. The source IP address is normally spoofed. We pro-pose an IP traceback and filtering scheme using the EEM to

Figure 4. Internal traffic, external traffic, and router used for IPtraceback.

effectively defend against Internet threats. Hop-by-hop IP address tracing is a difficult task, and following all possible paths takes a long time. In order to analyze the IP traceback algorithm, we classify network traffic into two types: in-traffic (I_i) and out-traffic (O_i). I_i represents the internal traffic generated from LAN_i. O_i represents the sum of local network traffic, which is normally forwarded to the next upstream router (see Figure 4 for details). Algorithm 2 shows the steps of our proposed IP traceback scheme.

Algorithm 2 E-LDAT: DDoS IP traceback

Input: Samples detected as attacks s_a, threshold β
Output: Attacker IP address list, IP_a

1: Initialization: probability P(X), packet intensity f, attack samples s_a, and threshold β.
2: Let R and A be the router and the set of IP addresses, respectively.
3: Compute the probability distribution p_i and packet intensity f_i using Equations (5) and (6), respectively, based on traffic features (i.e., sIP, dIP, packet size, etc.) for each sample within the sampling period T of the ith sample.
4: Compute the extended entropy metric EEM_α(x) using Equation (7) for each distribution and sort them in descending order within a sample.
5: for i ← 1 to p_d do
6:     if EEM_α(x_i) ≥ β then
7:         Add x_i to the set A
8:     end if
9: end for
10: Submit a traceback request from set A to the router R and stop forwarding all traffic from those IP(s).

We have developed the algorithm assuming a victim-end detection framework. Once a DDoS attack is detected, it initiates the IP traceback scheme immediately to find the original source of the attack. In an attack sample, the proposed traceback algorithm computes the EEM for each probability distribution within time interval t_i. It checks the difference between all metric values for all distributions; if it is greater than the threshold, it considers the linked IP address as one attack source and adds it to the attacker IP address list A. Otherwise, it goes to the next attack sample. Finally, it sends a request to the router R to stop forwarding packets to the downstream routers from the specific LAN_i.
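The program below is an added worked example of Algorithm 2, not the authors' code. The page does not say which "probability distribution" is linked to an IP address, so this example assumes it is the spread of that source's packets over the sub-intervals of the attack sample, with the source's share of all packets in the sample as its intensity f (Equation 6) and Equation (7) giving one EEM per source; sources are ranked in a binary heap (heapq), as Section 5.2 describes, and β = 5×10⁻⁴ is chosen for the constructed sample. The sample contains six constant-rate zombies, twenty light clients and one legitimate client that bursts 300 packets into a single sub-interval, which a plain packet-count ranking would flag.

```python
"""E-LDAT IP traceback step (Algorithm 2) over a constructed attack sample.

Added worked example; not the authors' code. Assumptions are marked below.
"""
from __future__ import annotations

import heapq
import math
from collections import defaultdict
from typing import Sequence

T_SUB_SECONDS = 10.0  # assumption: t_i in Eq. (7) is the sub-interval length


def renyi_entropy(probs: Sequence[float], alpha: float) -> float:
    """(1 / (1 - alpha)) log2 sum p^alpha; Shannon limit at alpha = 1."""
    if math.isclose(alpha, 1.0):
        return -sum(p * math.log2(p) for p in probs if p > 0)
    return math.log2(sum(p ** alpha for p in probs if p > 0)) / (1.0 - alpha)


def per_source_eem(sample: Sequence[dict], alpha: float, t_sub: float = T_SUB_SECONDS) -> dict:
    """One EEM value per source IP in an attack sample s_a.

    sample[i] maps source IP -> packets seen in sub-interval i. Assumption: the
    distribution linked to a source is the spread of its own packets over the
    sub-intervals; its intensity is its share of all packets in the sample
    (Eq. 6); Eq. (7) then scales the entropy by t_i f / N.
    """
    per_src: dict = defaultdict(lambda: [0] * len(sample))
    for i, counts in enumerate(sample):
        for ip, c in counts.items():
            per_src[ip][i] += c
    n_total = sum(sum(counts.values()) for counts in sample)
    scores = {}
    for ip, vec in per_src.items():
        total = sum(vec)
        probs = [v / total for v in vec if v]
        f = total / n_total
        scores[ip] = t_sub * f / n_total * renyi_entropy(probs, alpha)
    return scores


def traceback(sample, beta, alpha=2.0, t_sub=T_SUB_SECONDS) -> list[str]:
    """Algorithm 2, steps 4-10: heap-order sources by EEM (descending) and keep
    those with EEM >= beta as the attacker list A, highest score first."""
    scores = per_source_eem(sample, alpha, t_sub)
    heap = [(-score, ip) for ip, score in scores.items()]
    heapq.heapify(heap)
    attackers = []
    while heap:
        neg_score, ip = heapq.heappop(heap)
        if -neg_score < beta:
            break  # pops come in descending EEM order; nothing below passes beta
        attackers.append(ip)
    return attackers


def build_attack_sample(sub_intervals: int = 5) -> list[dict]:
    """Constructed sample: six zombies at 150 packets per sub-interval, twenty
    light clients (5 packets in one sub-interval each) and one legitimate heavy
    client that bursts 300 packets into a single sub-interval."""
    zombies = [f"198.51.100.{k}" for k in range(1, 7)]
    clients = [f"192.0.2.{k}" for k in range(1, 21)]
    sample = [dict() for _ in range(sub_intervals)]
    for i in range(sub_intervals):
        for z in zombies:
            sample[i][z] = 150
    for k, ip in enumerate(clients):
        sample[k % sub_intervals][ip] = 5
    sample[2]["192.0.2.99"] = 300
    return sample


if __name__ == "__main__":
    sample = build_attack_sample()
    scores = per_source_eem(sample, alpha=2.0)
    print("attackers:", traceback(sample, beta=5e-4))
    print("heavy client score:", scores["192.0.2.99"])
```

Two caveats follow from the page itself. A pulsing-rate zombie that is silent in some sub-intervals has a lower temporal entropy and therefore a lower per-source score than a constant-rate one, so β has to be set with the attack class in mind, which is why the page keeps β as a separate parameter. And because the page states that source addresses are normally spoofed, the list A is the input to the traceback request sent to the upstream router R, not proof of the real origin.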

Using our IP traceback algorithm, it is easy to trace back and find the possible attack paths. As a result, our detection and IP traceback schemes require minimal cost. The traceback scheme also achieves higher accuracy, and it uses a binary heap to store its entropy metric values to keep the computational cost low.

Figure 5. TUIDS testbed network architecture.

To evaluate the traceback algorithm, we consider the worst-case attack tree with d branches (the experiments in Figure 24 use d = 2 and d = 3), a height of h, and a total of z detected zombies. We assume that the zombies are distributed evenly in the network. As stated in Moore et al. [34], there are a maximum of 31 hops possible between any two ends on the Internet, so we consider 31 hops for our experiment. The total IP traceback time is defined as

T_T = z \times \sum_{i=1}^{s} (31 - h_i) \times d^{h_i} + delay    (12)

where z is the number of zombies and delay is the time taken to move between two attack samples.

4.4. Complexity analysis

The detection scheme takes O(Tn) time during detection,where T is the time interval and n is the number ofinstances within a sample. On the other hand, the IP trace-back scheme takes O(Tlogn) time to find the attack source.So, the total time taken is O(Tn) + O(Tlogn) = O(Tn).

The time complexity of the detection scheme is linear w.r.t. the size of the dataset and the number of features, and that of the IP traceback scheme is logarithmic. Thus, our scheme detects DDoS flooding attacks and traces them back with a low number of false alarms and low time complexity.

5. PERFORMANCE EVALUATION

In our experiments, three different datasets, viz., the MIT Lincoln Laboratory [35], CAIDA DDoS 2007 [36], and TUIDS DDoS¹ [37] datasets, are used to detect the four classes of DDoS flooding attacks discussed earlier. The TUIDS DDoS dataset was prepared using our own testbed. The architecture of the TUIDS testbed with a demilitarized zone is shown in Figure 5. The testbed is composed of five different networks inside the Tezpur University campus. The hosts are divided into several VLANs, each VLAN belonging to an L3 switch or an L2 switch inside the network. The attackers are placed in both wired and wireless networks with reflectors, while the target is placed inside the internal network.

5.1. Datasets

The MIT Lincoln Laboratory tcpdump data are used asreal-time normal network traffic. The data do not con-tain any attacks (see Figure 6 for a normal traffic scenariofrom MIT Lincoln Laboratory). The CAIDA DDoS 2007dataset has real-time DDoS attack data with four classes ofattack scenarios, viz., constant rate, increasing rate, puls-ing rate, and subgroup attack (see Figures 7, 8, 9, and 10for classes of DDoS attack scenarios). The CAIDA datasetcontains 5 min (i.e., 300 s) of anonymized traffic froma DDoS attack on August 4, 2007. This trace includesonly attack traffic to the victim and responses from the

¹ http://agnigarh.tezu.ernet.in/~dkb/resource.html


Figure 6. Normal (attack free) traffic scenario from MIT Lincoln Laboratory data. X -axis ticks denote intervals (s), and Y -axis denotespackets/tick (unit).

Figure 7. Distributed denial-of-service attack scenarios from CAIDA: constant rate attack. X -axis ticks denote intervals (s), and Y -axisdenotes packets/tick (unit).

victim; non-attack traffic has been removed as much as possible. Finally, the TUIDS DDoS dataset also contains several classes of attack scenarios like CAIDA. We use six different attacks for the generation and analysis of near real-time DDoS attack detection and IP traceback on our testbed. The list of attacks and generation tools is given in Table II. To generate the TUIDS DDoS dataset, we used two scenarios, viz., an agent-handler network and an IRC botnet. In the agent-handler network, the attacker communicates with any number of handlers for exploiting the software


Figure 8. Distributed denial-of-service attack scenarios from CAIDA: pulsing rate attack. X -axis ticks denote intervals (s), and Y -axisdenotes packets/tick (unit).

Figure 9. Distributed denial-of-service attack scenarios from CAIDA: increasing rate attack. X -axis ticks denote intervals (s), and Y -axisdenotes packets/tick (unit).

agents available on a zombie host and forwards the malicious traffic to the victim host. We use the Trinity v3, DDoS ping 2.0, Trinoo, and TFN2K attack generation tools to launch four different variants of attacks on our testbed. In the IRC botnet scenario, we installed an IRC server on the testbed; the attackers log in to the IRC server, obtain the list of agents, and through them forward the malicious traffic to the victim host only. We use the LOIC² tool to launch these categories of attacks. To prepare the TUIDS DDoS

² http://sourceforge.net/projects/loic/


Figure 10. Distributed denial-of-service attack scenarios from CAIDA: subgroup attack. X -axis ticks denote intervals (s), and Y -axisdenotes packets/tick (unit).

Table II. List of real-life attacks and associated generation tools.

No.   Attack name          Generation tool
1     syn-flood            LOIC
2     rst-flood            Trinity v3
3     udp-flood            LOIC
4     ping-flood           DDoS ping v2.0
5     fraggle udp-flood    Trinoo
6     smurf icmp-flood     TFN2K

dataset at both packet and flow levels, we use GULP³ for packet capturing, and NFDUMP⁴ and NFSEN⁵ for flow capturing, when real-life DDoS attacks are launched on the testbed. The capturing period started at 8:00 AM on Monday, October 2012, and ran continuously for exactly 7 days, ending at 8:00 AM on Sunday, October 2012. However, like the CAIDA dataset, we considered 300 s of traffic when the attack traffic was launched on the testbed. The packet and flow details collected for a specific 300 s out of the 7 days are given in Table III.

5.2. Experimental results

We initially sample the network traffic in 10-s windowsfor each dataset. We identify static IP packets and com-pute the discrete probability distribution for each sample.

³ http://staff.washington.edu/corey/gulp/
⁴ http://nfdump.sourceforge.net/
⁵ http://nfsen.sourceforge.net/

Table III. Packet and flow details of the TUIDS distributed denial-of-service dataset.

Traffic details   Number of packets/NetFlow records   Attacker's sources   Protocol variants
Packet            36291275                            6                    3
NetFlow           15127930                            6                    3

The distribution of destination IP addresses seen in threescenarios: (a) attack traffic, (b) normal traffic, and (c)mixed traffic (containing both normal and attack traffic) areshown in Figures 11, 12, and 13, respectively.

We compute entropy using the EEM for each probability distribution and average them for each sample. To test the E-LDAT system, we compute the EEM of different orders by changing the value of α and compare it with the Shannon entropy values within a sampled period for both legitimate traffic and anomalous traffic. Figure 14 presents the value of Shannon entropy and the EEM for different values of the order α, where α = 0 to 15, and the spacing between legitimate traffic and attack traffic. It demonstrates that the E-LDAT system outperforms the use of Shannon entropy in detecting DDoS flooding attacks because it obtains significant spacing between legitimate traffic and attack traffic. It also shows that the EEM values increase almost linearly with the order α w.r.t. the traffic rate. To test our scheme globally, we test each attack class discussed earlier; the results are given in Figures 15, 16, 17, and 18 for the CAIDA dataset, and Figures 19 and 20 for the TUIDS datasets. The E-LDAT


Figure 11. Probability distribution of IP addresses in normaltraffic.

Figure 12. Probability distribution of IP addresses in attacktraffic.

system outperforms others in detecting DDoS floodingattacks, including reported DDoS attacks.

We further compute the detection rate and false positive rate based on samples within a time interval. The results of using our EEM in comparison with Shannon entropy [1] and Kullback–Leibler divergence [1] are given in Figure 21. Our detection scheme can effectively detect DDoS attacks with a low false-alarm rate and also performs well in comparison with competing algorithms [1,3,16,28,31,38].

In the IP traceback scheme, we consider each attacksample obtained from the detection scheme and findentropy values of unique IP addresses using the thresholdˇ. We store each entropy value obtained from a sample ina binary heap. Each path in the heap represents an attacksource and counts the number of hops using nodes on apath. We test our scheme using two different datasets (i.e.,CAIDA and TUIDS DDoS dataset) in terms of numberof hops away from the victim host and false positive rate.Figures 22 and 23 show the experimental results for both

Figure 13. Probability distribution of IP addresses in mixedtraffic (contains both normal and attack traffic).

Figure 14. Extended entropy metric (EEM) values for normaland attack traffic with spacing in between.

datasets. We found better results using the TUIDS dataset.We estimate the cost of our scheme in terms of time taken.Experimental results are given in Figure 24, where we seethat our scheme is better in terms of time needed and hasa smaller hop count when it traces the attacker’s sourcecompared with Yu et al. [16] and Gulisano et al. [39].

5.2.1. Analysis of split window size.

The size of the monitoring window is decided based on the time taken for analysis of traffic. Throughout our experiments, we set the optimal split window size as t = 10 s, that is, the sub-sample window size is 10 s. We experimented exhaustively by varying the window size, t = 2, 5, 10, 12, 15 s, and observed that the best result is obtained for t = 10 s. The total time is T = 300 s for each traffic sample during analysis. Because of the huge amount of traffic, we consider this minimum split window size for analysis and can detect DDoS attacks effectively and quickly.


Figure 15. CAIDA dataset: spacing between legitimate and anomalous traffic in constant rate traffic.

Figure 16. CAIDA dataset: spacing between legitimate and anomalous traffic in pulsing rate traffic.

5.2.2. Selection of attributes.

Our method depends on only three attributes, viz., the source IP address, the destination IP address, and the protocol, to identify all possible types of DDoS flooding attacks. Not only can we identify all types of flooding attacks, but we can also identify the protocol type that corresponds to the attack.

5.2.3. Threshold (δ1, δ2) analysis.

In order to estimate the threshold values, we evaluate the best possible range of values for each threshold heuristically. In our experiments, we used three values for each of δ1 and δ2, where δ1 is the threshold for local variations and δ2 is the threshold for global variations. We obtain better results when δ1 = 0.0280 and δ2 = 15.6818 in the case of


Figure 17. CAIDA dataset: spacing between legitimate and anomalous traffic in increasing rate traffic.

Figure 18. CAIDA dataset: spacing between legitimate and anomalous traffic in subgroup attack traffic.

the CAIDA DDoS dataset. In the case of the TUIDS DDoS dataset, δ1 = 0.01935 and δ2 = 11.2538 produce the best results. To decide the possible range of values for δ1 and δ2, we used sample-specific knowledge to evaluate the effectiveness of the values incrementally. In the IP traceback scheme, we use a single parameter β as the threshold for finding malicious IP addresses within an attack sample.

5.2.4. Information entropy analysis.

We have computed information entropies of order α = 0, 1, 2, ..., 15 during our experiments. However, we obtain the highest EEM value for α = 2 and the lowest for α = 1, corresponding to Shannon entropy, so the difference between normal and attack traffic is higher than the difference in terms of Shannon entropy. Also, the


Figure 19. TUIDS dataset: spacing between legitimate and anomalous traffic in packet level traffic.

Figure 20. TUIDS dataset: spacing between legitimate and anomalous traffic in flow level traffic.

global difference of EEM values between two consecu-tive sub-samples is higher than the difference in Shannonentropy.

5.2.5. Peak analysis.

In peak analysis, we consider the highest difference between EEM values for different attacks including (a) constant rate, (b) pulsing rate, (c) increasing rate, and (d) subgroup attack for both the CAIDA and TUIDS DDoS datasets. We obtain the following peak values in the case of the CAIDA dataset: (a) constant rate, peak value = 6.26, (b) pulsing rate, peak value = 5.74, (c) increasing rate, peak value = 12.72, and (d) subgroup attacks, peak value = 90.01 (Figures 15, 16, 17 and 18). For the TUIDS


Figure 21. ROC of extended entropy metric in comparison withShannon entropy and Kullback–Leibler divergence.

Figure 22. IP traceback using CAIDA dataset for variousextended entropy metric (EEM) values.

dataset, we obtain the following peak values: (a) packetlevel, peak value = 12.48 and (b) flow level, peak value= 12.51 (Figures 19 and 20).

5.3. Comparison with other relevant work

The E-LDAT system differs from the other similar schemesin the following ways.

(1) Like Xiang et al. [1], we also use the generalized entropy metric to estimate the spacing between legitimate and attack traffic. However, in addition, we introduce the EEM for effective estimation of this spacing. In fact, we found more spacing between legitimate and attack traffic than Xiang et al.'s scheme does: the E-LDAT system achieves a spacing of 2.64 when α = 10, which is more than Xiang et al.'s spacing of 0.51 when α = 10. Moreover, our IP traceback scheme also performs

Figure 23. IP traceback using TUIDS dataset for variousextended entropy metric (EEM) values.

Figure 24. IP traceback time for DDoS attacks when considerstwo and three branch-attack trees.

better than Xiang et al.'s scheme in terms of traceback time. We have considered the maximum number of hops between two end points on the Internet, which is 31, whereas Xiang et al. took only six hops when finding zombie locations.

(2) Like Yu et al. [16], we also use the variation in entropy values to distinguish legitimate traffic from attack traffic. The use of entropy has been found very effective in discovering these variations. Further, our scheme has been found to trace back the attacker source IP address within 10 s, which is lower than the time taken by Yu et al.'s scheme, which needed 20 s for traceback in large-scale networks.

(3) Unlike Wei et al. [31], we use the EEM to estimate the spacing between legitimate and attack traffic. Our scheme can detect DDoS attacks of various classes using a small number of parameters at lower computational cost than Wei et al.'s scheme. In addition, the performance of our scheme has also been established


in terms of accuracy and timely IP traceback within 10 s. We achieve a false positive rate of 0.10, which is similar to the Wei et al. scheme, but the E-LDAT system obtains 99.77% accuracy when detecting DDoS flooding attacks.

(4) Like Ma and Chen [40], we also consider variations in entropy values between legitimate and attack traffic, but we introduce the EEM in place of Lyapunov exponents when estimating the spacing between legitimate and attack traffic. Our scheme can detect DDoS attacks with higher accuracy, viz., 99.77% versus 98.56% for Ma and Chen's scheme.

(5) Unlike Gulisano et al. [39], we estimate the spacing between legitimate and attack traffic. The E-LDAT system can detect DDoS attacks within 10 s, whereas STONE [39] detects attacks within 18 s. Our scheme is also less costly than STONE.

(6) Like Sachdeva et al. [41], we estimate the EEM for both legitimate and attack traffic and find the spacing between them to detect DDoS attacks as well as for IP traceback. However, we obtain better accuracy, that is, 99.77% versus 94% for the Sachdeva et al. scheme.

(7) Unlike Saied et al. [42], we compute the spacing between legitimate traffic and attack traffic using the EEM to detect DDoS attacks and perform IP traceback. The ANN-based scheme [42] achieves 98% accuracy, while we obtain 99.77% accuracy on three different datasets, so our scheme performs better than the ANN-based scheme.

5.4. Discussion

It is useful to detect DDoS flooding attacks with a small number of IP traffic features. Normally, a detection scheme uses an approach based on either the IP address or the IP packet size distribution. An IP address-based method uses IP addresses and computes the information entropy metric from the probability of each unique IP appearing in the traffic within a certain time interval. A bigger entropy value represents more randomness among the IP addresses. Based on the distribution of the IP addresses, it estimates the change in the information entropy metric between legitimate traffic and anomalous traffic, and anomalousness is identified from the amount of change. We analyze our scheme using several real-life DDoS attack datasets. Our scheme has the following additional features compared with previously published methods [1,16,28,31,38,39,41,42].

• The detection scheme can detect anomalous traffic during DDoS flooding attacks with low false-alarm rates and low time complexity.

• The detection scheme uses a small number of IP traffic features for attack detection and IP traceback.

• The IP traceback scheme can trace the attack source within a short time with a small number of hops.

• The DDoS attack detection and IP traceback schemes use a small number of parameters.

In this paper, we have introduced an EEM for detecting DDoS flooding attacks as well as for IP traceback. The E-LDAT system is able to discriminate attack traffic from legitimate traffic based on the spacing between them. The IP traceback mechanism uses the EEM to trace the IPs of zombies based on hop counts and the spacing between them at different upstream routers on the testbed.

6. CONCLUDING REMARKS

In this paper, we have proposed a lightweight information-entropy metric, the EEM, that can be used to detect DDoS attacks in the several attack scenarios discussed throughout the paper. Experimental results demonstrate that the proposed scheme works effectively and stably in detecting DDoS attacks. It increases the spacing between legitimate traffic and attack traffic, which is important for DDoS attack detection, and it also reduces the false-alarm rate significantly. In addition, we have proposed an EEM-based IP traceback scheme. It uses near real-time IP traffic traces on our testbed network, and experimental results show that the IP traceback scheme can effectively trace all attacks back to the zombie local-area network. Thus, our EEM-based DDoS attack detection and IP traceback system, E-LDAT, performs well in comparison with traditional schemes. Currently, we are working towards detection of the recently introduced crossfire, coremelt, and distributed amplification attacks.

REFERENCES

1. Xiang Y, Li K, Zhou W. Low-rate DDoS attacks detection and traceback by using new information metrics. IEEE Transactions on Information Forensics and Security 2011; 6(2): 426–437.

2. Bhuyan MH, Kashyap H, Bhattacharyya DK, Kalita JK. Detecting distributed denial of service attacks: methods, tools and future directions. The Computer Journal 2014; 57(4): 537–556.

3. Yu S, Zhou W, Doss R. Information theory based detection against network behavior mimicking DDoS attacks. IEEE Communications Letters 2008; 12(4): 319–321.

4. Wang H, Jin C, Shin KG. Defense against spoofed IP traffic using hop-count filtering. IEEE/ACM Transactions on Networking 2007; 15(1): 40–53.

5. Lu K, Wu D, Fan J, Todorovic S, Nucci A. Robust and efficient detection of DDoS attacks for large-scale internet. Computer Networks 2007; 51: 5036–5056.

6. Shiaeles SN, Katos V, Karakos AS, Papadopoulos BK. Real time DDoS detection using fuzzy estimators. Computers & Security 2012; 31(6): 782–790.


7. Chen Z, Chen Z, Delis A. An inline detection and prevention framework for distributed denial of service attacks. The Computer Journal 2007; 50(1): 7–40.

8. Yaar A, Perrig A, Song D. StackPi: new packet marking and filtering mechanisms for DDoS and IP spoofing defense. IEEE Journal on Selected Areas in Communications 2006; 24(10): 1853–1863.

9. Yoon M. Using whitelisting to mitigate DDoS attacks on critical internet sites. IEEE Communications Magazine 2010; 48(7): 110–115.

10. Duan Z, Yuan X, Chandrashekar J. Controlling IP spoofing through interdomain packet filters. IEEE Transactions on Dependable and Secure Computing 2008; 5(1): 22–36.

11. Zhang C, Cai Z, Chen W, Luo X, Yin J. Flow level detection and filtering of low-rate DDoS. Computer Networks 2012; 56(15): 3417–3431.

12. Shevtekar A, Anantharam K, Ansari N. Low rate TCP denial-of-service attack detection at edge routers. IEEE Communications Letters 2005; 9(4): 363–365.

13. Ain A, Bhuyan MH, Bhattacharyya DK, Kalita JK. Rank correlation for low-rate DDoS attack detection: an empirical evaluation. International Journal of Network Security 2016; 18(3): 474–480.

14. Bhuyan MH, Bhattacharyya DK, Kalita JK. An empirical evaluation of information metrics for low-rate and high-rate DDoS attack detection. Pattern Recognition Letters 2015; 51: 1–7.

15. Beitollahi H, Deconinck G. Review: analyzing well-known countermeasures against distributed denial of service attacks. Computer Communications 2012; 35(11): 1312–1332.

16. Yu S, Zhou W, Doss R, Jia W. Traceback of DDoS attacks using entropy variations. IEEE Transactions on Parallel and Distributed Systems 2011; 22(3): 412–425.

17. Bhuyan MH, Bhattacharyya DK, Kalita JK. A multi-step outlier-based anomaly detection approach to network-wide traffic. Information Sciences 2016; 348: 243–271.

18. Bhuyan M, Bhattacharyya D, Kalita J. Network anomaly detection: methods, systems and tools. IEEE Communications Surveys & Tutorials 2013; 16(1): 1–34.

19. Gu Y, McCallum A, Towsley D. Detecting anomalies in network traffic using maximum entropy estimation. Proceedings of the 5th ACM SIGCOMM Conference on Internet Measurement, USENIX Association, Berkeley, CA, USA, 2005; 32–32.

20. Martins AFT, Figueiredo MAT, Aguiar PMQ, Smith NA, Xing EP. Nonextensive entropic kernels. Proceedings of the 25th International Conference on Machine Learning, ACM, New York, NY, USA, 2008; 640–647.

21. Mirkovic J, Reiher P. A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Computer Communication Review 2004; 34(2): 39–53.

22. Stein LD, Stewart JN. The World Wide Web Security FAQ, version 3.1.2. Cold Spring Harbor, NY, 2002. Available from: http://www.w3.org/Security/Faq [Accessed on 14 September 2015].

23. Feinstein L, Schnackenberg D, Balupari R, Kindred D.Statistical approaches to DDoS attack detection andresponse. Proceedings of the DARPA Information Sur-vivability Conference and Exposition, Washington,DC, USA, 2003; 303–314.

24. Yuan J, Mills K. Monitoring the macroscopic effectof DDoS flooding attacks. IEEE Transactions onDependable and Secure Computing 2005; 2 (4):324–335.

25. Lee W, Xiang D. Information-theoretic measures foranomaly detection. Proceedings of the IEEE Sympo-sium on Security and Privacy, IEEE Computer Society,Washington, DC, USA, 2001; 130–143.

26. Kumar PAR, Selvakumar S. Distributed denial of ser-vice attack detection using an ensemble of neuralclassifiers. Computer Communication 2011; 34 (11):1328–1341.

27. Scott C, Nowak R. A Neyman–Pearson approach tostatistical learning. IEEE Transaction on InformationTheory 2005; 51(11): 3806–3819.

28. Nguyen HV, Choi Y. Proactive detection of DDoSattacks utilizing k-NN classifier in an anti-DDoSframework. International Journal of Electrical,Computer, and Systems Engineering 2010; 4 (4):247–252.

29. Xiang Y, Zhou W, Guo M. Flexible deterministicpacket marking: an IP traceback system to find thereal source of attacks. IEEE Transactions on ParallelDistributed Systems 2009; 20(4): 567–580.

30. Yang MH, Yang MC. RIHT: a novel hybrid IPtraceback scheme. IEEE Transactions on InformationForensics and Security 2012; 7(2): 789–797.

31. Wei W, Chen F, Xia Y, Jin G. A rank correla-tion based detection against distributed reflection DoSattacks. IEEE Communications Letters 2013; 17 (1):173–175.

32. Rényi A. On measures of entropy and information.Proceedings of the 4th Berkeley Symposium on Math-ematics, Statistics and Probability, 1960; 547–561.

33. Shannon CE. A mathematical theory of commu-nication. Bell System Technical Journal 1948; 27:397–423.

34. Moore D, Shannon C, Brown DJ, Voelker GM, SavageS. Inferring internet denial-of-service activity. ACMTransactions on Information Systems 2006; 24 (2):115–139.

Security Comm. Networks (2016) © 2016 John Wiley & Sons, Ltd.DOI: 10.1002/sec

Page 20: E-LDAT: a lightweight system for DDoS flooding attack detection …jkalita/papers/2016/BhuyanMonowarSCN... · 2016-09-13 · we develop the system model for DDoS attack detection

DDoS flooding attack detection and IP traceback M. H. Bhuyan, D. K. Bhattacharyya and J. K. Kalita

35. MIT Lincoln Laboratory Datasets. MIT LLS_DDOS_0.2.2, 2000. Available from: http://www.ll.mit.edu/mission/communications/cyber/CSTcorpora/ideval/data/2000data.html.

36. CAIDA. The cooperative analysis for Internet dataanalysis, 2011. Available from: http://www.caida.org.

37. Bhuyan MH, Bhattacharyya DK, Kalita JK. Towardsgenerating real-life datasets for network intrusiondetection. International Journal of Computer Scienceand Network Security 2015; 17(6): 675–693.

38. Chen Y, Ma X, Wu X. DDoS detection algorithmbased on preprocessing network traffic predictedmethod and chaos theory. IEEE Communications Let-ters 2013; 17(5): 1052–1054.

39. Gulisano V, Zori MC, Fu Z, Peris RJ, PapatriantafilouM, Nez MPM. STONE: a streaming DDoS defenseframework. Expert Systems with Applications 2015; 42(24): 9620–9633.

40. Ma X, Chen Y. DDoS detection method based onchaos analysis of network traffic entropy. IEEE Com-munications Letters 2014; 18(1): 114–117.

41. Sachdeva M, Kumar K, Singh G. A comprehensiveapproach to discriminate DDoS attacks from flashevents. Journal of Information Security and Applica-tions 2016; 26: 8–22.

42. Saied A, Overill RE, Radzik T. Detection of knownand unknown DDoS attacks using artificial neuralnetworks. Neurocomputing 2016; 172: 385–393.

Security Comm. Networks (2016) © 2016 John Wiley & Sons, Ltd.

DOI: 10.1002/sec