Distributed denial of service (DDoS) attacks pose a severe threat to extensively used web-based services and applications. Many detection approaches have been proposed in the literature, but ensuring the security and availability of data, resources, and services to end users remains an ongoing research challenge. Nowadays, the traffic volume of legitimate users has also increased manifold. A flash event (FE) is a high-rate legitimate traffic situation wherein millions of legitimate users start accessing a particular network resource, such as a web server, simultaneously. The detection of DDoS attacks becomes more challenging when DDoS attacks are launched during behaviorally similar FEs. This research paper proposes a generalized detection system for metrics, based on information theory, capable of detecting different types of DDoS attacks and FEs. We used publically available MIT Lincoln, CAIDA, and FIFA datasets along with a synthetically generated DDoSTB dataset to validate the proposed detection algorithm in terms of various detection system evaluation metrics such as false positive rate, false negative rate, classification rate, and detection accuracy. Such a generalized detection system would be useful to researchers for validating and comparing various information theory metrics based solutions.
DDoS attacks, network security, information theory, flash event, entropy, divergence
BEHAL, SUNNY; KUMAR, KRISHAN; and SACHDEVA, MONIKA
"A generalized detection system to detect distributed denial of service attacks and flash events for information theory metrics,"
Turkish Journal of Electrical Engineering and Computer Sciences: Vol. 26:
4, Article 7.
Available at: https://journals.tubitak.gov.tr/elektrik/vol26/iss4/7