Complex Sciences. First International Conference, Complex 2009, Shanghai, China, February 23-25, 2009, Revised Papers, Part 2

Research Article

Entropy Based Detection of DDoS Attacks in Packet Switching Network Models

Download
392 downloads
  • @INPROCEEDINGS{10.1007/978-3-642-02469-6_57,
        author={Anna Lawniczak and Hao Wu and Bruno Stefano},
        title={Entropy Based Detection of DDoS Attacks in Packet Switching Network Models},
        proceedings={Complex Sciences. First International Conference, Complex 2009, Shanghai, China, February 23-25, 2009, Revised Papers, Part 2},
        proceedings_a={COMPLEX PART 2},
        year={2012},
        month={5},
        keywords={distributed denial of service attack packet switching network entropy},
        doi={10.1007/978-3-642-02469-6_57}
    }
    
  • Anna Lawniczak
    Hao Wu
    Bruno Stefano
    Year: 2012
    Entropy Based Detection of DDoS Attacks in Packet Switching Network Models
    COMPLEX PART 2
    Springer
    DOI: 10.1007/978-3-642-02469-6_57
Anna Lawniczak1,*, Hao Wu1,*, Bruno Stefano2,*
  • 1: University of Guelph
  • 2: Nuptek Systems Ltd.
*Contact email: alawnicz@uoguelph.ca, wuh@uoguelph.ca, b.distefano@ieee.org

Abstract

Distributed denial-of-service (DDoS) attacks are network-wide attacks that cannot be detected or stopped easily. They affect “natural” spatio-temporal packet traffic patterns, i.e. “natural distributions” of packets passing through the routers. Thus, they affect “natural” information entropy profiles, a sort of “fingerprints”, of normal packet traffic. We study if by monitoring information entropy of packet traffic through selected routers one may detect DDoS attacks or anomalous packet traffic in packet switching network (PSN) models. Our simulations show that the considered DDoS attacks of “ping” type cause shifts in information entropy profiles of packet traffic monitored even at small sets of routers and that it is easier to detect these shifts if static routing is used instead of dynamic routing. Thus, network-wide monitoring of information entropy of packet traffic at properly selected routers may provide means for detecting DDoS attacks and other anomalous packet traffics.