Early DoS/DDoS Detection Method using Short-term Statistics

• Published in: 2010 International Conference on Complex, Intelligent and Software Intensive Systems pp. 168 - 173
• Main Authors: Oshima, Shunsuke, Nakashima, Takuo, Sueyoshi, Toshinori
• Format: Conference Proceeding
• Language: English
• Published: IEEE 01.02.2010
• Subjects: A test of significance; Competitive intelligence; Computer crime; DoS/DDoS attacks; Entropy; IDS; Intelligent systems; Intrusion detection; Short-term entropy; Software systems; Statistical Method; Statistics; Systems engineering and theory; Testing; Web server
• ISBN: 1424459176; 9781424459179
• DOI: 10.1109/CISIS.2010.53

Early detection methods are required to prevent the DoS / DDoS attacks. The detection methods using the entropy have been classified into the long-term entropy based on the observation of more than 10,000 packets and the short-term entropy that of less than 10,000 packets. The long-term entropy have less fluctuation leading to easy detection of anomaly accesses using the threshold, while having the defects in detection at the early attacking stage and of difficulty to trace the short term attacks. In this paper, we propose and evaluate the DoS/DDoS detection method based on the short-term entropy focusing on the early detection. Firstly, the pre-experiment extracted the effective window width; 50 for DDoS and 500 for slow DoS attacks. Secondly, we showed that classifying the type of attacks can be made possible using the distribution of the average and standard deviation of the entropy. In addition, we generated the pseudo attacking packets under a normal condition to calculate the entropy and carry out a test of significance. When the number of attacking packets is equal to the number of arriving packets, the high detection results with False-negative = 5% was extracted, and the effectiveness of the proposed method was shown.