Early DoS/DDoS Detection Method using Short-term Statistics
Early detection methods are required to prevent the DoS / DDoS attacks. The detection methods using the entropy have been classified into the long-term entropy based on the observation of more than 10,000 packets and the short-term entropy that of less than 10,000 packets. The long-term entropy have...
Saved in:
Published in | 2010 International Conference on Complex, Intelligent and Software Intensive Systems pp. 168 - 173 |
---|---|
Main Authors | , , |
Format | Conference Proceeding |
Language | English |
Published |
IEEE
01.02.2010
|
Subjects | |
Online Access | Get full text |
Cover
Loading…
Summary: | Early detection methods are required to prevent the DoS / DDoS attacks. The detection methods using the entropy have been classified into the long-term entropy based on the observation of more than 10,000 packets and the short-term entropy that of less than 10,000 packets. The long-term entropy have less fluctuation leading to easy detection of anomaly accesses using the threshold, while having the defects in detection at the early attacking stage and of difficulty to trace the short term attacks. In this paper, we propose and evaluate the DoS/DDoS detection method based on the short-term entropy focusing on the early detection. Firstly, the pre-experiment extracted the effective window width; 50 for DDoS and 500 for slow DoS attacks. Secondly, we showed that classifying the type of attacks can be made possible using the distribution of the average and standard deviation of the entropy. In addition, we generated the pseudo attacking packets under a normal condition to calculate the entropy and carry out a test of significance. When the number of attacking packets is equal to the number of arriving packets, the high detection results with False-negative = 5% was extracted, and the effectiveness of the proposed method was shown. |
---|---|
ISBN: | 1424459176 9781424459179 |
DOI: | 10.1109/CISIS.2010.53 |