Abstract

The detection of distributed denial of service (DDoS) attacks is one of the hardest problems faced by network security researchers. A flash event (FE), which is caused by a large number of legitimate requests, has characteristics similar to those of a DDoS attack. Moreover, DDoS attacks and FEs require altogether different handling procedures, so discriminating DDoS attacks from FEs is very important. However, research on DDoS detection has not laid enough emphasis on including FE scenarios in the experiments. In this paper, we use traffic cluster entropy as a detection metric, not only to detect DDoS attacks but also to distinguish them from FEs. We have validated our approach on the cyber-defense technology experimental research laboratory (DETER) testbed. Different emulation scenarios are created on DETER using a mix of legitimate, flash, and different types of attack traffic at varying strengths. It is found that when a flash event is triggered, source address entropy increases but the corresponding traffic cluster entropy does not increase. However, when a DDoS attack is launched, traffic cluster entropy increases along with source address entropy. An analysis of live traces on the DETER testbed clearly demonstrates the superiority of our approach.
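As an added illustration (not code from the paper), the following computes Shannon entropy over source addresses and over traffic clusters for three constructed traffic windows, showing the pattern the abstract describes: both a flash event and a DDoS attack raise source address entropy, but only the attack raises cluster entropy. It assumes that a traffic cluster is a /16 source prefix and uses illustrative decision thresholds; neither is specified on this page.

```python
# Added illustration (not the paper's code): Shannon entropy over source IPs
# versus over "traffic clusters" (assumed here to be /16 source prefixes).
import ipaddress
import math
from collections import Counter


def shannon_entropy(items):
    """Shannon entropy (bits) of the empirical distribution of `items`."""
    counts = Counter(items)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def source_entropy(src_ips):
    """Entropy of the per-packet source address distribution."""
    return shannon_entropy(src_ips)


def cluster_entropy(src_ips, prefix_len=16):
    """Entropy after collapsing each source into its /prefix_len network.
    The prefix length is an assumption made for this illustration."""
    clusters = [str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
                for ip in src_ips]
    return shannon_entropy(clusters)


def classify(baseline, current, src_rise=1.0, cluster_rise=0.5, prefix_len=16):
    """Compare a traffic window against a baseline window using both entropies.
    Thresholds (in bits) are illustrative, not values from the paper."""
    d_src = source_entropy(current) - source_entropy(baseline)
    d_cluster = (cluster_entropy(current, prefix_len)
                 - cluster_entropy(baseline, prefix_len))
    if d_src > src_rise and d_cluster > cluster_rise:
        return "ddos"         # many new sources spread over many new clusters
    if d_src > src_rise:
        return "flash_event"  # many new sources, but from the usual clusters
    return "normal"


# Constructed sample windows: one source IP per packet.
NETS = ["10.1", "10.2", "10.3"]                      # the server's usual client networks
BASELINE = [f"{n}.0.{h}" for n in NETS for h in range(1, 7)]    # 18 pkts, 3 clusters
FLASH = [f"{n}.0.{h}" for n in NETS for h in range(1, 61)]      # 180 pkts, same 3 clusters
DDOS = [f"10.{50 + i}.7.{i % 250 + 1}" for i in range(180)]     # 180 pkts, 180 spoofed /16s

if __name__ == "__main__":
    for name, win in (("baseline", BASELINE), ("flash", FLASH), ("ddos", DDOS)):
        print(f"{name:8s} H(src)={source_entropy(win):.2f} "
              f"H(cluster)={cluster_entropy(win):.2f}")
    print(classify(BASELINE, FLASH), classify(BASELINE, DDOS))
```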

Highlights

  • Denial of service (DoS) attacks attempt to make Internet resources as well as services unavailable to their intended users

  • We have proposed a mechanism to distinguish between flash event (FE) and distributed denial of service (DDoS) attacks using traffic cluster entropy

  • The flash crowd and DDoS attack are two important events which are experienced by the web services on the Internet


Summary

Introduction

Denial of service (DoS) attacks attempt to make Internet resources as well as services unavailable to their intended users. The problem of DDoS detection is further worsened by a very similar situation on the Internet called a flash event (FE), in which a large number of legitimate clients simultaneously access a web server. This can overload the web server, which may then be unable to deal with any requests. This is a particular problem for stock trading sites, online ticketing sites, sports betting sites, news portals, and government emergency information sites. The impact of both DDoS attacks and FEs is either complete disruption of services or large latencies due to overloading of scarce resources.

(v) analysis of DETER testbed traces for discriminating DDoS attacks from FEs and demonstrating the superiority of the traffic cluster entropy approach as compared to volume based approaches.

Flash Events
Related Work
Emulation Environment
Proposed Approach
Experiment Setup
Results and Discussion
Lannet0
Conclusion