Discriminating flash crowds from DDoS attacks using efficient thresholding algorithm

Distributed Denial-of-Service attacks have been a challenge to cyberspace, as the attackers send a large number of attack packets similar to the normal traffic, to throttle legitimate flows. These attacks intentionally disrupt the services offered by the systems resulting in heavy cost. A flash crow...

Full description

Saved in:
Bibliographic Details
Published in:Journal of parallel and distributed computing Vol. 152; pp. 79 - 87
Main Authors: David, Jisa, Thomas, Ciza
Format: Journal Article
Language:English
Published: Elsevier Inc 01.06.2021
Subjects:
DDoS attack
Network security
Tsallis entropy
Network security
DDoS attack
Tsallis entropy
ISSN:0743-7315, 1096-0848
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Distributed Denial-of-Service attacks have been a challenge to cyberspace, as the attackers send a large number of attack packets similar to the normal traffic, to throttle legitimate flows. These attacks intentionally disrupt the services offered by the systems resulting in heavy cost. A flash crowd or flash event is an unexpected surge in the number of visitors to a particular website resulting in a sudden increase in server load. Flash crowds, which are legitimate flows, are difficult to be discriminated from Distributed Denial-of-Service attacks that are illicit flows. Effective and accurate detection of Distributed Denial of Service attacks still remains a challenge due to the difficulty in its detection and the false alerts generated in the case of flash crowds. There is a trade off between detection rate and false positive rate. This work deals with an efficient and early detection of distributed denial of service attacks and discriminates flash crowd by considering two network traffic parameters such as packet size and destination IP address. Using these traffic features two attributes are computed and its generalized entropies are calculated. The threshold is computed using the mean value of network attributes to detect the attacks. Threshold updater can automatically adjust the threshold values according to the changes in the channel conditions. The data sets used to evaluate the performance of the proposed approach are the MIT Lincoln Laboratory DARPA data set and a data set generated in a University network. Experimental results show this research approach achieves higher detection rate and lower false positives in a much reduced processing time as compared to the existing methods. •Flash crowds which are legitimate flows are difficult to be discriminated from DDoS attacks that are illicit flows.•Generalized entropies are computed to detect DDoS attack.•Threshold updater can automatically adjust the threshold values according to the changes in the channel conditions.•Generated datasets for evaluation of algorithm.
ISSN:0743-7315
1096-0848
DOI:10.1016/j.jpdc.2021.02.019