Master in Web Science
Mathematics Department
Aristotle University of Thessaloniki

“Entropy and Denial of Service Attacks”

Zlatis Chris
Contents
• Denial of Service attacks – Definitions, related surveys
• Traceback of DDoS Attacks – Proposed method,
  advantages, future work
• Detection methods with Shannon and Renyi cross
  entropy – Previous works, proposed method, dataset
  and results
• The added value of entropy detection methods
• References
Definitions
• Distributed Denial of Service Attacks (DDoS Attacks) are defined as
  [4] “attempts to make a computer resource unavailable to its intended
  users”.
    – The attacker gains control of a huge number of independently owned
      and geographically distributed computers, called “zombies”, almost
      always without any knowledge of their owners.

• Ping flood is a type of DDoS attack directing a huge number of
  “ping” requests to the target victim. It exploits the “Internet Control
  Message Protocol” (ICMP). [4]
    – Huge number of ping ‘echo requests’ from a very large number of
      “zombies” → the victim is unable to conduct any network activity other
      than answering the ping ‘echo requests’ → overloaded and at a standstill.
Recent surveys
• DDoS has been a major threat to the Internet since the year 2000, and a
  recent survey of the largest 70 Internet operators in the world [4]
  demonstrated that:
1. DDoS attacks are increasing dramatically, and individual attacks
    are stronger and more sophisticated
2. The network security community does not have effective and
    efficient traceback methods to locate attackers, as it is easy for
    attackers to disguise themselves
3. The Mafiaboy attacks of February 2000 against Amazon and eBay
    caused millions of dollars of damage

→ There is a need to detect DDoS attacks as early as possible so that
  proper countermeasures can be applied and damage can be
  minimized.
Traceback of DDoS attacks
• IP traceback means the capability of identifying the actual source of
   any packet sent across the Internet → a traceback is successful if it can
   identify the zombies from which the DDoS attack packets entered the
   Internet.
There are two major methods for IP traceback: [6]
1. The probabilistic packet marking (PPM) and
2. The deterministic packet marking (DPM).
• The PPM strategy can only operate in a local range of the Internet
    (ISP network) → we cannot trace back to attack sources located
    outside the ISP network. The DPM strategy requires all the Internet
    routers to be updated for packet marking.
• Both of these strategies require routers to inject marks into
    individual packets → vulnerable to hacking, referred to as “packet
    pollution”.
IP Traceback using entropy variations
• IP traceback using information-theoretical parameters [6] → there
  is no packet marking in the proposed strategy → the inherited
  shortcomings of the packet marking mechanisms are avoided.

• The packets that are passing through a router are categorized into
  flows [6], which are defined by the upstream router where a packet
  came from, and the destination address of the packet.
   – During non attack periods, routers are required to observe and
      record entropy variations of local flows.
   – Once a DDoS attack has been identified, the victim initiates a
      pushback process to identify the locations of zombies…
IP Traceback using entropy variations
• The pushback process: [6]
1. The victim first identifies which of its upstream routers are in the
   attack tree based on the flow entropy variations it has
   accumulated, and then
2. submits requests to the related immediate upstream routers.
3. The upstream routers identify where the attack flows came from
   based on their local entropy variations that they have monitored.
4. Once the immediate upstream routers have identified the attack
   flows,
5. they will forward the requests to their immediate upstream
   routers, respectively, to identify the attacker sources further.

→ This procedure is repeated in a parallel and distributed fashion
  until it reaches the attack source(s).
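The router-side monitoring and the pushback procedure above can be illustrated with a small simulation. This is an added example written for this page, not code from [6]: flows are keyed by (upstream router, destination address) as the slides describe, each router keeps the flow entropy of a non-attack window as its baseline, and the victim's router starts pushback when the entropy variation exceeds a trigger level. The topology (victim V behind R0, fed by R1/R2 and leaf networks A to D), the trigger value and the per-flow packet ratio used to pick which upstream to query are assumptions of this example; [6] derives the attack flows from the entropy variation itself.

```python
import math
from collections import Counter


def shannon_entropy(counts):
    """Shannon entropy (bits) of a packet-count table, e.g. {flow: packets}."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total)
                for c in counts.values() if c > 0)


class Router:
    """Router-side module: records per-flow counts and a baseline entropy.

    A flow is keyed by (upstream router, destination address), as in [6].
    `upstreams` maps an upstream name to another Router, or to None when the
    upstream is a leaf network where no further pushback is possible.
    """

    def __init__(self, name, upstreams):
        self.name = name
        self.upstreams = upstreams
        self.baseline = Counter()   # flow counts from the last non-attack window
        self.current = Counter()    # flow counts in the window being observed

    def observe(self, upstream, dst, packets):
        self.current[(upstream, dst)] += packets

    def end_period(self):
        """Close a non-attack window: it becomes the baseline for comparison."""
        self.baseline, self.current = self.current, Counter()

    def entropy_variation(self):
        """Absolute change of local flow entropy versus the baseline window."""
        return abs(shannon_entropy(self.current) - shannon_entropy(self.baseline))

    def attack_upstreams(self, victim, ratio):
        """Upstreams whose flow to `victim` grew by at least `ratio` times.

        The per-flow packet ratio is an assumption of this example; [6]
        derives the attack flows from the entropy variation itself.
        """
        flagged = []
        for (up, dst), n in self.current.items():
            base = self.baseline.get((up, dst), 0)
            if dst == victim and n >= ratio * max(base, 1):
                flagged.append(up)
        return flagged


def pushback(router, victim, ratio=5.0):
    """Recursive pushback: ask each flagged upstream router to do the same,
    until a leaf network (None) is reached; returns 'router<-upstream' labels."""
    sources = []
    for up in router.attack_upstreams(victim, ratio):
        nxt = router.upstreams[up]
        if nxt is None:
            sources.append(f"{router.name}<-{up}")
        else:
            sources.extend(pushback(nxt, victim, ratio))
    return sources


def build_scenario(attack_packets):
    """Constructed topology (not from [6]): victim V sits behind R0; R0 is fed
    by R1 and R2; R1 by leaf networks A and B, R2 by C and D."""
    r1 = Router("R1", {"A": None, "B": None})
    r2 = Router("R2", {"C": None, "D": None})
    r0 = Router("R0", {"R1": r1, "R2": r2})

    def normal_traffic():
        r1.observe("A", "V", 50); r1.observe("B", "V", 50); r1.observe("A", "X", 100)
        r2.observe("C", "V", 50); r2.observe("D", "V", 50)
        r0.observe("R1", "V", 100); r0.observe("R2", "V", 100); r0.observe("R1", "X", 100)

    normal_traffic()                       # non-attack window -> baseline
    for r in (r0, r1, r2):
        r.end_period()
    normal_traffic()                       # attack window: normal traffic plus
    r1.observe("A", "V", attack_packets)   # a flood from a zombie in network A
    r0.observe("R1", "V", attack_packets)
    return r0


def trace(attack_packets, trigger=0.5, ratio=5.0):
    """Return (entropy variation at R0, located sources). `trigger` is the
    assumed entropy-variation level at which the victim starts pushback."""
    r0 = build_scenario(attack_packets)
    variation = r0.entropy_variation()
    if variation < trigger:
        return variation, []
    return variation, pushback(r0, "V", ratio)


if __name__ == "__main__":
    for pkts in (2000, 200):
        v, src = trace(pkts)
        print(f"attack={pkts} packets  entropy variation={v:.3f}  sources={src}")
```

Running it with a 2000-packet flood drives R0's flow entropy from log2(3) down to about 0.5 bits, the variation crosses the trigger, and pushback walks R0 → R1 → leaf network A. With a 200-packet flood (three times the normal flow) the variation stays around 0.2 bits and nothing is traced, which is the low-rate limitation the slides describe under future work.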
Advantages of traceback mechanism
The proposed traceback mechanism possesses the following
  advantages: [6]
• It overcomes the inherited drawbacks of packet marking methods,
  such as limited scalability, huge demands on storage space, and
  vulnerability to packet pollutions.
• It brings no modifications to current routing software → it works
  independently as an additional module on routers for monitoring
  and recording flow information.
• It will be effective for future packet flooding DDoS attacks because
  it is independent of traffic patterns.
→ It can achieve real-time traceback to attackers. Once the short-
  term flow information is in place at routers, and the victim notices
  that it is under attack, it will start the traceback procedure.
Future work on Traceback methods
Future work could be carried out in the following promising directions: [6]
1. The metric for DDoS attack flows could be further explored. The
   proposed method deals with the packet flooding type of attacks
   perfectly.
     – Attacks with low attack packet rates cannot be discriminated by the
       current metric, e.g. if the attack strength is less than seven times the
       strength of non-attack flows. Therefore, a metric of finer granularity
       is required to deal with such situations.

2. Location estimation of attackers with partial information. When
   the attack strength is less than seven times the normal flow packet
   rate, the proposed method cannot succeed at the moment.
     – The attack can be detected with the information that we have
       accumulated so far, using traditional methods or recently developed
       tools.
Detection methods with Shannon and Renyi cross entropy
An entropy-based method [1] is proposed to detect network attacks:
• The Shannon entropy is used to analyze the distribution
   characteristics of alerts with five key attributes, including source IP
   address, destination IP address, source threat, destination threat
   and datagram length, that reflect the regularity of the network status.
     – When the monitored network runs normally, the entropy values
       are relatively smooth. Otherwise, the entropy value of one or more
       features changes.

• Then, the Renyi cross entropy is employed to fuse the Shannon
  entropy vector and detect the anomalies. The Renyi cross entropy
  of these features is calculated to measure the network status and
  detect network attacks.
Previous works on entropy detection methods
• Gina investigated the extent of the false alert problem in Snort using
  the 1999 DARPA IDS evaluation data.
    – They found that 69% of the total generated alerts are considered to be false
      alerts. [1] These problems make it a frustrating task for security officers to
      detect network attacks quickly and accurately.
• Gu proposed an approach to detect anomalies in the network
  traffic using Maximum Entropy estimation.
    – The packet distribution of the benign traffic was estimated using the
      Maximum Entropy framework and used as a baseline to detect the
      anomalies.
• Qin used Renyi cross entropy to detect dynamic changes in the network
  traffic of large enterprises. Three traffic features were proposed to
  capture dynamic changes of traffic.
• A. Wagner and B. Plattner applied entropy to detect worms and
  anomalies in fast IP networks. The entropy contents of IP addresses
  were used to indicate a massive network event.
Dataset and results
• Methodology: [1] Use of Snort to monitor 32 C-class subnets in the
  campus network for two weeks, which include more than 3,000
  end users.
    – Alerts of Mar. 2nd were used as the experimental data: 1,147,906 alerts in this
      day with 79 signatures, 32,409 source IP addresses and 12,642 destination
      IP addresses → two alert sets collected from different time periods of
      Mar. 2nd served as training and test data.

The statistical results of the alerts suggest several interesting findings:
1. More alerts were generated in the daytime than at night due to
    people’s living habits. There were two peaks of alerts: 12:00 to
    14:00 and 21:00 to 23:30 → the end users are campus students.
2. The destination IP addresses change abruptly from 0:00 to 4:00,
    6:00 to 10:00, 12:00 to 16:00 and 18:00 to 22:00. By analyzing the
    alerts, they found many host scan attacks in these time periods.
The added value of Entropy methods
• The Shannon entropy is used to analyze the alerts to measure the
  regularity of the current network status.
    – The values are relatively smooth when no attack occurs; otherwise, one or
      some of the values change abruptly.

• The Renyi cross entropy is employed to detect network attacks.
    – The Renyi cross entropy value is near 0 when the network runs
      normally; otherwise the value changes abruptly when an attack occurs.

• However, although the Shannon entropies reflect the regularity of the
  network status, it is difficult to detect attacks directly by using five
  fixed thresholds [1], because the Shannon entropy value varies with
  the activities of end users even when the network runs normally.
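The two-stage detection of [1] (one Shannon entropy per alert attribute, then a Renyi cross entropy that fuses the five values into a single score near 0 under normal conditions) can be worked through on a small constructed alert set. This is an added example for this page, not code from [1]: the alert records, the choice of the Renyi divergence of order α = 2 between the normalized entropy vectors of a test window and a training window as the "cross entropy", and the alarm threshold are all assumptions. The scan window models the host-scan behaviour the slides report: one source sweeping many destinations, so the source-IP entropy collapses while the destination-IP entropy jumps.

```python
import math
from collections import Counter

# The five alert attributes whose Shannon entropies form the feature vector [1].
ATTRIBUTES = ("src_ip", "dst_ip", "src_threat", "dst_threat", "length")


def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    n = len(values)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def entropy_vector(alerts):
    """One Shannon entropy per attribute over a window of alert records."""
    return [shannon_entropy([a[k] for a in alerts]) for k in ATTRIBUTES]


def normalize(vec):
    """Turn a non-negative vector into a probability distribution."""
    total = sum(vec)
    return [v / total for v in vec] if total > 0 else [1.0 / len(vec)] * len(vec)


def renyi_divergence(p, q, alpha=2.0, eps=1e-12):
    """Renyi divergence of order alpha, D_alpha(p || q) =
    log2(sum p_i^alpha * q_i^(1-alpha)) / (alpha - 1).  Zero when p == q.
    Using this as the 'Renyi cross entropy' of [1] is an assumption of this
    example; `eps` keeps a zero in q from raising a division error."""
    s = sum(pi ** alpha * max(qi, eps) ** (1.0 - alpha)
            for pi, qi in zip(p, q) if pi > 0)
    return math.log2(s) / (alpha - 1.0)


def anomaly_score(train_alerts, test_alerts, alpha=2.0):
    """Fuse the five Shannon entropies into one number: divergence of the
    test window's normalized entropy vector from the training window's."""
    p = normalize(entropy_vector(test_alerts))
    q = normalize(entropy_vector(train_alerts))
    return renyi_divergence(p, q, alpha)


def detect(train_alerts, test_alerts, threshold=0.5):
    """(score, alarm): alarm when the fused score departs from ~0 by more than
    `threshold` (the threshold value is an assumption, not a figure from [1])."""
    score = anomaly_score(train_alerts, test_alerts)
    return score, score > threshold


def make_alerts(src_ips, dst_ips, src_threats, dst_threats, lengths):
    """Zip attribute columns into alert records (constructed sample data)."""
    rows = zip(src_ips, dst_ips, src_threats, dst_threats, lengths)
    return [dict(zip(ATTRIBUTES, row)) for row in rows]


# Constructed training window: a few hosts talking to a few hosts, mixed sizes.
TRAIN = make_alerts(
    ["10.0.0.1", "10.0.0.1", "10.0.0.2", "10.0.0.2", "10.0.0.3", "10.0.0.3", "10.0.0.4", "10.0.0.4"],
    ["10.1.0.1", "10.1.0.2", "10.1.0.3", "10.1.0.4", "10.1.0.1", "10.1.0.2", "10.1.0.3", "10.1.0.4"],
    ["low"] * 4 + ["medium"] * 4,
    ["low", "medium"] * 4,
    [60, 60, 120, 120, 300, 300, 1500, 1500],
)
# Constructed normal test window: different addresses, same regularity.
TEST_NORMAL = make_alerts(
    ["10.0.0.7", "10.0.0.8", "10.0.0.7", "10.0.0.8", "10.0.0.9", "10.0.0.9", "10.0.0.6", "10.0.0.6"],
    ["10.1.0.9", "10.1.0.9", "10.1.0.8", "10.1.0.8", "10.1.0.7", "10.1.0.7", "10.1.0.6", "10.1.0.6"],
    ["medium", "low"] * 4,
    ["low"] * 4 + ["medium"] * 4,
    [60, 120, 300, 1500] * 2,
)
# Constructed host-scan window: one source sweeping eight destinations with
# identical probes, so src_ip entropy collapses while dst_ip entropy jumps.
TEST_SCAN = make_alerts(
    ["10.0.0.66"] * 8,
    [f"10.1.0.{i}" for i in range(1, 9)],
    ["medium"] * 8,
    ["low", "medium"] * 4,
    [40] * 8,
)

if __name__ == "__main__":
    print("entropy vector (train):", entropy_vector(TRAIN))
    for name, window in (("normal", TEST_NORMAL), ("scan", TEST_SCAN)):
        score, alarm = detect(TRAIN, window)
        print(f"{name}: score={score:.3f} alarm={alarm}")
```

The normal test window uses entirely different addresses than the training window, yet its entropy vector has the same shape, so the fused score is 0: this is the point of fusing the vector rather than thresholding each Shannon entropy on absolute values, which drift with user activity. The scan window yields a vector of [0, 3, 0, 1, 0] bits and a score of about 1.46, well above the assumed threshold.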
References
[1] Zhiwen Wang, Qin Xia, “An Approach on Detecting Network Attack Based
    on Entropy”, Xi’an Jiaotong University, China
[2] Hoa Dinh Nguyen, Sandeep Gutta, Qi Cheng, “An Active Distributed
    Approach for Cyber Attack Detection”, Oklahoma State University
[3] Tsern-Huei Lee, Jyun-De He, “Entropy-Based Profiling of Network Traffic
    for Detection of Security Attack”, National Chiao Tung University, Taiwan
[4] Anna T. Lawniczak, Bruno N. Di Stefano, Hao Wu, “Detection & Study of
    DDoS Attacks Via Entropy in Data Network Models”, CISDA, 2009
[5] Stephen Schwab, Brett Wilson, Roshan Thomas, “Methodologies and
    Metrics for the Testing and Analysis of Distributed Denial of Service
    Attacks and Defenses”, SPARTA Inc.
[6] Shui Yu, Wanlei Zhou, Robin Doss, Weijia Jia, “Traceback of DDoS Attacks
    Using Entropy Variations”, IEEE, March 2011
Thank you.

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 

Entropy and denial of service attacks

Master in Web Science
Mathematics Department
Aristotle University of Thessaloniki

“Entropy and Denial of Service Attacks”

Zlatis Chris
Contents
• Denial of Service attacks – Definitions, related surveys
• Traceback of DDoS Attacks – Proposed method, advantages, future work
• Detection methods with Shannon and Renyi cross entropy – Previous works, proposed method, dataset and results
• The added value of entropy detection methods
• References
Definitions
• Distributed Denial of Service Attacks (DDoS Attacks) are defined as [4] “attempts to make a computer resource unavailable to its intended users”.
    – The attacker gains control of a huge number of independently owned and geographically distributed computers, called “zombies”, almost always without any knowledge of their owners.
• Ping flood is a type of DDoS attack directing a huge number of “ping” requests to the target victim. It exploits the “Internet Control Message Protocol” (ICMP). [4]
    – A huge number of ping ‘echo requests’ from a very large number of “zombies” → the victim is unable to conduct any network activity other than answering the ping ‘echo requests’ → overloaded and at a standstill.
Recent surveys
• DDoS has been a major threat to the Internet since the year 2000, and a recent survey of the largest 70 Internet operators in the world [4] demonstrated that:
1. DDoS attacks are increasing dramatically, and individual attacks are stronger and more sophisticated
2. The network security community does not have effective and efficient traceback methods to locate attackers, as it is easy for attackers to disguise themselves
3. The Mafiaboy attacks of February 2000 against Amazon and eBay caused millions of dollars in damage
→ There is a need to detect DDoS attacks as early as possible so that proper countermeasures can be applied and damage can be minimized.
Traceback of DDoS attacks
• IP traceback means the capability of identifying the actual source of any packet sent across the Internet → successful if it can identify the zombies from which the DDoS attack packets entered the Internet. There are two major methods for IP traceback: [6]
1. Probabilistic packet marking (PPM), and
2. Deterministic packet marking (DPM).
• The PPM strategy can only operate in a local range of the Internet (an ISP network) → we cannot trace back to attack sources located outside the ISP network. The DPM strategy requires all Internet routers to be updated for packet marking.
• Both of these strategies require routers to inject marks into individual packets → vulnerable to hacking, referred to as “packet pollution”.
IP Traceback using entropy variations
• IP traceback using information theoretical parameters [6] → there is no packet marking in the proposed strategy → it avoids the inherent shortcomings of the packet marking mechanisms.
• The packets passing through a router are categorized into flows [6], which are defined by the upstream router a packet came from and the destination address of the packet.
    – During non-attack periods, routers are required to observe and record entropy variations of local flows.
    – Once a DDoS attack has been identified, the victim initiates a pushback process to identify the locations of zombies…
IP Traceback using entropy variations
• The pushback process: [6]
1. The victim first identifies which of its upstream routers are in the attack tree based on the flow entropy variations it has accumulated, and then
2. submits requests to the related immediate upstream routers.
3. The upstream routers identify where the attack flows came from based on the local entropy variations they have monitored.
4. Once the immediate upstream routers have identified the attack flows,
5. they forward the requests to their own immediate upstream routers, respectively, to identify the attacker sources further.
→ This procedure is repeated in a parallel and distributed fashion until it reaches the attack source(s).
Advantages of traceback mechanism
The proposed traceback mechanism possesses the following advantages: [6]
• It overcomes the inherent drawbacks of packet marking methods, such as limited scalability, huge demands on storage space, and vulnerability to packet pollution.
• It brings no modifications to current routing software → it works independently as an additional module on routers for monitoring and recording flow information.
• It will be effective for future packet flooding DDoS attacks because it is independent of traffic patterns.
→ It can achieve real-time traceback to attackers. Once the short-term flow information is in place at routers, and the victim notices that it is under attack, it will start the traceback procedure.
Future work on Traceback methods
Future work could be carried out in the following promising directions: [6]
1. The metric for DDoS attack flows could be further explored. The proposed method deals with the packet flooding type of attacks perfectly.
→ Attacks with low attack packet rates, e.g., if the attack strength is less than seven times the strength of non-attack flows, cannot be discriminated by the current metric. Therefore, a metric of finer granularity is required to deal with such situations.
2. Location estimation of attackers with partial information. When the attack strength is less than seven times the normal flow packet rate, the proposed method cannot succeed at the moment.
→ The attack can be detected with the information accumulated so far using traditional methods or recently developed tools.
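As an added example, not code from [6] or from these slides, the following Python model walks through the pushback procedure of slides 6 and 7: each router keeps flow entropies from quiet windows, flags a window whose entropy leaves the baseline, attributes flows to the attack with the seven-times strength limit from slide 9, and hands the request to the flagged upstream routers until an edge host is reached. The topology, packet counts, the 3σ rule and the 0.01 floor on σ are constructed assumptions.

```python
import math
from statistics import mean, pstdev

def shannon_entropy(counts):
    """Shannon entropy (bits) of the packet-count distribution over flows."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)

class Router:
    """Toy router for the entropy-variation scheme of [6] (my model, not the paper's code).
    A flow is (upstream label, destination); `upstream` maps label -> Router or None (edge host)."""
    def __init__(self, name, upstream):
        self.name, self.upstream, self.windows = name, upstream, []  # windows: quiet-period counts

    def attack_flows(self, counts, delta=3.0, strength=7):
        """Upstream labels carrying attack flows in `counts`, or [] when the window's
        entropy stays within delta*sigma of the non-attack baseline."""
        hs = [shannon_entropy(w) for w in self.windows]
        mu, sigma = mean(hs), max(pstdev(hs), 0.01)   # 0.01 floor is an assumption
        if abs(shannon_entropy(counts) - mu) <= delta * sigma:
            return []
        # Attribute a flow to the attack when its packet count is at least `strength`
        # times its non-attack average (cf. the seven-times limit on slide 9).
        flagged = {flow[0] for flow, c in counts.items()
                   if c >= strength * max(mean([w.get(flow, 0) for w in self.windows]), 1.0)}
        return sorted(flagged)

def pushback(router, current, delta=3.0, strength=7):
    """Victim-initiated pushback: follow flagged flows upstream hop by hop until the
    flagged neighbour is an edge host (a zombie). `current`: router name -> attack-window counts."""
    sources = []
    for label in router.attack_flows(current[router.name], delta, strength):
        nxt = router.upstream[label]
        if nxt is None:
            sources.append(f"{label} via {router.name}")
        else:
            sources.extend(pushback(nxt, current, delta, strength))
    return sorted(sources)

# Constructed topology: zombie Z1 behind R1, zombie Z2 behind R3 (behind R1); H1, H2 benign.
R3 = Router("R3", {"Z2": None, "H1": None})
R1 = Router("R1", {"Z1": None, "R3": R3})
V = Router("V", {"R1": R1, "H2": None})
for k in range(4):   # four constructed quiet windows with mild jitter
    V.windows.append({("R1", "V"): 100 + k, ("H2", "V"): 100 - k})
    R1.windows.append({("Z1", "V"): 50 + k, ("R3", "V"): 50 - k, ("Z1", "W"): 40})
    R3.windows.append({("Z2", "V"): 30 + k, ("H1", "V"): 30 - k})
ATTACK = {"V": {("R1", "V"): 5000, ("H2", "V"): 110},   # constructed flood window
          "R1": {("Z1", "V"): 2500, ("R3", "V"): 2500, ("Z1", "W"): 40},
          "R3": {("Z2", "V"): 2470, ("H1", "V"): 30}}
```

`pushback(V, ATTACK)` returns `['Z1 via R1', 'Z2 via R3']`; the benign flows H1 and H2 are never flagged because their counts stay far below seven times their quiet-window average.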
Detection methods with Shannon and Renyi cross entropy
An entropy-based method [1] is proposed to detect network attacks:
• The Shannon entropy is used to analyze the distribution characteristics of alerts with five key attributes, including source IP address, destination IP address, source threat, destination threat and datagram length, that reflect the regularity of the network status.
    – When the monitored network runs normally, the entropy values are relatively smooth. Otherwise, the entropy value of one or more features changes.
• Then, the Renyi cross entropy is employed to fuse the Shannon entropy vector and detect the anomalies. The Renyi cross entropy of these features is calculated to measure the network status and detect network attacks.
Previous works on entropy detection methods
• Gina investigated the extent of the false alerts problem in Snort using the 1999 DARPA IDS evaluation data.
    – They found that 69% of the total generated alerts are considered to be false alerts. [1] These problems make it a frustrating task for security officers to detect network attacks quickly and accurately.
• Gu proposed an approach to detect anomalies in network traffic using Maximum Entropy estimation.
    – The packet distribution of the benign traffic was estimated using the Maximum Entropy framework and used as a baseline to detect the anomalies.
• Qin used Renyi cross entropy to detect dynamic changes in the network traffic of large enterprises. Three traffic features were proposed to capture dynamic changes of traffic.
• A. Wagner and B. Plattner applied entropy to detect worms and anomalies in fast IP networks. The entropy contents of IP addresses were used to indicate a massive network event.
Dataset and results
• Methodology: [1] Use of Snort to monitor 32 C-class subnets in the campus network for two weeks, which include more than 3,000 end users.
    – Alerts of Mar. 2nd as the experimental data: 1,147,906 alerts on this day with 79 signatures, 32,409 source IP addresses and 12,642 destination IP addresses → two alert sets collected from different time periods on Mar. 2nd serve as training and test data.
The statistical results of the alerts suggest several interesting findings:
1. More alerts were generated in daytime than at night due to people’s living habits. There were two peaks of alerts: 12:00 to 14:00 and 21:00 to 23:30 → the end users are campus students.
2. The destination IP addresses change abruptly from 0:00 to 4:00, 6:00 to 10:00, 12:00 to 16:00 and 18:00 to 22:00. By analyzing the alerts, they found many host scan attacks in these time periods.
The added value of Entropy methods
• The Shannon entropy is used to analyze the alerts to measure the regularity of the current network status.
    – The values are relatively smooth when no attack occurs; otherwise, one or some of the values change abruptly.
• The Renyi cross entropy is employed to detect network attacks.
    – The Renyi cross entropy value is near 0 when the network runs normally; otherwise the value changes abruptly when an attack occurs.
• However, although the Shannon entropies reflect the regularity of the network status, it is difficult to detect attacks directly using five fixed thresholds [1], because the Shannon entropy value varies with the activities of end users even when the network runs normally.
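An added Python example, not the code of [1], that computes the five Shannon entropies of slide 10 per alert window and fuses them into one Renyi cross entropy score against a training baseline, so that a single threshold replaces the five fixed thresholds criticised above; it is run on constructed alert windows shaped like the host scans of slide 12. The alert record layout, the order α = 2, the normalisation of the entropy vector into a distribution and the 0.05 threshold are assumptions.

```python
import math
from collections import Counter

FEATURES = ("src_ip", "dst_ip", "src_threat", "dst_threat", "dgm_len")

def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def entropy_vector(alerts):
    """One Shannon entropy per alert attribute for a window of alert records."""
    return [shannon_entropy([a[f] for a in alerts]) for f in FEATURES]

def renyi_divergence(p, q, alpha=2.0):
    """Renyi cross entropy (divergence) of order alpha between two non-negative
    vectors, each normalised to a distribution: 0 when p == q, larger as they part."""
    p = [x / sum(p) for x in p]
    q = [x / sum(q) for x in q]
    if any(pi > 0 and qi == 0 for pi, qi in zip(p, q)):
        return math.inf        # mass where the baseline has none
    s = sum(pi ** alpha * qi ** (1 - alpha) for pi, qi in zip(p, q) if pi > 0)
    return math.log2(s) / (alpha - 1)

def detect(train_windows, test_alerts, threshold=0.05, alpha=2.0):
    """Fuse the five Shannon entropies of `test_alerts` into one score: the Renyi
    divergence from the mean training entropy vector. Normalising the entropy
    vector to a distribution and the 0.05 threshold are my assumptions, not [1]'s."""
    train = [entropy_vector(w) for w in train_windows]
    baseline = [sum(col) / len(train) for col in zip(*train)]
    score = renyi_divergence(entropy_vector(test_alerts), baseline, alpha)
    return score, score > threshold

def synth(n, src_hosts, dst_hosts, lens):
    """Constructed quiet-period alerts cycling through the given value pools."""
    return [{"src_ip": f"10.0.0.{i % src_hosts}", "dst_ip": f"10.1.0.{i % dst_hosts}",
             "src_threat": i % 3, "dst_threat": (i // 3) % 3,
             "dgm_len": lens[i % len(lens)]} for i in range(n)]

LENS = (60, 120, 500, 1500)
TRAIN = [synth(600, h, 10, LENS) for h in (40, 38, 42)]       # constructed training windows
SCAN = [{"src_ip": "10.0.0.7", "dst_ip": f"10.1.{i // 256}.{i % 256}", "src_threat": 2,
         "dst_threat": 0, "dgm_len": 60} for i in range(600)]  # constructed host scan

if __name__ == "__main__":
    print(detect(TRAIN, SCAN))                      # flagged: True
    print(detect(TRAIN, synth(600, 41, 10, LENS)))  # flagged: False
```

The scan collapses four of the five entropies to 0 while the destination entropy jumps, so the fused score leaves 0 abruptly; a quiet window with a slightly different host population stays near 0, which is the behaviour slide 13 attributes to the Renyi cross entropy.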
References
[1] Zhiwen Wang, Qin Xia, “An Approach on Detecting Network Attack Based on Entropy”, Xi’an Jiaotong University, China
[2] Hoa Dinh Nguyen, Sandeep Gutta, Qi Cheng, “An Active Distributed Approach for Cyber Attack Detection”, Oklahoma State University
[3] Tsern-Huei Lee, Jyun-De He, “Entropy-Based Profiling of Network Traffic for Detection of Security Attack”, National Chiao Tung University, Taiwan
[4] Anna T. Lawniczak, Bruno N. Di Stefano, Hao Wu, “Detection & Study of DDoS Attacks Via Entropy in Data Network Models”, CISDA, 2009
[5] Stephen Schwab, Brett Wilson, Roshan Thomas, “Methodologies and Metrics for the Testing and Analysis of Distributed Denial of Service Attacks and Defenses”, SPARTA Inc.
[6] Shui Yu, Wanlei Zhou, Robin Doss, Weijia Jia, “Traceback of DDoS Attacks Using Entropy Variations”, IEEE, March 2011