Research of network traffic entropy as a DDOS-attack indicator
- Details
- Category: Information technologies, systems analysis and administration
- Last Updated on 09 May 2014
- Published on 16 April 2013
- Hits: 3703
Authors:
Т.V. Babenko, Dr. Sci. (Tech.), Professor, State Higher Educational Institution “National Mining University”, Head of the Department of Information Security and Telecommunications, Head of Information Computer Complex, Dnipropetrovsk, Ukraine
Abstract:
Рurpose. In order to improve the efficiency of IDS (intrusion detection systems), ADS (anomaly detection system) and information security systems management we perform theoretical and experimental studies on the possibility of using the real-time calculated values of information entropy as a basic indicator of attacks of network services.
Methodology. Applied methods include collecting statistical information on IP network normal mode performance, modeling of processes that cause IP network abnormal states, collecting statistical information on the network performance under DDOS-attacks at network services, determining the rolling window optimal size, calculation of information entropy values and their comparison to the reference values for this IP network.
Findings. The values of information entropy calculated in real time with the use of the rolling window method are an effective indicator of anomalous IP network states and can be used for intrusion detection in information security systems management.
Originality. The algorithm for calculating the information entropy allowing significant speeding up the calculations in comparison with the classical algorithm by using a moving window method and performing them in real time has been proposed.
Practical value. The new method of the information entropy computing based on theoretical and experimental studies allows using this indicator to analyze network traffic in real time in IDS, MDS and ADS systems.
References:
1. Skarfone, K. and Mell, P. (20007), Guide to intrusion detection and prevention systems, National Institute of Standards and Technology, available at: csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf
2. Feinstein, L. and Schnackenberg, D. “Statistical Approaches to DDOS Attack Detection and Response”, Proc. of the DARPA Information Survivability Conference and Expostion (DISCEX'03), April 2003.
3. Seong Soo Kim, (2005), “Real-time Analysis of Aggregate Network Traffic for Anomaly Detection”, PhD dissertation, Computer Engineering, Yonsei University, available at: http:// cesg.tamu.edu/wp-content/uploads /2012/02/TAMU-ECE-2005-02.pdf
4. Олифер В.Г. Компьютерные сети. Принципы, технологии, протоколы /В.Г. Олифер, Н.А. Олифер – СПб.: Питер, 2010. – 943 с.
Olifer, V.G. and Olifer, N.A. (2010), Kompyuternye seti. Printsypy, tekhnologii, protokoly [Computer Networks. Principles, Technologies, Protocols], Piter, St.-Petersborg, Russia.
5. Gudkov, O. (2012), “Calculation Algorithm for Network Flow Parameters Entropy in Anomaly Detection. IT Security for the Next Generation”, International Round, Delft University of Technology, May 11–13, 2012.
2013_2_babenko | |
2014-05-06 510.59 KB 1138 |