Research of network traffic entropy as a DDOS-attack indicator

User Rating:  / 0
PoorBest 

Authors:

Т.V. Babenko, Dr. Sci. (Tech.), Professor, State Higher Educational Institution “National Mining University”, Head of the Department of Information Security and Telecommunications, Head of Information Computer Complex, Dnipropetrovsk, Ukraine

Abstract:

Рurpose. In order to improve the efficiency of IDS (intrusion detection systems), ADS (anomaly detection system) and information security systems management we perform theoretical and experimental studies on the possibility of using the real-time calculated values of information entropy as a basic indicator of attacks of network services.

Methodology. Applied methods include collecting statistical information on IP network normal mode performance, modeling of processes that cause IP network abnormal states, collecting statistical information on the network performance under DDOS-attacks at network services, determining the rolling window optimal size, calculation of information entropy values and their comparison to the reference values for this IP network.

Findings. The values of information entropy calculated in real time with the use of the rolling window method are an effective indicator of anomalous IP network states and can be used for intrusion detection in information security systems management.

Originality. The algorithm for calculating the information entropy allowing significant speeding up the calculations in comparison with the classical algorithm by using a moving window method and performing them in real time has been proposed.

Practical value. The new method of the information entropy computing based on theoretical and experimental studies allows using this indicator to analyze network traffic in real time in IDS, MDS and ADS systems.

 

References:

1. Skarfone, K. and Mell, P. (20007), Guide to intrusion detection and prevention systems, National Institute of Standards and Technology, available at: csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

2. Feinstein, L. and Schnackenberg, D. “Statistical Approaches to DDOS Attack Detection and Response”, Proc. of the DARPA Information Survivability Conference and Expostion (DISCEX'03), April 2003.

3. Seong Soo Kim, (2005), “Real-time Analysis of Aggregate Network Traffic for Anomaly Detection”, PhD dissertation, Computer Engineering, Yonsei University, available at: http:// cesg.tamu.edu/wp-content/uploads /2012/02/TAMU-ECE-2005-02.pdf

4. Олифер В.Г. Компьютерные сети. Принципы, технологии, протоколы /В.Г. Олифер, Н.А. Олифер – СПб.: Питер, 2010. – 943 с.

Olifer, V.G. and Olifer, N.A. (2010), Kompyuternye seti. Printsypy, tekhnologii, protokoly [Computer Networks. Principles, Technologies, Protocols], Piter, St.-Petersborg, Russia.

5. Gudkov, O. (2012), “Calculation Algorithm for Network Flow Parameters Entropy in Anomaly Detection. IT Security for the Next Generation”, International Round, Delft University of Technology, May 11–13, 2012.

Files:
2013_2_babenko
Date 2014-05-06 Filesize 510.59 KB Download 1138

Visitors

7351064
Today
This Month
All days
339
40567
7351064

Guest Book

If you have questions, comments or suggestions, you can write them in our "Guest Book"

Registration data

ISSN (print) 2071-2227,
ISSN (online) 2223-2362.
Journal was registered by Ministry of Justice of Ukraine.
Registration number КВ No.17742-6592PR dated April 27, 2011.

Contacts

D.Yavornytskyi ave.,19, pavilion 3, room 24-а, Dnipro, 49005
Tel.: +38 (056) 746 32 79.
e-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.
You are here: Home Archive by issue 2013 Contents No.2 2013 Information technologies, systems analysis and administration Research of network traffic entropy as a DDOS-attack indicator