Denial-of-Service Attack Detection via Differential Analysis of Generalized Entropy Progressions
Omer Subasi, Joseph Manzano, Kevin Barker

TL;DR
This paper introduces a scalable, threshold-free method for detecting DoS attacks by differential analysis of generalized entropy progressions: it continuously fits a line to the entropy progression and flags an attack when the slope falls below the negative of the dynamically computed standard deviation of past slopes. On five real-world network traffic datasets it outperforms threshold-based detection by two orders of magnitude on average while keeping false positive rates at or below 7%.
Contribution
It proposes a novel differential detection method based on entropy progressions that replaces fixed thresholds with a dynamically computed standard deviation of the progression's derivatives, and that outperforms traditional threshold-based approaches in accuracy while remaining lightweight enough to scale.
Findings
Outperforms threshold-based DoS detection by two orders of magnitude on average across five real-world network traffic datasets.
Achieves false positive rates of up to 7%, with an average of 3%.
The method is lightweight, scalable, and suitable for real-time network traffic analysis, since it only requires per-window entropy values, a running line fit and a running standard deviation.
Abstract
Denial-of-Service (DoS) attacks are among the most common and consequential cyber attacks in computer networks. While existing research offers a plethora of detection methods, achieving both scalability and high detection accuracy remains an open problem. In this work, we address this problem by developing a differential method based on generalized entropy progressions. In this method, we continuously fit a line of best fit to the entropy progression and check whether its derivative, that is, the slope of this line, is less than the negative of the dynamically computed standard deviation of the derivatives. As a result, no fixed threshold is needed, and results on five real-world network traffic datasets confirm that our method outperforms threshold-based DoS attack detection by two orders of magnitude on average. Our method achieves false positive rates that are up to 7%…
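The detection rule described in the abstract, written out as an added worked example (this is not the authors' code and does not reproduce their experiments). The abstract does not fix the generalized entropy, the fit length or how the baseline is bootstrapped, so the block assumes Rényi entropy of order 2 over per-window source-IP counts, a line fitted to the last 5 entropy values, a warm-up of 6 derivatives before any window is judged, and a standard deviation taken over the derivatives seen before the current one. The traffic windows are constructed: twelve windows of evenly spread clients followed by four windows in which one source floods.

```python
import math
import statistics
from collections import Counter

# Added example of the abstract's rule: fit a line to the entropy
# progression, alarm when its slope < -(std of earlier slopes).
# Not the authors' code. ALPHA, FIT_LEN and WARMUP are assumed parameters
# that the abstract does not specify.
ALPHA = 2.0      # Renyi order assumed as the "generalized entropy"
FIT_LEN = 5      # entropy values the line of best fit is fitted to
WARMUP = 6       # derivatives collected before any alarm is judged


def renyi_entropy(counts, alpha=ALPHA):
    """Renyi entropy (bits) of order alpha of the empirical distribution in counts."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    probs = [c / total for c in counts.values() if c > 0]
    if alpha == 1.0:  # Shannon limit
        return -sum(p * math.log2(p) for p in probs)
    return math.log2(sum(p ** alpha for p in probs)) / (1.0 - alpha)


def lsq_slope(values):
    """Slope of the least-squares line through (0, v0), (1, v1), ..., (n-1, v(n-1))."""
    n = len(values)
    x_mean = (n - 1) / 2.0
    y_mean = sum(values) / n
    sxx = sum((x - x_mean) ** 2 for x in range(n))
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(values))
    return sxy / sxx if sxx else 0.0


class EntropyProgressionDetector:
    """Threshold-free DoS detector over a stream of per-window source-IP counts."""

    def __init__(self, fit_len=FIT_LEN, warmup=WARMUP, alpha=ALPHA):
        self.fit_len = fit_len
        self.warmup = warmup
        self.alpha = alpha
        self.entropies = []     # the entropy progression
        self.derivatives = []   # slopes of the successive lines of best fit

    def observe(self, window_counts):
        """Feed one traffic window; return True if it is flagged as DoS."""
        self.entropies.append(renyi_entropy(window_counts, self.alpha))
        if len(self.entropies) < self.fit_len:
            return False
        d = lsq_slope(self.entropies[-self.fit_len:])
        alarm = False
        # sigma is recomputed from the derivatives seen before this one
        # (assumption: excluding the current derivative keeps a sudden drop
        # from inflating its own yardstick). Note that a perfectly constant
        # baseline gives sigma == 0, so any negative slope would alarm; real
        # traffic jitter keeps sigma positive.
        if len(self.derivatives) >= self.warmup:
            sigma = statistics.pstdev(self.derivatives)
            alarm = d < -sigma
        self.derivatives.append(d)
        return alarm


def build_sample_windows():
    """Constructed traffic: 12 normal windows, then 4 windows with one flooding source."""
    windows = []
    for t in range(16):
        n_sources = 24 + (t % 3)                     # mild jitter in client count
        counts = Counter({f"192.0.2.{k}": 2 for k in range(n_sources)})
        if t >= 12:                                   # flood from a single source
            counts["203.0.113.7"] += 400
        windows.append(counts)
    return windows


def run(windows):
    """Return the indices of the windows flagged as DoS."""
    det = EntropyProgressionDetector()
    return [i for i, w in enumerate(windows) if det.observe(w)]


if __name__ == "__main__":
    print("alarms at windows:", run(build_sample_windows()))
```

On the constructed stream the entropy sits near log2(25) bits while traffic is spread over the clients and collapses to about 0.33 bits once the flooding source dominates; the slope of the fitted line then drops from a few thousandths to below -0.8, far past the negative of the baseline standard deviation, so windows 12 to 15 are flagged and none of the normal windows are. The warm-up length is the practical knob here: judging too early, when only a handful of derivatives are available, makes ordinary jitter look like a drop, which is the false-positive mode the abstract's rates measure.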
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Anomaly Detection Techniques and Applications
