An Improved Packet size Entropy Based DoS Attack Detection Scheme

Abstract

A denial-of-service attack is an attempt by a single person or a group of people to disrupt an online service. The cost of the attack depends on the importance of the online service in the Internet world, whether it is online banking or online shopping. Shutting down some services for some hours can cost millions and millions of dollars for companies like Amazon, eBay, HSBC, etc. So a denial-of-service attack is a very serious problem in the online world. By recognizing such an attack at the beginning can reduce the damage caused by these attacks. Even so, such an attempt is extremely difficult on the networks where the traffic is very high. Furthermore, people who were determined to take down a particular network service will definitely do a lot of homework and can cause much more damage than a general denial-of-service attack can. However, there are a lot of mechanisms available today to identify the denial-of-service attacks. One such method is entropy based detection scheme. In entropy based detection scheme, packet size entropy based scheme is much faster and easy to implement. Even so, there are some shortcomings as well to this method. This thesis introduces a new parameter to the packet size entropy based DoS attack detection scheme so that it can improve the detection accuracy. The new parameter is the entropy of the source and destination IP address combination. I.e. a concatenation of both addresses will give a hash like value, which can uniquely identify a particular path. By this parameter, even if the attacker changes the packet size using simple application programs for packets such as ICMP, the attack can be detected.