Entropy clustering approach for improving forecasting in DDoS attacks

Title: Entropy clustering approach for improving forecasting in DDoS attacks
Publication Type: Conference Paper
Year of Publication: 2015
Authors: Olabelurin, A., Veluru, S., Healing, A., Rajarajan, M.
Conference Name: 2015 IEEE 12th International Conference on Networking, Sensing and Control
Date Published: April 2015
ISBN Number: 978-1-4799-8069-7
Keywords: alert management, Algorithm design and analysis, clustering algorithm, Clustering algorithms, Computer crime, computer network security, cyber-range simulation dataset, DDoS Attacks, digital forensic analysis, digital forensics, distributed denial-of-service, distributed denial-of-service (DDoS) detection, Entropy, entropy clustering approach, false positive rate, feature extraction, Forecasting, forecasting theory, FPR, IDS, intrusion detection system, k-means clustering analysis, network analysis, Network security, online anomaly detection, pattern clustering, Ports (Computers), proactive forecast, project industrial partner, pubcrawl170109, Shannon entropy, Shannon-entropy concept, volume anomaly

Volume anomalies such as distributed denial-of-service (DDoS) attacks have been around for ages, but with advances in technology they have become stronger, shorter, and the weapon of choice for attackers. Digital forensic analysis of intrusions using the alerts generated by an existing intrusion detection system (IDS) faces major challenges, especially for an IDS deployed in a large network. In this paper, the concept of automatically sifting through a huge volume of alerts to distinguish the different stages of a DDoS attack is developed. The proposed novel framework is purpose-built to analyze multiple logs from the network for proactive forecasting and timely detection of DDoS attacks, through a combined approach of the Shannon-entropy concept and a clustering algorithm applied to relevant feature variables. Experimental studies on a cyber-range simulation dataset from the project's industrial partners show that the technique is able to distinguish precursor alerts for DDoS attacks, as well as the attack itself, with a very low false positive rate (FPR) of 22.5%. Application of this technique greatly assists security experts in network analysis to combat DDoS attacks.
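As an added illustration of the approach the abstract describes (example code written for this record, not the paper's own implementation or its cyber-range dataset): per-window Shannon entropy of two alert features, then k-means over the resulting entropy vectors so that ordinary windows, a single-source probing stage, and a many-source flood stage fall into separate clusters. The choice of features (source IP and destination port), the window grouping, k=3, and the sample alerts are all assumptions made here.

```python
from collections import Counter, defaultdict
from math import log2

# Constructed IDS alerts (not the paper's data): (window, src_ip, dst_port).
ALERTS = [
    # windows 0-1: ordinary traffic, varied sources and varied ports
    (0, "10.0.0.1", 22), (0, "10.0.0.2", 443), (0, "10.0.0.3", 80), (0, "10.0.0.4", 53),
    (1, "10.0.0.1", 443), (1, "10.0.0.2", 22), (1, "10.0.0.3", 53), (1, "10.0.0.1", 443),
    # window 2: precursor stage, one source touching many ports (low src, high port entropy)
    *[(2, "203.0.113.5", p) for p in (21, 22, 23, 25, 80, 443, 3389, 8080)],
    # windows 3-4: flood stage, many sources converging on one port (high src, zero port entropy)
    *[(3, f"198.51.100.{i}", 80) for i in range(1, 9)],
    *[(4, f"198.51.100.{i}", 80) for i in range(1, 9)],
]

def shannon_entropy(values):
    """H = -sum(p * log2 p) over the empirical distribution of `values`, in bits."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())

def window_features(alerts):
    """Per window: (entropy of source IPs, entropy of destination ports)."""
    by_window = defaultdict(list)
    for w, src, dport in alerts:
        by_window[w].append((src, dport))
    return {w: (shannon_entropy([s for s, _ in rows]),
                shannon_entropy([d for _, d in rows]))
            for w, rows in sorted(by_window.items())}

def kmeans(points, k=3, iters=25):
    """Plain k-means with deterministic farthest-point seeding; returns one label per point."""
    dist = lambda a, b: sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5
    centroids = [points[0]]
    while len(centroids) < k:  # seed with the point farthest from all current centroids
        centroids.append(max(points, key=lambda p: min(dist(p, c) for c in centroids)))
    for _ in range(iters):
        labels = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        new = []
        for j in range(k):
            members = [p for p, l in zip(points, labels) if l == j]
            new.append(tuple(sum(col) / len(members) for col in zip(*members)) if members else centroids[j])
        if new == centroids:
            break
        centroids = new
    return labels

def cluster_windows(alerts, k=3):
    """Map each window to ((H_src, H_dport), cluster_label)."""
    feats = window_features(alerts)
    labels = kmeans(list(feats.values()), k)
    return {w: (h, lab) for (w, h), lab in zip(feats.items(), labels)}
```

With these alerts the two ordinary windows share a cluster, the two flood windows share another, and the probing window sits alone, which is the stage separation the abstract describes.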

Citation Key: olabelurin_entropy_2015