DDoS Flooding Attack Detection Based on Joint-Entropy with Multiple Traffic Features

摘要

Distributed Denial of Service (DDoS) attacks are still considered as severe threats to the Internet. Previous works have used information entropy to detect DDoS flooding attacks. However, these methods usually only used source address as the feature of packets, and ignored other features. Besides, the entropy with single variable also has restricts in abnormal detection. In this paper, we propose a new joint-entropy-based DDoS detection solution with multiple features of packets. We choose flow duration, packet length, source address and destination port as the key features to detect different types of DDoS flooding attacks. We carry out the experiments with simulated campus network based on Software-defined Networking (SDN) architecture. The results show that our proposed method can effectively detect attacks of both forged and non-forged source address, and outperforms the previous single-entropy methods in terms of accuracy and false positive rate.