• DocumentCode
    3090294
  • Title

    An Entropy Algorithm to Improve the Performance and Protection from Denial-of-Service Attacks in NIDS

  • Author

    Gandhi, G.M. ; Srivatsa, S.K.

  • Volume
    1
  • fYear
    2009
  • fDate
    28-30 Dec. 2009
  • Firstpage
    603
  • Lastpage
    606
  • Abstract
    Distributed Denial-of-Service (DDoS) attacks have emerged as a popular means of causing mass targeted service disruptions, often for extended periods of time. The approaches used in the existing defense techniques are based on traffic characteristics such as traffic deviation, attack pattern matching, etc., which may not yield accurate detection and involve high complexity. In this paper, we propose an entropy-based architecture to defend against such distributed denial-of-service attacks. Our architecture includes attack tree construction, attacks detection and clustering of alerts. By calculating the predicted entropy for a router, alerts are raised for flows in which the predicted entropy is more than a threshold value. Then the alerts are grouped into different clusters according to their source, target, time and attack-type. It helps to avoid group redundant alerts and to associate alerts that are of the same nature. By simulation results, we show that the proposed architecture improves the detection accuracy and throughput while reducing the alert overhead.
  • Keywords
    distributed processing; entropy; security of data; NIDS; attack pattern matching; attacks detection; defense techniques; distributed denial-of-service attacks; entropy algorithm; traffic deviation; Computer crime; Educational institutions; Entropy; Ice; Internet; Intrusion detection; Pattern matching; Protection; Roads; Tree graphs; Distributed denial of service attacks; Intruders; attack tree; attack type; router entropy;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer and Electrical Engineering, 2009. ICCEE '09. Second International Conference on
  • Conference_Location
    Dubai
  • Print_ISBN
    978-1-4244-5365-8
  • Electronic_ISBN
    978-0-7695-3925-6
  • Type

    conf

  • DOI
    10.1109/ICCEE.2009.266
  • Filename
    5380175