Adaptive DDoS Detector Design Using Fast Entropy Computation Method
Giseop No
School of Computer Science and Engineering, Seoul National University, Seoul, Korea
[email protected]

Ilkyeun Ra
Dept. of Computer Science and Engineering, University of Colorado Denver, Denver, Colorado, USA
[email protected]
Abstract: Recently, the threat of DDoS (Distributed Denial-of-Service) attacks has been growing continuously, and acquiring attack tools via the Internet is getting easier. A previous study introduced a fast method to detect attacks using a modified information entropy (so-called Fast Entropy). Fast Entropy shows a significant reduction of computational time compared to conventional entropy computation while maintaining detection accuracy. However, Fast Entropy requires manual threshold settings during the detection process, which is not realistic in a real detection facility. We introduce an adaptive detector with dynamic detection window size and adaptive threshold shifting using Fast Entropy, called AFEA (Adaptive DDoS attack detection using Fast Entropy Approach). Our adaptive DDoS detector successfully demonstrates that its DDoS detection performance can be enhanced to approximate the best result of the Fast Entropy detection scheme without manual threshold setting and system training, while maintaining the same computational time as the Fast Entropy detection scheme. In addition, we found that Dynamic AFEA can enhance the detection level more than a fixed (non-dynamic) one when it is equipped with Fast Entropy.

Keywords: DDoS, Dynamic Adaptive Detector, Entropy based approach, Fast Information Entropy

I. INTRODUCTION

By exploiting the main features of the Internet (open environment, scalability), the threat of network intrusion is growing significantly. Distributed Denial of Service (DDoS) is one of the network intrusion methods. A Denial of Service attack uses multiple systems to attack one or more victim systems with the intent of denying service to legitimate users of the victim systems. Thus, DDoS tries to saturate network channel capacity by sending more packets than the system can tolerate. The degree of automation in attack tools enables a single attacker to install their tools on and control tens of thousands of compromised systems for use in attacks.
Intruders often search address blocks known to contain high concentrations of vulnerable systems with high-speed connections. DoS attacks are effective because the Internet is comprised of limited and consumable resources, and Internet security is highly interdependent. Once a Denial of Service originates from more than two places, it is called DDoS. DDoS attack is a common issue in network security because an attacker can easily launch a DDoS attack via the Internet. However, the defense against DDoS is getting more difficult. There are two main problems in defending against DDoS attacks. First of all, it is very difficult to distinguish DDoS attack packets from legitimate packets, since the DDoS attacker increases the number of packets to consume all of the victim's resources (computational power or memory). Because of this feature of DDoS, the attackers send packets with useful or useless contents, which defenders are forced to treat as normal and legitimate packets. Second, finding the location of DDoS attackers is also a hard task. Since the attackers spoof the packet information (source IP address) to prevent back-tracking by defenders, there are few ways of detecting hidden attackers. One of the effective ways of defending against DDoS attacks is detecting the attack in its early phase. Once defenders detect the symptoms of a DDoS attack, they can block the suspicious incoming packets so that they can keep their system from being shut down and continue serving legitimate accesses. However, accurate early DDoS attack detection has been hindered by computational time requirements. In this paper, we propose an adaptive DDoS attack detection approach which can reduce computation time to increase efficiency while maintaining a proper accuracy level, using our previous Fast Entropy detection scheme [7], and present its performance via our simulation using actual collected DDoS attack data. This paper is presented in the following order.
Section II presents the related work, which includes DDoS attack detection approaches, the information entropy concept, Fast Entropy, and Compression Entropy. The Adaptive Threshold Updater design is described in Section III. Dynamic Moving Average Window approaches are introduced in Section IV. Simulation and analysis follow in Section V. Finally, our conclusion is discussed in Section VI.

II. RELATED WORK

A. DDoS attack detection researches

DDoS attackers send a bulk series of normal or meaningless packets in a short period of time, which makes it difficult for defenders to isolate attack packets from the normal incoming packets. Several DDoS detection algorithms have been explored. Three DDoS detection approaches are mainly considered (Signature Based, Anomaly Based, and Entropy Based Approach). The Signature Based Approach (SBA) [1] uses signatures of known attacks and maintains a database to compare incoming packets with known attack signatures. SBA is easy to implement and can identify known attacks with low false negatives. SBA must be trained and must use a huge signature database in order to detect new attacks effectively, which makes it very difficult to detect new DDoS attacks effectively and quickly if they do not match any previous attack signature. These limitations of SBA (consuming CPU time to find a signature matching a newly intruding attack in the previously trained system) led the system security community to look for another approach, the Anomaly Based Approach (ABA) [2], which monitors the patterns of incoming packet flows and uses distribution analysis, data mining and statistical methods [3-6]. If there is an abnormal pattern, the ABA facility decides that the flow is an attack flow. ABA also has two main limitations: it can suffer from high false alarm rates if the networks behave unpredictably or handle sudden bulk transfers, and it often needs computationally expensive training sets of network records in order to learn the normal behavior patterns. To overcome the limitations of SBA and ABA, the Entropy Based Approach (EBA) was introduced with the idea that if an attacker launches a DDoS attack, the randomness of the network flow should change [7]. EBA has shown three significant benefits in [8]: increased detection sensitivity, additional diagnostic information, and a useful measure between traffic groups. EBA has become a popular approach against DDoS attacks. If the computational time of EBA is considered together with the nature of DDoS, which increases the number of packets in a short time, EBA remains unsatisfactory as a DDoS detection facility. To reduce the computing time of EBA and moderate the sensitivity of detecting intrusion using EBA, a new computation method (called Fast Entropy) was proposed in [7].

2011 Fifth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, 978-0-7695-4372-7/11 $26.00 2011 IEEE, DOI 10.1109/IMIS.2011.82
The Fast Entropy Approach (FEA) was built on a new information entropy estimator equipped with a Fixed Moving Average Window (FMAW) detector. However, the main problem of FEA is that its reliability and efficiency rely on the size of the moving average window, which is fixed and determined heuristically. This makes it difficult for FEA to respond accurately to various simultaneous attacks in real time. We will discuss FEA further in Section III.

B. Information Entropy

In 1948, Shannon [9] identified entropy as a conceptual amount, or a unit of measure, of the uncertainty of given information (expressed as random variables). Suppose X is a discrete random variable with alphabet $\mathcal{X}$ and probability mass function $p(x) = \Pr\{X = x\}$, $x \in \mathcal{X}$. Then the entropy H(X) of the discrete random variable X is defined as

$$H(X) = -\sum_{x \in \mathcal{X}} p(x) \log p(x)$$

where $0 \log 0 = 0$, and $H(X) \ge 0$ since $0 \le p(x) \le 1$.
Entropy is a function of the distribution of X; it does not depend on the actual values taken by the random variable X, but only on the probabilities. Thus, the entropy is a concave function of the distribution, and for a binary variable with probability p its value equals 0 when p = 0 or 1 and reaches its maximum when p = 1/2. These properties of entropy can easily be deployed in network detection algorithms. For example, if a DDoS attack is launched against a particular port number to put it out of service by sending a series of bulk packets disguised as legitimate packets, the entropy value of the attacked port decreases, whereas under normal traffic it would increase.

III. ADAPTIVE THRESHOLD UPDATER DESIGN
Our adaptive DDoS attack detection approach has been developed to effectively detect a greater variety of intrusion attacks in real time, based on our previous work, the Fast Entropy approach. We discuss the Fast Entropy approach in more detail before we present the design of an adaptive DDoS attack detector using it.

A. Fast Entropy Approach

EBAs were introduced to enhance the performance of ABA in [6, 8, 10]. However, EBAs show a disadvantage in the time needed to compute entropy values. Since the fundamental goal of DDoS is to saturate channel capacity, every EBA should concentrate on reducing the time of computing entropy values, even when it has good detection accuracy. As we briefly mentioned in Section II, the FEA [7] concept was introduced to reduce the computational time of entropy values while maintaining detection accuracy. FEA is one of the EBAs, but it no longer uses conventional entropy (Information Entropy). The Fast Entropy Approach is developed as follows:
Let entropy, H, be a quantity of disorder that represents the number of different types of symbols. Thus, the value of H must increase when the disorder increases. We can simplify the expression of entropy as follows [7]:

H = log (the number of possible states within input information)

Instead of using probabilities to compute H to express the quantity of disorder, we use only the number of different types of symbols. We redefine the entropy as

H = log (the number of possible system states),

where "possible state" means the number of distinct packets in the system.
We were able to reduce the computing time by using only the number of different types of symbols, without computing probabilities for each symbol. However, this approach is not able to reflect the total number of symbols that appeared, which does not allow us to detect attacks effectively when an attacker significantly increases the number of different symbols (packets) to paralyze a victim's system by saturating its capacity during a DDoS attack. To overcome this weakness, we add the total number of symbols into the modified entropy, H, and redefine the entropy as [7]:

$$H = -\log \frac{m}{n} = \log \frac{n}{m} \qquad (1)$$

where m is the number of distinct packets and n is the total number of packets in an input.
However, this new entropy could still increase the false negatives if attackers increase both the number of packets and the number of packet types simultaneously. In that case, the ratio $n/m$ will not change noticeably, and the entropy value will stay almost the same, which makes the algorithm miss attacks. To minimize the false negatives, we proposed an entropy calibration factor.
Suppose $n_i$ is the total number of packets in monitoring interval $t_i$, and consider two monitored variables, $n_{i-1}$ and $n_i$, at times $t_{i-1}$ and $t_i$ respectively. Then the calibration entropy is defined as follows [7]:

$$\text{calibration entropy} = \begin{cases} \left|\log \dfrac{n_{i-1}}{n_i}\right|, & \text{if } n_i \ge n_{i-1} \\[2ex] \left|\log \dfrac{n_i}{n_{i-1}}\right|, & \text{if } n_i < n_{i-1} \end{cases}$$

where, if $n_i \ge n_{i-1}$, then $0 < \dfrac{n_{i-1}}{n_i} \le 1$ and hence $-\infty < \log \dfrac{n_{i-1}}{n_i} \le 0$. In the same fashion, $n_i < n_{i-1}$ yields the same range.

Now let the calibration factor be $\left|\log \dfrac{n_{i-1}}{n_i}\right|$ if $n_i \ge n_{i-1}$, and $\left|\log \dfrac{n_i}{n_{i-1}}\right|$ if $n_i < n_{i-1}$.

Then the redefined entropy value H of equation (1) can be expressed as:

$$H = -\log \frac{m}{n} + (\text{calibration factor}) \qquad (2)$$

where m is the number of distinct packets, n is the total number of packets in an input, and the calibration factor is the packet-number calibration factor (equal to the calibration entropy above).
In FEA, we obtain only the number of distinct packets, using a heap structure similar to the one used for the lossless compression entropy. In addition, we use only the insert operation while finding the value, unlike the lossless compression entropy. This allowed us to reduce the computational time of Fast Entropy below that of the lossless compression entropy computation. We proved that the runtime of Fast Entropy can be represented by O(log n log ), which is faster than the total runtime of conventional entropy, O(n^2), and of compression entropy, O(n log n) [7].
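The Fast Entropy computation of equations (1) and (2), as an added Python example (not code from the paper or its authors): it counts distinct packets with a set in place of the heap of [7], identifies a packet by its (src IP, dst IP, src port, dst port) 4-tuple (an assumption), and shows on constructed traffic why the calibration factor is needed when an attacker scales packet count and packet types together.

```python
import math


def fast_entropy(packets):
    """Uncalibrated Fast Entropy of one monitoring interval, equation (1):
    H = -log(m/n) = log(n/m), m = distinct packets, n = total packets.
    A set stands in for the heap of [7]; like it, only insertions are needed."""
    n = len(packets)
    if n == 0:
        return 0.0          # an empty interval carries no disorder
    m = len(set(packets))
    return math.log(n / m)


def calibration_factor(n_prev, n_cur):
    """Packet-number calibration factor from consecutive interval totals:
    |log(n_{i-1}/n_i)| if n_i >= n_{i-1}, else |log(n_i/n_{i-1})|.
    Intervals with no packets are treated as giving no calibration (assumption)."""
    if n_prev == 0 or n_cur == 0:
        return 0.0
    if n_cur >= n_prev:
        return abs(math.log(n_prev / n_cur))
    return abs(math.log(n_cur / n_prev))


def calibrated_fast_entropy(prev_packets, cur_packets):
    """Equation (2): H = -log(m/n) + calibration factor, for the current interval."""
    return fast_entropy(cur_packets) + calibration_factor(len(prev_packets), len(cur_packets))


def make_interval(distinct, repeats):
    """Constructed sample traffic: `distinct` different 4-tuples, each seen `repeats` times.
    The addresses and ports are placeholders, not captured data."""
    pkts = []
    for k in range(distinct):
        pkts.extend([("10.0.0.%d" % (k % 250), "10.0.1.5", 1024 + k, 80)] * repeats)
    return pkts


def demo():
    """Normal interval: 100 packets of 20 kinds. Attack interval: 1000 packets of
    200 kinds, i.e. both m and n grow tenfold so the n/m ratio is unchanged.
    Equation (1) alone cannot tell the two apart; equation (2) adds log(10)."""
    normal = make_interval(20, 5)
    attack = make_interval(200, 5)
    return {
        "plain_normal": fast_entropy(normal),
        "plain_attack": fast_entropy(attack),
        "calibrated_attack": calibrated_fast_entropy(normal, attack),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.4f}")
```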
B. Designing an adaptive DDoS attack detector (AFEA)

To reduce the computational time for entropy and increase the intrusion detection accuracy rate by supporting detection of abnormal DDoS attack behavior, we combined two techniques: the Fast Entropy approach and the moving average concept. With these two methods, FEA has shown a good speed-up (a 90% reduction of computation on DDoS detection, even faster than Compression Entropy) and good detection accuracy [7]. However, the detection reliability depends on how well a system selects the threshold value used to adjust the size of the moving average window. In general, the threshold value is chosen heuristically based on the result of past intrusion pattern analysis. Thus, FEA with a static threshold value might be less practical in a real network environment, since it is impossible to adjust threshold values whenever a conspicuous flow is detected. For example, if the difference between the average of the previous monitoring interval and the new entropy value decreases, the detector cannot detect the attacks with a high threshold value because of the steady channel condition and stealthy attack pattern. In this case we need to decrease the threshold value. Meanwhile, if the channel is bursty but the detector has a relatively small threshold value, the detector works very sensitively in this situation. As a result, the detector yields many false positives, a bad characteristic for a detector. In that case, the threshold should be increased accordingly. To provide a highly reliable and efficient DDoS attack detection service in a real network environment, we propose an adaptive DDoS attack detector using the Fast Entropy approach which can dynamically select the threshold value and the moving average window size.
This paper concentrates on designing a Dynamic Adaptive Detector using FEA, which can maintain the same level of detection reliability and performance without increasing the computational time compared to FEA with a fixed moving average window (FMAW). The Dynamic Adaptive Detector has two major components: 1) the Adaptive Threshold Updater, and 2) the Dynamic Moving Average Window. The Adaptive Threshold Updater aims to be an automatic updater which adjusts threshold values accordingly whenever the channel condition changes. The Dynamic Moving Average Window has the goal of a monitoring window with dynamic size for monitoring the channel, so that it can reduce false alarms.
For detecting DDoS attacks in real time, an intrusion detection system should continuously monitor entropy values sequentially in every monitoring interval, called the window size. Therefore, each entropy value should be calculated with respect to each size of the moving average window. To design an Adaptive Threshold Updater (ATU), we start from the basic FMAW shown in Figure 1 [7]. If we have a monitoring interval of t seconds, we monitor the entropy value for kt seconds, where k is the size of the Moving Average Window. In every monitoring interval t, an entropy value is computed.
Let us define the following:

- the i-th window average: the i-th average of the Moving Average Window;
- the standard deviation of H_{n-m} ~ H_{n-1} about the i-th window average;
- D_i: the absolute value of the difference between the i-th window average and H_n (i.e., D_i = |i-th window average - H_n|);
- the threshold multiplication factor: a positive integer value (default = 3);
- the threshold: the threshold multiplication factor times the standard deviation.
Figure 1: Attack monitoring system using moving average concept
After the i-th window average is computed, it is compared with H_n. With the newly obtained value, we consider the current network to be under attack in the current monitoring interval n if D_i is greater than or equal to the threshold; otherwise the traffic condition is still normal (no attack). Once a comparison is done, the Moving Average Window moves forward along with time (the next window average starts at t_{n-m+1}). According to the results of [7], we have learned that the multiplication factor needs to be varied according to the packet traffic condition.
Our simulation with field data confirmed this. On one hand, if an attacker sends malicious traffic with only a small change in traffic at a time when the channel is stable, the detector cannot detect the attack with a high value of the multiplication factor. Because of the steady channel condition and stealthy attack pattern, the detection facility does not work properly with a highly set factor. On the other hand, if the channel is bursty but the detector has a small factor, the detector works very sensitively in this situation. As a result, the detector yields many false positives, which are not severe but are a bad characteristic of the detector. The idea of an ATU is that if the new entropy is relatively high compared to the average value of the previous n entropies (the i-th window average), there is a high probability that the channel is bursty. After we see this phenomenon, we increase the threshold multiplication factor. With this automated shift setting, one does not need to monitor or keep track of false positives or negatives to enhance detector performance, because the ATU updates the threshold values accordingly. We define the factor to lie in [3, 6], since we observed that if the factor is over 6, the detector could not detect almost any anomalies. On the other hand, the detector is too sensitive to detect an attack precisely, producing many false negatives, if the factor is in (0, 2]. The factor is changed under the following rules:

- If H_n > 1.5 x (i-th window average), then increase the factor by 1.
- If 0.5 x (i-th window average) <= H_n <= 1.5 x (i-th window average), then maintain the current factor.
- If H_n < 0.5 x (i-th window average), then decrease the factor by 1.
The adaptive detection algorithm is shown in Figure 2.
Figure 2: Adaptive Detector Algorithm Flow
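The ATU rules above running on a fixed moving average window (FMAW), as an added Python example rather than the authors' own implementation. Where the paper does not specify a detail, the code assumes it: the population standard deviation, the factor update applied after each comparison, the factor clamped to [3, 6], and a constructed entropy series for a single detection criterion.

```python
from statistics import mean, pstdev

# The paper keeps the multiplication factor in [3, 6] and starts at 3.
ALPHA_MIN, ALPHA_MAX, ALPHA_START = 3, 6, 3

# Constructed entropy series for one detection criterion (e.g. source IP entropy):
# a steady channel around 2.0, a burst at index 6 and a dip at index 8.
SAMPLE_ENTROPIES = [2.0, 2.1, 1.9, 2.05, 1.95, 2.0, 3.4, 2.0, 0.8, 2.0]


def window_stats(window):
    """Window average and standard deviation of H_{n-m} .. H_{n-1}.
    Population std dev is an assumption; the paper does not name the estimator."""
    return mean(window), pstdev(window)


def update_factor(alpha, h_new, mu):
    """Adaptive Threshold Updater rules of Section III, clamped to [3, 6]."""
    if h_new > 1.5 * mu:          # relatively high entropy: likely burst, become less sensitive
        return min(alpha + 1, ALPHA_MAX)
    if h_new < 0.5 * mu:          # relatively low entropy: steady channel, become more sensitive
        return max(alpha - 1, ALPHA_MIN)
    return alpha


def run_fmaw_detector(entropies, window_size, alpha=ALPHA_START):
    """Fixed Moving Average Window detector with the ATU.

    The first `window_size` entropies seed the window. For every later interval n:
    threshold = factor * sigma, D_i = |average - H_n|, attack if D_i >= threshold;
    then the factor is updated (assumption: after the comparison) and the window
    slides forward by one interval. Returns a list of (index, attack, factor).
    """
    if len(entropies) <= window_size:
        raise ValueError("need more entropies than the window size")
    window = list(entropies[:window_size])
    results = []
    for idx in range(window_size, len(entropies)):
        h_new = entropies[idx]
        mu, sigma = window_stats(window)
        d_i = abs(mu - h_new)
        # A perfectly flat window gives sigma = 0 and a zero threshold; require a
        # real deviation then, or every interval would be flagged (guard is an assumption).
        attack = d_i >= alpha * sigma and d_i > 0.0
        alpha = update_factor(alpha, h_new, mu)
        results.append((idx, attack, alpha))
        window = window[1:] + [h_new]   # move the window forward by one interval
    return results


def flagged_intervals(results):
    """Indices of monitoring intervals reported as under attack."""
    return [idx for idx, attack, _ in results if attack]


if __name__ == "__main__":
    for idx, attack, alpha in run_fmaw_detector(SAMPLE_ENTROPIES, 5):
        print(f"interval {idx}: H={SAMPLE_ENTROPIES[idx]:.2f} attack={attack} factor={alpha}")
```

On the sample series the burst at index 6 is flagged and raises the factor to 4; the dip at index 8 is not flagged because the burst still sits inside the fixed window, which is the kind of effect the dynamic windows of Section IV address.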
IV. DYNAMIC MOVING AVERAGE WINDOW DESIGN
We designed the ATU in Section III, which updates the threshold values accordingly under the channel burst condition. We observed that the ATU can reduce false negatives to the same level as, or below, the best case of manual threshold setting. However, the ATU still produces more false positives than the best case of manual threshold setting. One idea for reducing detection errors is to turn the FMAW into a Dynamic Moving Average Window (DMAW) that follows the change of the network channel condition. There may be several DMAW methods; we suggest three. Note that all three DMAWs are built to work on top of the ATU.
A. Simple DMAW

Initially, the Moving Average Window (MAW) is designed to move forward whenever it finishes comparing a new entropy value with the average value in the window, but it does not change its size during the whole detection procedure. Now we adopt a Simple Dynamic Moving Average Window (SDMAW). Once an attack is detected, the channel is clearly bursty. In that case, we need to make the detector less sensitive. If the channel stays in the normal condition for several detection periods, the channel is steady, which means we need to shrink the SDMAW to make it more sensitive for the next detection period. SDMAW works as follows:

- The detector has one MAW. The four detection criteria (source IP address, destination IP address, source port, and destination port entropy) share the MAW size.
- Whenever an attack occurs, the size of the SDMAW is increased by 1.
- If the channel shows the normal condition for 30 detection periods in a row, the size of the SDMAW is decreased by 1.

B. Multiple DMAW Updated with Threshold Shift

The Multiple Dynamic Moving Average Window with Threshold Shift (MDMAW_TS) has four MAWs (for source IP address, destination IP address, source port, and destination port, respectively). The detector manages the size of each MAW. The size of an individual MDMAW_TS window changes whenever its threshold value changes. A threshold shift is evidence of a change in channel condition, since the multiplication factor is updated according to the channel condition. A positive shift of the factor indicates a high probability of a bursty condition, so the size of the MDMAW_TS window is increased to monitor the channel efficiently. If there is a negative shift of the factor, the detector decreases the size of the MDMAW_TS window. MDMAW_TS works as follows:

- The detector has four MAWs to monitor the channel condition of source IP address, destination IP address, source port, and destination port entropy respectively.
- If the factor has a positive shift, the size of the corresponding MDMAW is increased by 1.
- If the factor has a negative shift, the size of the corresponding MDMAW is decreased by 1.
- If the factor has no shift, the size of the MDMAW is maintained.

C. Multiple DMAW Updated with Attack Occurrence

The Multiple DMAW with Attack Occurrence (MDMAW_AO) has four Moving Average Windows. MDMAW_AO works in the same fashion as SDMAW. However, each MAW of the MDMAW_AO is updated separately.

V. SIMULATION AND ANALYSIS

A. Input Data

We use the same field datasets shown in [7], which consist of four different datasets, as follows:
- Normal Data Flow (University Computer Lab): a university computer lab filled with normal users' (students') packets at the Behavioral Science (BSS) Lab of the University of Colorado Denver.
- DoS and Port Sweep Attack (99 DARPA Dataset): it contains two network flows (University Computer Lab and the 1999 DARPA dataset). It has five DoS attacks and 2 stealthy probing attacks.
- Typical DDoS (Non-Stealthy 00 DARPA Dataset): the 2000 DARPA dataset (00 DARPA) is a typical dataset of DDoS attack traffic. We can categorize five attack phases in the 00 DARPA dataset: phase 1 (IP sweeping), phase 2 (probing IPs), phase 3 (penetrating via a vulnerability), phase 4 (installing attack software), and phase 5 (launching DDoS).
- Stealthy DDoS (00 DARPA Stealthy Dataset): the 2000 DARPA Stealthy dataset (00 Stealthy DARPA) is stealthier than the 1999 DARPA dataset, and it has 5 attack phases like the Non-Stealthy 2000 DARPA dataset.

B. Detection Accuracy Analysis

In the previous simulation in [7], without the adaptive scheme and with a fixed window size, we obtained the detection accuracy results shown in TABLE I. We simulated three entropy schemes to evaluate the detection accuracy on the three datasets, with the threshold range between 2 and 6.
TABLE I. DETECTION ACCURACY RESULT (threshold multiplication factor = 4)

Entropy Type    Input Data          False Negatives   False Positives
Conventional    DoS (a)             6                 1
                Typical DDoS (b)    4                 1
                Stealthy DDoS (c)   4                 0
Compression     DoS                 3                 3
                Typical DDoS        3                 6
                Stealthy DDoS       2                 12
Fast            DoS                 4                 0
                Typical DDoS        2                 3
                Stealthy DDoS       2                 1

a DoS: 99 DARPA Dataset
b Typical DDoS: Non-Stealthy 00 DARPA Dataset
c Stealthy DDoS: Stealthy 00 DARPA Dataset
The Adaptive Entropy Detector (FMAW) approximates the best case, which is good detection performance, without any pattern training or history records. FMAW shows good adaptability with the Fast Entropy scheme (see Table II). We see the enhancement of the adaptive detector compared to the non-adaptive one, and it does not need any pattern training.

On the other hand, FMAW makes detection performance decline with the Conventional Entropy scheme. The FMAW scheme is suitable for general DoS attacks and stealthy attacks. However, it still has good performance for general DDoS attacks. If we adopt an adaptive scheme with the Fast Entropy scheme, we get a more stable result. FMAW can reduce false positives, but produces a few more false negatives than the best case when it uses no DMAW scheme. When we adopt a DMAW scheme on top of the adaptive detector, it shows an enhancement in reducing false negatives compared to FMAW across the entropy schemes, when the DMAW is equipped on the Conventional and Fast Entropy schemes. Since the Compression Entropy scheme is very sensitive, DMAW contributes little to reducing false positives with the Compression Entropy scheme. DMAWs with Fast Entropy produce a few more false negatives on the 99 DARPA dataset. However, considering that the 99 DARPA dataset contains two stealthy attacks, the detection performance is still tolerable. Note that detectors with DMAW schemes remain at poor detection accuracy with the Conventional Entropy scheme even though we use a dynamic window scheme, the same as with FMAW. MDMAW_AO shows not only the best detection performance among the three DMAW approaches but also the best fit with our Fast Entropy. We can enhance detection accuracy against false negatives with the adaptive detector scheme. Furthermore, when we add the DMAW approach to the adaptive detector scheme equipped with FEA, we can improve false positives relative to the best cases and FMAW. For instance, the false positives of MDMAW_AO with Fast Entropy are significantly fewer than those of FMAW with Compression Entropy.

C. Runtime Analysis

Compression Entropy and Fast Entropy with FMAW can reduce the computational time by more than 90%. Also, the Fast Entropy scheme with FMAW can reduce the computation time by about 12% compared to the Compression Entropy scheme (see TABLE III).
However, as we have seen in the previous paragraphs, the Compression Entropy scheme has high false positives over all thresholds, which means it does not work well as a network monitoring algorithm with information entropy, even though it has fast data compression ability (see TABLE II).
We estimate the runtime of detectors with a dynamic window on the same input datasets with the three different DMAWs. We present the simulation results of MDMAW_AO in Table IV because MDMAW_AO has the best detection performance (see TABLE II). Table IV shows that MDMAW_AO has almost the same reduction of computational time (91% reduction compared to the Conventional Entropy scheme, and 14% reduction compared to the Compression Entropy scheme) as FMAW.

TABLE III. RUNTIME RESULT OF FMAW (unit: millisecond)

Attack Patterns           Conventional   Compression Entropy          Fast Entropy
                          Entropy        R/time (a)   vs. conv (b)    R/time   vs. conv   vs. comp (c)
99 DARPA                  8,984          781          -91%            673      -93%       -14%
00 DARPA                  20,008         1,883        -91%            1,665    -92%       -12%
00 DARPA (Stealthy DARPA) 16,213         1,550        -90%            1,398    -91%       -10%
Average Speed Reduce                                  -91%                     -92%       -12%

a R/time: run time over a detection process
b conv: the runtime of the Conventional Entropy
c comp: the runtime of the Compression Entropy
TABLE II. ADAPTIVE DETECTOR RESULT (False Negatives / False Positives)

Entropy        Detector Type   99 DARPA   00 DARPA   00 Stealthy DARPA
Conventional   Best Case (a)   3/19       1/2        3/45
               FMAW (b)        4/5        2/8        5/4
               SDMAW           6/2        2/5        5/0
               MDMAW_TS        6/1        2/6        5/1
               MDMAW_AO        5/1        2/5        5/2
Compression    Best Case       1/7        1/5        2/12
               FMAW            1/5        3/12       2/16
               SDMAW           3/5        3/17       2/15
               MDMAW_TS        2/5        3/18       2/14
               MDMAW_AO        3/3        3/12       2/14
Fast           Best Case       1/8        1/6        1/6
               FMAW            1/2        2/7        1/9
               SDMAW           3/1        2/6        2/6
               MDMAW_TS        3/1        3/5        1/5
               MDMAW_AO        2/0        2/6        1/6

a Best Case: the best result among all simulation results with the multiplication factor between 2 ~ 6. The first criterion is low false negatives, but allowing 1 miss. If there is no result with 1 miss, we choose the minimum of false negatives as the best case. If false negatives are the same, the one with lower false positives is the best case.
b FMAW: the basic Adaptive Entropy Detector, which has a fixed window size. The four detection variables (source/destination IP address, source/destination port number) have the same window size. The algorithm changes the threshold value by observing the network flow data. It starts with a factor of 3. Any factor among source address, destination address, source port, and destination port may be changed after evaluation at every monitoring interval.

We depict the runtime distribution of the MDMAW_AO detector in Figure 3.
Figure 3. Runtime Distribution of FMAW and MDMAW_AO

As shown in Figure 3, MDMAW_AO has a little computational overhead compared to FMAW. If we compare the computational time of Fast Entropy with FMAW and with MDMAW_AO, MDMAW_AO needs approximately 22% additional computational time (see Table V). The growth of computational time mainly comes from the burden of managing and updating four dynamic monitoring windows. However, we can also see that the speed overhead is almost similar when we consider the rate of runtime reduction between FMAW and MDMAW_AO in the case of using Fast Entropy. Even though the MDMAW scheme increases the computational time, it still has good computation performance, which can reduce the total computational time significantly (about 90% with the Fast Entropy scheme compared to the Conventional Entropy scheme).

TABLE IV. RUNTIME RESULT OF MDMAW_AO (unit: millisecond)

Attack Patterns           Conventional   Compression Entropy      Fast Entropy
                          Entropy        R/time   vs. conv        R/time   vs. conv   vs. comp
99 DARPA                  10,218         1,032    -90%            838      -92%       -19%
00 DARPA                  21,758         2,158    -90%            1,917    -91%       -11%
00 DARPA (Stealthy DARPA) 17,764         2,006    -89%            1,745    -90%       -13%
Average Speed Reduce                              -90%                     -91%       -14%

TABLE V. COMPUTATION OVERHEAD COMPARISON (millisecond / runtime overhead)

Attack Patterns          FMAW                                          MDMAW_AO
                         Conventional   Fast Entropy                   Fast Entropy
                         Entropy        (vs. adaptive conventional)    (vs. adaptive conventional)   (vs. adaptive FMAW)
99 DARPA                 8,984 / -      673 / -93%                     838 / -91%                    +25%
00 DARPA                 20,008 / -     1,665 / -92%                   1,917 / -90%                  +15%
00 Stealthy DARPA        16,213 / -     1,398 / -91%                   1,745 / -89%                  +25%
Average Speed Overhead                  -92%                           -90%                          +22%

VI. CONCLUSION

We found that the best threshold varied between 2 ~ 6 under manual simulation, and that this threshold range has a meaning in detection: outside the range, the detector is too sensitive or too insensitive in DDoS attack detection. First, we developed an ATU working on top of the simple Adaptive Entropy Detector (FMAW), which changes thresholds in the range of 2 ~ 6 at the end of every monitoring interval with a fixed size of monitoring windows. The ATU can reduce the false positives, approximating the best case of manual simulation, when it uses FMAW. However, it still produces a few more false negatives than the best case. Second, we introduced three DMAW schemes (SDMAW, MDMAW_TS, and MDMAW_AO) on top of the ATU. We find that MDMAW_AO can reduce false negatives over the three entropy schemes. DMAW may increase the computational time a little because it needs to manage and update four dynamic windows. However, it still has powerful computational performance, which can reduce the computational time by approximately 90% if we use the Fast Entropy scheme. By combining the ATU and DMAW_AO schemes, our proposed approach suggests that we can design a dynamic adaptive detector which approximates the best case of manual threshold setting with a small amount of computational time, and which can be used in a real network environment.

REFERENCES

[1] T. Ditcheva and L. Fowler, "Signature-based Intrusion Detection," class notes for COMP290-040, University of North Carolina at Chapel Hill, Feb. 2005.
[2] Beetle and Sasha, "A Strict Anomaly Detection Model for IDS," Phrack, vol. 10, issue 56, May 2000.
[3] S. Singh, C. Estan, G. Varghese, and S. Savage, "Automated Worm Fingerprinting," in Sigcom Proceedings of the 6th OSDI, 2004, pp. 45-60.
[4] V. Karamcheti, D. Geiger, Z. Kedem, and S. Muthukrishnan, "Detecting Malicious Network Traffic Using Inverse Distribution of Packet Contents," in SIGCOMM 05 Workshop, 2005, pp. 22-26.
[5] E. Besson, A. Gouget, and H. Sibert, "The GAIA Sensor: an Early DDoS Detection Tool," in ACM SIGMETRICS Performance Evaluation Review, vol. 34, 2006, pp. 7-8.
[6] B. Song, J. Heo, and C. Hong, "Collaborative Defense Mechanism Using Statistical Detection Method against DDoS Attacks," in IEICE Trans. Commun., 2007, pp. 2655-2664.
[7] G. No and I. Ra, "An Efficient and Reliable DDoS Attack Detection Algorithm Using a Fast Entropy Computation Method," Proc. of the 9th International Conference on Communications and Information Technologies (ISCIT), Incheon Songdo, South Korea, September 2009, pp. 1223-1228.
[8] A. Lall, V. Sekar, M. Ogihara, J. Xu, and H. Zhang, "Data Streaming Algorithms for Estimating Entropy of Network Traffic," in SIGMETRICS/Performance 06, 2006, pp. 145-156.
[9] C. E. Shannon, "A Mathematical Theory of Communication," Bell System Technical Journal, vol. 27, pp. 379-423 & 623-656, Oct. 1948.
[10] P. Du and S. Abe, "IP Packet Size Entropy-Based Scheme for Detection of DoS/DDoS Attacks," in IEICE Trans. Inf. & Syst., 2008, pp. 1274-1281.
[11] J. E. Smith and F. W. Weingarten, "Research Challenges for the Next Generation Internet," May 12-14, 1997, Computing Research Association.