A Simple Detection Method for DoS Attacks Based on IP Packets Entropy Values

Abstract

DoS attack is the threat to ICT (Information and communications technology) society. There are many existed detection methods, but countermeasures has been become difficult according to complication of attacks. In conventional methods, entropy-based methods detect attacks using the property of entropy that it enables to estimate increase and decrease of dispersion of header information values, like IP address, by comparing before and after entropy values in time series. In this method, the detection with only one header information is low accuracy, so some or many header information is necessary for accurate detection. Therefore, time for calculating their entropy is needed and the detection method becomes complicated. In this way, requiring some or many header information is the cause of the such problem. So in this paper, we propose the detection method with only 2 header information that is fewer than conventional methods: "packet arrival time" and "source IP address". First, we analyzed two datasets, calculated entropy values of header information. Second, we extracted common features of DoS attacks between two datasets, proposed the detection method detect that feature. As a result, the proposed method with only 2 header information became simpler than conventional methods. And we was able to distinguish the attack time from the non-attack time clearly.