Chunlei Liu / University of Electronic Science and Technology of China
As a complement to payload-based intrusion detection, flow-based intrusion detection is considered an alternative to packet inspection on high-speed links. Methods that compute information entropy over flow-level features have proved an efficient and effective way to detect DoS attacks. However, once an attack is detected by such a method, neither the victim host nor the attacker can be located immediately, because the entropy feature is computed by aggregating over many IP addresses and the individual addresses cannot be recovered from it. When detection runs over a huge volume of traffic, for example on an edge router, the attack is diluted by background traffic, and the resulting decrease in anomaly intensity also lowers the detection rate. To address these issues, we propose a fine-grained and dynamic aggregation unit for IP flows, called the session window, and use a one-class SVM model on it to detect DoS attacks. Our evaluation shows that the model detects various kinds of DoS attacks with a high detection rate and a low false alarm rate.
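The following is an added illustration of the two weaknesses of window-level entropy features that the abstract describes; it is not code from the paper and does not implement the paper's session windows or its one-class SVM. The flow records, address ranges and window sizes are constructed for the demonstration. It computes the Shannon entropy of source and destination addresses over a flow window, shows that a flood collapses destination entropy while the feature vector itself carries no address, and shows how mixing the same flood into a large volume of background flows shrinks the entropy drop to almost nothing.

```python
"""Entropy features over IP-flow windows (added example, not the paper's code).

Demonstrates: (1) destination-address entropy collapses during a flood,
(2) the entropy feature alone cannot name the victim or the attackers, and
(3) a large background volume (edge-router scale) dilutes the anomaly.
All flow records are constructed; addresses come from RFC 5737 test ranges.
"""
import math
from collections import Counter

# A flow record here is just (src_ip, dst_ip). Real flow exports carry
# ports, protocol and byte/packet counts as well; two fields suffice.


def background_flows(n_clients, n_servers):
    """Constructed benign traffic: n_clients distinct sources spread
    round-robin over n_servers destination hosts (n_clients <= 254)."""
    return [(f"192.0.2.{i + 1}", f"10.0.0.{i % n_servers + 1}")
            for i in range(n_clients)]


def flood_flows(n_spoofed, victim="10.0.0.1"):
    """Constructed SYN-flood-like traffic: many distinct (spoofed) sources,
    all aimed at a single victim (n_spoofed <= 254)."""
    return [(f"198.51.100.{i + 1}", victim) for i in range(n_spoofed)]


def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def window_features(flows):
    """Feature vector for one aggregation window: the only thing an
    entropy-based detector sees. Note it contains no IP address at all."""
    return {
        "H_src": entropy([src for src, _ in flows]),
        "H_dst": entropy([dst for _, dst in flows]),
    }


def top_destination(flows):
    """The information the feature vector discarded: per-address counts that
    would locate the victim. A detector fed only window_features() cannot
    call this, which is the localisation problem the abstract raises."""
    return Counter(dst for _, dst in flows).most_common(1)[0]


def entropy_drop(baseline_flows, window_flows):
    """How far H_dst in `window_flows` falls below the benign baseline.
    A detector would threshold on a drop like this."""
    return (window_features(baseline_flows)["H_dst"]
            - window_features(window_flows)["H_dst"])


def dilution_demo():
    """Same 8 flood flows seen in a small window and in a 256-flow window.

    Returns (drop_small, drop_diluted): the entropy drop is 2.0 bits when the
    flood dominates the window and only ~0.002 bits once 248 background
    flows are aggregated with it, so a fixed threshold misses the attack."""
    baseline_small = background_flows(8, 4)          # H_dst = 2.0
    drop_small = entropy_drop(baseline_small, flood_flows(8))

    baseline_large = background_flows(248, 4)        # H_dst = 2.0
    diluted_window = baseline_large + flood_flows(8)  # 70/62/62/62 split
    drop_diluted = entropy_drop(baseline_large, diluted_window)
    return drop_small, drop_diluted


if __name__ == "__main__":
    print("benign :", window_features(background_flows(8, 4)))
    print("flood  :", window_features(flood_flows(8)))
    print("victim (from raw flows, not from features):",
          top_destination(flood_flows(8)))
    print("entropy drop small vs diluted window:", dilution_demo())
```

In the small window the destination entropy falls from 2.0 bits to 0 while source entropy stays at 3 bits (distinct spoofed sources), which is the signature an entropy-based detector keys on; in the 256-flow window the same eight attack flows move `H_dst` by about 0.002 bits. Neither number says which host is under attack, which is why `top_destination` has to go back to the raw flows.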