DDoS Detection with Information Theory Metrics and Netflows - A Real Case

Domenico Vitali, Antonio Villani, Angelo Spognardi, Roberto Battistoni, Luigi V. Mancini


Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) constitute one of the main issues for critical Internet services. The widespread availability and simplicity of automated stressing tools has also promoted the voluntary participation to extensive attacks against known websites. Today the most effective (D)DoS detection schemes are based on information theory metrics, but their effectiveness is often evaluated with synthetic network traffic. In this work we present a comparison of the main metrics proposed in the literature carried on a huge dataset formed by real netflows. This comparison considers the ability of each metric to detect (D)DoS attacks at an early stage, in order to launch effective and timely countermeasures. The evaluation is based on a large dataset, collected from an Italian transit tier II Autonomous System (AS) located in Rome. This AS network is connected to all the three main network infrastructures present in Italy (Commercial, Research and Public Administration networks), and to several international providers (even for Internet transit purposes). Many attempted attacks to Italian critical IT infrastructures can be observed inside the network traffic of this AS. Several publicly declared attacks have been traced and many other malicious activities have been found by ex-post analysis.


  1. Chan, Y.-T. F., Shoniregun, C. A., and Akmayeva, G. A. (2008). A netflow based internet-worm detecting system in large network. In Pichappan, P. and Abraham, A., editors, ICDIM, pages 581-586. IEEE.
  2. Chang, C. I., Du, Y., Wang, J., Guo, S. M., and Thouin, P. D. (2006). Survey and comparative analysis of entropy and relative entropy thresholding techniques. Vision, Image and Signal Processing, IEE Proceedings -, 153(6):837-850.
  3. Choo, K.-K. R. (2010). High tech criminal threats to the national information infrastructure. Inf. Secur. Tech. Rep., 15:104-111.
  4. Cisco Systems (2004). Cisco Systems NetFlow Services Export Version 9. rfc3954.
  5. Cisco Systems (2010). Cisco 2010 Annual Security Report, Highlighting global security threats and trends. http://www.cisco.com/en/US/prod/vpndevc/annual security report.html.
  6. Curtmola, R., Sorbo, A. D., Ateniese, G., and Del, A. (2005). On the performance and analysis of dns security extensions. In in Proceedings of CANS, pages 288-303. SpringerVerlag.
  7. Di Pietro, R. and Mancini, L. V. (2008). Intrusion Detection Systems. Springer-Verlag.
  8. Di Pietro, R., Oligeri, G., Soriente, C., and Tsudik, G. (2010). Intrusion-Resilience in Mobile Unattended WSNs. In INFOCOM, pages 2303-2311. IEEE.
  9. Dübendorfer, T., Wagner, A., and Plattner, B. (2005). A framework for real-time worm attack detection and backbone monitoring. In IWCIP 2005.
  10. Feinstein, L. and Schnackenberg, D. (2003). Statistical approaches to DDOS attack detection and response. In In Proceedings of the DARPA Information Survivability Conference and Exposition, pages 303-314.
  11. Hugh, J. M. (2000). Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by lincoln laboratory. ACM Trans. Inf. Syst. Secur., 3:262-294.
  12. Lawniczak, A. T., Di Stefano, B. N., and Wu, H. (2009). Detection & study of DDoS attacks via entropy in data network models. CISDA'09, pages 59-66, Piscataway, NJ, USA. IEEE Press.
  13. Li, K., Zhou, W., and Yu, S. (2009a). Effective metric for detecting distributed denial-of-service attacks based on information divergence. IET Communications, 3(12):1851-1860.
  14. Li, K., Zhou, W., Yu, S., and Dai, B. (2009b). Effective DDOS attacks detection using generalized entropy metric. ICA3PP 7809, pages 266-280, Berlin, Heidelberg. Springer-Verlag.
  15. Mirkovic, J. and Reiher, P. (2004). A taxonomy of DDOS attack and DDOS defense mechanisms. SIGCOMM Comput. Commun. Rev., 34:39-53.
  16. No, G. and Ra, I. (2009). An efficient and reliable DDOS attack detection using a fast entropy computation method. ISCIT'09, pages 1223-1228, Piscataway, NJ, USA. IEEE Press.
  17. Nychis, G., Sekar, V., Andersen, D. G., Kim, H., and Zhang, H. (2008). An empirical evaluation of entropy-based traffic anomaly detection. IMC 7808, pages 151-156, New York, NY, USA. ACM.
  18. Oshima, S., Nakashima, T., and Sueyoshi, T. (2010). DDoS detection technique using statistical analysis to generate quick response time. BWCCA 7810, pages 672- 677, Washington, DC, USA. IEEE Computer Society.
  19. Sardana, A., Joshi, R., and Kim, T.-h. (2008). Deciding optimal entropic thresholds to calibrate the detection mechanism for variable rate DDOS attacks in ISP domain. In ISA, pages 270-275, Washington, DC, USA. IEEE Computer Society.
  20. Sekar, V. and Merwe, J. V. D. (2006). Lads: Large-scale automated ddos detection system. In In Proc. of USENIX ATC, pages 171-184.
  21. Shannon, C. E. (1948). A mathematical theory of communication. The Bell system technical journal, 27:379- 423.
  22. Xiang, Y., Li, K., and Zhou, W. (2011). Low-rate DDOS attacks detection and traceback by using new information metrics. In Information Forensics and Security, IEEE Transactions, volume 99. IEEE Press.

Paper Citation

in Harvard Style

Vitali D., Villani A., Spognardi A., Battistoni R. and V. Mancini L. (2012). DDoS Detection with Information Theory Metrics and Netflows - A Real Case . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012) ISBN 978-989-8565-24-2, pages 172-181. DOI: 10.5220/0004064501720181

in Bibtex Style

author={Domenico Vitali and Antonio Villani and Angelo Spognardi and Roberto Battistoni and Luigi V. Mancini},
title={DDoS Detection with Information Theory Metrics and Netflows - A Real Case},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012)},

in EndNote Style

JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2012)
TI - DDoS Detection with Information Theory Metrics and Netflows - A Real Case
SN - 978-989-8565-24-2
AU - Vitali D.
AU - Villani A.
AU - Spognardi A.
AU - Battistoni R.
AU - V. Mancini L.
PY - 2012
SP - 172
EP - 181
DO - 10.5220/0004064501720181