Generalized Network Temperature for DDoS Detection through Renyi Entropy

Distributed Denial-of-Services (DDoS) are serious network threats hardly eliminated. Current network entropy-based DDoS detection methods suffer from distinguishing DDoS attack traffic among normal traffic through a fixed empirical detection threshold, i.e., most of such thresholds are case-sensitive ones. With the Renyi entropy of a network, the paper devised a Generalized Network Temperature (GNT) based approach for DDoS attack detection, where GNT is a novel and fine-granular-scale statistical indicator that describes the network entropy changes in the light of both network traffic and network topology changes. Within a series of predefined time windows, our proposed approach first collects the selected network traffic features and then calculates the GNT for each time window. Second, the DDoS attacks are then acknowledged or denied by comparing each GNT to a dynamically adjustable threshold generated by the Exponentially Weighted Moving Average (EWMA) model. Furthermore, the publicly available CIC DoS 2017 dataset is utilized to test the proposed approach in the paper. The experimental results show that our proposed approach outperforms the known Shannon entropy-based DDoS attack detection methods with respect to both efficacy and efficiency.