February 15, 2024
Conference Paper

Denial of Service Attack Detection via Differential Analysis of Generalized Entropy Progressions

Abstract

Denial-of-Service (DoS) attacks are one of the most common and consequential cyber attacks in computer networks. While existing research offers a plethora of detection methods, the issue of achieving scalability, a low false positive rate, and high detection accuracy remains open. In this work, we address this problem by developing a differential method based on generalized entropy progression. In this method, named DoDGE, we continuously fit the line of best fit to the entropy progression of destination addresses and check whether the derivative, that is, the slope of this line, is less than the negative of the dynamically computed standard deviation of the derivatives. Furthermore, to distinguish DoS attacks from flash events, we leverage the symmetry that when a flash event occurs, the derivative of the entropy progression of source addresses is positive. With this design, we omit the use of thresholds, and the results with five real-world network traffic datasets confirm that DoDGE outperforms threshold-based DoS attack detection by two orders of magnitude in terms of false positives on average. When compared to ten machine learning (ML) models, DoDGE achieves a balanced accuracy of 99%, while the average balanced accuracy for the ML models is 52%. Moreover, the results show that DoDGE successfully differentiates between a flash event and a DoS attack. Furthermore, since the main computation cost of DoDGE is the entropy computation, which is linear in the volume of the unit-time network flow, uses integer-only operations, and works on a small fraction of the total flow, it is lightweight and scalable.
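The decision rule described in the abstract, as an added sketch that is not the authors' DoDGE code. Shannon entropy stands in for the paper's generalized entropy, and the window length, the running standard deviation over all slopes seen so far, and the constructed traffic are assumptions.

```python
import math
from collections import Counter
from statistics import pstdev

WINDOW = 5  # assumed: unit-time intervals covered by each fitted line

def entropy(addresses):
    """Shannon entropy in bits of one interval's address list (stand-in
    for the paper's generalized entropy, which the abstract does not define)."""
    n = len(addresses)
    return -sum(c / n * math.log2(c / n) for c in Counter(addresses).values())

def slope(ys):
    """Least-squares slope of ys against x = 0..len(ys)-1."""
    mx, my = (len(ys) - 1) / 2, sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in enumerate(ys))
    return num / sum((x - mx) ** 2 for x in range(len(ys)))

def detect(intervals, window=WINDOW):
    """intervals: (source_addrs, dest_addrs) per unit time; returns (index, label) alerts."""
    h_src, h_dst, dst_slopes, alerts = [], [], [], []
    for i, (src, dst) in enumerate(intervals):
        h_src.append(entropy(src))
        h_dst.append(entropy(dst))
        if len(h_dst) < window:
            continue
        d_dst = slope(h_dst[-window:])
        dst_slopes.append(d_dst)
        # Assumption: sigma is taken over every destination slope seen so far.
        sigma = pstdev(dst_slopes)
        if d_dst < -sigma:
            # Destination entropy is collapsing; rising source entropy means flash event.
            d_src = slope(h_src[-window:])
            alerts.append((i, "flash-event" if d_src > 0 else "dos"))
    return alerts

# Constructed traffic: 8 hosts talking to 8 servers, then extra flows to d0.
BASE = ([f"s{k}" for k in range(8)], [f"d{k}" for k in range(8)])

def scenario(extra_sources):
    """10 quiet intervals, then 3 intervals with m extra flows aimed at d0."""
    burst = [(BASE[0] + extra_sources(m), BASE[1] + ["d0"] * m) for m in (8, 24, 56)]
    return [BASE] * 10 + burst

DOS = scenario(lambda m: ["a0"] * m)                     # one flooding source
FLASH = scenario(lambda m: [f"c{k}" for k in range(m)])  # many new clients

if __name__ == "__main__":
    print(detect(DOS), detect(FLASH))
```

Both constructed scenarios drive destination entropy down identically; only the sign of the source-entropy slope separates them.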

Published: February 15, 2024

Citation

Subasi O., J.B. Manzano Franco, and K.J. Barker. 2023. Denial of Service Attack Detection via Differential Analysis of Generalized Entropy Progressions. In IEEE International Conference on Cyber Security and Resilience (CSR 2023), July 31-August 2, 2023, Venice, Italy, 219-226. Piscataway, New Jersey: IEEE. PNNL-SA-182995. doi:10.1109/CSR57506.2023.10224957
