Title: Detection of anomalous packet traffic via entropy
Authors: A. Lawniczak, Hao Wu, B. D. Stefano
Venue: 2009 Canadian Conference on Electrical and Computer Engineering
Published: 2009-05-03
DOI: 10.1109/CCECE.2009.5090107 (https://doi.org/10.1109/CCECE.2009.5090107)
Citations: 2
Abstract
We study whether the information entropy of packet traffic passing through a selected set of routers can detect anomalous packet traffic (e.g., distributed denial-of-service (DDoS) attacks) in a packet switching network (PSN) model. Given a certain PSN model setup (i.e., topology, routing algorithm, and source load value), a “natural” entropy profile of normal packet traffic monitored at the selected routers characterizes normal operation of the PSN model. When the entropy of packet traffic deviates significantly from this “natural” profile, some anomaly in the packet traffic is emerging. Our simulations of ping DDoS attacks show that after the start of an attack the entropy of packet traffic monitored network-wide at relatively small sets of routers may drop significantly, and that these drops are easier to detect when static routing is used instead of dynamic routing. Thus, for the detection of DDoS attacks and other anomalous packet traffic, the information entropy of packet traffic monitored network-wide at properly selected routers can be a useful tool.
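The detection idea in the abstract (build a "natural" entropy profile from normal traffic at a small set of monitored routers, then alert when entropy drops well below it), as an added example that is not code from the paper. It assumes that entropy is taken over how the packets in each time window are distributed across the monitored routers, a simplification of the paper's setup, and all sample windows are constructed.

```python
import math
from collections import Counter

def window_entropy(router_ids):
    """Shannon entropy (bits) of how the packets in one window are spread
    across the monitored routers; an empty window has entropy 0."""
    counts = Counter(router_ids)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def entropy_baseline(normal_windows):
    """Mean and standard deviation of entropy over windows of normal traffic:
    the 'natural' profile for one topology / routing / load setup."""
    hs = [window_entropy(w) for w in normal_windows]
    mean = sum(hs) / len(hs)
    sd = math.sqrt(sum((h - mean) ** 2 for h in hs) / len(hs))
    return mean, sd

def detect_entropy_drops(windows, mean, sd, k=3.0, min_drop=0.5):
    """Indices of windows whose entropy falls below the baseline by more than
    max(k*sd, min_drop) bits. min_drop keeps a near-zero sd on a very stable
    baseline from turning every small wobble into an alert."""
    threshold = mean - max(k * sd, min_drop)
    return [i for i, w in enumerate(windows) if window_entropy(w) < threshold]

def packets_from_counts(counts):
    """Expand a per-router packet count into a flat list of router ids."""
    return [r for r, n in counts.items() for _ in range(n)]

ROUTERS = ["r1", "r2", "r3", "r4", "r5"]
# Constructed sample windows (not data from the paper). Normal traffic is
# spread fairly evenly over the five monitored routers; during the flood most
# packets funnel through r1, the router on the path to the victim.
NORMAL = [packets_from_counts(dict(zip(ROUTERS, c)))
          for c in ([20, 22, 18, 21, 19], [19, 20, 21, 20, 20], [22, 18, 20, 19, 21])]
ATTACK = [packets_from_counts(dict(zip(ROUTERS, c)))
          for c in ([80, 5, 4, 6, 5], [75, 7, 6, 6, 6])]

def run_demo():
    """Baseline on the normal windows, then scan normal + attack windows."""
    mean, sd = entropy_baseline(NORMAL)
    return detect_entropy_drops(NORMAL + ATTACK, mean, sd)

if __name__ == "__main__":
    mean, sd = entropy_baseline(NORMAL)
    print(f"baseline entropy {mean:.3f} bits (sd {sd:.3f})")
    print("windows flagged as anomalous:", run_demo())
```

The two flood windows sit more than a bit below the roughly 2.32-bit baseline (log2 of five evenly loaded routers), which is the kind of network-wide drop the abstract reports.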