Conditional entropy-based hybrid DDoS detection model for IoT networks

Abstract

In a distributed denial-of-service (DDoS) attack, an attacker channelizes the resources of a botnet to launch denial of service attack on the victim. The increased use of IoT devices and dependence of users on e-services like online shopping and online payments have elevated the liability risks. The entropy provides a significant measure of randomness. The variation in entropy of traffic features determines the presence of abrupt traffic. This paper uses entropy and conditional entropy to achieve insights on data and feeds it to the proposed 2-stage detection approach for multi-class classification. The proposed model employs four classifiers for first hand classification. Further, stacking generalization-based second stage achieves the final detection process. The recently launched CIC IoT 2023 dataset is used to illustrate the findings of the study. The proposed approach produces an accuracy of 99.86%. Further, this paper utilizes relative entropy for the determination of deflection of traffic behavior between the attack and legitimate samples. Comparisons have been made among symmetric versions of information divergence, $\varphi$-divergence and Kullback–Leibler divergence along with, Hellinger distance and total variation distance. It is found that the information distance gives a better differentiation between the entropy of legitimate traffic and attack traffic. Significance Statement Entropy has been manipulated to define the nature of incoming traffic for any rule-based detection. This work explores the significance of conditional entropy for the ML-based detection of DDoS attacks in a recently launched IoT-based dataset. Additionally, the effectiveness of KL-divergence, information divergence, $\varphi$-divergence, Hellinger distance and total variation distance is compared for differentiating between legitimate traffic and attack traffic.