Deceiving entropy based DoS detection

Computers & Security


İlker Özçelik, Richard R. Brooks

Holcombe Department of Electrical and Computer Engineering, Clemson University, Clemson, SC 29634-0915, USA

* Corresponding author.
E-mail addresses: (İ. Özçelik), rrb@clemso (R.R. Brooks).

Article history:
Received 5 April 2014
Received in revised form 30 September 2014
Accepted 22 October 2014
Available online xxx

Keywords: Entropy; Detection deceiving; Denial of service; Intrusion detection; Protocol spoofing

Abstract

Denial of Service (DoS) attacks disable network services for legitimate users. As a result of growing dependence on the Internet by both the general public and service providers, the availability of Internet services has become a concern. While DoS attacks cause inconvenience for users and revenue loss for service providers, their effects on critical infrastructures like the smart grid and public utilities could be catastrophic. For example, an attack on a smart grid system can cause cascaded power failures and lead to a major blackout. Researchers have proposed approaches for detecting these attacks in the past decade. Anomaly based DoS detection is the most common. The detector uses network traffic statistics, such as the entropy of incoming packet header fields (e.g. source IP addresses or protocol type). It calculates the observed statistical feature and triggers an alarm if an extreme deviation occurs. Entropy features are common in recent DDoS detection publications. They are also one of the most effective features for detecting these attacks.

However, intrusion detection systems (IDS) using entropy based detection approaches can be a victim of spoofing attacks. An attacker can sniff the network and calculate background traffic entropy before a (D)DoS attack starts. They can then spoof attack packets to keep the entropy value in the expected range during the attack. This paper explains the vulnerability of entropy based network monitoring systems. We present a proof of concept entropy spoofing attack and show that by exploiting this vulnerability, the attacker can avoid detection or degrade detection performance to an unacceptable level.

Please cite this article in press as: Özçelik İ, Brooks RR, Deceiving entropy based DoS detection, Computers & Security (2014).

0167-4048/© 2014 Elsevier Ltd. All rights reserved.

1. Introduction

DoS attacks are a major problem for the Internet. According to the Ponemon Institute's fourth annual cost of cyber crime study in the United States, Denial of Service (DoS) attacks accounted for the highest percentage of computer crime cost in 2013 (Ponemon, 2013). Many DoS detection approaches have been proposed (Blazek et al., 2001; Carl et al., 2006a; Callegari et al., 2012; Lee and Xiang, 2001; Nychis et al., 2008; Rahmani et al., 2009; Feinstein et al., 2003; Oshima et al., 2011, 2010a, 2010b; Gu et al., 2005; Jeyanthi and Iyengar, 2012; No and Ra, 2009, 2011; Du and Abe, 2007; Tritilanunt et al., 2010; Yu and Zhou, 2008; Kumar et al., 2007; Prasad et al., 2012; Jun et al., 2014a; Shin et al., 2013; Gao and Wang, 2014; Jun et al., 2014b). Different features of network traffic, such as traffic volume (Blazek et al., 2001; Carl et al., 2006a; Callegari et al., 2012) and entropy of packet header fields (Lee and Xiang, 2001; Nychis et al., 2008; Rahmani et al., 2009; Feinstein et al., 2003; Oshima et al., 2011, 2010a, 2010b; Gu et al., 2005; Jeyanthi and Iyengar, 2012; No and Ra, 2009, 2011; Du and Abe, 2007; Tritilanunt et al., 2010; Yu and Zhou,

operational network traffic with live DDoS attacks show that entropy based DDoS detection performs better than other approaches widely studied in the literature (Ozcelik, 2013).

Our results also indicate that entropy based detection is not affected by network utilization as are other approaches (Ozcelik, 2013). Information theory-based metrics (Hartley entropy, Shannon entropy, Renyi's entropy, generalized entropy, Kullback-Leibler divergence and generalized information distribution) are popular for intrusion detection because of their low computation overhead (Bhuyan et al., 2015).

Google Scholar cites more than 250 entropy based DDoS detection journal articles and conference papers published in 2014.

This paper shows that, unfortunately, entropy based DoS detection approaches are vulnerable to spoofing. An attacker can monitor background traffic entropy to find the distribution before the attack and spoof packets to make the entropy fit the expected distribution during the attack. Exploiting this vulnerability can render intrusion detection systems (IDS) that use entropy based network monitoring useless.
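The detector behaviour described above, and the blind spot this paper points at, can be seen from the monitoring side in a short sketch. This is an added example, not code from the paper: the class and function names, the mean ± 3σ alarm rule, and the sample windows (documentation address ranges) are all assumptions constructed for illustration.

```python
import math
from collections import Counter
from statistics import mean, stdev

def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

class EntropyDetector:
    """Alarm when a window's source-IP entropy leaves baseline mean +/- k*stdev.
    The k-sigma rule is an assumed threshold, not the paper's detector."""
    def __init__(self, baseline_windows, k=3.0):
        ents = [shannon_entropy(w) for w in baseline_windows]
        self.mu, self.sigma, self.k = mean(ents), stdev(ents), k

    def check(self, window):
        h = shannon_entropy(window)
        return {"entropy": h, "packets": len(window),
                "alarm": abs(h - self.mu) > self.k * self.sigma}

def make_window(weights, scale=1):
    """Constructed sample: list of source IPs, one entry per packet."""
    return [ip for ip, n in weights.items() for _ in range(n * scale)]

# Constructed background traffic: four observation windows.
BASE = {"192.0.2.1": 40, "192.0.2.2": 30, "192.0.2.3": 20, "192.0.2.4": 10}
baseline = [make_window(BASE),
            make_window({**BASE, "192.0.2.1": 42}),
            make_window({**BASE, "192.0.2.2": 28}),
            make_window({**BASE, "192.0.2.4": 12})]
det = EntropyDetector(baseline)

def demo():
    # One source dominating the window: entropy collapses and the alarm fires.
    flood = det.check(make_window(BASE) + ["198.51.100.7"] * 2000)
    # Ten times the packets in baseline proportions: entropy does not move,
    # so an entropy-only detector reports nothing unusual.
    scaled = det.check(make_window(BASE, scale=10))
    return flood, scaled

if __name__ == "__main__":
    for name, result in zip(("flood", "scaled"), demo()):
        print(name, result)
```

Entropy depends only on the proportions of header values in a window, so the `packets` field is the part of each result that the alarm rule never looks at.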

There are many studies on technologies like honeynets, which deceive attackers to collect attack data and understand how they operate (Zhang et al., 2003; Dodge et al., 2014; Milovanov et al., 2012). In this study, we looked at DDoS attacks from an attacker's perspective to deceive a DDoS detection system. We show the vulnerability of network monitoring systems using entropy. We present a proof of concept attack that neutralizes entropy based DoS detection.

We analyze the detection performance with and without spoofing at different network provisioning levels (1 Gigabytes/second and 100 Megabytes/second). Our results show that entropy based detection approaches can be deceived by controlling the entropy level during a DoS attack. In addition, by generating false positives, detection systems can be made unreliable. This is the first study that presents and explains the vulnerability of entropy based network monitoring systems. Intrusion detection researchers using traffic entropy, as well as other features, need to consider the ease of packet spoofing when designing IDS techniques. Entropy is not the only feature with this vulnerability. Researchers ignoring these factors may be one of the reasons that IDS systems have been notoriously unreliable with high false positive rates (Kumar et al., 2011).