DoS Attack Detection using Source IP address entropy and Average packet arrival time interval

Keiichirou Kurihara and Kazuki Katagishi


DoS attack, entropy, regression analysis


DoS attacks are a threat to the ICT (information and communications technology) society. Many detection methods exist, but countermeasures have become harder as attacks grow more sophisticated. Conventional methods use the property of entropy to detect attacks: comparing the entropy of a header field, such as the IP address, at successive points in a time series estimates whether the dispersion of that field's values has increased or decreased. With only one header field, however, the detection rate of these methods is low, so several kinds of header information are needed for accurate detection, which makes distinguishing DoS attacks slow and the detection method complicated. This paper proposes a detection method that uses only two header fields, "packet arrival time" and "source IP address", so it detects DoS attacks with fewer header fields than conventional methods. In addition, its false positive rate is below $2\%$ and its false negative rate is $0\%$. These results show that the method is not only simple but also accurate.
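As an added illustration, not the authors' code and not necessarily their exact algorithm (the abstract does not detail the regression step), the following Python sketch computes, per time window, the Shannon entropy of the source IP address field and the mean packet inter-arrival time, then flags any window where both quantities deviate from the first (baseline) window. The packet trace, the window width and the two thresholds are assumptions constructed for the example; a single-source flood drives the entropy down while a spoofed flood with random sources drives it up, so the check uses the absolute entropy change.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple

# A packet is (arrival time in seconds, source IP address).
Packet = Tuple[float, str]


def source_ip_entropy(packets: List[Packet]) -> float:
    """Shannon entropy (bits) of the source-IP distribution in one window."""
    n = len(packets)
    if n == 0:
        return 0.0
    counts = Counter(ip for _, ip in packets)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def mean_interarrival(packets: List[Packet]) -> float:
    """Average gap between consecutive packet arrivals in one window."""
    times = sorted(t for t, _ in packets)
    if len(times) < 2:
        return math.inf
    return (times[-1] - times[0]) / (len(times) - 1)


def split_windows(packets: List[Packet], width: float) -> List[List[Packet]]:
    """Bucket packets into consecutive windows of `width` seconds."""
    buckets: Dict[int, List[Packet]] = {}
    for t, ip in packets:
        buckets.setdefault(int(t // width), []).append((t, ip))
    return [buckets[k] for k in sorted(buckets)]


def detect(packets: List[Packet], width: float = 1.0,
           entropy_delta: float = 0.5, interval_ratio: float = 0.5) -> List[bool]:
    """Return one flag per window after the first, True if the window looks like a DoS.

    The first window is the baseline. A window is flagged when its source-IP
    entropy moves by more than `entropy_delta` bits from the baseline AND its
    mean inter-arrival time drops below `interval_ratio` times the baseline.
    Both thresholds are assumed values for this example, not from the paper.
    """
    wins = split_windows(packets, width)
    base_h = source_ip_entropy(wins[0])
    base_i = mean_interarrival(wins[0])
    flags = []
    for w in wins[1:]:
        h, i = source_ip_entropy(w), mean_interarrival(w)
        flags.append(abs(h - base_h) > entropy_delta and i < interval_ratio * base_i)
    return flags


def build_trace() -> List[Packet]:
    """Constructed trace (not real traffic): 2 benign windows, then two flood types."""
    trace: List[Packet] = []
    # Windows 0 and 1: 10 packets each, 0.1 s apart, cycling over 5 legitimate hosts.
    for w in (0, 1):
        for k in range(10):
            trace.append((w + k * 0.1, f"10.0.0.{k % 5 + 1}"))
    # Window 2: single-source flood, 100 packets 0.01 s apart -> entropy collapses to 0.
    for k in range(100):
        trace.append((2.0 + k * 0.01, "192.0.2.7"))
    # Window 3: spoofed flood, 100 packets 0.01 s apart, every source distinct -> entropy jumps.
    for k in range(100):
        trace.append((3.0 + k * 0.01, f"203.0.113.{k}"))
    return trace


if __name__ == "__main__":
    trace = build_trace()
    for idx, w in enumerate(split_windows(trace, 1.0)):
        print(f"window {idx}: H={source_ip_entropy(w):.2f} bits, "
              f"mean gap={mean_interarrival(w):.3f} s")
    print("flags for windows 1..3:", detect(trace))
```

Running it prints the per-window statistics and flags windows 2 and 3 while leaving the second benign window unflagged. Using only the entropy change would also flag a legitimate shift in the client population, which is why the method pairs it with the arrival-interval feature.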

