Translator Disclaimer
20 June 2014 Deceiving entropy-based DoS detection
Author Affiliations +
Denial of Service (DoS) attacks disable network services for legitimate users. A McAfee report shows that eight out of ten Critical Infrastructure Providers (CIPs) surveyed had a significant Distributed DoS (DDoS) attack in 2010.1 Researchers proposed many approaches for detecting these attacks in the past decade. Anomaly based DoS detection is the most common. In this approach, the detector uses statistical features; such as the entropy of incoming packet header fields like source IP addresses or protocol type. It calculates the observed statistical feature and triggers an alarm if an extreme deviation occurs. However, intrusion detection systems (IDS) using entropy based detection can be fooled by spoofing. An attacker can sniff the network to collect header field data of network packets coming from distributed nodes on the Internet and fuses them to calculate the entropy of normal background traffic. Then s/he can spoof attack packets to keep the entropy value in the expected range during the attack. In this study, we present a proof of concept entropy spoofing attack that deceives entropy based detection approaches. Our preliminary results show that spoofing attacks cause significant detection performance degradation.
© (2014) COPYRIGHT Society of Photo-Optical Instrumentation Engineers (SPIE). Downloading of the abstract is permitted for personal use only.
İlker Özçelik and Richard R. Brooks "Deceiving entropy-based DoS detection", Proc. SPIE 9091, Signal Processing, Sensor/Information Fusion, and Target Recognition XXIII, 90911P (20 June 2014);


CPHD filters with unknown quadratic clutter generators
Proceedings of SPIE (May 21 2015)
Categorification of the Dempster Shafer theory
Proceedings of SPIE (May 21 2015)
Improved demodulator for deep space communication
Proceedings of SPIE (October 01 2011)
CPHD filtering with unknown probability of detection
Proceedings of SPIE (April 27 2010)
Target identification using multi-radar fusion
Proceedings of SPIE (May 07 2007)

Back to Top