Please use this identifier to cite or link to this item: https://elibrary.tucl.edu.np/handle/123456789/6924
Title: An Entropy-based Detection for Tracing DDoS Attack Packets using Clustering with Machine Learning
Authors: Maharjan, Sanil
Keywords: DoS;DDoS;Entropy;Bandwidth
Issue Date: Nov-2018
Publisher: Pulchowk Campus
Institute Name: Institute of Engineering
Level: Masters
Abstract: The internet has become as essential to everyday life as oxygen. Today it is all about online reputation, internet marketing, online business, online degrees, social media presence and internet banking, so the availability of the internet is critical for socio-economic growth. One of the serious issues in the current Internet is the denial-of-service (DoS) attack, which prevents legitimate users from being served by servers. The first step in stopping DDoS attacks is to detect them and raise an alarm so that the necessary precautions can be taken; this detection is the challenging part for network security. This thesis presents an approach that aims at detecting DDoS attacks in a network using an entropy-based detection algorithm. The proposed model is intended to bridge the system complexity of advanced techniques such as machine learning and deep neural networks with a traditional approach such as clustering, without compromising the accuracy those techniques offer. Therefore an entropy-based technique is combined with the K-Nearest Neighbors (KNN) machine learning algorithm: entropy is calculated not only over a single parameter but over source IP, source port, destination IP and destination port with respect to time windows of 1 sec, 5 sec, 10 sec and 15 sec, and compared with a threshold for each respective parameter. The detection threshold is determined with an unsupervised data mining algorithm and is therefore dynamic; k-means clustering is used for this since it is much faster than other clustering algorithms. To reduce false alarms and classify the attacks, KNN is used, which improves accuracy over clustering alone. A network traffic profile of the entropies of all the feature parameters mentioned above is also maintained, which helps in determining the flow pattern.
Moreover, packet count per second and average packet length per second are also calculated as additional attributes for more precise detection. Since bandwidth use in the network during an attack becomes significantly higher than in normal traffic flow, bandwidth is monitored closely throughout the testing period.
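The following is an added example, not code from the thesis, showing the pipeline the abstract describes on a constructed packet trace: per-window Shannon entropy of source IP, source port, destination IP and destination port (plus packets per second and mean packet length), a dynamic per-parameter threshold taken from two-centroid k-means, and a KNN check over the entropy features. The decision rule (source entropy above its threshold while destination entropy is below its threshold, i.e. many sources converging on one target), the midpoint-between-centroids threshold and the Euclidean KNN distance are assumptions made here for illustration; the packet data, IP addresses and ports are constructed.

```python
"""Entropy-based DDoS window detection with a k-means-derived threshold
and a KNN check. Added example on constructed data; not the thesis code."""
import math
from collections import Counter, defaultdict

# Constructed packet trace: (timestamp_sec, src_ip, src_port, dst_ip, dst_port, length)
PACKETS = []
for sec in range(5):                      # seconds 0-4: normal two-client traffic
    for i, (sip, dip, dport) in enumerate([
            ("10.0.0.1", "192.0.2.10", 80), ("10.0.0.2", "192.0.2.11", 443),
            ("10.0.0.1", "192.0.2.11", 443), ("10.0.0.2", "192.0.2.10", 80)]):
        PACKETS.append((sec, sip, 40000 + 4 * sec + i, dip, dport, 600))
for k in range(40):                       # second 5: flood from 40 spoofed sources to one service
    PACKETS.append((5, f"203.0.113.{k + 1}", 1024 + 37 * k, "192.0.2.10", 80, 64))

FIELDS = {"src_ip": 1, "src_port": 2, "dst_ip": 3, "dst_port": 4}   # name -> tuple index


def shannon_entropy(values):
    """H = -sum p*log2(p) over the empirical distribution of values, in bits."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def window_features(packets, window_sec):
    """Per time window: entropy of each header field, packets/sec and mean length."""
    buckets = defaultdict(list)
    for pkt in packets:
        buckets[pkt[0] // window_sec].append(pkt)
    feats = {}
    for wid, pkts in sorted(buckets.items()):
        f = {name: shannon_entropy([p[idx] for p in pkts]) for name, idx in FIELDS.items()}
        f["pkt_per_sec"] = len(pkts) / window_sec
        f["avg_len"] = sum(p[5] for p in pkts) / len(pkts)
        feats[wid] = f
    return feats


def kmeans_1d(values, iters=50):
    """Two-centroid k-means on one feature; returns (low_centroid, high_centroid)."""
    lo, hi = min(values), max(values)
    for _ in range(iters):
        low = [v for v in values if abs(v - lo) <= abs(v - hi)]
        high = [v for v in values if abs(v - lo) > abs(v - hi)]
        new_lo = sum(low) / len(low) if low else lo
        new_hi = sum(high) / len(high) if high else hi
        if (new_lo, new_hi) == (lo, hi):
            break
        lo, hi = new_lo, new_hi
    return lo, hi


def dynamic_threshold(values):
    """Assumed threshold rule: midpoint between the two k-means centroids.
    Returns None when every window looks alike, so nothing can be flagged."""
    lo, hi = kmeans_1d(values)
    return None if hi - lo < 1e-9 else (lo + hi) / 2


def detect(packets, window_sec):
    """Flag windows where a source-side entropy exceeds its threshold AND a
    destination-side entropy falls below its threshold (assumed decision rule)."""
    feats = window_features(packets, window_sec)
    thr = {name: dynamic_threshold([f[name] for f in feats.values()]) for name in FIELDS}
    flagged = []
    for wid, f in feats.items():
        src_up = any(thr[n] is not None and f[n] > thr[n] for n in ("src_ip", "src_port"))
        dst_down = any(thr[n] is not None and f[n] < thr[n] for n in ("dst_ip", "dst_port"))
        if src_up and dst_down:
            flagged.append(wid)
    return flagged, feats, thr


def knn_label(train, query, k=1):
    """Majority vote among the k nearest labelled windows, using Euclidean
    distance over the four entropy features. k must not exceed the number of
    labelled windows of the class you expect to recover."""
    def dist(f):
        return math.sqrt(sum((f[x] - query[x]) ** 2 for x in FIELDS))
    nearest = sorted(train, key=lambda t: dist(t[0]))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


if __name__ == "__main__":
    for w in (1, 5):
        flagged, feats, thr = detect(PACKETS, w)
        print(f"window={w}s flagged={flagged} src_ip threshold={thr['src_ip']:.2f}")
```

Run as a script it flags second 5 with 1 s windows and the second window with 5 s windows; the labels from the 1 s run can then serve as the KNN training set for windows of another size, which is how a classifier layered on the clustering output can confirm or reject an alarm.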
Description: The internet has become as essential to everyday life as oxygen. Today it is all about online reputation, internet marketing, online business, online degrees, social media presence and internet banking, so the availability of the internet is critical for socio-economic growth. One of the serious issues in the current Internet is the denial-of-service (DoS) attack, which prevents legitimate users from being served by servers.
URI: https://elibrary.tucl.edu.np/handle/123456789/6924
Appears in Collections:Electronics and Computer Engineering

Files in This Item:
File: THE2892.pdf | Size: 3.71 MB | Format: Adobe PDF
