The value of flow size distribution in entropy-based detection of DoS attacks

Periodicals(2016)

Abstract
This paper investigates the use of flow size distribution as a source in entropy-based detection. The performance of detection based on this distribution is compared with the performance of detection based on simple packet distribution, namely distribution of addresses, which outperforms other simple distributions in detection of distributed denial-of-service attacks. The following parameters are compared: true and false positive rate and detection delay. The dependence of the aforementioned parameters on detection threshold is given. The results for detection delay show that two detectors are very close with respect to this feature. Regarding the detection rate, experiments show that in most cases, the performance of flow-size based detector is superior to the performance of address-based detector. Copyright © 2015 John Wiley & Sons, Ltd.
Keywords
denial-of-service (DoS) attacks, entropy, anomaly detection, flow size distribution, SYN Flood