Share Email Print

Proceedings Paper

Deceiving entropy-based DoS detection
Author(s): İlker Özçelik; Richard R. Brooks
Format Member Price Non-Member Price
PDF $17.00 $21.00

Paper Abstract

Denial of Service (DoS) attacks disable network services for legitimate users. A McAfee report shows that eight out of ten Critical Infrastructure Providers (CIPs) surveyed had a significant Distributed DoS (DDoS) attack in 2010.1 Researchers proposed many approaches for detecting these attacks in the past decade. Anomaly based DoS detection is the most common. In this approach, the detector uses statistical features; such as the entropy of incoming packet header fields like source IP addresses or protocol type. It calculates the observed statistical feature and triggers an alarm if an extreme deviation occurs. However, intrusion detection systems (IDS) using entropy based detection can be fooled by spoofing. An attacker can sniff the network to collect header field data of network packets coming from distributed nodes on the Internet and fuses them to calculate the entropy of normal background traffic. Then s/he can spoof attack packets to keep the entropy value in the expected range during the attack. In this study, we present a proof of concept entropy spoofing attack that deceives entropy based detection approaches. Our preliminary results show that spoofing attacks cause significant detection performance degradation.

Paper Details

Date Published: 20 June 2014
PDF: 7 pages
Proc. SPIE 9091, Signal Processing, Sensor/Information Fusion, and Target Recognition XXIII, 90911P (20 June 2014); doi: 10.1117/12.2054434
Show Author Affiliations
İlker Özçelik, Clemson Univ. (United States)
Richard R. Brooks, Clemson Univ. (United States)

Published in SPIE Proceedings Vol. 9091:
Signal Processing, Sensor/Information Fusion, and Target Recognition XXIII
Ivan Kadar, Editor(s)

© SPIE. Terms of Use
Back to Top
Sign in to read the full article
Create a free SPIE account to get access to
premium articles and original research
Forgot your username?