E-LDAT: a lightweight system for DDoS flooding attack detection and IP traceback using extended entropy metric

Distributed denial-of-service (DDoS) attacks cause havoc by exploiting threats to Internet services. In this paper, we propose E-LDAT, a lightweight extended-entropy metric-based system for both DDoS flooding attack detection and IP (Internet Protocol) traceback. It aims to identify DDoS attacks effectively by measuring the metric difference between legitimate traffic and attack traffic. IP traceback is performed using the metric values for an attack sample detected by the detection scheme. The method uses a generalized entropy metric with packet intensity computation on the sampled network traffic with respect to time. The E-LDAT system has been evaluated using several real-world DDoS datasets and outperforms competing methods when detecting four classes of DDoS flooding attacks, including constant rate, pulsing rate, increasing rate and subgroup attacks. The IP traceback model is also evaluated using NetFlow data in near real-time and performs well in large-scale attack networks with zombies. Copyright © 2016 John Wiley & Sons, Ltd.