An Empirical Investigation of DDoS and Flash Event Detection Using Shannon Entropy, KOAD and SVM Combined

Daneshgadeh S., Kemmerich T., Ahmed T., BAYKAL N.

International Conference on Computing, Networking and Communications (ICNC), Hawaii, United States Of America, 18 - 21 February 2019, pp.658-662 identifier identifier

  • Publication Type: Conference Paper / Full Text
  • Volume:
  • Doi Number: 10.1109/iccnc.2019.8685632
  • City: Hawaii
  • Country: United States Of America
  • Page Numbers: pp.658-662
  • Keywords: DDoS, Flash Event, KOAD, Shannon entropy, hybrid method, DDoS attack simulation
  • Middle East Technical University Affiliated: Yes


In the world of internet and communication technologies where our personal and business lives are inextricably tied to internet enabled services and applications, Distributed Denial of Service (DDoS) attacks continue to adversely affect the availability of these services and applications. Many frameworks have been presented in academia and industry to predict, detect and defend against DDoS attacks. The available solutions try to protect online services from DDoS attacks, but as yet there is no best-practice method that is widely-accepted in the community. Differentiating DDoS attacks from similar looking legitimate Flash Events (FE) wherein huge numbers of legitimate users try to access a specific internet based service or application, is another challenging issue in the field. This paper proposes a novel hybrid DDoS and FE detection scheme taking three isolated approaches including Kernel Online Anomaly Detection (KOAD), Support Vector Machine (SVM) and Information Theory. We applied our proposed approach on simulated DDoS attacks, real FEs and normal network traffic. The results indicate that information theory works well in combination with machine learning algorithms to detect and discriminate DDoS and FE traffic in terms of both false positive and detection rates.