Authors:
Domenico Vitali
1
;
Antonio Villani
2
;
Angelo Spognardi
1
;
Roberto Battistoni
1
and
Luigi V. Mancini
1
Affiliations:
1
“Sapienza” University of Rome, Italy
;
2
University of Roma Tre, Italy
Keyword(s):
DDoS, Attack Detection, Information Divergence, Relative Entropy, Autonomous System, Internet Security.
Related
Ontology
Subjects/Areas/Topics:
Critical Infrastructure Protection
;
Information and Systems Security
;
Network Security
;
Security in Information Systems
;
Security Metrics and Measurement
;
Wireless Network Security
Abstract:
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) constitute one of the main issues for critical Internet services. The widespread availability and simplicity of automated stressing tools has also promoted the voluntary participation to extensive attacks against known websites. Today the most effective (D)DoS detection schemes are based on information theory metrics, but their effectiveness is often evaluated with synthetic network traffic. In this work we present a comparison of the main metrics proposed in the literature carried on a huge dataset formed by real netflows. This comparison considers the ability of each metric to detect (D)DoS attacks at an early stage, in order to launch effective and timely countermeasures. The evaluation is based on a large dataset, collected from an Italian transit tier II Autonomous System (AS) located in Rome. This AS network is connected to all the three main network infrastructures present in Italy (Commercial, Research and Publ
ic Administration networks), and to several international providers (even for Internet transit purposes). Many attempted attacks to Italian critical IT infrastructures can be observed inside the network traffic of this AS. Several publicly declared attacks have been traced and many other malicious activities have been found by ex-post analysis.
(More)