Deceiving entropy based DoS detection

Oezcelik I., Brooks R. R.

COMPUTERS & SECURITY, vol.48, pp.234-245, 2015 (SCI-Expanded)

  • Publication Type: Article / Article
  • Volume: 48
  • Publication Date: 2015
  • Doi Number: 10.1016/j.cose.2014.10.013
  • Journal Name: COMPUTERS & SECURITY
  • Journal Indexes: Science Citation Index Expanded (SCI-EXPANDED), Scopus
  • Page Numbers: pp.234-245
  • Recep Tayyip Erdoğan University Affiliated: No


Denial of Service (DoS) attacks disable network services for legitimate users. As the general public and service providers grow more dependent on the Internet, the availability of Internet services has become a concern. While DoS attacks cause inconvenience for users and revenue loss for service providers, their effects on critical infrastructures such as the smart grid and public utilities could be catastrophic: an attack on a smart grid system can cause cascading power failures and lead to a major blackout. Researchers have proposed approaches for detecting these attacks over the past decade, and anomaly-based DoS detection is the most common. The detector uses network traffic statistics, such as the entropy of incoming packet header fields (e.g. source IP addresses or protocol type): it calculates the observed statistical feature and triggers an alarm if an extreme deviation from the expected range occurs. Entropy features are common in recent DDoS detection publications and are among the most effective features for detecting these attacks. However, intrusion detection systems (IDS) that rely on entropy-based detection can themselves be the victim of spoofing attacks. An attacker can sniff the network and calculate the background traffic entropy before a (D)DoS attack starts, then spoof the header fields of attack packets so that the entropy value stays in the expected range during the attack. This paper explains this vulnerability of entropy-based network monitoring systems. We present a proof-of-concept entropy spoofing attack and show that, by exploiting it, the attacker can avoid detection or degrade detection performance to an unacceptable level. (C) 2014 Elsevier Ltd. All rights reserved.
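The mechanism the abstract describes, as an added illustration that is not code from the paper: a source-IP entropy detector trained on background windows, two naive floods it catches (one source, random spoofed sources), and an entropy-spoofing flood in which the attacker first sniffs background packets and then draws spoofed source addresses from the sniffed distribution. The background address set and its weights, the window sizes and the k-sigma threshold are all constructed assumptions, not values from the paper.

```python
"""Entropy spoofing against an entropy-based DoS detector (constructed example)."""
import math
import random
from collections import Counter

# Constructed background model: five legitimate client addresses with skewed
# popularity. Hypothetical addresses and weights, not measurements from the paper.
BACKGROUND = {"10.0.0.1": 0.30, "10.0.0.2": 0.25, "10.0.0.3": 0.20,
              "10.0.0.4": 0.15, "10.0.0.5": 0.10}
WINDOW = 1000           # legitimate packets per detection window (assumed)
ATTACK_PACKETS = 9000   # attacker adds 9x the background volume per window (assumed)


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of a header field."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def draw(distribution, k, rng):
    """Sample k field values from a {value: probability} distribution."""
    keys = list(distribution)
    return rng.choices(keys, weights=[distribution[x] for x in keys], k=k)


class EntropyDetector:
    """Anomaly detector: learn mean/std of window entropy, alarm on a k-sigma deviation."""

    def __init__(self, k_sigma=3.0):
        self.k_sigma = k_sigma
        self.mean = self.std = None

    def train(self, windows):
        ents = [shannon_entropy(w) for w in windows]
        self.mean = sum(ents) / len(ents)
        self.std = math.sqrt(sum((h - self.mean) ** 2 for h in ents) / len(ents))

    def is_attack(self, window):
        return abs(shannon_entropy(window) - self.mean) > self.k_sigma * self.std


def entropy_spoofed_sources(sniffed, k, rng):
    """Attacker side: estimate the background source-IP distribution from sniffed
    packets and draw spoofed sources from it, so the attack leaves entropy unchanged."""
    counts = Counter(sniffed)
    total = len(sniffed)
    return draw({ip: c / total for ip, c in counts.items()}, k, rng)


def run_scenarios(seed=1):
    """Train the detector on background, then test three attack windows."""
    rng = random.Random(seed)
    detector = EntropyDetector()
    detector.train([draw(BACKGROUND, WINDOW, rng) for _ in range(50)])
    legit = draw(BACKGROUND, WINDOW, rng)

    # 1) Flood from a single source: entropy collapses toward zero.
    single = legit + ["203.0.113.7"] * ATTACK_PACKETS
    # 2) Flood with randomly spoofed sources: entropy jumps far above background.
    random_spoof = legit + [".".join(str(rng.randrange(256)) for _ in range(4))
                            for _ in range(ATTACK_PACKETS)]
    # 3) Entropy spoofing: sniff background first, then mimic its source distribution.
    sniffed = draw(BACKGROUND, 20000, rng)
    spoofed = legit + entropy_spoofed_sources(sniffed, ATTACK_PACKETS, rng)

    return {
        "single_source_flood": detector.is_attack(single),
        "random_spoofed_flood": detector.is_attack(random_spoof),
        "entropy_spoofed_flood": detector.is_attack(spoofed),
        "background_entropy": round(detector.mean, 3),
        "spoofed_window_entropy": round(shannon_entropy(spoofed), 3),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The third window carries nine times the background packet volume yet is classified as normal, because the detector looks only at the entropy of one header field. A practitioner reading the paper should take away that entropy features are only trustworthy when the attacker cannot observe the background, and that they should be combined with features the attacker cannot shape by spoofing, such as packet or flow rate.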