On the use of information theory metrics for detecting DDoS attacks and flash events: an empirical analysis, comparison, and future directions


  • Jagdeep Singh, Research Scholar, SBS State Technical Campus, Ferozepur, Punjab, India
  • Navjot Jyoti, Research Scholar, SBS State Technical Campus, Ferozepur, Punjab, India
  • Sunny Behal, Associate Professor, SBS State Technical Campus, Ferozepur, Punjab, India




Keywords: DDoS Attacks, Network Security, Entropy, Information Divergence, Empirical Investigation


A Distributed Denial of Service (DDoS) attack is one of the most lethal threats to a web server hosting Internet-based services and applications: it can cripple the server's computing and communication resources. This has motivated researchers over the years to find diverse and robust solutions to combat DDoS attacks. In recent times, the volume of legitimate traffic has also grown manifold, so attack traffic and legitimate traffic have become behaviourally similar and are difficult to differentiate. Flow-based techniques are predominantly used to distinguish legitimate traffic flows from attack flows, and over the last decade information theory has been used extensively in flow-based DDoS defence solutions. This paper elucidates the efficacy and effectiveness of various information-theoretic entropy and divergence measures for DDoS attack detection. The proposed generalized detection methodology has been validated using detection system evaluation metrics such as Detection Rate (Recall), Precision, F-Measure, FPR and Classification Rate, as well as Receiver Operating Characteristic (ROC) curves. It has been observed that the generalized divergence-based metrics detect different types of attack flows more accurately than the entropy-based metrics.
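As an added illustration of the kind of metrics the abstract compares (this is not the paper's own methodology, code or datasets), the block below computes Shannon and generalized (Rényi) entropy of a window's source-IP distribution, a generalized (Rényi) divergence of that window against a legitimate-traffic baseline, and the Recall, Precision, F-Measure, FPR and classification rate of a simple threshold detector over constructed windows. The IP addresses, per-window request counts, divergence order alpha, smoothing eps and the threshold are all assumptions.

```python
import math

# Constructed baseline of legitimate traffic (assumption, not the paper's data):
# ten clients, five requests each, in one observation window.
LEGIT = {f"10.0.0.{i}": 5 for i in range(1, 11)}

def distribution(counts):
    """Empirical probability of each source IP within one window."""
    total = sum(counts.values())
    return {ip: n / total for ip, n in counts.items() if n > 0}

def shannon_entropy(p):
    return -sum(v * math.log2(v) for v in p.values())

def renyi_entropy(p, alpha):
    """Generalized (Renyi) entropy of order alpha; alpha = 1 is Shannon entropy."""
    if alpha == 1:
        return shannon_entropy(p)
    return math.log2(sum(v ** alpha for v in p.values())) / (1 - alpha)

def renyi_divergence(p, q, alpha, eps=1e-9):
    """Generalized (Renyi) divergence D_alpha(P || Q) over the union of supports.
    eps stands in for q(x) = 0, so sources never seen in the baseline are penalised
    heavily; alpha = 1 is Kullback-Leibler divergence."""
    if alpha == 1:
        return sum(v * math.log2(v / max(q.get(ip, 0.0), eps)) for ip, v in p.items())
    s = sum(p.get(ip, 0.0) ** alpha * max(q.get(ip, 0.0), eps) ** (1 - alpha)
            for ip in set(p) | set(q))
    return math.log2(s) / (alpha - 1)

def evaluate(scores, labels, threshold):
    """Detection metrics from the abstract for the rule 'score > threshold means attack'."""
    flagged = [s > threshold for s in scores]
    tp = sum(1 for f, l in zip(flagged, labels) if f and l)
    fp = sum(1 for f, l in zip(flagged, labels) if f and not l)
    fn = sum(1 for f, l in zip(flagged, labels) if not f and l)
    tn = sum(1 for f, l in zip(flagged, labels) if not f and not l)
    recall = tp / (tp + fn) if tp + fn else 0.0
    precision = tp / (tp + fp) if tp + fp else 0.0
    f_measure = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"recall": recall, "precision": precision, "f_measure": f_measure,
            "fpr": fp / (fp + tn) if fp + tn else 0.0,
            "classification_rate": (tp + tn) / len(labels)}

def run_demo(alpha=2, threshold=1.0):
    """Score constructed windows against the legitimate baseline; label 1 = attack."""
    windows = [
        ("legit", LEGIT, 0),
        ("legit-jitter", {**LEGIT, "10.0.0.9": 4, "10.0.0.10": 6}, 0),
        ("flash-event", {**LEGIT, **{f"198.51.100.{i}": 1 for i in range(1, 31)}}, 0),
        ("attack-3-bots", {**LEGIT, **{f"203.0.113.{i}": 40 for i in range(5, 8)}}, 1),
        ("attack-2-bots", {**LEGIT, "203.0.113.9": 60, "203.0.113.10": 60}, 1),
    ]
    baseline = distribution(LEGIT)
    scores = [renyi_divergence(distribution(w), baseline, alpha) for _, w, _ in windows]
    entropies = [shannon_entropy(distribution(w)) for _, w, _ in windows]
    labels = [lab for _, _, lab in windows]
    return scores, entropies, evaluate(scores, labels, threshold)
```

The flash-event window, whose many new sources are absent from the baseline, is flagged as a false positive by this single-attribute detector, which is the behavioural-similarity problem the abstract describes; a practitioner would combine several attributes and tune alpha and the threshold per deployment.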



