Denying Denial-of-Service: Strengthening Defenses Against Common Cyberattack

Usually on the internet, there’s consistent disorder everywhere. But during a denial-of-service attack, two measures of entropy go in opposite directions. At the target address, many more clicks than usual are going to one place, a state of low entropy. But the sources of those clicks, whether people, zombies or bots, originate in many different places—high entropy. The mismatch could signify an attack.

In PNNL’s testing, 10 standard algorithms correctly identified on average 52 percent of DOS attacks; the best one correctly identified 62 percent of attacks. The PNNL formula correctly identified 99 percent of such attacks.

The improvement isn’t due only to the avoidance of thresholds. To improve accuracy further, the PNNL team added a twist by not only looking at static entropy levels but also watching trends as they change over time.

Formula vs. Formula: Tsallis Entropy for the Win
In addition, Subasi explored alternative ways to calculate entropy. Many denial-of-service detection algorithms rely on a formula known as Shannon entropy. Subasi instead settled on a formula known as Tsallis entropy for some of the underlying mathematics.

Subasi found that the Tsallis formula is hundreds of times more sensitive than Shannon at weeding out false alarms and differentiating legitimate flash events, such as high traffic to a World Cup website, from an attack.

That’s because the Tsallis formula amplifies differences in entropy rates more than the Shannon formula. Think of how we measure temperature. If our thermometer had a resolution of 200 degrees, our outdoor temperature would always appear to be the same. But if the resolution were 2 degrees or less—like most thermometers—we’d detect dips and spikes many times each day. Subasi showed that it’s similar with subtle changes in entropy, detectable through one formula but not the other.
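The two opposing entropy measures, the trend over time, and the Shannon-versus-Tsallis comparison described above can be made concrete on a few constructed flow records. The example below is added here and is not PNNL's code: the IP addresses and server names are made up, each window holds eight flows from eight distinct sources, and the Tsallis parameter q=2 is an assumption (the article does not say which value PNNL used). It computes, per window, the gap between source entropy and destination entropy and how that gap changes from window to window; it deliberately stops at the signal and does not add a decision threshold, since avoiding thresholds is the point the article makes about the PNNL approach.

```python
"""Entropy-divergence sketch for the denial-of-service signal discussed above.

Constructed example (not PNNL code).  Each window is a list of (src, dst)
pairs standing in for flow records; addresses and service names are made up.
"""
import math
from collections import Counter

# Constructed traffic windows (not captured data).  Eight flows per window,
# each from a distinct source, so source entropy stays maximal throughout
# while destination entropy falls when traffic converges on one target.
SOURCES = [f"10.0.0.{i}" for i in range(1, 9)]
SERVERS = ["svc-a", "svc-b", "svc-c", "svc-d"]

WINDOWS = [
    # normal: destinations spread evenly over four servers (2, 2, 2, 2)
    list(zip(SOURCES, [SERVERS[i % 4] for i in range(8)])),
    # normal: slightly uneven spread (3, 2, 2, 1)
    list(zip(SOURCES, ["svc-a"] * 3 + ["svc-b"] * 2 + ["svc-c"] * 2 + ["svc-d"])),
    # attack-like: seven of eight flows converge on a single server
    list(zip(SOURCES, ["svc-a"] * 7 + ["svc-b"])),
]


def distribution(items):
    """Empirical probability of each distinct value in the window."""
    counts = Counter(items)
    total = sum(counts.values())
    return [c / total for c in counts.values()]


def shannon_entropy(probs):
    """H = -sum p * log2(p), in bits."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def tsallis_entropy(probs, q=2.0):
    """S_q = (1 - sum p**q) / (q - 1).

    q is a free parameter; q=2 is assumed here.  As q -> 1 the formula
    recovers Shannon entropy (with the natural logarithm).
    """
    if q == 1.0:
        return -sum(p * math.log(p) for p in probs if p > 0)
    return (1.0 - sum(p ** q for p in probs)) / (q - 1.0)


def window_entropies(flows, entropy_fn):
    """(source entropy, destination entropy) of one window."""
    src = entropy_fn(distribution([s for s, _ in flows]))
    dst = entropy_fn(distribution([d for _, d in flows]))
    return src, dst


def divergence(flows, entropy_fn):
    """Source entropy minus destination entropy.

    Large when many distinct sources (high entropy) converge on few
    destinations (low entropy), the mismatch the article describes.
    """
    src, dst = window_entropies(flows, entropy_fn)
    return src - dst


def divergence_trend(windows, entropy_fn):
    """Per-window divergence and its change from the previous window.

    The deltas are the 'trend over time' rather than a static level; the
    first window has no predecessor, so its delta is 0.
    """
    scores = [divergence(w, entropy_fn) for w in windows]
    deltas = [0.0] + [b - a for a, b in zip(scores, scores[1:])]
    return scores, deltas


if __name__ == "__main__":
    for name, fn in (("shannon", shannon_entropy), ("tsallis q=2", tsallis_entropy)):
        scores, deltas = divergence_trend(WINDOWS, fn)
        print(name, "scores", [round(s, 3) for s in scores],
              "deltas", [round(d, 3) for d in deltas])
```

Running it shows the destination entropy collapsing in the third window under both formulas while the source entropy stays flat, and the jump in the per-window delta is far larger than the drift between the two normal windows. Varying q changes how strongly the jump stands out relative to the normal drift, which is the kind of sensitivity difference the thermometer analogy is getting at.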

The PNNL solution is automated and doesn’t require close oversight by a human to distinguish between legitimate traffic and an attack. The researchers say that their program is “lightweight”—it doesn’t need much computing power or network resources to do its job. This is different from solutions based on machine learning and artificial intelligence, said the researchers. While those approaches also avoid thresholds, they require a large amount of training data.

Now, the PNNL team is looking at how the buildout of 5G networking and the booming internet of things landscape will have an impact on denial-of-service attacks.

“With so many more devices and systems connected to the internet, there are many more opportunities than before to attack systems maliciously,” Barker said. “And more and more devices like home security systems, sensors and even scientific instruments are added to networks every day. We need to do everything we can to stop these attacks.”

Tom Rickey is a senior science writer at the Pacific Northwest National Laboratory (PNNL). The article was originally posted to the website of the Pacific Northwest National Laboratory.