Evaluation of takagi-sugeno-kang fuzzy method in entropy-based detection of DDoS attacks

Abstract

© 2018, ComSIS Consortium. All rights reserved. The detection of distributed denial of service (DDoS) attacks based on internet traffic anomalies is a method which is general in nature and can detect unknown or zero-day attacks. One of the statistical characteristics used for this purpose is network traffic entropy: a sudden change in entropy may indicate a DDoS attack. However, this approach often gives false positives, and this is the main obstacle to its wider deployment within network security equipment. In this paper, we propose a new, two-step method for detection of DDoS attacks. This method combines the approaches of network traffic entropy and the Takagi-Sugeno-Kang fuzzy system. In the first step, the detection process calculates the entropy distribution of the network packets. In the second step, the Takagi-Sugeno-Kang fuzzy system (TSK-FS) method is applied to these entropy values. The performance of the TSK-FS method is compared with that of the typically used approach, in which cumulative sum (CUSUM) change point detection is applied directly to entropy time series. The results show that the TSK-FS DDoS detector reaches enhanced sensitivity and robustness in the detection process, achieving a high true-positive detection rate and a very low false-positive rate. As it is based on entropy, this combined method retains its generality and is capable of detecting various types of attack.