
RHG TECHNOLOGY PRIVATE LIMITED

DEPARTMENT OF ELECTRONICS AND COMMUNICATION ENGINEERING

Entropy Based Detection for DDoS Attack

Project Report submitted in partial fulfillment of the requirement for the Project degree of

RHG TECHNOLOGY

THANIKONDA LEKHYA
S.No CONTENT

1. ABSTRACT

2. INTRODUCTION

3. EXISTING METHOD

4. PROPOSED METHOD WITH ARCHITECTURE

5. METHODOLOGY

6. IMPLEMENTATION

7. CONCLUSION
1. ABSTRACT
Distributed Denial of Service (DDoS) attacks have emerged as a popular means of causing mass targeted service disruptions, sometimes for extended periods of time. The relative ease and low cost of launching such attacks, together with the currently inadequate defense mechanisms, have made them one of the top threats to the Internet community today. Since the increasing popularity of web-based applications has led to several critical services being provided over the Internet, it is necessary to monitor the network traffic so as to prevent malicious attackers from depleting the resources of the network and denying services to legitimate users. The increasing sophistication of attacks and the size of large, complex networks have made the defense mechanism challenging. Although a number of techniques have been proposed
• This method is based on the entropy variation of the destination host targeted with its IP address and can detect the attack within the first 250 packets of malicious traffic attacking a particular host. Then, fine-grained packet-based detection is performed using a deep-learning model to classify the attack into different attack categories. Lastly, the controller sends the updated traffic information to neighbor controllers. The chi-squared (χ²) test feature selection algorithm was also employed to reveal the most relevant features that scored the highest in the provided data set. The experiment result demonstrated that the proposed Long Short-Term Memory (LSTM) model achieved an accuracy of up to 99.42% using the CICDDoS2019 data set, which has the potential to detect and classify DDoS attack traffic effectively in a multicontroller SDN environment. In this regard, it has an enhanced accuracy level to 0.42%

• Bandwidth-based attacks
• Attacks of this type send mass junk data messages to cause an overload, leading to the depletion of network bandwidth or equipment resources. Often the attacked routers, servers and firewalls have limited processing resources. Overload attacks lead to their failure in handling normal legal access, resulting in either a sharp decline in the quality of service or a complete denial of service; in either case it means your customers, users, etc.
• installed at the victim in order to consume excess amounts of its resources. It includes
• Attacks of this type often send application-layer data.
• In information theory, entropy is a measure of the uncertainty associated with a random variable. The entropy detection method is mainly used to calculate the distribution randomness of some attributes in the network packets' headers. These attributes could be the packet's source IP address, or some other values indicating the packet's properties.
• After analyzing the characteristics of DDoS attacks, we know that, when the attack comes out, there is a large number of data packets, a high volume of traffic flow, and many incomplete connection requests. The attackers always fabricate a lot of data packets, and the IP addresses of these packets are generally different and

• $H = -\sum_{i=1}^{n} p_i \log_2 p_i$
• Where,
• $p_i$ is the emergence probability of each distinct source IP address,
• n is the total number of packets being analyzed, and
• H is the entropy.
• Misuse Detection: Identifies well-defined patterns of known exploits and then looks out for occurrences of such patterns. These patterns are defined as attack signatures. Several popular network monitors perform signature-based detection,
2. INTRODUCTION
• SDN is a new design that consists of three layers: the data, control, and application planes, with the data and control planes being independent of one another. The data plane is made up of switches and routers that forward network traffic; the control plane is comprised of controllers such as NOX, POX, Beacon, Floodlight, and OpenDaylight; and the application plane contains applications that configure the SDN. When the network is under a DDoS attack, the SDN controller is unable to respond to the normal traffic coming from the rest of the network, and the SDN loses centralized control. As a result, the key benefit of SDN, centralized network control, is threatened by DDoS attacks. In this regard, most recent works focus on detecting and classifying DDoS attacks with a single controller using different mechanisms, and on either accuracy or efficiency, not both. There

The open challenges in DDoS attack detection and classification using entropy and a deep-learning model for multicontroller SDN could include the following:
• Developing more robust and accurate models: while the current study proposes a model for detecting and classifying DDoS attacks using entropy and deep learning, there is still room for improvement in terms of accuracy and robustness. Future studies could explore different machine-learning algorithms, feature selection techniques, and architectures to improve the performance of the model.
• Evaluating the model's performance in a real-world environment: the current study evaluates the proposed model using simulated DDoS attacks. However, it is important to evaluate the model's performance in a real-world environment where there are multiple types of traffic and network conditions are constantly changing. Future studies could explore how the model performs in actual network environments.
• Addressing the issue of false positives: false positives can be a significant issue in DDoS attack detection, as they can lead to unnecessary network downtime or resource allocation. Future studies could explore ways to reduce the number of false positives generated by the model.
• Considering the impact of DDoS attacks on different types of networks: the current study.
3. EXISTING METHOD
• Entropy-based detection methods for Distributed Denial of Service (DDoS) attacks rely on the principle that DDoS attacks often introduce significant changes in network traffic patterns. These changes disrupt the natural randomness (entropy) of certain traffic parameters. Below is an overview of the existing methods:
Key Concepts of Entropy-Based Detection:
1. Entropy:
• Measures the randomness or uncertainty in data distribution.
• High entropy indicates diverse and random data, while low entropy suggests concentration or regularity.
2. Entropy Analysis:
• Observes traffic attributes like source IPs, destination IPs, packet sizes, and protocol usage.
• Calculates entropy values for these attributes over time.
3. Anomaly Detection:
• A sharp drop in entropy signals abnormal concentration in traffic (e.g., many packets from a single IP).
• A significant rise in entropy could also indicate anomalous behavior.
4. PROPOSED METHOD WITH ARCHITECTURE
The main contribution of the study is DDoS attack detection and classification in a multicontroller SDN that is also implemented with three POX controllers. Its performance is also evaluated through accuracy, recall, F1-measure, and precision.

Proposed Model Architecture

Figure 3 shows the architecture for the DDoS attack detection system and classification method. Based on this context, the gaps of the proposed model architecture solution are addressed.
The irrelevant attributes and high training time are addressed using a feature selection algorithm.
The binary classification (attack and normal) does not have a detailed description of the attack type. This proposed model addresses this issue by adding a categorical classification.

Using a single-controller topology leads to a single point of failure. This proposed model addresses this issue by using multiple-controller detection.
• Entropy-Based Method (Controller Detection Design)
Entropy-based methods depend on network feature distributions to detect anomalous network activities [19]. Entropy is calculated using probability distributions for several network features including source IP address, destination IP address, and port numbers. Anomalies are detected using predetermined criteria on changes in the entropy values. The initial section of the overall method includes PACKET_IN message rate detection, port entropy detection, and the control module.
5. METHODOLOGY
• The methodology for entropy-based detection of DDoS attacks involves systematic monitoring, analysis, and decision-making based on traffic randomness. Here is a step-by-step outline of the approach:
1. Data Collection
• Objective: Gather network traffic data to analyze patterns.
• Sources: NetFlow or packet capture tools (e.g., Wireshark, tcpdump); network monitoring systems (e.g., SNMP-based tools).
• Parameters: Collect attributes like source IP addresses, destination IP addresses, packet sizes, protocol types, and time-to-live (TTL) values.
2. Feature Extraction
• Goal: Identify key attributes to compute entropy.
• Examples:
• Source IP: Helps detect concentration or spoofing of addresses.
• Destination IP: Reveals single-target floods.
• Packet Size: Identifies repetitive patterns in attack traffic.
• Protocol: Highlights unusual spikes in a specific protocol (e.g., UDP floods).
3. Entropy Calculation
• Entropy is calculated using Shannon's entropy formula:
• $H(X) = -\sum_{i=1}^{n} P(x_i) \cdot \log_2(P(x_i))$
• Where:
• $X$: Traffic attribute being analyzed (e.g., source IP).
• $P(x_i)$: Probability of occurrence of a specific value $x_i$.
• Steps:
• 1. Compute the probability distribution of the selected traffic attribute over a fixed time window.
• 2. Apply the formula to calculate entropy.
4. Monitoring Entropy Trends
• Baseline Entropy: Establish the normal entropy range during regular traffic conditions.
• Anomaly Detection:
• Low Entropy: Indicates concentrated traffic patterns (e.g., many packets from few IPs).
• High Entropy: Suggests randomized but abnormal traffic (e.g., distributed spoofed packets).
5. Thresholding
• Set thresholds based on historical data and network baselines.
• Compare real-time entropy values against thresholds to identify anomalies.
• Example:
• Normal source IP entropy: 6–8 bits.
• Anomaly threshold: Drop below 4 bits for possible attack detection.

6. IMPLEMENTATION
• To implement entropy-based DDoS detection, first capture network traffic using tools like Wireshark or Python's scapy. Extract key attributes such as source IPs, destination IPs, or packet sizes. Divide the traffic into fixed time windows and calculate entropy using Shannon's formula:

• $H(X) = -\sum P(x_i) \log_2(P(x_i))$

• Monitor entropy trends, with normal traffic showing high entropy due to randomness. A significant drop in entropy indicates concentrated traffic patterns typical of DDoS attacks. Compare entropy to a predefined threshold, flagging anomalies. Automate real-time detection with scripts, logging alerts, and implementing mitigation steps like rate limiting or blacklisting.
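The windowed source-IP entropy check described in the methodology and implementation sections above, as an added, self-contained example that is not part of the project's own code. The traffic is constructed inline, the flood source 192.0.2.77 and the 10.0.0.x senders are placeholders, and the alert bounds are learned from known-normal windows instead of being hard-coded.

```python
import math
from collections import Counter

# Constructed sample traffic (not a real capture): one source IP per packet.
# Two normal windows use 64 distinct senders evenly (4 packets each); the
# third is a flood where the placeholder 192.0.2.77 sends 240 of 256 packets.
WINDOW = 256
NORMAL_WINDOW = [f"10.0.0.{i}" for i in range(64)] * 4
FLOOD_WINDOW = ["192.0.2.77"] * 240 + [f"10.0.0.{i}" for i in range(16)]
PACKETS = NORMAL_WINDOW + NORMAL_WINDOW + FLOOD_WINDOW


def shannon_entropy(values):
    """H = -sum_i p_i * log2(p_i) in bits, over the empirical distribution of values."""
    n = len(values)
    if n == 0:
        return 0.0  # an empty window carries no information
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def window_entropies(packets, window=WINDOW):
    """Split the packet stream into fixed-size windows; return each window's source-IP entropy."""
    return [shannon_entropy(packets[i:i + window]) for i in range(0, len(packets), window)]


def thresholds_from_baseline(baseline_entropies, margin_bits=2.0):
    """Derive (low, high) alert bounds from entropy seen in known-normal windows."""
    return min(baseline_entropies) - margin_bits, max(baseline_entropies) + margin_bits


def classify(h, low, high):
    """Low entropy = traffic concentrated on few sources (flood); high = abnormally dispersed."""
    if h < low:
        return "attack: concentrated sources"
    if h > high:
        return "anomaly: abnormally dispersed sources"
    return "normal"


def run(packets=PACKETS, baseline_windows=2):
    """Learn bounds from the first windows, then label every window of the stream."""
    ents = window_entropies(packets)
    low, high = thresholds_from_baseline(ents[:baseline_windows])
    return [(round(h, 3), classify(h, low, high)) for h in ents]


if __name__ == "__main__":
    for i, (h, verdict) in enumerate(run()):
        print(f"window {i}: H = {h:.3f} bits -> {verdict}")
```

With this constructed data the learned bounds come out at 4 and 8 bits, matching the 6–8 bit normal range and below-4-bit alert used as the example in the methodology section, and the flood window's entropy falls to about 0.59 bits.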
7. CONCLUSION
• The networking industry and academia have concluded that distributed controller designs are necessary for the future of SDN because centralized systems cannot meet the demands of efficiency, scalability, and availability. Also, DDoS attack detection and classification in multicontroller SDN have significant benefits for the new SDN-based data centers being designed. An entropy-based and deep-learning model is proposed for effectively and accurately classifying the attacks. To ensure high accuracy and low computational complexity at the same time, two-level detection is applied to network traffic. The controller performs a preliminary detection based on information entropy to assure high efficiency. The deep detection server is used for the packet-based deep detection to guarantee fine granularity and high accuracy.
• The chi-square (χ²) test is used as the feature selection algorithm to reveal the most relevant features and perform an effective classification. Secondly, the baseline model is limited to binary classification (attack and normal)
