Detecting Distributed Denial-of-Service Attacks Using Kolmogorov Complexity Metrics

Journal of Network and Systems Management

Abstract

This paper describes an approach to detecting distributed denial of service (DDoS) attacks that is based on fundamentals of Information Theory, specifically Kolmogorov Complexity. A theorem derived using principles of Kolmogorov Complexity states that the joint complexity measure of random strings is lower than the sum of the complexities of the individual strings when the strings exhibit some correlation. Furthermore, the joint complexity measure varies inversely with the amount of correlation. We propose a distributed active network-based algorithm that exploits this property to correlate arbitrary traffic flows in the network to detect possible denial-of-service attacks. One of the strengths of this algorithm is that it does not require special filtering rules and hence it can be used to detect any type of DDoS attack. We implement and investigate the performance of the algorithm in an active network. Our results show that DDoS attacks can be detected in a manner that is not sensitive to legitimate background traffic.
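The joint-complexity property stated in the abstract can be seen with a compression-based estimate. The following is an added example, not code from the paper: it assumes zlib-compressed length as a computable stand-in for Kolmogorov complexity, and the flow payloads, the helper names and the 0.7 threshold are constructed for illustration.

```python
import random
import zlib

def k_est(data: bytes) -> int:
    """Computable upper bound on K(data): length of its zlib-compressed form
    (assumption: the abstract does not say which estimator the paper uses)."""
    return len(zlib.compress(data, 9))

def complexity_ratio(flows: list[bytes]) -> float:
    """K(x1 x2 ... xn) / (K(x1) + ... + K(xn)).
    Near 1 for unrelated flows; falls as the flows become more correlated."""
    joint = k_est(b"".join(flows))
    return joint / sum(k_est(f) for f in flows)

def looks_correlated(flows: list[bytes], threshold: float = 0.7) -> bool:
    """Flag a set of flows whose joint complexity is well below the sum.
    The threshold is a hypothetical value chosen for this sample data."""
    return complexity_ratio(flows) < threshold

def rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.getrandbits(8) for _ in range(n))

def make_sample_flows(seed: int = 1, n_flows: int = 4):
    """Constructed sample data. 'attack' flows share a 300-byte payload that is
    random (incompressible alone) but common to all; 'background' flows are
    independent random payloads of the same length."""
    rng = random.Random(seed)
    template = rand_bytes(rng, 300)
    attack = [template + rand_bytes(rng, 20) for _ in range(n_flows)]
    background = [rand_bytes(rng, 320) for _ in range(n_flows)]
    return attack, background

if __name__ == "__main__":
    attack, background = make_sample_flows()
    for name, flows in (("attack", attack), ("background", background)):
        print(f"{name:10s} sum={sum(k_est(f) for f in flows):5d} "
              f"joint={k_est(b''.join(flows)):5d} "
              f"ratio={complexity_ratio(flows):.2f} "
              f"correlated={looks_correlated(flows)}")
```

Each sample flow is incompressible on its own, so no per-flow signature or filter rule separates the two sets; only the joint measure does.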

ACKNOWLEDGMENTS

The work discussed in this paper was funded by DARPA, under the auspices of the Fault Tolerant Networks program. Our thanks go to Doug Maughan, the Manager for the Fault-Tolerant Networks program, and Scott Shyne, Air Force Rome Labs, for their generous support.

Author information

Correspondence to Stephen Bush.

Additional information

This research has been funded by the Defense Advanced Research Projects Agency (DARPA) contract F30602-01-C-0182 and managed by the Air Force Research Laboratory (AFRL) Information Directorate.

General Electric Global Research Center, Niskayuna, New York.

Cite this article

Kulkarni, A., Bush, S. Detecting Distributed Denial-of-Service Attacks Using Kolmogorov Complexity Metrics. J Netw Syst Manage 14, 69–80 (2006). https://doi.org/10.1007/s10922-005-9016-3
