74 results for Information theory.

in Deakin Research Online - Australia


Relevance:

100.00%

Publisher:

Abstract:

DDoS is a spy-on-spy game between attackers and detectors. Attackers are mimicking network traffic patterns to disable the detection algorithms which are based on these features. It is an open problem of discriminating the mimicking DDoS attacks from massive legitimate network accessing. We observed that the zombies use controlled function(s) to pump attack packages to the victim, therefore, the attack flows to the victim always share some properties, e.g. packages distribution behaviors, which are not possessed by legitimate flows in a short time period. Based on this observation, once there appear suspicious flows to a server, we start to calculate the distance of the package distribution behavior among the suspicious flows. If the distance is less than a given threshold, then it is a DDoS attack, otherwise, it is a legitimate accessing. Our analysis and the preliminary experiments indicate that the proposed method can discriminate mimicking flooding attacks from legitimate accessing efficiently and effectively.

Relevance:

70.00%

Publisher:

Abstract:

This paper examines the fundamental concepts needed to understand the broad spectrum of activities encompassed by the Information Warfare phenomenon. It provides a theoretical background to these activities, and examines the context in which these are most effective.

Relevance:

60.00%

Publisher:

Abstract:

Different data classification algorithms have been developed and applied in various areas to analyze and extract valuable information and patterns from large datasets with noise and missing values. However, none of them could consistently perform well over all datasets. To this end, ensemble methods have been suggested as the promising measures. This paper proposes a novel hybrid algorithm, which is the combination of a multi-objective Genetic Algorithm (GA) and an ensemble classifier. While the ensemble classifier, which consists of a decision tree classifier, an Artificial Neural Network (ANN) classifier, and a Support Vector Machine (SVM) classifier, is used as the classification committee, the multi-objective Genetic Algorithm is employed as the feature selector to facilitate the ensemble classifier to improve the overall sample classification accuracy while also identifying the most important features in the dataset of interest. The proposed GA-Ensemble method is tested on three benchmark datasets, and compared with each individual classifier as well as the methods based on mutual information theory, bagging and boosting. The results suggest that this GA-Ensemble method outperform other algorithms in comparison, and be a useful method for classification and feature selection problems.

Relevance:

60.00%

Publisher:

Abstract:

A community network often operates with the same Internet service provider domain or the virtual network of different entities who are cooperating with each other. In such a federated network environment, routers can work closely to raise early warning of DDoS attacks to void catastrophic damages. However, the attackers simulate the normal network behaviors, e.g. pumping the attack packages as Poisson distribution, to disable detection algorithms. It is an open question: how to discriminate DDoS attacks from surge legitimate accessing. We noticed that the attackers use the same mathematical functions to control the speed of attack package pumping to the victim. Based on this observation, the different attack flows of a DDoS attack share the same regularities, which is different from the real surging accessing in a short time period. We apply information theory parameter, entropy rate, to discriminate the DDoS attack from the surge legitimate accessing. We proved the effectiveness of our method in theory, and the simulations are the work in the near future. We also point out the future directions that are worth exploring in the future.

Relevance:

60.00%

Publisher:

Abstract:

Distributed Denial-of-Service (DDoS) attacks are a serious threat to the safety and security of cyberspace. In this paper we propose a novel metric to detect DDoS attacks in the Internet. More precisely, we use the function of order α of the generalized (Rényi) entropy to distinguish DDoS attacks traffic from legitimate network traffic effectively. In information theory, entropies make up the basis for distance and divergence measures among various probability densities. We design our abnormal-based detection metric using the generalized entropy. The experimental results show that our proposed approach can not only detect DDoS attacks early (it can detect attacks one hop earlier than using the Shannon metric while order α = 2, and two hops earlier than the Shannon metric while order α = 10) but can also reduce both the false positive rate and the false negative rate, compared with the traditional Shannon entropy metric approach.

Relevance:

60.00%

Publisher:

Abstract:

In information theory, entropies make up the basis for distance and divergence measures among various probability densities. In this paper we propose a novel metric to detect DDoS attacks in networks by using the function of order α of the generalized (Rényi) entropy to distinguish DDoS attacks traffic from legitimate network traffic effectively. Our proposed approach can not only detect DDoS attacks early (it can detect attacks one hop earlier than using the Shannon metric while order α = 2, and two hops earlier to detect attacks while order α = 10) but also reduce both the false positive rate and the false negative rate clearly compared with the traditional Shannon entropy metric approach.

Relevance:

60.00%

Publisher:

Abstract:

Distributed denial of service (DDoS) attack is a continuous critical threat to the Internet. Derived from the low layers, new application-layer-based DDoS attacks utilizing legitimate HTTP requests to overwhelm victim resources are more undetectable. The case may be more serious when such attacks mimic or occur during the flash crowd event of a popular Website. In this paper, we present the design and implementation of CALD, an architectural extension to protect Web servers against various DDoS attacks that masquerade as flash crowds. CALD provides real-time detection using mess tests but is different from other systems that use resembling methods. First, CALD uses a front-end sensor to monitor the traffic that may contain various DDoS attacks or flash crowds. Intense pulse in the traffic means possible existence of anomalies because this is the basic property of DDoS attacks and flash crowds. Once abnormal traffic is identified, the sensor sends ATTENTION signal to activate the attack detection module. Second, CALD dynamically records the average frequency of each source IP and checks the total mess extent. Theoretically, the mess extent of DDoS attacks is larger than the one of flash crowds. Thus, with some parameters from the attack detection module, the filter is capable of letting the legitimate requests through but the attack traffic stopped. Third, CALD may divide the security modules away from the Web servers. As a result, it keeps maximum performance on the kernel web services, regardless of the harassment from DDoS. In the experiments, the records from www.sina.com and www.taobao.com have proved the value of CALD.

Relevance:

60.00%

Publisher:

Abstract:

We address the problem of virtual-videoconferencing. The proposed solution is effected in terms of a generic framework based on an in-house Virtual Reality system. The framework is composed of a number of distinct components: model acquisition, head tracking, expression analysis, network transmission and avatar reconstruction. The framework promises to provide a unique, cheap, and fast system for avatar construction, transmission and animation. This approach affords a conversion from the traditional video stream approach to the management of an avatar remotely and consequently makes minimal demands on network resources.

Relevance:

60.00%

Publisher:

Abstract:

Shannon entropy H and related measures are increasingly used in molecular ecology and population genetics because (1) unlike measures based on heterozygosity or allele number, these measures weigh alleles in proportion to their population fraction, thus capturing a previously-ignored aspect of allele frequency distributions that may be important in many applications; (2) these measures connect directly to the rich predictive mathematics of information theory; (3) Shannon entropy is completely additive and has an explicitly hierarchical nature; and (4) Shannon entropy-based differentiation measures obey strong monotonicity properties that heterozygosity-based measures lack. We derive simple new expressions for the expected values of the Shannon entropy of the equilibrium allele distribution at a neutral locus in a single isolated population under two models of mutation: the infinite allele model and the stepwise mutation model. Surprisingly, this complex stochastic system for each model has an entropy expressable as a simple combination of well-known mathematical functions. Moreover, entropy- and heterozygosity-based measures for each model are linked by simple relationships that are shown by simulations to be approximately valid even far from equilibrium. We also identify a bridge between the two models of mutation. We apply our approach to subdivided populations which follow the finite island model, obtaining the Shannon entropy of the equilibrium allele distributions of the subpopulations and of the total population. We also derive the expected mutual information and normalized mutual information ("Shannon differentiation") between subpopulations at equilibrium, and identify the model parameters that determine them. We apply our measures to data from the common starling (Sturnus vulgaris) in Australia. Our measures provide a test for neutrality that is robust to violations of equilibrium assumptions, as verified on real world data from starlings.

Relevance:

60.00%

Publisher:

Abstract:

With the development of the cyber-physical systems (CPS), the security analysis of the data therein becomes more and more important. Recently, due to the advantage of joint encryption and compression for data transmission in CPS, the emerging compressed sensing (CS)-based cryptosystem has attracted much attention, where security is of extreme importance. The existing methods only analyze the security of the plaintext under the assumption that the key is absolutely safe. However, for sparse plaintext, the prior sparsity knowledge of the plaintext could be exploited to partly retrieve the key, and then the plaintext, from the ciphertext. So, the existing methods do not provide a satisfactory security analysis. In this paper, it is conducted in the information theory frame, where the plaintext sparsity feature and the mutual information of the ciphertext, key, and plaintext are involved. In addition, the perfect secrecy criteria (Shannon-sense and Wyner-sense) are extended to measure the security. While the security level is given, the illegal access risk is also discussed. It is shown that the CS-based cryptosystem achieves the extended Wyner-sense perfect secrecy, but when the key is used repeatedly, both the plaintext and the key could be conditionally accessed.

Relevance:

40.00%

Publisher:

Abstract:

During the conduct of a research project into influences on the use of management accounting information, the use of activity-based techniques and information in two British banks was studied by the application of grounded theory principles. Juxtaposition of these two case studies reveals insights about the managers' significantly different experiences of ongoing applications, and the different outcomes of implementation that may arise, despite commonality in the organization and industry environment. This paper presents these two case studies, highlights the similarities and differences between them, and draws some conclusions about the causes of the differences. Factors that can be managed to achieve a greater use of these particular management accounting techniques, and the information they generate, are revealed. In particular, the findings suggest that the introduction of transfer charging between the bank's internal units highlights the need for activity-based techniques, and that education, communication and implementor support are vital, both for implementation success and for the widespread continuing use of the resultant applications. Further, between the two cases the greatest consensus was found in a common concern about the amount of detail in the databank and reports.

Relevance:

40.00%

Publisher:

Abstract:

Giddens’ structuration theory (ST) offers an account of social life in terms of social practices developing and changing over time and space, which makes no attempt to directly theorize the Information Systems (IS) domain. IS researchers have long been interested in it as a way of deepening understanding; a common application is the analysis of empirical situations using Giddens’ ‘dimensions of the duality of structure’ model. Other writers, most notably Orlikowski, have used it to help theorize the field. Often the mode of research employed has been the interpretative case study. However, direct attempts to influence practice (an important component of working in an applied field), perhaps through the vehicle of action research, have yet to be undertaken. There are at least three serious problems with attempting this. The first is the inaccessibility of the theory to IS researchers and practitioners. The second is the absence of specific theories of technology. The third is Giddens’ own disinterest in practical uses of his work – which leaves no obvious path to follow. This paper explores that path, in the context of information system development (ISD). Some frameworks for practice are suggested which are translated into forms of discourse that are more accessible to the IS community. In particular, we include an empirical illustration to demonstrate the potential of ISD tools based on structuration theory.

Relevance:

40.00%

Publisher:

Abstract:

This paper examines the ex ante value of information in the property rights model where the possibility exists that an investing agent can be provided with relevant information before investments are undertaken. When contracts are incomplete, from an ex ante perspective, informing the investing agent does not necessarily increase the expected surplus resulting from a relationship between two economic agents. The paper highlights the fact that the second-best nature of the problem that arises from contractual incompleteness can ensure this.