Information theory based detection against network behavior mimicking DDoS attacks

DDoS is a spy-on-spy game between attackers and detectors. Attackers are mimicking network traffic patterns to disable the detection algorithms which are based on these features. It is an open problem of discriminating the mimicking DDoS attacks from massive legitimate network accessing. We observed that the zombies use controlled function(s) to pump attack packages to the victim, therefore, the attack flows to the victim are always share some properties, e.g. packages distribution behaviors, which are not possessed by legitimate flows in a short time period. Based on this observation, once there appear suspicious flows to a server, we start to calculate the distance of the package distribution behavior among the suspicious flows. If the distance is less than a given threshold, then it is a DDoS attack, otherwise, it is a legitimate accessing. Our analysis and the preliminary experiments indicate that the proposed method- can discriminate mimicking flooding attacks from legitimate accessing efficiently and effectively.

Principles of information warfare

This paper examines the fundamental concepts needed to understand the broad spectrum of activities encompassed by the Information Warfare phenomenon. It provides a theoretical background to these activities, and examines the context in which these are most effective.

Hybrid threshold adaptable quantum secret sharing scheme with reverse Huffman-Fibonacci-tree coding

With prevalent attacks in communication, sharing a secret between communicating parties is an ongoing challenge. Moreover, it is important to integrate quantum solutions with classical secret sharing schemes with low computational cost for the real world use. This paper proposes a novel hybrid threshold adaptable quantum secret sharing scheme, using an m-bonacci orbital angular momentum (OAM) pump, Lagrange interpolation polynomials, and reverse Huffman-Fibonacci-tree coding. To be exact, we employ entangled states prepared by m-bonacci sequences to detect eavesdropping. Meanwhile, we encode m-bonacci sequences in Lagrange interpolation polynomials to generate the shares of a secret with reverse Huffman-Fibonacci-tree coding. The advantages of the proposed scheme is that it can detect eavesdropping without joint quantum operations, and permits secret sharing for an arbitrary but no less than threshold-value number of classical participants with much lower bandwidth. Also, in comparison with existing quantum secret sharing schemes, it still works when there are dynamic changes, such as the unavailability of some quantum channel, the arrival of new participants and the departure of participants. Finally, we provide security analysis of the new hybrid quantum secret sharing scheme and discuss its useful features for modern applications.

Groups, graphs and mutually unbiased bases

A new characteristic free approach to constructing large sets of mutually unbiased bases in Hilbert space is developed. We associate with a seed set of bases a finite subgroup of which defines a strongly regular graph. Large sets of mutually unbiased bases are obtained as the cliques of the graph.

An ensemble of classifiers with genetic algorithmBased Feature Selection

Different data classification algorithms have been developed and applied in various areas to analyze and extract valuable information and patterns from large datasets with noise and missing values. However, none of them could consistently perform well over all datasets. To this end, ensemble methods have been suggested as the promising measures. This paper proposes a novel hybrid algorithm, which is the combination of a multi-objective Genetic Algorithm (GA) and an ensemble classifier. While the ensemble classifier, which consists of a decision tree classifier, an Artificial Neural Network (ANN) classifier, and a Support Vector Machine (SVM) classifier, is used as the classification committee, the multi-objective Genetic Algorithm is employed as the feature selector to facilitate the ensemble classifier to improve the overall sample classification accuracy while also identifying the most important features in the dataset of interest. The proposed GA-Ensemble method is tested on three benchmark datasets, and compared with each individual classifier as well as the methods based on mutual information theory, bagging and boosting. The results suggest that this GA-Ensemble method outperform other algorithms in comparison, and be a useful method for classification and feature selection problems.

Entropy-based collaborative detection of DDOS attacks on community networks

A community network often operates with the same Internet service provider domain or the virtual network of different entities who are cooperating with each other. In such a federated network environment, routers can work closely to raise early warning of DDoS attacks to void catastrophic damages. However, the attackers simulate the normal network behaviors, e.g. pumping the attack packages as poisson distribution, to disable detection algorithms. It is an open question: how to discriminate DDoS attacks from surge legitimate accessing. We noticed that the attackers use the same mathematical functions to control the speed of attack package pumping to the victim. Based on this observation, the different attack flows of a DDoS attack share the same regularities, which is different from the real surging accessing in a short time period. We apply information theory parameter, entropy rate, to discriminate the DDoS attack from the surge legitimate accessing. We proved the effectiveness of our method in theory, and the simulations are the work in the near future. We also point out the future directions that worth to explore in the future.

An abnormal-based approach to effectively detect DDOS attacks

Distributed Denial-of-Service (DDoS) attacks are a serious threat to the safety and security of cyberspace. In this paper we propose a novel metric to detect DDoS attacks in the Internet. More precisely, we use the function of order α of the generalized (Rényi) entropy to distinguish DDoS attacks traffic from legitimate network traffic effectively. In information theory, entropies make up the basis for distance and divergence measures among various probability densities. We design our abnormal-based detection metric using the generalized entropy. The experimental results show that our proposed approach can not only detect DDoS attacks early (it can detect attacks one hop earlier than using the Shannon metric while order  α =2, and two hops earlier than the Shannon metric while order α =10.) but can also reduce both the false positive rate and the false negative rate, compared with the traditional Shannon entropy metric approach.

Effective DDoS attacks detection using generalized entropy metric

In information theory, entropies make up of the basis for distance and divergence measures among various probability densities. In this paper we propose a novel metric to detect DDoS attacks in networks by using the function of order α of the generalized (Rényi) entropy to distinguish DDoS attacks traffic from legitimate network traffic effectively. Our proposed approach can not only detect DDoS attacks early (it can detect attacks one hop earlier than using the Shannon metric while order α=2, and two hops earlier to detect attacks while order α=10.) but also reduce both the false positive rate and the false negative rate clearly compared with the traditional Shannon entropy metric approach.

CALD : surviving various application-layer DDoS attacks that mimic flash crowd

Distributed denial of service (DDoS) attack is a continuous critical threat to the Internet. Derived from the low layers, new application-layer-based DDoS attacks utilizing legitimate HTTP requests to overwhelm victim resources are more undetectable. The case may be more serious when suchattacks mimic or occur during the flash crowd event of a popular Website. In this paper, we present the design and implementation of CALD, an architectural extension to protect Web servers against various DDoS attacks that masquerade as flash crowds. CALD provides real-time detection using mess tests but is different from other systems that use resembling methods. First, CALD uses a front-end sensor to monitor thetraffic that may contain various DDoS attacks or flash crowds. Intense pulse in the traffic means possible existence of anomalies because this is the basic property of DDoS attacks and flash crowds. Once abnormal traffic is identified, the sensor sends ATTENTION signal to activate the attack detection module. Second, CALD dynamically records the average frequency of each source IP and check the total mess extent. Theoretically, the mess extent of DDoS attacks is larger than the one of flash crowds. Thus, with some parameters from the attack detection module, the filter is capable of letting the legitimate requests through but the attack traffic stopped. Third, CALD may divide the security modules away from the Web servers. As a result, it keeps maximum performance on the kernel web services, regardless of the harassment from DDoS. In the experiments, the records from www.sina.com and www.taobao.com have proved the value of CALD.

The development of a generic framework for the implementation of a cheap, component-based virtual video-conferencing system

We address the problem of virtual-videoconferencing. The proposed solution is effected in terms of a generic framework based on an in-house Virtual Reality system. The framework is composed of a number of distinct components: model acquisition, head tracking, expression analysis, network transmission and avatar reconstruction. The framework promises to provide a unique, cheap, and fast system for avatar construction, transmission and animation. This approach affords a conversion from the traditional video stream approach to the management of an avatar remotely and consequently makes minimal demands on network resources.

Expected shannon entropy and shannon differentiation between subpopulations for neutral genes under the finite island model

Shannon entropy H and related measures are increasingly used in molecular ecology and population genetics because (1) unlike measures based on heterozygosity or allele number, these measures weigh alleles in proportion to their population fraction, thus capturing a previously-ignored aspect of allele frequency distributions that may be important in many applications; (2) these measures connect directly to the rich predictive mathematics of information theory; (3) Shannon entropy is completely additive and has an explicitly hierarchical nature; and (4) Shannon entropy-based differentiation measures obey strong monotonicity properties that heterozygosity-based measures lack. We derive simple new expressions for the expected values of the Shannon entropy of the equilibrium allele distribution at a neutral locus in a single isolated population under two models of mutation: the infinite allele model and the stepwise mutation model. Surprisingly, this complex stochastic system for each model has an entropy expressable as a simple combination of well-known mathematical functions. Moreover, entropy- and heterozygosity-based measures for each model are linked by simple relationships that are shown by simulations to be approximately valid even far from equilibrium. We also identify a bridge between the two models of mutation. We apply our approach to subdivided populations which follow the finite island model, obtaining the Shannon entropy of the equilibrium allele distributions of the subpopulations and of the total population. We also derive the expected mutual information and normalized mutual information ("Shannon differentiation") between subpopulations at equilibrium, and identify the model parameters that determine them. We apply our measures to data from the common starling (Sturnus vulgaris) in Australia. Our measures provide a test for neutrality that is robust to violations of equilibrium assumptions, as verified on real world data from starlings.

On the security of compressed sensing-based signal cryptosystem

With the development of the cyber-physical systems (CPS), the security analysis of the data therein becomes more and more important. Recently, due to the advantage of joint encryption and compression for data transmission in CPS, the emerging compressed sensing (CS)-based cryptosystem has attracted much attention, where security is of extreme importance. The existing methods only analyze the security of the plaintext under the assumption that the key is absolutely safe. However, for sparse plaintext, the prior sparsity knowledge of the plaintext could be exploited to partly retrieve the key, and then the plaintext, from the ciphertext. So, the existing methods do not provide a satisfactory security analysis. In this paper, it is conducted in the information theory frame, where the plaintext sparsity feature and the mutual information of the ciphertext, key, and plaintext are involved. In addition, the perfect secrecy criteria (Shannon-sense and Wyner-sense) are extended to measure the security. While the security level is given, the illegal access risk is also discussed. It is shown that the CS-based cryptosystem achieves the extended Wyner-sense perfect secrecy, but when the key is used repeatedly, both the plaintext and the key could be conditionally accessed.