![]() ![]() Subasi found that the Tsallis formula is hundreds of times more sensitive than Shannon at weeding out false alarms and differentiating legitimate flash events, such as high traffic to a World Cup website, from an attack. Subasi instead settled on a formula known as Tsallis entropy for some of the underlying mathematics. Many denial-of-service detection algorithms rely on a formula known as Shannon entropy. In addition, Subasi explored alternative options to calculate entropy. To improve accuracy further, the PNNL team added a twist by not only looking at static entropy levels but also watching trends as they change over time.įormula vs. ![]() The improvement isn’t due only to the avoidance of thresholds. The PNNL formula correctly identified 99 percent of such attacks. In PNNL’s testing, 10 standard algorithms correctly identified on average 52 percent of DOS attacks the best one correctly identified 62 percent of attacks. But the sources of those clicks, whether people, zombies or bots, originate in many different places-high entropy. At the target address, many more clicks than usual are going to one place, a state of low entropy. But during a denial-of-service attack, two measures of entropy go in opposite directions. Usually on the internet, there’s consistent disorder everywhere. Instead, the team focused on the evolution of entropy, a measure of disorder in a system. To improve detection accuracy, the PNNL team sidestepped the concept of thresholds completely. The behavior is almost identical.”Īs principal investigator Kevin Barker said: “You don’t want to throttle the network yourself when there isn’t an attack underway.” “Your network needs to be able to differentiate between an attack and a harmless event where traffic suddenly surges, like the Super Bowl. You need to understand that traffic, which is constantly evolving over time,” said Subasi. “It’s not enough to detect high-volume traffic. ![]() False positives can force defenders to take a site offline and bring legitimate traffic to a standstill-effectively doing what a real denial-of-service attack, also known as a DOS attack, aims to do. “A simple threshold can easily miss actual attacks, with serious consequences, and the defender may not even be aware of what’s happening.”Ī threshold can also create false alarms that have serious consequences themselves. “A threshold just doesn’t offer much insight or information about what it is really going on in your system,” said Subasi. But relying on a threshold can leave systems vulnerable. If the number of users trying to access a site rises above that number, an attack is considered likely, and defensive measures are triggered. Many systems try to detect such attacks by relying on a raw number called a threshold. Motives vary: Attackers might hold a website for ransom, or their aim might be to disrupt businesses or users. The scientists modified the playbook most commonly used to detect denial-of-service attacks, where perpetrators try to shut down a website by bombarding it with requests. The findings were presented on August 2 by PNNL scientist Omer Subasi at the IEEE International Conference on Cyber Security and Resilience, where the manuscript was recognized as the best research paper presented at the meeting. The new technique developed by computer scientists at the Department of Energy’s Pacific Northwest National Laboratory works by keeping a watchful eye over ever-changing traffic patterns on the internet. Newswise - Scientists have developed a better way to recognize a common internet attack, improving detection by 90 percent compared to current methods. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |