Using Renyi cross entropy to analyze traffic matrix and detect DDoS attacks

Research output: Contribution to journal › Article › peer-review

17 Scopus citations

Abstract

In this study, we propose using Renyi cross entropy, rather than other entropy metrics such as the Shannon entropy used extensively in many earlier studies, to analyze matrix traffic and detect anomalies. First, we introduce a new type of traffic termed IF-flow (internal flow), collected in the router. IF-flow makes attack traffic more conspicuous within a large volume of normal traffic, so that attacks, especially DDoS attacks, are spotted more easily. Then, analysis of the Renyi cross entropy of IF-flow matrix traffic and Abilene matrix traffic confirms that the matrix traffic distribution has local stability in time. This conclusion provides guidance for accurately detecting anomalies. Finally, Renyi cross entropy is used to detect the DDoS attacks present in the IF-flow testing data set and the Abilene testing data set. The results of the detection experiments show that the Renyi cross entropy based method can detect DDoS attacks at the beginning, with a higher detection rate and fewer false alarms than the Shannon entropy based method.

Original language: English
Pages (from-to): 1180-1188
Number of pages: 9
Journal: Information Technology Journal
Volume: 8
Issue number: 8
State: Published - 2009

Keywords

  • Anomaly detection
  • DDoS attack
  • Renyi cross entropy
  • Traffic analysis
  • Traffic matrix
