Article
Identification of Distributed Denial of Services Anomalies by
Using Combination of Entropy and Sequential Probabilities
Ratio Test Methods
Basheer Husham Ali
1,2
, Nasri Sulaiman
1,
*, Syed Abdul Rahman Al-Haddad
3
, Rodziah Atan
4
,
Siti Lailatul Mohd Hassan
5
and Mokhalad Alghrairi
1,6
Citation: Ali, B.H.; Sulaiman, N.;
Al-Haddad, S.A.R.; Atan, R.; Hassan,
S.L.M.; Alghrairi, M. Identification of
Distributed Denial of Services
Anomalies by Using Combination of
Entropy and Sequential Probabilities
Ratio Test Methods. Sensors 2021, 21,
6453. https://doi.org/10.3390/
s21196453
Academic Editors: Hamed Badihi,
Tao Chen and Ningyun Lu
Received: 8 August 2021
Accepted: 16 September 2021
Published: 27 September 2021
Publisher’s Note: MDPI stays neutral
with regard to jurisdictional claims in
published maps and institutional affil-
iations.
Copyright: © 2021 by the authors.
Licensee MDPI, Basel, Switzerland.
This article is an open access article
distributed under the terms and
conditions of the Creative Commons
Attribution (CC BY) license (https://
creativecommons.org/licenses/by/
4.0/).
1
Department of Electrical and Electronic Engineering, Faculty of Engineering, Universiti Putra Malaysia,
Serdang 43400, Malaysia; gs58547@student.upm.edu.my or basheer.husham@aliraqi.edu.iq (B.H.A.);
mokhalad.khalel@alkadhum-col.edu.iq (M.A.)
2
Department of Computer Engineering, Al-Iraqia University, Baghdad 10054, Iraq
3
Department of Computer and Communication Systems Engineering, Faculty of Engineering, Universiti Putra
Malaysia, Serdang 43400, Malaysia; sar@upm.edu.my
4
Department of Software Engineering and Information Systems, Faculty of Computer Science and Information
Technology, Universiti Putra Malaysia, Serdang 43400, Malaysia; rodziah@upm.edu.my
5
Faculty of Electrical Engineering, Universiti Teknologi MARA, Shah Alam 40450, Malaysia;
sitilailatul@uitm.edu.my
6
Department of Computer Techniques Engineering, Imam Al kadhum College (IKC), Baghdad 10087, Iraq
* Correspondence: nasri_sulaiman@upm.edu.my; Tel.: +60-17-977-4029
Abstract:
One of the most dangerous kinds of attacks affecting computers is a distributed denial
of services (DDoS) attack. The main goal of this attack is to bring the targeted machine down and
make their services unavailable to legal users. This can be accomplished mainly by directing many
machines to send a very large number of packets toward the specified machine to consume its
resources and stop it from working. We implemented a method using Java based on entropy and
sequential probabilities ratio test (ESPRT) methods to identify malicious flows and their switch
interfaces that aid them in passing through. Entropy (E) is the first technique, and the sequential
probabilities ratio test (SPRT) is the second technique. The entropy method alone compares its
results with a certain threshold in order to make a decision. The accuracy and F-scores for entropy
results thus changed when the threshold values changed. Using both entropy and SPRT removed the
uncertainty associated with the entropy threshold. The false positive rate was also reduced when
combining both techniques. Entropy-based detection methods divide incoming traffic into groups of
traffic that have the same size. The size of these groups is determined by a parameter called window
size. The Defense Advanced Research Projects Agency (DARPA) 1998, DARPA2000, and Canadian
Institute for Cybersecurity (CIC-DDoS2019) databases were used to evaluate the implementation
of this method. The metric of a confusion matrix was used to compare the ESPRT results with the
results of other methods. The accuracy and f-scores for the DARPA 1998 dataset were 0.995 and
0.997, respectively, for the ESPRT method when the window size was set at 50 and 75 packets. The
detection rate of ESPRT for the same dataset was 0.995 when the window size was set to 10 packets.
The average accuracy for the DARPA 2000 dataset for ESPRT was 0.905, and the detection rate was
0.929. Finally, ESPRT was scalable to a multiple domain topology application.
Keywords:
distributed denial of services attack; entropy; sequential probability ratio test; confu-
sion matrix
1. Introduction
With the rapid development of technology, new devices are being connected through
the internet each day. Many companies, organizations, universities, hospitals, banks,
government units, and other associations have become dependent on computer technology
Sensors 2021, 21, 6453. https://doi.org/10.3390/s21196453 https://www.mdpi.com/journal/sensors
