Entropy-minimization clustering technique for probabilistic packet marking scheme

Probabilistic packet marking (PPM) has been proposed for the identification of the true sources of spoofed IP packets typically used in denial of service (DoS) attacks. However, PPM suffers from high combination overhead and large false positives under large scale DDoS attacks. In this paper, we propose to use an entropy-minimization clustering technique to solve the limitations in PPM scheme. This technique is used to divide the attack traffics into clusters based on shared bottleneck. Consequently, it reduces the combination overhead and false positive. Our technique also preserves the advantages of the PPM scheme, as it works with any type of traffic (TCP, UDP, etc). It does not generate any new network traffic and it utilizes only the information at the IP layer. We have carried out theoretical analysis and simulation studies using ns-2 software to evaluate the proposed technique. Our results demonstrated that our approach gives significant higher precision and lower combination overhead for attack paths reconstruction under large scale DDoS.