Discriminating flash crowds from DDoS attacks using efficient thresholding algorithm
Journal of Parallel and Distributed Computing ( IF 3.8 ) Pub Date : 2021-02-28 , DOI: 10.1016/j.jpdc.2021.02.019
Jisa David , Ciza Thomas

Distributed Denial-of-Service (DDoS) attacks remain a challenge in cyberspace: attackers send large numbers of attack packets that resemble normal traffic in order to starve legitimate flows. These attacks deliberately disrupt the services a system offers, at heavy cost. A flash crowd, or flash event, is an unexpected surge in the number of visitors to a particular website that produces a sudden increase in server load. Flash crowds are legitimate traffic, yet they are hard to distinguish from DDoS attacks, which are illicit traffic. Effective and accurate DDoS detection therefore remains difficult, both because the attacks themselves are hard to detect and because flash crowds trigger false alerts; there is a trade-off between detection rate and false-positive rate. This work addresses efficient, early detection of DDoS attacks and discrimination of flash crowds using two network traffic parameters, packet size and destination IP address. From these two traffic features two attributes are computed, and their generalized entropies are calculated. The detection threshold is computed from the mean value of the network attributes, and a threshold updater adjusts the threshold values automatically as channel conditions change. The approach is evaluated on the MIT Lincoln Laboratory DARPA data set and on a data set generated in a university network. Experimental results show that it achieves a higher detection rate and fewer false positives in much less processing time than existing methods.
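The abstract fixes only the ingredients of the method: two traffic features (packet size, destination IP), generalized (Rényi) entropy of the attributes derived from them, and a threshold equal to the mean of those attributes that is re-estimated as conditions change. The following is an added illustration of that pipeline, not the authors' code: the entropy order alpha, the window construction, the tolerance factor applied to the mean, the warm-up length and the decision rule (a flood tool repeats one packet size, so packet-size entropy collapses, while a flash crowd concentrates on one destination but keeps ordinary, varied packet sizes) are all assumptions, and the three traffic windows are constructed synthetic data.

```python
"""Added example (not the paper's code): Rényi entropy of the destination-IP
and packet-size distributions per traffic window, with a mean-based threshold
re-estimated from windows judged normal. alpha, window size, tolerance,
warm-up and the decision rule are assumptions; the traffic is synthetic."""
import math
from collections import Counter, deque


def renyi_entropy(values, alpha=2.0):
    """Generalized (Rényi) entropy of order alpha, in bits, of the empirical
    distribution of `values`. alpha == 1 falls back to Shannon entropy."""
    counts = Counter(values)
    n = sum(counts.values())
    if n == 0:
        return 0.0
    probs = [c / n for c in counts.values()]
    if abs(alpha - 1.0) < 1e-9:
        return -sum(p * math.log2(p) for p in probs)
    return math.log2(sum(p ** alpha for p in probs)) / (1.0 - alpha)


def window_attributes(packets, alpha=2.0):
    """The two attributes used for detection (assumed): entropy of destination
    IPs and entropy of packet sizes over one window of (src, dst, size) tuples."""
    return (renyi_entropy([p[1] for p in packets], alpha),
            renyi_entropy([p[2] for p in packets], alpha))


class EntropyThresholdDetector:
    """Rolling baseline of attributes from windows judged normal; each threshold
    is the baseline mean scaled by `tolerance` (assumed), so it tracks slow
    changes in the channel instead of staying fixed."""

    def __init__(self, alpha=2.0, baseline_len=20, warmup=3, tolerance=0.5):
        self.alpha = alpha
        self.warmup = warmup
        self.tolerance = tolerance
        self.baseline = deque(maxlen=baseline_len)

    def thresholds(self):
        n = len(self.baseline)
        mean_dst = sum(a[0] for a in self.baseline) / n
        mean_size = sum(a[1] for a in self.baseline) / n
        return mean_dst * self.tolerance, mean_size * self.tolerance

    def classify(self, packets):
        attrs = window_attributes(packets, self.alpha)
        if len(self.baseline) < self.warmup:   # cold start: learn, do not judge
            self.baseline.append(attrs)
            return "normal"
        dst_thr, size_thr = self.thresholds()
        h_dst, h_size = attrs
        # Assumed rule: collapsed size distribution -> flood tool; concentrated
        # destination with ordinary size diversity -> legitimate surge.
        if h_size < size_thr:
            return "ddos"
        if h_dst < dst_thr:
            return "flash_crowd"
        self.baseline.append(attrs)            # threshold updater
        return "normal"


# Constructed, deterministic traffic windows (synthetic, not captured data).
SIZES = [60, 74, 128, 256, 512, 576, 800, 1024, 1200, 1400, 1460, 1500]


def normal_window(n=200):
    return [(f"192.168.{i % 40}.{i % 7}", f"10.0.0.{i % 10 + 1}", SIZES[i % 12])
            for i in range(n)]


def flash_crowd_window(n=600):
    # Many distinct clients hitting one server with ordinary, varied packets.
    return [(f"203.0.{i % 113}.{i % 251}", "10.0.0.1", SIZES[i % 12])
            for i in range(n)]


def ddos_window(n=600):
    # Many (spoofed) sources, one target, one fixed attack packet size.
    return [(f"198.51.{i % 113}.{i % 251}", "10.0.0.1", 64) for i in range(n)]


def run_demo():
    det = EntropyThresholdDetector()
    stream = [normal_window()] * 4 + [flash_crowd_window(), ddos_window(), normal_window()]
    return [det.classify(w) for w in stream]


if __name__ == "__main__":
    print(run_demo())
```

With alpha = 2 the destination-IP entropy of a normal window here is about 3.32 bits (ten servers, evenly loaded) and the packet-size entropy about 3.58 bits; both drop to 0 for the DDoS window, while the flash-crowd window keeps its size entropy near 3.58 and only the destination entropy collapses. Whether the paper's attributes are exactly these entropies, and how it sets the tolerance around the mean, is not stated in the abstract.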




Updated: 2021-03-15