Arab J Sci Eng
DOI 10.1007/s13369-017-2634-8

RESEARCH ARTICLE - COMPUTER ENGINEERING AND COMPUTER SCIENCE

Feature Selection of Denial-of-Service Attacks Using Entropy and Granular Computing

Suleman Khan 1 · Abdullah Gani 2 · Ainuddin Wahid Abdul Wahab 2 · Prem Kumar Singh 3

Received: 20 December 2016 / Accepted: 7 June 2017
© King Fahd University of Petroleum & Minerals 2017

Suleman Khan, suleman.khan@monash.edu
1 School of Information Technology, Monash University Malaysia, Subang Jaya, Selangor Darul Ehsan, Malaysia
2 Center for Mobile Cloud Computing Research (C4MCCR), University of Malaya, Kuala Lumpur, Malaysia
3 Amity Institute of Information Technology, Amity University, Noida, India

Abstract

Recently, many researchers have paid attention to denial-of-service (DoS) attacks and the handling of this malicious activity. The intrusion detection system (IDS) is one of the most common techniques used to detect malicious attacks that attempt to compromise security goals. To deal with this issue, some researchers have recently used entropy calculation to detect malicious attacks. However, this approach fails to identify the most potential feature of a DoS attack, which needs to be addressed at its early occurrence. Therefore, this paper focuses on identifying some of the potential attributes of a DoS attack based on a weight computed for each attribute using entropy calculation. In addition, the selection of potential attributes based on a user-defined granulation is given using the NSL KDD dataset.

Keywords: Intrusion detection systems · DoS attack · Entropy

1 Introduction

In our extensive review of the literature, we found that most researchers have evaluated their IDS on a well-known dataset, the NSL KDD, which is a refined and accurate form of the DARPA KDD'99 dataset without the redundant instances [1]. The NSL KDD dataset is considered a benchmark dataset for anomaly detection, especially for intrusion detection.
The dataset consists of 41 features representing different characteristics of the network traffic. The network traffic is classified into two main classes, the normal class and the anomaly class. The anomaly class represents intrusions or attacks found in the network at the time the traffic was recorded. Based on these attacks, the NSL KDD dataset is further classified into four main attack categories: DoS, probing, user to root (U2R), and remote to local (R2L). A DoS attack makes services unavailable to legitimate users by bombarding computing or network resources with attack packets. Examples of DoS attacks include backland, smurf, teardrop, and neptune attacks. Each DoS attack type and its effect is explained in Table 1. Probing attacks collect information from different resources in the network for suspicious purposes. Examples of probing attacks include ipsweep, nmap, saint, and portsweep attacks. In a U2R attack, the attacker uses a user's account and tries to exploit different vulnerabilities of the system to get access to the root of the system. U2R attacks include access loadmodule, buffer_overflow, and rootkit attacks. In R2L attacks, the attacker, who has no legitimate access to the system, finds vulnerabilities in it in order to gain access. R2L attacks include ftp_write, warezmaster, guess_password, and IMAP attacks. This paper focuses on DoS attacks because of their high rank among the various types of attack in terms of computer crime cost, as mentioned in the 2014 report [2]. A DoS attack is considered a major problem for legitimate users accessing services via the Internet. DoS attacks make services unavailable to users by draining network or system resources. Although network security experts have done a lot of research to overcome the DoS attack problem, DoS attacks are becoming more frequent and have a greater adverse impact with the passage of time. Many