The Internet is a chaotic medium — packets tend to flow from a uniformly distributed set of sources to a variety of destinations.
Yet, during distributed denial-of-service (DDoS) attacks, the chaos suddenly becomes more ordered: A large number of devices send network packets to a limited number of addresses in a small time frame. By analyzing such unusual changes in the entropy of the Internet, a group of researchers with the Pacific Northwest National Laboratory said they can identify 99% of DDoS attacks with only a 2% false positive rate on average. They compared their method to a set of 10 standard algorithms, which only identified 52% of attacks on average, and 62% of attacks in the best-case scenario.
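The shift described above can be made concrete with a small added example. It is not the PNNL researchers' algorithm, whose details this article does not give: it computes the Shannon entropy of source and destination addresses per time window and flags windows where destination entropy collapses while source entropy does not. The traffic, host names, window size, and the `warmup` and `drop` values are constructed assumptions.

```python
import math, random
from collections import Counter, defaultdict

def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def window_entropies(packets, window=1):
    """Group (timestamp, src, dst) packets into fixed time windows and return
    [(window_start, H_src, H_dst), ...] in time order."""
    buckets = defaultdict(list)
    for ts, src, dst in packets:
        buckets[int(ts // window) * window].append((src, dst))
    result = []
    for start in sorted(buckets):
        srcs, dsts = zip(*buckets[start])
        result.append((start, shannon_entropy(srcs), shannon_entropy(dsts)))
    return result

def flag_windows(entropies, warmup=3, drop=0.5):
    """Flag windows whose destination entropy falls below `drop` x baseline
    while source entropy does not. Both parameters are assumed tuning values."""
    flagged, base_src, base_dst = [], [], []
    for start, h_src, h_dst in entropies:
        if len(base_dst) >= warmup:
            mean_src = sum(base_src) / len(base_src)
            mean_dst = sum(base_dst) / len(base_dst)
            if h_dst < drop * mean_dst and h_src >= drop * mean_src:
                flagged.append(start)
                continue  # keep flagged windows out of the baseline
        base_src.append(h_src)
        base_dst.append(h_dst)
    return flagged

def constructed_traffic(seed=7):
    """Constructed sample: 10 one-second windows of background traffic, with a
    flood from many sources to two addresses added in windows 6 and 7."""
    rng = random.Random(seed)
    victims, packets = ["192.0.2.10", "192.0.2.11"], []
    for w in range(10):
        for i in range(200):   # background: spread-out sources and destinations
            packets.append((w + i / 200, f"host-{rng.randrange(500)}", f"host-{rng.randrange(500)}"))
        for i in range(2000 if w in (6, 7) else 0):   # flood: many sources, two targets
            packets.append((w + i / 2000, f"bot-{rng.randrange(1000)}", rng.choice(victims)))
    return packets

if __name__ == "__main__":
    print("flagged windows:", flag_windows(window_entropies(constructed_traffic())))
```

Requiring that source entropy stay high separates a many-to-few flood from a single chatty flow between two hosts, which would lower both entropies at once.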