An Entropy-Based Network Anomaly Detection Method
Related papers
2015
Abstract: Network anomaly detection and classification is an important open issue in network security. Several approaches and systems based on different mathematical tools have been studied and developed. Among them is the Anomaly-Network Intrusion Detection System (A-NIDS), which monitors network traffic and compares it against an established baseline of a "normal" traffic profile. It is therefore necessary to characterize "normal" Internet traffic. This paper presents an approach for anomaly detection and classification based on: the entropy of selected features (including Shannon, Rényi and Tsallis entropies), the construction of regions from entropy data employing the Mahalanobis distance (MD), and a One-Class Support Vector Machine (OC-SVM) with different kernels (RBF and particularly Mahalanobis) for "normal" and abnormal traffic. Regular and non-regular regions built from "normal" traffic profiles allow the anomaly detection, whilst the classification is performed under the as...
Entropy-based network traffic anomaly classification method resilient to deception
Computer Science and Information Systems, 2022
Entropy-based network traffic anomaly detection techniques are attractive due to their simplicity and applicability in a real-time network environment. Even though flow data provide only a basic set of information about network communications, they are suitable for efficient entropy-based anomaly detection techniques. However, recent work reported a serious weakness of general entropy-based anomaly detection related to its susceptibility to deception by adding spoofed data that camouflage the anomaly. Moreover, techniques for further classification of the anomalies mostly rely on machine learning, which involves additional complexity. We address these issues by providing two novel approaches. Firstly, we propose an efficient protection mechanism against entropy deception, which is based on the analysis of changes in different entropy types, namely Shannon, Rényi, and Tsallis entropies, and on monitoring the number of distinct elements in a feature distribution as a new detection ...
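The deception-resilience idea in this abstract, watching several entropy types side by side and also counting the distinct elements of the feature distribution, can be seen on a small flow window. The following is an added example, not code from this paper or any of the papers listed here; the flow windows, the destination addresses (192.0.2.0/24 is a documentation range), the per-signal thresholds and all function names are constructed assumptions.

```python
"""Entropy-based anomaly signals over one flow feature (destination address).

Added example, not code from any of the cited papers. The flow windows below
are constructed by hand; thresholds and the 1.5x distinct-count band are
illustrative assumptions, not values from the papers.
"""
import math
from collections import Counter


def probabilities(values):
    """Empirical distribution of a feature over one window of flows."""
    counts = Counter(values)
    total = sum(counts.values())
    return [c / total for c in counts.values()]


def shannon(p):
    """Shannon entropy in bits: -sum p*log2(p)."""
    return -sum(x * math.log2(x) for x in p if x > 0)


def renyi(p, alpha=2.0):
    """Renyi entropy of order alpha (alpha != 1): log2(sum p^alpha) / (1 - alpha)."""
    return math.log2(sum(x ** alpha for x in p)) / (1.0 - alpha)


def tsallis(p, q=2.0):
    """Tsallis entropy of index q (q != 1): (1 - sum p^q) / (q - 1)."""
    return (1.0 - sum(x ** q for x in p)) / (q - 1.0)


def profile(values):
    """All signals kept per window: three entropies plus the number of
    distinct feature values (the extra signal the abstract proposes)."""
    p = probabilities(values)
    return {
        "shannon": shannon(p),
        "renyi2": renyi(p, 2.0),
        "tsallis2": tsallis(p, 2.0),
        "distinct": len(set(values)),
    }


# Assumed per-signal tolerances: Shannon and Renyi in bits, Tsallis (q=2)
# is bounded by 1, so it gets a tighter absolute tolerance.
TOLERANCE = {"shannon": 0.5, "renyi2": 0.5, "tsallis2": 0.1}


def detect(baseline, window, tolerance=TOLERANCE, distinct_ratio=1.5):
    """Return the names of the signals that deviate from the baseline profile."""
    b, w = profile(baseline), profile(window)
    reasons = [name for name in tolerance if abs(w[name] - b[name]) > tolerance[name]]
    lo, hi = b["distinct"] / distinct_ratio, b["distinct"] * distinct_ratio
    if not lo <= w["distinct"] <= hi:
        reasons.append("distinct")
    return reasons


# Constructed windows of destination addresses, one entry per flow.
# Baseline: 32 flows spread evenly over 8 hosts (uniform distribution).
BASELINE = [f"10.0.0.{i}" for i in range(1, 9)] * 4
# Concentrated anomaly: 32 flows, 29 of them to a single host.
CONCENTRATED = ["10.0.0.1"] * 29 + ["10.0.0.2", "10.0.0.3", "10.0.0.4"]
# Same anomaly with 16 one-off spoofed destinations mixed in, which pulls the
# Shannon entropy back toward the baseline value.
CAMOUFLAGED = CONCENTRATED + [f"192.0.2.{i}" for i in range(1, 17)]


if __name__ == "__main__":
    for name, window in (("baseline", BASELINE),
                         ("concentrated", CONCENTRATED),
                         ("camouflaged", CAMOUFLAGED)):
        summary = {k: round(v, 3) for k, v in profile(window).items()}
        print(name, summary, "flags:", detect(BASELINE, window))
```

On these constructed windows the concentrated anomaly trips every signal, while the camouflaged window brings the Shannon entropy back inside the tolerance band. The order-2 Rényi and Tsallis entropies, which weight the dominant destination more heavily, still deviate, and the distinct count jumps from 8 to 20, well outside the assumed band; the single-entropy detector would have been deceived, the multi-signal one is not.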
2019
Network behavior analysis relies on the understanding of normal or acceptable behavior characteristics in network communication, in order to efficiently detect the anomalous traffic patterns and deviations that could cause performance issues or indicate a breach, thus allowing near real-time alerting and visibility of potential network security threats. In contrast to signature-based intrusion detection systems, this approach is extremely beneficial not only for identifying unknown threats, zero-day attacks, and suspicious behavior regardless of the cryptographic methodology used, but also for identifying and enabling performance optimization opportunities. We propose a comprehensive architecture for the practical implementation of a flow-based anomaly detection solution for real-life use cases, which is based on the combination of entropy calculation and machine learning techniques, with the ability to model the attacks and generate a representative labelled training data set.