Real Time Network Anomaly Detection Using Relative Entropy

An Entropy-Based Network Anomaly Detection Method

Data mining is an interdisciplinary subfield of computer science involving methods at the intersection of artificial intelligence, machine learning and statistics. One of the data mining tasks is anomaly detection, which is the analysis of large quantities of data to identify items, events or observations which do not conform to an expected pattern. Anomaly detection is applicable in a variety of domains, e.g., fraud detection, fault detection and system health monitoring, but this article focuses on the application of anomaly detection in the field of network intrusion detection. The main goal of the article is to prove that an entropy-based approach is suitable to detect modern botnet-like malware based on anomalous patterns in the network. This aim is achieved by realization of the following points: (i) preparation of a concept of an original entropy-based network anomaly detection method, (ii) implementation of the method, (iii) preparation of an original dataset, (iv) evaluation of the method.

Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and OC-SVM with Mahalanobis Kernel (Open Access Conference Proceedings Paper, Entropy, www.sciforum.net/conference/ecea-1)

2015

Abstract: Network anomaly detection and classification is an important open issue of network security. Several approaches and systems based on different mathematical tools have been studied and developed. Among them is the Anomaly-Network Intrusion Detection System (A-NIDS), which monitors network traffic and compares it against an established baseline of a “normal” traffic profile. It is therefore necessary to characterize the “normal” Internet traffic. This paper presents an approach for anomaly detection and classification based on: the entropy of selected features (including Shannon, Renyi and Tsallis entropies), the construction of regions from entropy data employing the Mahalanobis distance (MD), and a One-Class Support Vector Machine (OC-SVM) with different kernels (RBF and, in particular, Mahalanobis) for “normal” and abnormal traffic. Regular and non-regular regions built from “normal” traffic profiles allow the anomaly detection, whilst the classification is performed under the as...

A comprehensive flow-based anomaly detection architecture using entropy calculation and machine learning classification

2019

Network behavior analysis relies on understanding the normal or acceptable behavior characteristics of network communication, in order to efficiently detect the anomalous traffic patterns and deviations that could cause performance issues or indicate a breach, thus allowing near-real-time alerting and visibility of potential network security threats. In contrast to signature-based intrusion detection systems, this approach is extremely beneficial not only for identifying unknown threats, zero-day attacks and suspicious behavior regardless of the cryptographic methodology used, but also for identifying performance optimization opportunities. We propose a comprehensive architecture for the practical implementation of a flow-based anomaly detection solution for real-life use cases, based on the combination of entropy calculation and machine learning techniques, with the ability to model attacks and generate a representative labelled training data set.
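The abstracts above and the page title describe one pipeline in outline: pick a flow feature, reduce each time window to a probability distribution over that feature, score the distribution with an entropy measure, and compare it against a baseline of “normal” traffic. The Python script below is an added example written for this page, not code from any of the cited papers. It carries that outline through on constructed flow records: it implements the Shannon, Renyi and Tsallis entropies named in the second abstract, scores each window by its relative entropy (Kullback-Leibler divergence) to a baseline profile, and flags windows whose score exceeds a threshold derived from the baseline windows themselves. The flow records, the choice of destination port as the feature, the additive smoothing inside the divergence and the mean-plus-three-standard-deviations threshold are all assumptions of the example; the Mahalanobis-distance regions and the OC-SVM classifier of the second paper are not reproduced.

```python
"""Entropy-based scoring of traffic windows against a baseline (constructed data).

Each time window is reduced to the empirical distribution of one flow feature
(destination port). The window gets Shannon, Renyi and Tsallis entropies and a
relative-entropy (Kullback-Leibler) score against a profile built from
known-normal windows; windows scoring above a baseline-derived threshold are
flagged. Every flow record below is constructed for the example.
"""
import math
import statistics
from collections import Counter


def distribution(values):
    """Empirical probability mass function of the observed feature values."""
    counts = Counter(values)
    total = sum(counts.values())
    return {v: c / total for v, c in counts.items()}


def shannon_entropy(p):
    """Shannon entropy in bits."""
    return -sum(q * math.log2(q) for q in p.values() if q > 0)


def renyi_entropy(p, alpha):
    """Renyi entropy of order alpha in bits; alpha = 1 is the Shannon limit."""
    if alpha == 1:
        return shannon_entropy(p)
    return math.log2(sum(q ** alpha for q in p.values())) / (1 - alpha)


def tsallis_entropy(p, q):
    """Tsallis entropy of index q; q = 1 is the Shannon limit (in nats)."""
    if q == 1:
        return -sum(x * math.log(x) for x in p.values() if x > 0)
    return (1 - sum(x ** q for x in p.values())) / (q - 1)


def relative_entropy(p, q, eps=1e-6):
    """D(p || q) in bits over the union of both supports.

    A value present in the window but absent from the baseline would make the
    divergence infinite, so both distributions are additively smoothed by eps
    first (an assumed design choice of this example, not from the papers).
    """
    support = set(p) | set(q)
    n = len(support)
    ps = {v: (p.get(v, 0.0) + eps) / (1 + n * eps) for v in support}
    qs = {v: (q.get(v, 0.0) + eps) / (1 + n * eps) for v in support}
    return sum(ps[v] * math.log2(ps[v] / qs[v]) for v in support)


def build_windows():
    """Constructed flows (src, dst, dport) keyed by window name: five normal
    windows with a slightly drifting service mix, one port scan, one flood."""
    def normal(k):
        mix = {443: 60 + 2 * k, 80: 25 - k, 53: 10, 22: 5}
        return [("10.1.0.%d" % (i % 20), "10.0.0.%d" % (port % 7), port)
                for port, count in mix.items() for i in range(count)]

    windows = {"base_%d" % k: normal(k) for k in range(5)}
    # Horizontal scan: one source touches 200 distinct ports on one host.
    windows["scan"] = normal(0) + [("10.9.9.9", "10.0.0.5", port) for port in range(1, 201)]
    # Flood: many sources hammer a single service port on one host.
    windows["ddos"] = normal(0) + [("192.0.2.%d" % (i % 250), "10.0.0.5", 443) for i in range(300)]
    return windows


def detect(windows, baseline_names, feature=lambda f: f[2], k_sigma=3.0):
    """Score every window by D(window || baseline profile) and flag those above
    mean + k_sigma * stdev of the baseline windows' own scores.

    Returns {name: (divergence_bits, shannon_delta_bits, flagged)}; the delta
    is the window's Shannon entropy minus the profile's, so a positive value
    means traffic dispersed and a negative one means it concentrated.
    """
    profile = distribution(feature(f) for name in baseline_names for f in windows[name])
    dists = {name: distribution(feature(f) for f in flows) for name, flows in windows.items()}
    scores = {name: relative_entropy(p, profile) for name, p in dists.items()}
    base = [scores[name] for name in baseline_names]
    threshold = statistics.mean(base) + k_sigma * statistics.pstdev(base)
    h_profile = shannon_entropy(profile)
    return {name: (scores[name], shannon_entropy(dists[name]) - h_profile, scores[name] > threshold)
            for name in windows}


if __name__ == "__main__":
    windows = build_windows()
    for name, (d, delta, flagged) in detect(windows, ["base_%d" % k for k in range(5)]).items():
        p = distribution(f[2] for f in windows[name])
        print("%-7s KL=%6.3f bits  dH=%+6.3f  H2(Renyi)=%5.3f  S2(Tsallis)=%5.3f  %s"
              % (name, d, delta, renyi_entropy(p, 2), tsallis_entropy(p, 2), "ANOMALY" if flagged else "ok"))
```

The scan window spreads destination ports over 200 new values and pushes the Shannon entropy well above the baseline, while the flood collapses the distribution onto port 443 and pushes it below; the relative entropy is large in both cases, so one threshold catches both, and the sign of the entropy change separates dispersion from concentration. The Renyi and Tsallis variants are reported alongside so the effect of the order parameter on rare versus frequent values can be compared. In a deployment the baseline should cover far more than five windows and be refreshed as the network changes, otherwise the threshold tracks noise rather than normal behavior.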