George Nychis
David G. Andersen
ABSTRACT
Entropy-based approaches for anomaly detection are appealing since they provide more fine-grained insights than traditional traffic volume analysis. While previous work has demonstrated the benefits of entropy-based anomaly detection, there has been little effort to comprehensively understand the detection power of using entropy-based analysis of multiple traffic distributions in conjunction with each other. We consider two classes of distributions: flow-header features (IP addresses, ports, and flow-sizes), and behavioral features (degree distributions measuring the number of distinct destination/source IPs that each host communicates with). We observe that the timeseries of entropy values of the address and port distributions are strongly correlated with each other and provide very similar anomaly detection capabilities. The behavioral and flow size distributions are less correlated and detect incidents that do not show up as anomalies in the port and address distributions. Further analysis using synthetically generated anomalies also suggests that the port and address distributions have limited utility in detecting scan and bandwidth flood anomalies. Based on our analysis, we discuss important implications for entropy-based anomaly detection.
- Snort. http://www.snort.org.Google Scholar
- Argus. http://qosient.com/argus/.Google Scholar
- Barford, P., Kline, J., Plonka, D., and Ron, A. A signal analysis of network traffic anomalies. In Proc. of IMW (2002). Google ScholarDigital Library
- Brauckhoff, D., Tellenbach, B., Wagner, A., Lakhina, A., and May, M. Impact of traffic sampling on anomaly detection metrics. In Proc. of ACM/USENIX IMC (2006). Google ScholarDigital Library
- Feinstein, L., Schnackenberg, D., Balupari, R., and Kindred, D. Statistical Approaches to DDoS Attack Detection and Response. In Proc. of DARPA Information Survivability Conference and Exposition (2003).Google ScholarCross Ref
- Jung, J., Paxson, V., Berger, A. W., and Balakrishnan, H. Fast Portscan Detection Using Sequential Hypothesis Testing. In Proc. of the IEEE Symposium on Security and Privacy (2004).Google ScholarCross Ref
- Karamcheti, V., Geiger, D., Kedem, Z., and Muthukrishnan, S. Detecting malicious network traffic using inverse distributions of packet contents. In Proc. of ACM SIGCOMM MineNet (2005). Google ScholarDigital Library
- Kazaa. www.kazaa.com.Google Scholar
- Kumar, A., Sung, M., Xu, J., and Wang, J. Data streaming algorithms for efficient and accurate estimation of flow distribution. In Proc. of ACM SIGMETRICS (2004). Google ScholarDigital Library
- Lakhina, A., Crovella, M., and Diot, C. Mining anomalies using traffic feature distributions. In Proc. of ACM SIGCOMM (2005). Google ScholarDigital Library
- Lall, A., Sekar, V., Xu, J., Ogihara, M., and Zhang, H. Data streaming algorithms for estimating entropy of network traffic. In Proc. of ACM SIGMETRICS (2006). Google ScholarDigital Library
- Lee, W., and Xiang, D. Information-theoretic measures for anomaly detection. In Proc. of IEEE Symposium on Security and Privacy (2001). Google ScholarDigital Library
- Morrison, J. Blaster revisited. ACM Queue vol. 2 no. 4, June 2004. Google ScholarDigital Library
- Cisco Netflow. http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml.Google Scholar
- Nychis, G., Sekar, V., Andersen, D. G., Kim, H., and Zhang, H. An Empirical Evaluation of Entropy-Based Traffic Anomaly Detection. Tech. Rep. CMU-CS-08-145, Computer Science Department, Carnegie Mellon University, 2008.Google ScholarDigital Library
- Phaal, P., Panchen, S., and Mckee, N. InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks. RFC 3176, 2001. Google ScholarDigital Library
- Trammell, B., and Boschi, E. Bidirectional Flow Export Using IP Flow Information Export (IPFIX). RFC 5103, 2008.Google Scholar
- Wagner, A., and Plattner, B. Entropy Based Worm and Anomaly Detection in Fast IP Networks. In Proc. IEEE WET ICE (2005). Google ScholarDigital Library
- Xu, J., Fan, J., Ammar, M. H., and Moon, S. B. Prefix-preserving IP Address Anonymization: Measurement-based Security Evaluation and New Cryptography-based Scheme. In Proc. of IEEE ICNP (2002). Google ScholarDigital Library
- Xu, K., Zhang, Z., and Bhattacharyya, S. Profiling internet backbone traffic: Behavior models and applications. In Proc. of ACM SIGCOMM (2005). Google ScholarDigital Library
Index Terms
- An empirical evaluation of entropy-based traffic anomaly detection
Recommendations
Comparison of Properties between Entropy and Chi-Square Based Anomaly Detection Method
NBIS '11: Proceedings of the 2011 14th International Conference on Network-Based Information SystemsAs the typical anomaly detection methods using statistics, entropy and chi-square based method has been researched and reported in terms of their properties for anomaly attacks. In this research, we compare the properties of both methods and discuss the ...
A Network Anomaly Detection Method Based on Relative Entropy Theory
ISECS '09: Proceedings of the 2009 Second International Symposium on Electronic Commerce and Security - Volume 01Network anomaly detection technology has been the research hotspot in intrusion detection (ID) field for many years. However, some issues like high false alarm rate, low detection rate and limited types of attacks which can be detected are still in ...
Research of K-MEANS Algorithm Based on Information Entropy in Anomaly Detection
MINES '12: Proceedings of the 2012 Fourth International Conference on Multimedia Information Networking and SecurityAnomaly detection is a vital component of Intrusion Detection system. The anomaly detection approaches can be classified into semi-supervised and unsupervised anomaly detection. Unsupervised anomaly detection technique is the mainly approaches establish ...
Comments