Anomaly network traffic detection using entropy calculation and support Vector machine

Intrusion detection systems (IDS) have a vital role in protecting computer networks and information systems. In this paper, we propose a method for identifying abnormal traffic behaviour based on entropy and support vector machine. Main challenge is to distinguish between normal traffic and attack traffic since there is no major difference between normal and attack traffic. Our objective is to extract network features and make a model to identify the attack traffic. We propose an anomaly network traffic detection method based on Support Vector Machine (SVM) and entropy of network parameters. Entropies of network parameters are extracted from the traffic coming in the network.Than Support vector machine model is developed to identify the attack traffic. The entropy of network traffic is calculated in certain duration, and then sends its outputs directly to the SVM model for analysis. We made two type of SVM model for identifying the attack traffic and normal traffic. Those are one class SVM and 2 dimensional SVM. Experiments are performed on the 1999 DARPA Intrusion Detection Evaluation at Massachusetts Institute of Technology, Lincoln Lab. The first week of the data is attack free, while the second week of the data contains attacks. To evaluate the ability of the anomaly based intrusion detection system we only considering attack that has anomaly signature. Those are Portsweep, Ipsweep, Mailbomb, and Neptune. Experiment result demonstrates that our method works well with high detection rate of attack traffic and very less false alarm rate. Keywords—Intrusion detection, Denial of service attacks, Support vector machines, Entropy, Anomaly traffic detection.