An Empirical Evaluation of Entropy-based Anomaly Detection
Authors
Abstract
There is considerable interest in using entropy-based analysis of traffic feature distributions for anomaly detection. Entropy-based metrics are appealing since they provide more fine-grained insights into traffic structure than traditional traffic volume analysis. While previous work has demonstrated the benefits of using the entropy of different traffic distributions in isolation to detect anomalies, there has been little effort in comprehensively understanding the detection power provided by entropy-based analysis of multiple traffic distributions used in conjunction with each other. We compare and contrast the anomaly detection capabilities provided by different entropy-based metrics. We consider two classes of distributions: flow-header features (IP addresses, ports, and flow sizes), and behavioral features (out- and in-degree of hosts, measuring the number of distinct destination/source IP addresses that each host communicates with). Somewhat surprisingly, we observe that the entropy of the address and port distributions are strongly correlated with each other, and also detect very similar anomalies in our traffic trace. The behavioral and flow-size distributions appear less correlated and detect incidents that do not show up as anomalies among the port and address distributions. Further analysis using synthetically generated anomalies also suggests that the port and address distributions have limited utility in detecting scan and bandwidth-flood anomalies. Based on our results we derive implications for selecting traffic distributions in entropy-based anomaly detection. In support of the thesis and future work, we present the Datapository Anomaly Detection Testbed, a framework and storage facility for analyzing and developing detection methods, generating and labeling anomalies, and analyzing traffic features with user-provided traffic sets or publicly available traffic sets in the Datapository database.
Through the collaboration of future users, we hope to expand the set of available detection methods, synthetic anomaly models, and publicly available traffic data and tools for analysis.
To the Greeks, whose support and dancing gets me through the day.
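As an added illustration (my code, not the thesis's or the Datapository testbed's), the following computes the normalized Shannon entropy of the flow-header features (addresses, ports, flow sizes) and the behavioral features (out- and in-degree, taken here as a histogram of degree values over hosts, which is my reading of the abstract) on constructed flow records, then compares a quiet time bin against the same bin plus one host touching many fresh destinations on a single port. The threshold, host names and flow values are all constructed for the example.

```python
# Added example, not the thesis's code: normalized entropy of traffic
# feature distributions on constructed flow records.
import math
from collections import Counter, defaultdict

def normalized_entropy(counts):
    """Shannon entropy of a histogram divided by log2(#distinct values),
    so 0 = a single value and 1 = uniform. Returns 0.0 with fewer than
    two distinct values, where the normalizer log2(1) would be zero."""
    total, distinct = sum(counts.values()), len(counts)
    if distinct < 2 or total == 0:
        return 0.0
    h = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return h / math.log2(distinct)

def feature_entropies(flows):
    """flows: iterable of (src_ip, dst_ip, src_port, dst_port, bytes).
    Header features are histograms over flows; degree features are
    histograms over hosts (how many hosts have each degree value)."""
    hdr = {n: Counter() for n in ("src_ip", "dst_ip", "src_port", "dst_port", "flow_size")}
    out_peers, in_peers = defaultdict(set), defaultdict(set)
    for src, dst, sport, dport, size in flows:
        for name, val in zip(hdr, (src, dst, sport, dport, size)):
            hdr[name][val] += 1
        out_peers[src].add(dst)   # distinct destinations per source host
        in_peers[dst].add(src)    # distinct sources per destination host
    ent = {name: normalized_entropy(c) for name, c in hdr.items()}
    ent["out_degree"] = normalized_entropy(Counter(len(p) for p in out_peers.values()))
    ent["in_degree"] = normalized_entropy(Counter(len(p) for p in in_peers.values()))
    return ent

def flag_deviations(baseline, current, threshold=0.2):
    """Features whose normalized entropy moved more than `threshold` from baseline."""
    return {k for k in baseline if abs(current[k] - baseline[k]) > threshold}

# Constructed sample: a quiet bin of 8 flows among hosts A-D, and the same
# bin plus host S reaching 8 new destinations on one port (scan-like).
BASELINE = [
    ("A", "X", 1000, 80, 500), ("A", "Y", 1001, 443, 500),
    ("B", "X", 1002, 80, 1500), ("B", "Z", 1003, 53, 1500),
    ("C", "Y", 1004, 443, 500), ("C", "Z", 1005, 53, 1500),
    ("D", "X", 1006, 80, 500), ("D", "W", 1007, 443, 1500),
]
SCAN_BIN = BASELINE + [("S", f"D{i}", 2000 + i, 445, 40) for i in range(8)]

if __name__ == "__main__":
    base, cur = feature_entropies(BASELINE), feature_entropies(SCAN_BIN)
    for k in base:
        print(f"{k:10s} baseline={base[k]:.3f} scan_bin={cur[k]:.3f}")
    print("flagged:", sorted(flag_deviations(base, cur)))
```

On this constructed input only the two degree distributions cross the 0.2 threshold; the address and port entropies move by less, which mirrors the abstract's observation about scan anomalies without proving it.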
Similar sources
Assessment Methodology for Anomaly-Based Intrusion Detection in Cloud Computing
Cloud computing has become an attractive target for attackers as the mainstream technologies in the cloud, such as the virtualization and multitenancy, permit multiple users to utilize the same physical resource, thereby posing the so-called problem of internal facing security. Moreover, the traditional network-based intrusion detection systems (IDSs) are ineffective to be deployed in the cloud...
An Entropy-Based Network Anomaly Detection Method
Data mining is an interdisciplinary subfield of computer science involving methods at the intersection of artificial intelligence, machine learning and statistics. One of the data mining tasks is anomaly detection which is the analysis of large quantities of data to identify items, events or observations which do not conform to an expected pattern. Anomaly detection is applicable in a variety o...
Distribution-based anomaly detection via generalized likelihood ratio test: A general Maximum Entropy approach
We address the problem of detecting ‘‘anomalies’’ in the network traffic produced by a large population of end-users following a distribution-based change detection approach. In the considered scenario, different traffic variables are monitored at different levels of temporal aggregation (timescales), resulting in a grid of variable/timescale nodes. For every node, a set of per-user traffic cou...
Hybrid Approach for Detection of Anomaly Network Traffic using Data Mining Techniques
Anomaly based Intrusion Detection System (IDS) is getting popularity due to its adaptability to the changes in the behavior of network traffic as it has the ability to detect the new attacks. As it is very difficult to set any predefined rule for identifying correctly attack traffic since there is no major difference between normal and attack traffic. In this paper, Anomaly traffic detection sy...
Geometric entropy minimization (GEM) for anomaly detection and localization
We introduce a novel adaptive non-parametric anomaly detection approach, called GEM, that is based on the minimal covering properties of K-point entropic graphs when constructed on N training samples from a nominal probability distribution. Such graphs have the property that as N → ∞ their span recovers the entropy minimizing set that supports at least ρ = K/N(100)% of the mass of the Lebesgue ...