An Empirical Evaluation of Entropy-based Anomaly Detection

There is considerable interest in using entropy-based analysis of traffic feature distributions for anomaly detection. Entropy-based metrics are appealing since they provide more fine-grained insights into traffic structure than traditional traffic volume analysis. While previous work has demonstrated the benefits of using the entropy of different traffic distributions in isolation to detect anomalies, there has been little effort in comprehensively understanding the detection power provided by entropy-based analysis of multiple traffic distribution used in conjunction with each other. We compare and contrast the anomaly detection capabilities provided by different entropybased metrics. We consider two classes of distributions: flow-header features (IP addresses, ports, and flow-sizes), and behavioral features (outand in-degree of hosts measuring the number of distinct destination/source IP addresses that each host communicates with). Somewhat surprisingly, we observe that the entropy of the address and port distributions are strongly correlated with each other, and also detect very similar anomalies in our traffic trace. The behavioral and flow size distributions appear less correlated and detect incidents that do not show up as anomalies among the port and address distributions. Further analysis using synthetically generated anomalies also suggests that the port and address distributions have limited utility in detecting scan and bandwidth flood anomalies. Based on our results we derive implications for selecting traffic distributions in entropy-based anomaly detection. In support of the thesis and future work, we present the Datapository Anomaly Detection Testbed, a framework and storage facility for analyzing and developing detection methods, generating and labeling anomalies, and analyzing traffic features with user provided traffic sets or publicly available traffic sets in the Datapository database. Through the collaboration of future users, we hope to expand the set of available detection methods, synthetic anomaly models, and publicly available traffic data and tools for analysis. To the Greeks, whose support and dancing gets me through the day.