Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and OC-SVM with Mahalanobis Kernel

Network anomaly detection and classification is an important open issue of network security. Several approaches and systems based on different mathematical tools have been studied and developed. Among them, the Anomaly-Network Intrusion Detection System (A-NIDS), this monitors network traffic and compares it against an established baseline of “normal” traffic profile. Then, it is necessary to characterize the “normal” Internet traffic. This paper presents an approach for anomaly detection and classification based on: the entropy of selected features (including Shannon, Renyi and Tsallis entropies), the construction of regions from entropy data employing the Mahalanobis distance (MD), and One Class Support Vector Machine (OC-SVM) with different kernels (RBF and particularity Mahalanobis) for “normal” and abnormal traffic. Regular and non-regular regions built from “normal” traffic profiles, allow the anomaly detection; whilst the classification is performed under the assumption that regions corresponding to the attack classes have been characterized previously. Although, this approach allows the use of as many features as required, only four well known significant features were selected in our case. To evaluate our approach two different data sets were used: one set of real traffic obtained from an Academic LAN, and the other a subset of the 1998 MIT-DARPA set. The selected features sets computed in our experiments provide detection rates up to 99.90% with “normal” traffic and up to 99.83% with anomalous traffic and false alarm rate of 0.086%. Experimental results show that certain values of the q parameter of the generalized entropies and the use of OC-SVM improves the detection rate of some attack classes, due to a better fit of the region to the data. Besides, our results show that MD allows to obtain high detection rates with an efficient computation time, while OC-SVM achieved detection rates slightly higher but more expensive computationally.