Wireless Personal Communications, Volume 99, Issue 4, pp 1487–1501

Entropy-Based Anomaly Detection in a Network

  • Ajay Shankar Shukla
  • Rohit Maurya


Every computer on the Internet these days is a potential target for a new attack at any moment. In this paper we propose a method to enhance network security using entropy-based anomaly detection. The intrusion detection system Snort is used to collect the complete network traffic. The Snort alerts are then processed to select the attributes. Shannon entropies are then calculated to analyze source IP address, source port address, destination IP address, destination port address, source IP threat, source port threat, destination IP threat, destination port threat and datagram length. The Renyi cross entropy method is applied to the Shannon entropy vector to detect network attacks. After an attack is detected in the network, lists of source IP addresses, source port addresses, destination IP addresses and destination port addresses, with the respective number of attacks, are generated for the advance protection of the network. This lets the network administrator block or unblock the IP addresses and ports where attacks were detected. With this method about 90% of attacks are detected. The remaining 10% of network traffic could not be detected, since some low-priority network traffic is treated as genuine traffic.
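The pipeline the abstract describes (per-attribute Shannon entropies, then a Renyi cross entropy between entropy vectors), as an added example that is not the authors' code. The five-field alert tuples, the normalisation of the entropy vector, the order 0.5 form of the Renyi cross entropy and the threshold are assumptions; the abstract specifies none of them, and the sample windows are constructed.

```python
import math
from collections import Counter

def make_window(n_src, n_sport, n_dst, n_dport, n_len, n=16):
    """Constructed alerts (src_ip, src_port, dst_ip, dst_port, dgm_len);
    each attribute cycles through the given number of distinct values."""
    return [(f"10.0.0.{i % n_src}", 1024 + i % n_sport, f"192.0.2.{i % n_dst}",
             20 + i % n_dport, 60 + i % n_len) for i in range(n)]

BASELINE = make_window(8, 16, 4, 4, 4)   # constructed "normal" window
SKEWED = make_window(1, 16, 1, 16, 1)    # constructed: one source, one target, many ports

def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of one attribute."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def entropy_vector(alerts):
    """One Shannon entropy per alert attribute for a window of alerts."""
    return [shannon_entropy(column) for column in zip(*alerts)]

def normalise(vec, eps=1e-9):
    """Scale an entropy vector to sum to 1 (assumed step; eps guards an all-zero vector)."""
    shifted = [v + eps for v in vec]
    total = sum(shifted)
    return [v / total for v in shifted]

def renyi_cross_entropy(p, q, alpha=0.5):
    """Assumed form: 1/(1-alpha) * log2(sum p_i^alpha * q_i^(1-alpha)).
    For alpha = 0.5 it is 0 when p == q and negative otherwise."""
    return math.log2(sum(pi ** alpha * qi ** (1 - alpha)
                         for pi, qi in zip(p, q))) / (1 - alpha)

def score(baseline, window):
    """Renyi cross entropy between the baseline and current entropy vectors."""
    return renyi_cross_entropy(normalise(entropy_vector(baseline)),
                               normalise(entropy_vector(window)))

def is_anomalous(baseline, window, threshold=-0.05):
    """Flag a window whose score falls below an assumed threshold."""
    return score(baseline, window) < threshold

if __name__ == "__main__":
    for name, window in (("baseline-like", make_window(8, 16, 4, 4, 4)),
                         ("skewed", SKEWED)):
        print(name, entropy_vector(window), round(score(BASELINE, window), 3),
              is_anomalous(BASELINE, window))
```

In practice the threshold would be tuned on the site's own baseline windows, since the score depends on which attributes are included and how the vector is normalised.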


Keywords: Entropy, IDS, Snort



Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2018

Authors and Affiliations

  1. All India Institute of Ayurveda (AIIA), New Delhi, India
  2. UBSoft, Pune, India
