Streaming Estimation of Information-Theoretic Metrics for Anomaly Detection (Extended Abstract)

  • Sergey Bratus
  • Joshua Brody
  • David Kotz
  • Anna Shubina
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5230)

Abstract

Information-theoretic metrics hold great promise for modeling traffic and detecting anomalies if only they could be computed in an efficient, scalable way. Recent advances in streaming estimation algorithms give hope that such computations can be made practical. We describe our work in progress that aims to use streaming algorithms on 802.11a/b/g link layer (and above) features and feature pairs to detect anomalies.
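The abstract proposes computing information-theoretic metrics of 802.11 feature streams with streaming estimators rather than by keeping a full histogram. The following is an added example, not the authors' code and not the implementation the abstract refers to: it implements the basic AMS-sampling entropy estimator described by Lall et al. (SIGMETRICS 2006), runs it per window over a constructed stream of per-frame source addresses, and flags windows whose entropy deviates from a baseline. The station and attacker MAC addresses, the window size, the sampler counts `s1`/`s2` and the 0.5-bit threshold are all assumptions chosen for the demonstration.

```python
# Added example: one-pass streaming entropy estimation over windows of
# 802.11 link-layer feature values, plus a deviation-from-baseline anomaly flag.
# Not the authors' code; the estimator is the basic AMS-sampling construction
# described by Lall et al. (SIGMETRICS 2006). All frames below are constructed.
import math
import random
from collections import Counter


def exact_entropy(items):
    """Exact empirical Shannon entropy in bits, kept only to check the estimate."""
    m = len(items)
    return sum((c / m) * math.log2(m / c) for c in Counter(items).values())


class StreamingEntropy:
    """One-pass estimator: each of s1*s2 samplers holds a uniformly random stream
    position (reservoir sampling) and counts how often the value seen there recurs
    afterwards. Per sampler, X = m * (g(r) - g(r-1)) with g(r) = (r/m) log2(m/r)
    has expectation H(stream); averaging s1 samplers and taking the median over
    s2 groups tightens the estimate. Memory is O(s1*s2) regardless of alphabet size."""

    def __init__(self, s1=64, s2=5, rng=None):
        self.s1, self.s2 = s1, s2
        self.rng = rng or random.Random(0)
        self.n = 0
        self.samples = [[None, 0] for _ in range(s1 * s2)]  # [held value, count since pick]

    def add(self, item):
        self.n += 1
        for s in self.samples:
            # Replace the held position with probability 1/n, so after n items
            # every position is equally likely to be the one held.
            if self.rng.random() * self.n < 1.0:
                s[0], s[1] = item, 1
            elif s[0] == item:
                s[1] += 1

    def estimate(self):
        m = self.n
        if m == 0:
            return 0.0

        def g(r):
            return 0.0 if r == 0 else (r / m) * math.log2(m / r)

        xs = [m * (g(r) - g(r - 1)) for _, r in self.samples]
        means = sorted(sum(xs[i * self.s1:(i + 1) * self.s1]) / self.s1
                       for i in range(self.s2))
        return means[self.s2 // 2]


def window_entropy_estimates(stream, window, s1=64, s2=5, seed=1):
    """Estimate the entropy of each fixed-size window of the feature stream."""
    rng = random.Random(seed)
    estimates, est = [], None
    for i, item in enumerate(stream):
        if i % window == 0:
            if est is not None:
                estimates.append(est.estimate())
            est = StreamingEntropy(s1, s2, rng)
        est.add(item)
    if est is not None:
        estimates.append(est.estimate())
    return estimates


def flag_anomalies(estimates, baseline_windows=2, threshold=0.5):
    """Flag windows whose entropy differs from the mean of the first
    baseline_windows windows by more than threshold bits, in either direction."""
    baseline = sum(estimates[:baseline_windows]) / baseline_windows
    return [i for i, h in enumerate(estimates)
            if i >= baseline_windows and abs(h - baseline) > threshold]


# Constructed stream of per-frame source addresses (hypothetical locally
# administered MACs). A "feature pair" is simply a tuple such as (subtype, src).
STATIONS = ["02:00:00:00:00:%02x" % i for i in range(8)]
ATTACKER = "02:00:00:00:ff:ff"
WINDOW = 400

normal = [STATIONS[i % 8] for i in range(WINDOW)]               # 50 frames/station, H = 3.0 bits
flood = [ATTACKER if i % 10 else STATIONS[(i // 10) % 8]         # one sender carries 90% of frames
         for i in range(WINDOW)]
spoofed = ["02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF) for i in range(WINDOW)]  # 400 distinct senders
STREAM = normal * 3 + flood + spoofed


def run_demo():
    """Per-window estimates beside the exact values, and the flagged window indices."""
    ests = window_entropy_estimates(STREAM, WINDOW)
    exact = [exact_entropy(STREAM[i:i + WINDOW]) for i in range(0, len(STREAM), WINDOW)]
    return ests, exact, flag_anomalies(ests)


if __name__ == "__main__":
    ests, exact, flagged = run_demo()
    for i, (h, h0) in enumerate(zip(ests, exact)):
        print("window %d: estimate %.2f bits, exact %.2f bits%s"
              % (i, h, h0, "  <-- anomalous" if i in flagged else ""))
```

The three normal windows estimate close to the exact 3.0 bits; window 3 (one sender flooding) drops well below it and window 4 (every frame from a different spoofed address) rises to log2(400), so both directions of deviation are flagged. The estimator never stores a per-address counter, which is the point of using it on link-layer fields where the alphabet (addresses, duration values, sequence numbers) can be large; the fixed window and static threshold are the simplest possible baseline and would need to track diurnal drift in a real deployment.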

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Sergey Bratus (1)
  • Joshua Brody (1)
  • David Kotz (1)
  • Anna Shubina (1)
  1. Institute for Security Technology Studies, Department of Computer Science, Dartmouth College, USA