Advertisement

Network Anomaly Detection Using Parameterized Entropy

  • Przemysław Bereziński
  • Marcin Szpyrka
  • Bartosz Jasiul
  • Michał Mazur
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8838)

Abstract

Entropy-based anomaly detection has recently been extensively studied in order to overcome weaknesses of traditional volume and rule based approaches to network flows analysis. From many entropy measures only Shannon, Titchener and parameterized Renyi and Tsallis entropies have been applied to network anomaly detection. In the paper, our method based on parameterized entropy and supervised learning is presented. With this method we are able to detect a broad spectrum of anomalies with low false positive rate. In addition, we provide information revealing the anomaly type. The experimental results suggest that our method performs better than Shannon-based and volume-based approach.

Keywords

anomaly detection entropy netflow network traffic measurement 

References

  1. 1.
  2. 2.
    Verizon. 2014 Data Breach Investigations Report, http://www.verizonenterprise.com/DBIR/2014/
  3. 3.
    Weka project homepage, http://www.cs.waikato.ac.nz/ml/weka
  4. 4.
    Bereziński, P., Pawelec, J., Małowidzki, M., Piotrowski, R.: Entropy-based internet traffic anomaly detection: A case study. In: Zamojski, W., Mazurkiewicz, J., Sugier, J., Walkowiak, T., Kacprzyk, J. (eds.) Proceedings of the Ninth International Conference on DepCoS-RELCOMEX. AISC, vol. 286, pp. 47–58. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  5. 5.
    Brauckhoff, D.: Network traffic anomaly detection and evaluation. ETH, Zurich (2010)zbMATHGoogle Scholar
  6. 6.
    Brauckhoff, D., Tellenbach, B., Wagner, A., May, M., Lakhina, A.: Impact of packet sampling on anomaly detection metrics. In: Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, IMC 2006, pp. 159–164. ACM (2006)Google Scholar
  7. 7.
    Chandola, V., Banerjee, A., Kumar, V.: Anomaly detection: A survey. ACM Computing Surveys 41(3) 15, 1–15 (2009)CrossRefGoogle Scholar
  8. 8.
    Choraś, M., Kozik, R., Piotrowski, R., Brzostek, J., Hołubowicz, W.: Network events correlation for federated networks protection system. In: Abramowicz, W., Llorente, I.M., Surridge, M., Zisman, A., Vayssière, J. (eds.) ServiceWave 2011. LNCS, vol. 6994, pp. 100–111. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  9. 9.
    Davis, J., Goadrich, M.: The relationship between precision-recall and roc curves. In: Proc. of the 23rd Int. Conference on Machine Learning, ICML 2006, pp. 233–240. ACM (2006)Google Scholar
  10. 10.
    Dimitropoulos, X., Stoecklin, M., Hurley, P., Kind, A.: The eternal sunshine of the sketch data structure. Computer Networks 52(17), 3248–3257 (2008)CrossRefzbMATHGoogle Scholar
  11. 11.
    Fillatre, L., Nikiforov, I., Casas, P., Vaton, S.: Optimal volume anomaly detection in network traffic flows. In: Proceedings of the 16th European Signal Processing Conference, EURASIPCO 2008. EURASIP (2008)Google Scholar
  12. 12.
    Jasiul, B., Śliwa, J., Gleba, K., Szpyrka, M.: Identification of malware activities with rules. In: Proceedings of the Federated Conference on Computer Science and Information Systems, Warsaw, Poland (2014)Google Scholar
  13. 13.
    Jasiul, B., Szpyrka, M., Śliwa, J.: Malware behavior modeling with Colored Petri nets. In: Saeed, K., Snášel, V. (eds.) CISIM 2014. LNCS, vol. 8838, pp. 667–679. Springer, Heidelberg (2014)Google Scholar
  14. 14.
    Kind, A., Stoecklin, M.P., Dimitropoulos, X.: Histogram-based traffic anomaly detection. IEEE Trans. on Netw. and Serv. Manag. 6(2), 110–121 (2009)CrossRefGoogle Scholar
  15. 15.
    Kopylova, Y., Buell, D.A., Huang, C.-T., Janies, J.: Mutual information applied to anomaly detection. Journal of Communications and Networks 10(1), 89–97 (2008)CrossRefGoogle Scholar
  16. 16.
    Lakhina, A., Crovella, M., Diot, C.: Mining anomalies using traffic feature distributions. In: Proceedings of the 2005 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications, SIGCOMM 2005, pp. 217–228. ACM (2005)Google Scholar
  17. 17.
    Nychis, G., Sekar, V., Andersen, D.G., Kim, H., Zhang, H.: An empirical evaluation of entropy-based traffic anomaly detection. In: Proceedings of the 8th ACM SIGCOMM Conference on Internet Measurement, IMC 2008, pp. 151–156. ACM (2008)Google Scholar
  18. 18.
    Renyi, A.: Probability Theory. Dover Books on Mathematics Series. Dover Publ. Inc. (1973)Google Scholar
  19. 19.
    Shiravi, A., Shiravi, H., Tavallaee, M., Ghorbani, A.: Toward developing a systematic approach to generate benchmark datasets for intrusion detection. Computers and Security 31(3), 357–374 (2012)CrossRefGoogle Scholar
  20. 20.
    Szpyrka, M., Jasiul, B., Wrona, K., Dziedzic, F.: Telecommunications networks risk assessment with bayesian networks. In: Saeed, K., Chaki, R., Cortesi, A., Wierzchoń, S. (eds.) CISIM 2013. LNCS, vol. 8104, pp. 277–288. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  21. 21.
    Tellenbach, B., Burkhart, M., Schatzmann, D., Gugelmann, D., Sornette, D.: Accurate network anomaly classification with generalized entropy metrics. Computer Networks 55(15), 3485–3502 (2011)CrossRefGoogle Scholar
  22. 22.
    Tsallis, C., de Pesquisas Físicas, C.B.: Possible Generalization of Boltzmann-Gibbs Statistics. Notas de física. Centro Brasileiro de Pesquisas Físicas (1987)Google Scholar
  23. 23.
    Xiang, Y., Li, K., Zhou, W.: Low-rate ddos attacks detection and traceback by using new information metrics. Trans. Info. For. Sec. 6(2), 426–437 (2011)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • Przemysław Bereziński
    • 1
  • Marcin Szpyrka
    • 2
  • Bartosz Jasiul
    • 1
  • Michał Mazur
    • 1
  1. 1.C4I Systems’ DepartmentMilitary Communication InstituteZegrzePoland
  2. 2.Department of Applied Computer ScienceAGH University of Science and TechnologyKrakówPoland

Personalised recommendations