Beyond Shannon: Characterizing Internet Traffic with Generalized Entropy Metrics

Tellenbach, Bernhard; Burkhart, Martin; Sornette, Didier; Maillart, Thomas

doi:10.1007/978-3-642-00975-4_24

Cited by 38 publications

(25 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Nychis in [8], based on his results of pairwise correlation reported dependencies between addresses and ports and recommended the use of volume-based and behavior-based feature distributions. In opposite, Tellenbach in [15] found no correlation among header-based features.…”

Section: Detection Via Feature Distributionsmentioning

confidence: 92%

“…In several review papers [26][27][28][29][30][31][32] various network anomaly detection methods have been summarized. From aforementioned surveys one can find that the most effective methods of network anomaly detection are Principle Component Analysis [33][34][35], Wavelet analysis [36][37][38], Markovian models [39,40], Clustering [41][42][43], Histograms [44,45], Sketches [46,47], and Entropies [8,15,48].…”

Section: General Overview Of Network Anomaly Techniquesmentioning

confidence: 99%

“…Several feature distributions, i.e., header-based (addresses, ports, flags), volume-based (host or service specific percentage of flows, packets and bytes) and behavior-based (in/out connections for particular host) have been suggested in the past [8,15,64]. However, it is unclear which feature distributions perform best.…”

Section: Detection Via Feature Distributionsmentioning

confidence: 99%

“…Thus, such goals like finding the proper value of parameter for entropy in order to improve detection of particular group of anomalies remains unachieved. Some authors, e.g., Tellenbach et al [9,15,84] employed a set of α-values in their methods. The authors proposed the Traffic Entropy Telescope prototype based on Tsallis entropy capable to detect a broad spectrum of anomalies in a backbone traffic including fast-spreading worms (not that common nowadays), scans and different form of DoS/DDoS attacks.…”

Section: Detection Via Feature Distributionsmentioning

confidence: 99%

“…Entropy-based methods proposed in the past e.g. [8,10,15] deals with a massive spreads of old types of worms (not botnet-like) or different types of Distributed Denial of Service (DDoS) attacks in a high-speed networks. In this article we propose an effective entropy based method for detection and categorization of network anomalies that indicate existence of the botnet-like malware in the local networks.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

An Entropy-Based Network Anomaly Detection Method

Bereziński

Jasiul

Szpyrka

2015

Entropy

162

View full text Add to dashboard Cite

Data mining is an interdisciplinary subfield of computer science involving methods at the intersection of artificial intelligence, machine learning and statistics. One of the data mining tasks is anomaly detection which is the analysis of large quantities of data to identify items, events or observations which do not conform to an expected pattern. Anomaly detection is applicable in a variety of domains, e.g., fraud detection, fault detection, system health monitoring but this article focuses on application of anomaly detection in the field of network intrusion detection.The main goal of the article is to prove that an entropy-based approach is suitable to detect modern botnet-like malware based on anomalous patterns in network. This aim is achieved by realization of the following points: (i) preparation of a concept of original entropy-based network anomaly detection method, (ii) implementation of the method, (iii) preparation of original dataset, (iv) evaluation of the method.

show abstract

Section: Detection Via Feature Distributionsmentioning

confidence: 92%

Section: General Overview Of Network Anomaly Techniquesmentioning

confidence: 99%

Section: Detection Via Feature Distributionsmentioning

confidence: 99%

Section: Detection Via Feature Distributionsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

An Entropy-Based Network Anomaly Detection Method

Bereziński

Jasiul

Szpyrka

2015

Entropy

162

View full text Add to dashboard Cite

show abstract

Application of entropy formulas in detection of denial‐of‐service attacks

Basicevic

Ocovaj

2019

Int J Communication

View full text Add to dashboard Cite

Summary The paper compares five entropy formulas (Shannon, Tsallis, Rényi, Bhatia‐Singh, and Ubriaco) and their application in the detection of distributed denial‐of‐service (DDoS) attacks. The Shannon formula has been used extensively for this purpose for more than a decade. The use of the Tsallis and Rényi formulas in this context has also been proposed. Bhatia‐Singh entropy is a novel information metric with promising results in initial applications in this area. Ubriaco proposed an entropy function based on the fractional calculus. In this paper, flow size distribution was used as the input for detection. The type of DDoS attack is SYN flood, and simulation was used to obtain the input dataset. The results show that the Rényi and Bhatia‐Singh detectors perform better than the rest. Rényi and Tsallis performed similarly with respect to the true positive rate, but Rényi had a much lower false positive rate. The Bhatia‐Singh detector had the best true positive rate but a higher false positive rate than Rényi. The Ubriaco detector performed similar to the Shannon detector. With respect to detection delay, Tsallis, Ubriaco, and Shannon produced similar results, with a slight advantage associated with the Ubriaco detector, while Rényi and Bhatia‐Singh had a larger detection delay than the former three.

show abstract

Use of Tsallis entropy in detection of SYN flood DoS attacks

Basicevic

Ocovaj

Popović

2015

Security Comm Networks

View full text Add to dashboard Cite

In this paper, we present results of application of Tsallis entropy in detection of denial of service attacks. Two detectors, one based on Tsallis and the other one based on Shannon's entropy, have been applied in several attack simulations, and their properties have been compared. The simulated attack is Synchronize packet (SYN) flood. A simple packet distribution, that is, entropy of source addresses are considered. In both cases, cumulative sum control chart algorithm is used for change point detection. Properties of two detectors that are compared are detection delay and rate of true and false positives. The results show that Tsallis entropy‐based detector can outperform (with respect to false positive rate) Shannon‐based one but that requires careful tuning of Tsallis Q parameter that depends on characteristics of network traffic. The detection delay of two detectors is approximately the same. Copyright © 2015 John Wiley & Sons, Ltd.

show abstract

Beyond Shannon: Characterizing Internet Traffic with Generalized Entropy Metrics

Cited by 38 publications

References 13 publications

An Entropy-Based Network Anomaly Detection Method

An Entropy-Based Network Anomaly Detection Method

Application of entropy formulas in detection of denial‐of‐service attacks

Use of Tsallis entropy in detection of SYN flood DoS attacks

Contact Info

Product

Resources

About