Characterization of worm attacks using entropy, Mahalanobis distance and K-nearest neighbors

Proceedings of 2nd International Electronic Conference on Entropy and Its Applications

2015

Self Cite

Different systems, e.g., the anomaly-based network intrusion detection system (A-NIDS), have been continuously developed in order to ensure integrity, availability, and confidentiality of networks. In this paper, we present a structured and comprehensive overview of the research into entropy-based A-NIDS with the intention of providing researchers a quick introduction to essential aspects of this topic. The main components of the general architecture of A-NIDS based on Entropy are discussed. The achieved high detection rates prove the effective use of entropy. Finally, some open issues in entropy-based network traffic anomaly detection are also highlighted.

Section: Feature Extractionmentioning

confidence: 99%

Section: Windowing In Network Trafficmentioning

confidence: 99%

See 1 more Smart Citation

On Entropy in Network Traffic Anomaly Detection

Proceedings of 2nd International Electronic Conference on Entropy and Its Applications

2015

Self Cite

“…An improvement to the previous work [5] was proposed in [6] where the proposed algorithm uses the Mahalanobis distance to the exclusion of outliers, and an ellipsoidal regions were generated by calculating the parameters {x, γ, λ, LT }, wherex is the mean vector of the matrix H, γ, λ are the eigenvectors and eigenvalues of the covariance matrix of H, and LT is the limit of Mahalanobis distance for H [7]. In both works, network traffic behavior was characterized by regular ellipsoidal regions.…”

Section: Introductionmentioning

confidence: 99%

Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and OC-SVM with Mahalanobis Kernel

Proceedings of 1st International Electronic Conference on Entropy and Its Applications

Figueroa-Ypiña

2014

Self Cite

Network anomaly detection and classification is an important open issue of network security. Several approaches and systems based on different mathematical tools have been studied and developed. Among them, the Anomaly-Network Intrusion Detection System (A-NIDS), this monitors network traffic and compares it against an established baseline of "normal" traffic profile. Then, it is necessary to characterize the "normal" Internet traffic. This paper presents an approach for anomaly detection and classification based on: the entropy of selected features (including Shannon, Renyi and Tsallis entropies), the construction of regions from entropy data employing the Mahalanobis distance (MD), and One Class Support Vector Machine (OC-SVM) with different kernels (RBF and particularity Mahalanobis) for "normal" and abnormal traffic. Regular and non-regular regions built from "normal" traffic profiles, allow the anomaly detection; whilst the classification is performed under the assumption that regions corresponding to the attack classes have been characterized previously. Although, this approach allows the use of as many features as required, only four well known significant features were selected in our case. To evaluate our approach two different data sets were used: one set of real traffic obtained from an Academic LAN, and the other a subset of the 1998 MIT-DARPA set. The selected features sets computed in our experiments provide detection rates up to 99.90% with "normal" traffic and up to 99.83% with anomalous traffic and false alarm rate of 0.086%. Experimental results show that certain values of the q parameter of the generalized entropies and the use of OC-SVM improves the detection rate of some attack classes, due to a better fit of the region to the data. Besides, our results show that MD allows to obtain high detection rates with an efficient computation time, while OC-SVM achieved detection rates slightly higher but more expensive computationally.

“…If a point is an anomaly and the majority of its temporal neighbors belong to a specific anomaly class, then it belongs to this class. Therefore, results were obtained using the k-temporal nearest neighbors algorithm, as in [6]. Table 2.…”

Section: Classification Of Worm Attacksmentioning

confidence: 99%

Using Generalized Entropies and OC-SVM with Mahalanobis Kernel for Detection and Classification of Anomalies in Network Traffic

Figueroa-Ypiña

et al. 2015

Entropy

Self Cite

Network anomaly detection and classification is an important open issue in network security. Several approaches and systems based on different mathematical tools have been studied and developed, among them, the Anomaly-Network Intrusion Detection System (A-NIDS), which monitors network traffic and compares it against an established baseline of a "normal" traffic profile. Then, it is necessary to characterize the "normal" Internet traffic. This paper presents an approach for anomaly detection and classification based on Shannon, Rényi and Tsallis entropies of selected features, and the construction of regions from entropy data employing the Mahalanobis distance (MD), and One Class Support Vector Machine (OC-SVM) with different kernels (Radial Basis Function (RBF) and Mahalanobis Kernel (MK)) for "normal" and abnormal traffic. Regular and non-regular regions built from "normal" traffic profiles allow anomaly detection, while the classification is performed under the assumption that regions corresponding to the attack classes have been previously characterized. Although this approach allows the use of as many features as required, only four well-known significant features were selected in our case. In order to evaluate our approach, two different data sets were used: one set of real traffic obtained from an Academic Local Area Network (LAN), and the other a subset of the 1998 MIT-DARPA Entropy 2015, 17 6240 set. For these data sets, a True positive rate up to 99.35%, a True negative rate up to 99.83% and a False negative rate at about 0.16% were yielded. Experimental results show that certain q-values of the generalized entropies and the use of OC-SVM with RBF kernel improve the detection rate in the detection stage, while the novel inclusion of MK kernel in OC-SVM and k-temporal nearest neighbors improve accuracy in classification. In addition, the results show that using the Box-Cox transformation, the Mahalanobis distance yielded high detection rates with an efficient computation time, while OC-SVM achieved detection rates slightly higher, but is more computationally expensive.