Network Anomaly Detection by IP Flow Graph Analysis: A DDoS Attack Case Study

This paper introduces a novel approach to anomaly detection. The solution is an automatic detection system that operates without network administrator intervention. Network IP flows are modeled as a graph, and Tsallis entropy is applied to that graph in order to detect anomalies. Furthermore, the solution extracts and presents detailed information from the network traffic, giving the network administrator a broad view of the damage that network anomalies cause. To evaluate the effectiveness of the proposed solution, real data collected during a DDoS attack was used.
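As an added illustration of the technique the abstract describes (this is not the paper's own code or data), the following Python builds a directed IP-flow graph from constructed flow records, computes the Tsallis entropy of the destination in-degree distribution, and flags a traffic window whose entropy deviates from a baseline by more than a threshold. The flow records, the entropic index q = 2, the choice of in-degree as the analysed distribution and the deviation threshold are all assumptions made for the example.

```python
"""Tsallis entropy over an IP-flow graph: added example, not the paper's code."""
import math
from collections import defaultdict

# Constructed sample flows (src_ip, dst_ip, packets); not real measurements.
BASELINE_FLOWS = [
    ("10.0.0.1", "192.168.1.10", 120),
    ("10.0.0.2", "192.168.1.20", 90),
    ("10.0.0.3", "192.168.1.30", 110),
    ("10.0.0.4", "192.168.1.10", 80),
    ("10.0.0.5", "192.168.1.40", 100),
    ("10.0.0.6", "192.168.1.20", 95),
]

# Constructed attack window: 200 extra sources all converge on one destination,
# the flow-graph shape of a volumetric DDoS.
ATTACK_FLOWS = BASELINE_FLOWS + [
    ("172.16.%d.%d" % (i // 256, i % 256), "192.168.1.10", 500) for i in range(200)
]


def build_flow_graph(flows):
    """Directed graph src -> {dst: packets}; a flow is an edge, packets its weight."""
    graph = defaultdict(dict)
    for src, dst, pkts in flows:
        graph[src][dst] = graph[src].get(dst, 0) + pkts
    return graph


def in_degree_distribution(graph):
    """Probability mass over destinations, proportional to the number of
    distinct sources talking to each one (graph in-degree)."""
    indeg = defaultdict(int)
    for edges in graph.values():
        for dst in edges:
            indeg[dst] += 1
    total = sum(indeg.values())
    return {dst: d / total for dst, d in indeg.items()}


def tsallis_entropy(probs, q):
    """S_q = (1 - sum(p_i ** q)) / (q - 1).  As q -> 1 this tends to Shannon
    entropy, which is returned directly to avoid division by zero."""
    if abs(q - 1.0) < 1e-9:
        return -sum(p * math.log(p) for p in probs if p > 0)
    return (1.0 - sum(p ** q for p in probs)) / (q - 1.0)


def window_entropy(flows, q=2.0):
    """Tsallis entropy of the in-degree distribution for one traffic window."""
    dist = in_degree_distribution(build_flow_graph(flows))
    return tsallis_entropy(dist.values(), q)


def detect_anomaly(baseline_flows, window_flows, q=2.0, threshold=0.3):
    """Compare a window against the baseline profile.  Returns
    (is_anomalous, delta): delta is baseline entropy minus window entropy, so a
    large positive delta means traffic has concentrated on few destinations.
    The threshold is an assumed value; in practice it is learned from history."""
    delta = window_entropy(baseline_flows, q) - window_entropy(window_flows, q)
    return abs(delta) > threshold, delta


def top_destinations(flows, n=3):
    """Detail the operator would want once an alarm fires: the destinations
    with the most distinct sources and the packets aimed at them."""
    graph = build_flow_graph(flows)
    sources, packets = defaultdict(int), defaultdict(int)
    for edges in graph.values():
        for dst, pkts in edges.items():
            sources[dst] += 1
            packets[dst] += pkts
    ranked = sorted(sources, key=lambda d: sources[d], reverse=True)[:n]
    return [(d, sources[d], packets[d]) for d in ranked]


if __name__ == "__main__":
    for name, flows in (("baseline", BASELINE_FLOWS), ("attack", ATTACK_FLOWS)):
        flagged, delta = detect_anomaly(BASELINE_FLOWS, flows)
        print("%-8s S_2=%.4f delta=%.4f anomalous=%s" % (name, window_entropy(flows), delta, flagged))
    print("most-targeted destinations in attack window:", top_destinations(ATTACK_FLOWS))
```

In the baseline the four destinations share sources fairly evenly and S_2 sits near its maximum for four outcomes (0.75); in the attack window almost every source points at one destination, S_2 collapses towards zero, and the deviation crosses the threshold. The `top_destinations` report is the kind of detail the abstract says a detector should surface to the administrator alongside the alarm.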
