Using normalized entropy to compare traffic differences in stable and unstable time slots
A darknet is a set of routed but unused IP address spaces on the Internet in which no active service resides. Darknet traffic therefore consists only of abnormal traffic and reflects malicious activities such as the results of attacks, experiments, or errors. Thus, darknet traffic analysis is a powerful tool for measuring and characterizing cyber attack activities such as worms, distributed denial of service attacks, backscatter, misconfiguration, or other scans. We analyzed the stability of darknet TCP traffic and found numerous unstable time slots, but the traffic difference between stable and unstable time slots had not been thoroughly investigated. In this paper, we report analysis results for the traffic found in unstable time slots. We compare the traffic in stable and unstable time slots from the viewpoint of the randomness of IP addresses and ports by evaluating the normalized entropy, which measures the uncertainty or randomness of the traffic in each time slot. The results show that the difference in IP address and port randomness between stable and unstable time slots is the result of backscatter, misconfiguration, and scan activity. We conclude that evaluating the normalized entropy is a useful method for detecting and classifying the type of event in unstable time slots.
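The following Python script is an added illustration of the measurement the abstract describes; it is not code from the paper. It computes the normalized entropy of source IP, source port, destination IP and destination port over the packets of one time slot, compares a slot against a stable baseline, and maps the resulting profile onto the three event types named above. The normalization (Shannon entropy divided by log2 of the number of distinct values observed in the slot), the thresholds and the classification rules are assumptions of this example, and all packet records are constructed from RFC 5737 test addresses with 198.51.100.0/24 playing the role of the darknet.

```python
"""Normalized entropy of darknet flow features, per time slot.

Added example, not code from the paper.  Assumptions: entropy is normalized
by log2 of the number of distinct values seen in the slot, the four features
are source/destination IP and port, and the classification rules and
thresholds are illustrative.  All packet records are constructed.
"""
from collections import Counter
from math import log2

FEATURES = ("src_ip", "src_port", "dst_ip", "dst_port")


def normalized_entropy(values):
    """Shannon entropy H(X) divided by log2(k), k = distinct values observed.

    Returns a value in [0, 1]: 0 when every packet carries the same value
    (or the list is empty), 1 when the observed values are uniformly spread.
    Normalizing by the observed alphabet size is an assumption of this example.
    """
    counts = Counter(values)
    k = len(counts)
    if k <= 1:
        return 0.0
    n = sum(counts.values())
    h = -sum((c / n) * log2(c / n) for c in counts.values())
    return h / log2(k)


def slot_profile(records):
    """Normalized entropy of each feature over the packets of one time slot."""
    if not records:
        raise ValueError("empty time slot has no entropy profile")
    return {f: normalized_entropy([r[f] for r in records]) for f in FEATURES}


def entropy_shift(stable_profile, profile):
    """Per-feature drop in randomness of a slot relative to a stable slot."""
    return {f: round(stable_profile[f] - profile[f], 3) for f in FEATURES}


def classify_slot(profile, low=0.2, high=0.8):
    """Illustrative rules (an assumption, not the paper's method) mapping an
    entropy profile to the event types the abstract names."""
    lo = {f for f in FEATURES if profile[f] <= low}
    hi = {f for f in FEATURES if profile[f] >= high}
    # One scanner sweeping the darknet on a single service port.
    if {"src_ip", "dst_port"} <= lo and "dst_ip" in hi:
        return "scan"
    # One victim's service port answering spoofed sources spread over the darknet.
    if {"src_ip", "src_port"} <= lo and {"dst_ip", "dst_port"} <= hi:
        return "backscatter"
    # One host repeatedly contacting one darknet address on one port.
    if {"src_ip", "dst_ip", "dst_port"} <= lo:
        return "misconfiguration"
    # Many unrelated sources, ports and targets: background noise.
    if len(hi) == len(FEATURES):
        return "stable"
    return "unclassified"


def make_slot(kind, n=200):
    """Constructed packets for one slot (RFC 5737 test addresses); the darknet
    is 198.51.100.0/24.  Deterministic so the example runs offline."""
    recs = []
    for i in range(n):
        if kind == "scan":
            r = dict(src_ip="203.0.113.7", src_port=40000 + i,
                     dst_ip=f"198.51.100.{i % 254 + 1}", dst_port=445)
        elif kind == "backscatter":
            r = dict(src_ip="192.0.2.10", src_port=80,
                     dst_ip=f"198.51.100.{(i * 37) % 254 + 1}",
                     dst_port=1024 + (i * 7919) % 60000)
        elif kind == "misconfiguration":
            r = dict(src_ip="203.0.113.50", src_port=51000 + i % 3,
                     dst_ip="198.51.100.9", dst_port=25)
        elif kind == "stable":
            r = dict(src_ip=f"192.0.2.{i % 254 + 1}",
                     src_port=1024 + (i * 4099) % 60000,
                     dst_ip=f"198.51.100.{(i * 53) % 254 + 1}",
                     dst_port=(22, 23, 80, 443, 445, 3389, 8080)[i % 7])
        else:
            raise ValueError(kind)
        recs.append(r)
    return recs


if __name__ == "__main__":
    stable = slot_profile(make_slot("stable"))
    for kind in ("stable", "scan", "backscatter", "misconfiguration"):
        prof = slot_profile(make_slot(kind))
        print(f"{kind:16s} -> {classify_slot(prof):16s}",
              " ".join(f"{f}={prof[f]:.2f}" for f in FEATURES),
              "shift:", entropy_shift(stable, prof))
```

In a real deployment the records would be the TCP packets captured in each fixed-length time slot, the baseline profile would be taken from slots already judged stable, and the thresholds would be tuned on that baseline; the point of the example is that a scan, backscatter and a misconfigured host each drive a different subset of the four entropies toward zero, which is what makes the profile usable for classification.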