A Flow-Based Entropy Characterization of a NATed Network and Its Application on Intrusion Detection

This paper presents a flow-based entropy characterization of a small/medium-sized campus network that uses network address translation (NAT). Although most networks of this kind are deployed in this configuration, their entropy characterization has not been studied before. Measurements from a production network show that the entropies of the individual flow elements (external IP address, external port, campus IP address, campus port) and of tuples of those elements have particular characteristics. Findings include: i) entropies may vary widely over the course of a day. For example, on a typical weekday the entropies of the campus and external ports may range from below 0.2 to above 0.8 (on a normalized entropy scale of 0 to 1), and the entropy of the campus IP address shows a similar swing; ii) building a granular entropy characterization of the individual flow elements can help detect anomalies, since the data shows that certain attacks produce entropies that deviate from the expected patterns; iii) the entropy of the 3-tuple {external IP, campus IP, campus port} is high and consistent over time, approaching that of a uniformly distributed variable, so a deviation from this pattern is an encouraging anomaly indicator; iv) strong negative and positive correlations exist between some of the entropy time-series of the flow elements.
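
The following Python block is an added example, not code from the paper: it computes the normalized entropy of each flow element and of the 3-tuple {external IP, campus IP, campus port} over a window of flow records, and compares a baseline window against a window containing a flood from one external host to one campus IP and port. The flow records are constructed inline, and the normalization (Shannon entropy divided by log2 of the number of distinct values seen in the window, so that a window where every distinct value occurs equally often scores exactly 1.0) is an assumed convention; the paper's exact normalization and its deviation threshold (0.15 here) are not given in the abstract.

```python
"""Normalized flow-element entropy per window, with a flood that lowers it.

Added example (not from the paper). Flow records are constructed inline;
normalizing by log2 of the number of distinct values in the window is an
assumed convention, not the paper's stated formula.
"""
from collections import Counter
from dataclasses import dataclass
import math
import random


@dataclass(frozen=True)
class Flow:
    """One flow record reduced to the four key fields the paper studies."""
    ext_ip: str
    ext_port: int
    campus_ip: str
    campus_port: int


ELEMENTS = ("ext_ip", "ext_port", "campus_ip", "campus_port")
TUPLE3 = "ext_ip,campus_ip,campus_port"


def normalized_entropy(values):
    """Shannon entropy of the empirical distribution, scaled to [0, 1].

    Scaled by log2 of the number of distinct values observed, so a window in
    which every distinct value occurs equally often scores exactly 1.0 and a
    window dominated by one value scores close to 0.
    """
    counts = Counter(values)
    distinct = len(counts)
    if distinct <= 1:
        return 0.0
    total = sum(counts.values())
    h = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return h / math.log2(distinct)


def window_entropies(flows):
    """Normalized entropy of each flow element and of the 3-tuple."""
    result = {name: normalized_entropy(getattr(f, name) for f in flows)
              for name in ELEMENTS}
    result[TUPLE3] = normalized_entropy(
        (f.ext_ip, f.campus_ip, f.campus_port) for f in flows)
    return result


def deviations(baseline, current, threshold=0.15):
    """Elements whose normalized entropy moved by at least `threshold`.

    The threshold is an assumption for this example; in practice it would be
    derived from the per-element daily profile the paper describes.
    """
    return sorted(k for k in baseline
                  if abs(current[k] - baseline[k]) >= threshold)


# --- constructed sample data (synthetic, not real measurements) --------------
SERVICE_PORTS = [80, 443, 22, 53, 25, 993, 8080]
SERVICE_WEIGHTS = [40, 30, 10, 10, 5, 3, 2]


def constructed_windows(seed=7):
    """Return (baseline_window, flood_window) of synthetic flows.

    Baseline: 2000 flows from 508 external hosts to 50 campus servers.
    Flood: the same background mix plus 3000 flows from one external host
    hammering a single campus SSH port (e.g. a password-guessing campaign).
    """
    rng = random.Random(seed)
    ext_hosts = ([f"198.51.100.{i}" for i in range(1, 255)]
                 + [f"203.0.113.{i}" for i in range(1, 255)])
    campus_hosts = [f"172.16.0.{i}" for i in range(1, 51)]

    def background(n):
        return [Flow(rng.choice(ext_hosts), rng.randint(1024, 65535),
                     rng.choice(campus_hosts),
                     rng.choices(SERVICE_PORTS, SERVICE_WEIGHTS)[0])
                for _ in range(n)]

    baseline = background(2000)
    flood = background(2000) + [
        Flow("203.0.113.77", rng.randint(1024, 65535), "172.16.0.9", 22)
        for _ in range(3000)]
    rng.shuffle(flood)
    return baseline, flood


if __name__ == "__main__":
    base, flood = constructed_windows()
    eb, ef = window_entropies(base), window_entropies(flood)
    for key in eb:
        print(f"{key:32s} baseline={eb[key]:.3f} flood={ef[key]:.3f}")
    print("deviating elements:", deviations(eb, ef))
```

Running it shows the pattern the abstract describes: the external port stays near 1.0 in both windows (ephemeral ports are nearly unique per flow), while the external IP, campus IP, campus port and the 3-tuple all drop sharply when one source dominates the window. The same functions applied to a scan (one source, many campus ports) would move the campus-port entropy in the opposite direction, which is why the paper characterizes each element separately rather than relying on a single aggregate score.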