论文信息 - Detecting anomalies in network traffic using Entropy and Mahalanobis distance

Detecting anomalies in network traffic using Entropy and Mahalanobis distance

This paper proposes an Entropy-Mahalanobis-based methodology to detect certain anomalies in IP traffic. The balanced estimator II is used to model the normal behavior of two intrinsic traffic features: source and destination IP addresses. Mahalanobis distance allows to describe an ellipse that characterizes the network entropy, which allows to determine whether a given actual traffic-slot is normal or anomalous. Experimental tests were conducted to evaluate the performance detection of portscan and worm attacks deployed in a campus network, showing that the methodology is effective in timely and accurate detection of these attacks.

Deni Torres Román | Pablo Velarde-Alvarado | Jayro Santiago-Paz

[1] P. Mahalanobis. On the generalized distance in statistics , 1936 .

[2] César Vargas Rosales,et al. Detecting anomalies in network traffic using the method of remaining elements , 2009, IEEE Communications Letters.

[3] W. Härdle,et al. Applied Multivariate Statistical Analysis , 2003 .

[4] Zhi-Li Zhang,et al. Profiling internet backbone traffic: behavior models and applications , 2005, SIGCOMM '05.

[5] Arthur B. Maccabe,et al. The architecture of a network level intrusion detection system , 1990 .

[6] Kensuke Fukuda,et al. A PCA Analysis of Daily Unwanted Traffic , 2010, 2010 24th IEEE International Conference on Advanced Information Networking and Applications.

[7] P Velarde Alvarado,et al. Entropy-based profiles for intrusion detection in LAN traffic , 2008 .

[8] J. Edward Jackson,et al. A User's Guide to Principal Components. , 1991 .

[9] J. Edward Jackson,et al. A User's Guide to Principal Components: Jackson/User's Guide to Principal Components , 2004 .