Accurate network anomaly classification with generalized entropy metrics

The accurate detection and classification of network anomalies based on traffic feature distributions is still a major challenge. Together with volume metrics, traffic feature distributions are the primary source of information for approaches that scale to high-speed and large-scale networks. In previous work, we proposed to use the Tsallis-entropy-based traffic entropy spectrum (TES) to capture changes in specific activity regions, such as the region of heavy hitters or of rare elements. Our preliminary results suggested that the TES not only provides more details about an anomaly but might also be better suited for detecting anomalies than traditional approaches based on Shannon entropy. We refine the TES and propose a comprehensive anomaly detection and classification system called the entropy telescope. We analyze the importance of different entropy features, refute findings of previous work reporting a supposedly strong correlation between different feature entropies, and provide an extensive evaluation of our entropy telescope. Our evaluation with three different detection methods (Kalman filter, PCA, KLE), one classification method (SVM), and a rich set of anomaly models and real backbone traffic demonstrates the superiority of the refined TES approach over TES and the classical Shannon-only approaches. For instance, we found that when switching from Shannon to the refined TES approach, the PCA method detects small to medium sized anomalies up to 20% more accurately. Classification accuracy is improved by up to 19% when switching from Shannon-only to TES and by another 8% when switching from TES to the refined TES approach. To complement our evaluation, we run the entropy telescope on one month of backbone traffic and find that the most prevalent anomalies are different types of scanning (69-84%) and reflector DDoS attacks (15-29%).
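As an added illustration (not code from the paper or its authors), the following computes a Tsallis entropy spectrum over the destination-port feature of two constructed flow windows and shows why negative q values react to a scan's many single-flow ports while positive q values barely move. The q range, the flow records and the relative-deviation score are assumptions made for this example.

```python
from collections import Counter
from math import log

# Constructed flow records (src_ip, dst_port); not real traffic.
BASELINE_FLOWS = (
    [("10.0.0.1", 80)] * 600 + [("10.0.0.2", 443)] * 300
    + [("10.0.0.3", 53)] * 80 + [("10.0.0.4", 22)] * 20
)
# Same window plus a port scan: one flow to each of 100 distinct ports (rare elements).
SCAN_FLOWS = BASELINE_FLOWS + [("10.0.0.9", 1024 + i) for i in range(100)]

# Assumed q range; negative q stresses rare elements, q > 1 stresses heavy hitters.
Q_RANGE = (-2.0, -1.0, 0.0, 1.0, 2.0)


def port_distribution(flows):
    """Empirical distribution of the destination-port feature as a count map."""
    return Counter(port for _, port in flows)


def tsallis_entropy(counts, q):
    """Tsallis entropy S_q = (1 - sum_i p_i^q) / (q - 1); q -> 1 gives Shannon entropy."""
    total = sum(counts.values())
    probs = [c / total for c in counts.values() if c > 0]
    if abs(q - 1.0) < 1e-9:
        return -sum(p * log(p) for p in probs)
    return (1.0 - sum(p ** q for p in probs)) / (q - 1.0)


def entropy_spectrum(counts, qs=Q_RANGE):
    """Traffic entropy spectrum: S_q evaluated at every q in the range."""
    return {q: tsallis_entropy(counts, q) for q in qs}


def spectrum_deviation(baseline_counts, window_counts, qs=Q_RANGE):
    """Relative deviation of each spectrum point from the baseline window (assumed score)."""
    base = entropy_spectrum(baseline_counts, qs)
    cur = entropy_spectrum(window_counts, qs)
    return {q: (cur[q] - base[q]) / base[q] if base[q] else float("inf") for q in qs}


if __name__ == "__main__":
    dev = spectrum_deviation(port_distribution(BASELINE_FLOWS), port_distribution(SCAN_FLOWS))
    for q, d in dev.items():
        # Scan shows up as a huge jump at negative q and a small change at q = 2.
        print(f"q={q:+.1f}  relative deviation={d:.3f}")
```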
