A comparison between divergence measures for network anomaly detection

This paper deals with the detection of flooding attacks which are the most common type of Denial of Service (DoS) attacks. We compare 2 divergence measures (Hellinger distance and Chi-square divergence) to analyze their detection accuracy. The performance of these statistical divergence measures are investigated in terms of true positive and false alarm ratio. A particular focus will be on how to use these measures over Sketch data structure, and which measure provides the best detection accuracy. We conduct performance analysis over publicly available real IP traces (MAWI) collected from the WIDE backbone network. Our experimental results show that Chi-square divergence outperforms Hellinger distance in network anomalies detection.

[1]  Kang G. Shin,et al.  Detecting SYN flooding attacks , 2002, Proceedings.Twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies.

[2]  Michel Broniatowski,et al.  An estimation method for the Neyman chi-square divergence with application to test of hypotheses , 2006 .

[3]  Vasilios A. Siris,et al.  Application of anomaly detection algorithms for detecting SYN flooding attacks , 2004, IEEE Global Telecommunications Conference, 2004. GLOBECOM '04..

[4]  Wipawee Hattagam,et al.  Anomaly detection using self-organizing map and wavelets in wireless sensor networks , 2010 .

[5]  Ali A. Ghorbani,et al.  Network Anomaly Detection Based on Wavelet Analysis , 2009, EURASIP J. Adv. Signal Process..

[6]  Jake D. Brutlag,et al.  Aberrant Behavior Detection in Time Series for Network Monitoring , 2000, LISA.

[7]  Graham Cormode,et al.  An improved data stream summary: the count-min sketch and its applications , 2004, J. Algorithms.

[8]  Osman Salem,et al.  A Novel Approach for Anomaly Detection over High-Speed Networks , 2008 .

[9]  Sushil Jajodia,et al.  Detecting VoIP Floods Using the Hellinger Distance , 2008, IEEE Transactions on Parallel and Distributed Systems.

[10]  Chi Zhou,et al.  Sketch-Based SIP Flooding Detection Using Hellinger Distance , 2009, GLOBECOM 2009 - 2009 IEEE Global Telecommunications Conference.

[11]  Stefan Savage,et al.  Inferring Internet denial-of-service activity , 2001, TOCS.

[12]  Vyas Sekar,et al.  An empirical evaluation of entropy-based traffic anomaly detection , 2008, IMC '08.