ABSTRACT

Contents

11.1 Introduction ... 284
11.2 Background ... 284
11.2.1 Intrusion Detection Systems ... 284
11.2.1.1 Data Preparation for Traffic Profiling ... 286
11.2.2 Entropy ... 286
11.2.3 Pattern Recognition ... 289
11.2.4 Principal Component Analysis ... 290
11.3 Method of Entropy Spaces ... 291
11.3.1 Excess Point Method ... 295
11.4 Architecture for A-NIDS Based on MES ... 300
11.4.1 Results of Tests ... 302
11.4.2 Excess Point Results ... 302
11.5 Experimental Platform, Data Set, and Tools ... 304
11.6 Conclusions ... 305
11.7 Future Research ... 305
Acknowledgments ... 305
References ... 306

11.1 Introduction

Cyber-attacks carried out directly against networking infrastructure are becoming increasingly prevalent. Both the number and the complexity of attacks have increased dramatically in recent years. At the same time, this surge in network security threats has the potential to significantly impede productivity, disrupt business and operations, and cause information and economic losses.