Anomaly Detection Method Using Entropy of Network Traffic Distributions


The KIPS Transactions:PartC, Vol. 13, No. 3, pp. 283-294, Jun. 2006
DOI: 10.3745/KIPSTC.2006.13.3.283

Abstract

Hostile network traffic often differs from normal traffic in ways that can be distinguished without knowing the exact nature of the attack. In this paper, we propose a new anomaly detection method based on inbound network traffic distributions. For this purpose, we first characterize the traffic of a real campus network by the distributions of IP protocol, packet length, destination IP address and port, TTL value, TCP SYN packets, and fragmented packets. We then introduce the concept of entropy to transform the obtained baseline traffic distributions into manageable values. Finally, we detect anomalies from the difference between the entropies of the current and baseline distributions. In particular, we apply well-known denial-of-service attacks to a real campus network and present the experimental results.



Cite this article
[IEEE Style]
K. H. Kang, J. T. Oh, J. S. Jang, "Anomaly Detection Method Using Entropy of Network Traffic Distributions," The KIPS Transactions:PartC, vol. 13, no. 3, pp. 283-294, 2006. DOI: 10.3745/KIPSTC.2006.13.3.283.

[ACM Style]
Koo Hong Kang, Jin Tae Oh, and Jong Soo Jang. 2006. Anomaly Detection Method Using Entropy of Network Traffic Distributions. The KIPS Transactions:PartC, 13, 3, (2006), 283-294. DOI: 10.3745/KIPSTC.2006.13.3.283.