DocumentCode :
135494
Title :
Characterization of worm attacks using entropy, Mahalanobis distance and K-nearest neighbors
Author :
Santiago-Paz, Jayro ; Torres-Roman, D.
Author_Institution :
Dept. of Electr. Eng. & Comput. Sci. Telecommun., CINVESTAV IPN, Guadalajara, Mexico
fYear :
2014
fDate :
26-28 Feb. 2014
Firstpage :
200
Lastpage :
205
Abstract :
This paper presents an algorithm based on entropy and Mahalanobis distance to characterize the behavior of worm attacks. To do this, a matrix is built from entropy estimates of different intrinsic features of the network traffic, and from this matrix four parameters {μ, γ, λ, d2} are obtained. These values determine an ellipsoidal region that characterizes the behavior of the worm within the space defined by the traffic features. Tests were conducted with two types of traces: one obtained from LAN network traffic containing real Blaster, Sasser and Welchia attacks, and the other a Smurf attack obtained from the MIT-DARPA dataset. Using K nearest neighbors in time, the slots that were outside the previously defined ellipsoidal regions were classified.
Keywords :
entropy; invasive software; pattern classification; Blaster; K nearest neighbors; K-nearest neighbors; LAN network traffic; MIT-DARPA dataset; Mahalanobis distance; Sasser; Smurf attack; Welchia; entropy; worm attack characterization; Covariance matrices; Entropy; Grippers; IP networks; Measurement; Ports (Computers); Vectors;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Electronics, Communications and Computers (CONIELECOMP), 2014 International Conference on
Conference_Location :
Cholula
Print_ISBN :
978-1-4799-3468-3
Type :
conf
DOI :
10.1109/CONIELECOMP.2014.6808591
Filename :
6808591