DocumentCode
135494
Title
Characterization of worm attacks using entropy, Mahalanobis distance and K-nearest neighbors
Author
Santiago-Paz, Jayro ; Torres-Roman, D.
Author_Institution
Dept. of Electr. Eng. & Comput. Sci. Telecommun., CINVESTAV IPN, Guadalajara, Mexico
fYear
2014
fDate
26-28 Feb. 2014
Firstpage
200
Lastpage
205
Abstract
This paper presents an algorithm based on entropy and Mahalanobis distance to characterize the behavior of worm attacks. For this, a matrix is built from entropy estimates of different intrinsic features of the network traffic, and from this matrix four parameters {μ, γ, λ, d2} are obtained. These values determine an ellipsoidal region that characterizes the behavior of the worm within the space defined by the traffic features. Tests were conducted with two types of traces: one obtained from LAN network traffic containing real Blaster, Sasser and Welchia attacks, and the other a Smurf attack obtained from the MIT-DARPA dataset. Using K nearest neighbors in time, a classification was performed of the slots that fell outside the ellipsoidal regions defined previously.
Keywords
entropy; invasive software; pattern classification; Blaster; K nearest neighbors; K-nearest neighbors; LAN network traffic; MIT-DARPA dataset; Mahalanobis distance; Sasser; Smurf attack; Welchia; entropy; worm attack characterization; Covariance matrices; Entropy; Grippers; IP networks; Measurement; Ports (Computers); Vectors;
fLanguage
English
Publisher
ieee
Conference_Titel
Electronics, Communications and Computers (CONIELECOMP), 2014 International Conference on
Conference_Location
Cholula
Print_ISBN
978-1-4799-3468-3
Type
conf
DOI
10.1109/CONIELECOMP.2014.6808591
Filename
6808591