DocumentCode :
1683427
Title :
Comparison of Properties between Entropy and Chi-Square Based Anomaly Detection Method
Author :
Oshima, Shunsuke ; Nakashima, Takuo ; Sueyoshi, Toshinori
Author_Institution :
ICT Center for Learning Support, Kumamoto Nat. Coll. of Technol., Kumamoto, Japan
fYear :
2011
Firstpage :
221
Lastpage :
228
Abstract :
As typical statistical anomaly detection methods, entropy and χ2 based methods have been researched and reported in terms of their properties for anomaly attacks. In this research, we compare the properties of both methods and discuss the accuracy of detection and the efficiency for different kinds of attacks. Our previous research has clarified that the source IP address and destination port number are efficient statistical variables for viewing the anomaly packet property, which leads to correct detection. In this paper, we propose the EMMM method for the entropy value and the CSDM method for the χ2 value, using multiple statistical variables. The experiments to verify our proposed methods were conducted using source IP address, destination port number and arrival interval of packets. We obtained the following results. Firstly, the EMMM method could decrease the values of False-Positive and False-Negative. Secondly, the CSDM method could increase the F-metric, which is the evaluation standard for accurate detection. In the experiments using the same parameter conditions, such as probability variables and window width, the CSDM method enlarges the F-metric compared to the EMMM method.
Keywords :
IP networks; computer network security; entropy; statistical analysis; χ2 based anomaly detection method; CSDM method; EMMM method; anomaly attacks; anomaly packet property; destination port number; entropy based anomaly detection; false-negative value; false-positive value; multistatistical variables; source IP address; Accuracy; Computer crime; Entropy; Equations; Feature extraction; IP networks; Mathematical model; DoS/DDoS detection; Entropy; anomaly detection; chi-square value; statistical approach;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Network-Based Information Systems (NBiS), 2011 14th International Conference on
Conference_Location :
Tirana
ISSN :
2157-0418
Print_ISBN :
978-1-4577-0789-6
Electronic_ISBN :
2157-0418
Type :
conf
DOI :
10.1109/NBiS.2011.40
Filename :
6041889