• DocumentCode
    1924528
  • Title
    Detecting anomalies in network traffic using Entropy and Mahalanobis distance
  • Author
    Santiago-Paz, J. ; Torres-Román, D. ; Velarde-Alvarado, P.
  • Author_Institution
    Dept. of Electr. Eng. & Comput. Sci., IPN, Guadalajara, Mexico
  • fYear
    2012
  • fDate
    27-29 Feb. 2012
  • Firstpage
    86
  • Lastpage
    91
  • Abstract
    This paper proposes an Entropy-Mahalanobis-based methodology to detect certain anomalies in IP traffic. The balanced estimator II is used to model the normal behavior of two intrinsic traffic features: source and destination IP addresses. The Mahalanobis distance is then used to describe an ellipse that characterizes the network entropy, from which a given traffic slot can be classified as normal or anomalous. Experimental tests were conducted to evaluate the detection performance for portscan and worm attacks deployed in a campus network, showing that the methodology is effective in the timely and accurate detection of these attacks.
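As an added worked example (not the paper's code), the scheme sketched in the abstract carried through in Python on constructed traffic: per-slot entropies of the source and destination address distributions computed with the balanced estimator II, a mean vector and covariance matrix fitted on normal slots, and the Mahalanobis distance, whose level sets are the ellipses the abstract refers to, thresholded to classify new slots. The estimator formula is the one given by Bonachela, Hinrichsen and Muñoz (2008); the alarm threshold, treating only observed addresses as bins, the slot size and all traffic below are my assumptions, since the paper's parameters are not given on this page.

```python
"""Entropy + Mahalanobis-distance anomaly detection for IP traffic slots.
Added illustration, not the paper's code.  A slot (the (src IP, dst IP) pairs of one
time window) is mapped to (H_src, H_dst) via the balanced estimator II of Bonachela,
Hinrichsen and Munoz (2008).  Normal slots give a mean and covariance; the Mahalanobis
distance from the mean, whose level sets are ellipses, is compared with a threshold.
The threshold (chi-square, 2 d.o.f., 99 %) and all traffic below are my own choices."""
import math
from collections import Counter
from typing import Dict, Sequence, Tuple

Flow = Tuple[str, str]   # (source IP, destination IP)


def balanced_entropy_ii(counts: Sequence[int]) -> float:
    """Balanced estimator II, in nats:
        S = 1/(N+2) * sum_i (n_i + 1) * sum_{j = n_i + 2}^{N + 2} 1/j
    Only observed addresses are taken as bins (assumption; the paper's alphabet is not on this page)."""
    n_total = sum(counts)
    # harmonic numbers H_0 .. H_{N+2}; the inner sum equals H_{N+2} - H_{n_i+1}
    harmonic = [0.0]
    for j in range(1, n_total + 3):
        harmonic.append(harmonic[-1] + 1.0 / j)
    acc = sum((n + 1) * (harmonic[n_total + 2] - harmonic[n + 1]) for n in counts)
    return acc / (n_total + 2)


def slot_features(flows: Sequence[Flow]) -> Tuple[float, float]:
    """(H_src, H_dst): entropy of the source and of the destination address distribution."""
    src = Counter(s for s, _ in flows)
    dst = Counter(d for _, d in flows)
    return balanced_entropy_ii(list(src.values())), balanced_entropy_ii(list(dst.values()))


class EntropyMahalanobisDetector:
    def __init__(self, normal_slots: Sequence[Sequence[Flow]], confidence: float = 0.99):
        pts = [slot_features(s) for s in normal_slots]
        n = len(pts)
        if n < 3:
            raise ValueError("need at least 3 training slots")
        self.mu = (sum(p[0] for p in pts) / n, sum(p[1] for p in pts) / n)
        dx = [p[0] - self.mu[0] for p in pts]
        dy = [p[1] - self.mu[1] for p in pts]
        # sample covariance matrix [[a, b], [b, d]] of the training points
        self.a = sum(x * x for x in dx) / (n - 1)
        self.b = sum(x * y for x, y in zip(dx, dy)) / (n - 1)
        self.d = sum(y * y for y in dy) / (n - 1)
        self.det = self.a * self.d - self.b * self.b
        if self.det <= 0.0:
            raise ValueError("singular covariance: training slots show no variation")
        # if (H_src, H_dst) is Gaussian, D^2 is chi-square with 2 d.o.f.; its quantile is -2 ln(1-p)
        self.threshold = -2.0 * math.log(1.0 - confidence)

    def distance_sq(self, flows: Sequence[Flow]) -> float:
        """Squared Mahalanobis distance (x - mu)^T Sigma^-1 (x - mu), 2x2 inverse written out."""
        x, y = slot_features(flows)
        dx, dy = x - self.mu[0], y - self.mu[1]
        return (self.d * dx * dx - 2.0 * self.b * dx * dy + self.a * dy * dy) / self.det

    def is_anomalous(self, flows: Sequence[Flow]) -> bool:
        return self.distance_sq(flows) > self.threshold

    def ellipse_semi_axes(self) -> Tuple[float, float]:
        """Semi-axes of the alarm ellipse D^2 = threshold: sqrt(threshold * eigenvalue of Sigma)."""
        half_tr = (self.a + self.d) / 2.0
        gap = math.sqrt(((self.a - self.d) / 2.0) ** 2 + self.b ** 2)
        return math.sqrt(self.threshold * (half_tr + gap)), math.sqrt(self.threshold * (half_tr - gap))


# ---- constructed traffic (not measured data) ------------------------------
HOSTS = [f"10.0.1.{i}" for i in range(1, 43)]      # 42 campus hosts
SERVERS = [f"10.0.2.{i}" for i in range(1, 32)]    # 31 servers


def background(n_flows: int, n_src: int, n_dst: int) -> list:
    """Round-robin flows from the first n_src hosts to the first n_dst servers."""
    return [(HOSTS[i % n_src], SERVERS[i % n_dst]) for i in range(n_flows)]


# 20 normal slots: the active host and server populations vary from slot to slot
TRAINING = [background(500, 38 + k % 5, 28 + k % 4) for k in range(20)]
NORMAL_SLOT = background(480, 40, 29)
# worm-style sweep: one host probes 400 distinct addresses over light background traffic
# (H_src collapses, H_dst rises)
SWEEP_SLOT = background(100, 40, 30) + [
    ("10.0.9.9", f"10.0.{3 + i // 250}.{i % 250 + 1}") for i in range(400)]
# portscan of one server: one source, one destination, many ports; ports are not a feature,
# so the slot is seen only through the dominance of that pair (both entropies collapse)
SCAN_SLOT = background(100, 40, 30) + [("10.0.9.9", "10.0.2.1")] * 400


def run_demo() -> Dict[str, Tuple[float, bool]]:
    det = EntropyMahalanobisDetector(TRAINING)
    return {name: (det.distance_sq(slot), det.is_anomalous(slot))
            for name, slot in (("normal", NORMAL_SLOT), ("sweep", SWEEP_SLOT), ("scan", SCAN_SLOT))}


if __name__ == "__main__":
    det = EntropyMahalanobisDetector(TRAINING)
    print(f"mean (H_src, H_dst) = {det.mu}, alarm when D^2 > {det.threshold:.3f}, "
          f"ellipse semi-axes = {det.ellipse_semi_axes()}")
    for name, (d2, alarm) in run_demo().items():
        print(f"{name:7s} D^2 = {d2:10.2f}  {'ANOMALOUS' if alarm else 'normal'}")
```

The two attack slots leave the ellipse in opposite directions on the H_dst axis (a sweep raises destination entropy while a single-target scan lowers it), yet both are caught by the same distance, which is why a single ellipse suffices for portscan and worm traffic. The caveat a practitioner should keep in mind: with only the two address features, a scan that makes up a small fraction of a slot's flows stays inside the ellipse, so the slot length and the confidence level trade detection delay against false alarms, and the training slots must actually vary (a constant training set gives a singular covariance, which the constructor rejects).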
  • Keywords
    IP networks; computer network performance evaluation; computer network security; entropy; invasive software; telecommunication traffic; IP traffic; Mahalanobis distance; anomaly detection; balanced estimator II; campus network; destination IP address; entropy-Mahalanobis-based methodology; network entropy; performance detection; portscan; source IP address; traffic slot; worm attacks; Covariance matrix; Entropy; IP networks; Local area networks; Training; Training data; Vectors;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Electrical Communications and Computers (CONIELECOMP), 2012 22nd International Conference on
  • Conference_Location
    Cholula, Puebla
  • Print_ISBN
    978-1-4577-1326-2
  • Type
    conf
  • DOI
    10.1109/CONIELECOMP.2012.6189887
  • Filename
    6189887