Title :
Network backbone anomaly detection using double random forests based on non-extensive entropy feature extraction
Author :
Meijuan Yin ; Dong Yao ; Junyong Luo ; Xiaonan Liu ; Jing Ma
Author_Institution :
State Key Lab. of Math. Eng. & Adv. Comput., Zhengzhou, China
Abstract :
This paper proposes an anomaly detection method that can be used on high-speed network backbones. To meet the need for online cost-sensitive data processing, some attributes are extracted from packet headers and recorded by sketching in a fixed time window. Based on non-extensive entropy with different parameters, the original distribution of attribute values is decomposed into high-dimensional features to amplify the characteristics of the small amount of anomalous data hidden in the large amount of normal data. Using these extracted detailed features, a detection model based on random forest is constructed. To further increase detection accuracy and recall, a second random forest detection model is constructed with the anomaly instances only. The experimental results suggest that the proposed anomaly detection method can achieve competitive detection accuracy with a high recall.
Keywords :
computer network security; entropy; feature extraction; learning (artificial intelligence); security of data; high speed network backbone; network backbone anomaly detection; nonextensive entropy feature extraction; online cost-sensitive data processing; random forest detection model; Entropy; Feature extraction; Intrusion detection; Laboratories; Training; Vectors; Vegetation; Anomaly Detection; Network Traffic; Non-extensive Entropy; Random Forest;
Conference_Title :
Natural Computation (ICNC), 2013 Ninth International Conference on
Conference_Location :
Shenyang
DOI :
10.1109/ICNC.2013.6817948