• DocumentCode
    2870775
  • Title
    Entropy based worm and anomaly detection in fast IP networks
  • Author
    Wagner, Arno ; Plattner, Bernhard
  • Author_Institution
    Swiss Fed. Inst. of Technol., Zurich, Switzerland
  • fYear
    2005
  • fDate
    13-15 June 2005
  • Firstpage
    172
  • Lastpage
    177
  • Abstract
    Detecting massive network events such as worm outbreaks in fast IP networks like Internet backbones is hard. One problem is that the volume of traffic data does not allow real-time analysis of details. Another is that the specific characteristics of these events are not known in advance. Analysis methods are therefore needed that are real-time capable and can handle large amounts of traffic data. We have developed an entropy-based approach that determines and reports the entropy content of traffic parameters such as IP addresses; a change in the entropy content indicates a massive network event. We give analyses of two Internet worms as proof of concept. While our primary focus is the detection of fast worms, our approach should also be able to detect other network events. We discuss implementation alternatives and give benchmark results. We also show that our approach scales very well.
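    The following is an added illustration of the idea stated in the abstract, not code from the paper: the Shannon entropy of the source and destination address fields is computed per time window, and a window whose entropy moves far from a benign baseline is flagged. The flow records, the 60 s window, the 1-bit alert threshold and the exact per-window counters are all constructed or assumed here; the paper's own implementation alternatives and benchmarks address how entropy is estimated at backbone rates, which this exact-counter version does not.

```python
"""Entropy-based detection of massive network events over per-window flow
records (added example, not the authors' implementation). Flow data,
window size and threshold are constructed/assumed for the demonstration."""
from collections import Counter
from math import log2
from typing import Dict, Iterable, List, Tuple

Flow = Tuple[int, str, str]  # (timestamp_seconds, src_ip, dst_ip)


def shannon_entropy(counts: Counter) -> float:
    """Shannon entropy in bits of an empirical distribution given as counts."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * log2(c / total) for c in counts.values() if c)


def window_entropies(flows: Iterable[Flow], window: int) -> Dict[int, Dict[str, float]]:
    """Entropy of the src and dst address fields for each time window."""
    buckets: Dict[int, Tuple[Counter, Counter]] = {}
    for ts, src, dst in flows:
        srcs, dsts = buckets.setdefault(ts // window, (Counter(), Counter()))
        srcs[src] += 1
        dsts[dst] += 1
    return {w: {"src": shannon_entropy(s), "dst": shannon_entropy(d)}
            for w, (s, d) in sorted(buckets.items())}


def detect_events(ent: Dict[int, Dict[str, float]], baseline_windows: int,
                  threshold_bits: float) -> List[Tuple[int, str, float]]:
    """Return (window, field, delta) for windows whose entropy differs from the
    mean of the first `baseline_windows` windows by more than the threshold.
    Worm scanning is expected to lower src entropy (few infected hosts) and raise
    dst entropy (many scanned targets); both directions are reported."""
    ws = sorted(ent)
    base = ws[:baseline_windows]
    alerts = []
    for field in ("src", "dst"):
        mean = sum(ent[w][field] for w in base) / len(base)
        for w in ws[baseline_windows:]:
            delta = ent[w][field] - mean
            if abs(delta) > threshold_bits:
                alerts.append((w, field, delta))
    return alerts


def constructed_traffic() -> List[Flow]:
    """Constructed sample: three benign 60 s windows followed by one scan window."""
    flows: List[Flow] = []
    # Benign: 100 clients, each talking twice, spread evenly over 20 servers.
    for w in range(3):
        for i in range(100):
            for j in range(2):
                flows.append((w * 60 + (i * 2 + j) % 60,
                              f"10.{w}.0.{i}", f"198.51.100.{(i + 10 * j) % 20}"))
    # Worm-like: 4 infected hosts each probing 50 distinct destinations.
    for h in range(4):
        for k in range(50):
            flows.append((180 + k, f"10.0.0.{h + 1}", f"203.0.113.{h * 50 + k}"))
    return flows


def run_demo(window: int = 60, baseline_windows: int = 3, threshold_bits: float = 1.0):
    ent = window_entropies(constructed_traffic(), window)
    return ent, detect_events(ent, baseline_windows, threshold_bits)


if __name__ == "__main__":
    ent, alerts = run_demo()
    for w, e in ent.items():
        print(f"window {w}: H(src)={e['src']:.2f} bits  H(dst)={e['dst']:.2f} bits")
    for w, field, delta in alerts:
        print(f"ALERT window {w}: {field} entropy changed by {delta:+.2f} bits")
```

    In the constructed data the scan window shows source entropy falling from about 6.6 to 2.0 bits and destination entropy rising from about 4.3 to 7.6 bits, so both fields exceed the 1-bit threshold while the benign windows do not.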
  • Keywords
    IP networks; invasive software; real-time systems; telecommunication traffic; IP addresses; Internet worms; anomaly detection; entropy contents; fast worm detection; massive network event; real time analysis; traffic parameters; worm outbreaks; Communication system traffic; Data compression; Entropy; Event detection; Intelligent networks; Internet; Laboratories; Spine; Telecommunication traffic
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Enabling Technologies: Infrastructure for Collaborative Enterprise, 2005. 14th IEEE International Workshops on
  • ISSN
    1524-4547
  • Print_ISBN
    0-7695-2362-5
  • Type
    conf
  • DOI
    10.1109/WETICE.2005.35
  • Filename
    1566205