DocumentCode
3192190
Title
An approach on detecting network attack based on entropy
Author
Wang, Zhiwen ; Xia, Qin
Author_Institution
Dept. of Comput. Sci. & Technol., Xi'an Jiaotong Univ., Xi'an, China
fYear
2011
fDate
20-23 March 2011
Firstpage
210
Lastpage
214
Abstract
A typical Intrusion Detection System (IDS) produces a large volume of alerts with a high false-positive rate, and identifying actual network attacks effectively within that volume is becoming a challenging task for security administrators. The problem worsens as the scale of the network monitored by the IDS grows. In this paper we propose an entropy-based approach for detecting network attacks among millions of alerts. Shannon entropy is first used to characterise the distribution of alerts over five key attributes: source IP address, destination IP address, source threat, destination threat and datagram length. The Rényi cross entropy is then employed to fuse the resulting Shannon entropy vector and detect anomalies. The IDS used in our experiments is Snort, and experimental results on real network data show that the approach detects network attacks quickly and accurately.
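The following is an added worked example, not code from the paper: it computes the per-attribute Shannon entropy vector of a window of alerts and fuses it into one anomaly score against a training window. Assumptions: alerts are already parsed into records with the five attributes named in the abstract (the field names, the windows and the alert values are constructed for the example, not Snort output); the paper's "Rényi cross entropy" fusion step is approximated by the Rényi divergence of order alpha between the normalised entropy vectors; the eps smoothing and the 0.5 threshold are this example's own choices.

```python
"""Entropy-based anomaly scoring over windows of IDS alerts.

Added example, not the paper's code. Assumptions: alert records already
carry the five attributes from the abstract; the fusion step is modelled as
a Rényi divergence between normalised entropy vectors; threshold and eps are
illustrative.
"""
from collections import Counter
from math import log2

# The five alert attributes named in the abstract.
ATTRIBUTES = ("src_ip", "dst_ip", "src_threat", "dst_threat", "dgm_len")


def alert(src_ip, dst_ip, src_threat, dst_threat, dgm_len):
    """Build one alert record (field names are this example's own)."""
    return dict(zip(ATTRIBUTES, (src_ip, dst_ip, src_threat, dst_threat, dgm_len)))


def shannon_entropy(values):
    """H(X) = -sum p(x) log2 p(x) over the empirical distribution of values."""
    n = len(values)
    return -sum((c / n) * log2(c / n) for c in Counter(values).values())


def entropy_vector(window):
    """Shannon entropy of each attribute across one window of alerts."""
    return [shannon_entropy([a[k] for a in window]) for k in ATTRIBUTES]


def to_distribution(vector, eps=1e-9):
    """Normalise a non-negative vector to a probability vector.

    eps keeps every component strictly positive so the divergence stays finite
    when an attribute's entropy collapses to zero (e.g. a single target host).
    """
    weights = [h + eps for h in vector]
    total = sum(weights)
    return [w / total for w in weights]


def renyi_divergence(p, q, alpha=2.0):
    """D_alpha(P || Q) = 1/(alpha-1) * log2 sum_i p_i^alpha * q_i^(1-alpha).

    alpha -> 1 is the KL divergence; alpha = 2 penalises large ratios harder.
    """
    if alpha == 1.0:
        return sum(pi * log2(pi / qi) for pi, qi in zip(p, q))
    total = sum(pi ** alpha * qi ** (1 - alpha) for pi, qi in zip(p, q))
    return log2(total) / (alpha - 1)


def score_window(window, baseline_vector, alpha=2.0):
    """Fuse the window's five entropies into one score against the baseline."""
    return renyi_divergence(to_distribution(entropy_vector(window)),
                            to_distribution(baseline_vector), alpha)


def detect(windows, training_window, threshold=0.5, alpha=2.0):
    """Return (label, score, is_anomalous) per window; threshold is illustrative."""
    baseline_vector = entropy_vector(training_window)
    results = []
    for label, window in windows:
        score = score_window(window, baseline_vector, alpha)
        results.append((label, score, score > threshold))
    return results


# Constructed alert windows (not real traffic). Training window: eight distinct
# sources, four targets, two threat levels per side, two datagram sizes.
TRAINING_WINDOW = [
    alert(f"10.0.0.{i}", f"192.168.1.{10 + i % 4}", 1 + i % 2,
          2 + (i // 2) % 2, 60 + 60 * (i % 2))
    for i in range(8)
]
# Benign window: same shape as training, slightly more varied datagram sizes.
BENIGN_WINDOW = [
    alert(f"10.0.1.{i}", f"192.168.1.{10 + i % 4}", 1 + i % 2,
          2 + (i // 2) % 2, 60 + 20 * (i % 4))
    for i in range(8)
]
# Flood: many sources, one target, one signature, one packet size, so every
# attribute except src_ip collapses to zero entropy.
FLOOD_WINDOW = [alert(f"172.16.0.{i}", "192.168.1.10", 3, 4, 40) for i in range(8)]

if __name__ == "__main__":
    windows = [("benign", BENIGN_WINDOW), ("flood", FLOOD_WINDOW)]
    for label, score, flagged in detect(windows, TRAINING_WINDOW):
        print(f"{label:7s} score={score:.3f} anomalous={flagged}")
```

The score is a divergence between the shape of the entropy vector and the shape learned from the training window, so a flood that leaves source diversity high but drives destination, threat and length entropy to zero stands out regardless of alert volume; window size, alpha and the threshold would have to be tuned on the operator's own baseline traffic.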
Keywords
IP networks; computer network security; entropy; Renyi cross entropy; Shannon entropy vector; Snort; alert distribution characteristics; anomaly detection; datagram length; destination IP address; destination threat; intrusion detection system; network attack detection; network monitoring; security administration; source IP address; source threat; Entropy; IP networks; Intrusion detection; Monitoring; Training; Training data; IDS; network security; renyi entropy; shannon entropy;
fLanguage
English
Publisher
ieee
Conference_Titel
Cyber Technology in Automation, Control, and Intelligent Systems (CYBER), 2011 IEEE International Conference on
Conference_Location
Kunming
Print_ISBN
978-1-61284-910-2
Type
conf
DOI
10.1109/CYBER.2011.6011795
Filename
6011795
Link To Document