A comparison between divergence measures for network anomaly detection

Author

Tajer, Jean ; Makke, Ali ; Salem, Osman ; Mehaoua, Ahmed

Author_Institution

Lab. d´´Inf. PAris DEscartes (LIPADE), France

fYear

2011

fDate

24-28 Oct. 2011

Firstpage

1

Lastpage

5

Abstract

This paper deals with the detection of flooding attacks which are the most common type of Denial of Service (DoS) attacks. We compare 2 divergence measures (Hellinger distance and Chi-square divergence) to analyze their detection accuracy. The performance of these statistical divergence measures are investigated in terms of true positive and false alarm ratio. A particular focus will be on how to use these measures over Sketch data structure, and which measure provides the best detection accuracy. We conduct performance analysis over publicly available real IP traces (MAWI) collected from the WIDE backbone network. Our experimental results show that Chi-square divergence outperforms Hellinger distance in network anomalies detection.

Keywords

data structures; security of data; statistical analysis; Chi-square divergence; Hellinger distance; IP traces; MAWI; WIDE backbone network; denial of service attacks; false alarm ratio; flooding attack detection; network anomalies detection; network anomaly detection; performance analysis; sketch data structure; statistical divergence measures; Accuracy; Data structures; High definition video; IP networks; Probability distribution; Radiation detectors; Time series analysis; Chi-Square Divergence; DDoS; Hellinger Distance; K-ary Sketch; TCP SYN Flooding;

fLanguage

English

Publisher

ieee

Conference_Titel

Network and Service Management (CNSM), 2011 7th International Conference on

Conference_Location

Paris

Print_ISBN

978-1-4577-1588-4

Electronic_ISBN

978-3-901882-44-9

Type

conf

Filename

6104013