An Entropy-based Method for Attack Detection in Large Scale Network
Keywords:
Network Security, Entropy-based, IDS, Shannon Entropy, Renyi Cross Entropy
Abstract
Intrusion Detection Systems (IDS) typically generate a huge number of alerts with a high false-alert rate, especially in large-scale networks, which poses a major challenge to the efficiency and accuracy of network attack detection. In this paper, an entropy-based method is proposed to analyze the numerous IDS alerts and detect real network attacks. We use Shannon entropy to examine the distributions of the source IP address, destination IP address, source threat, destination threat and datagram length of IDS alerts, and employ Renyi cross entropy to fuse the resulting Shannon entropy vector in order to detect network attacks. In the experiment, we deploy Snort to monitor part of the Xi'an Jiaotong University (XJTU) campus network, comprising 32 C-class networks (more than 4000 users), and gather more than 40,000 alerts per hour on average. The entropy-based method is employed to analyze those alerts and detect network attacks. The experimental results show that our method detects 96% of attacks with a very low false alert rate.
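As an added illustration (not code from the paper), the pipeline the abstract describes in Python: a normalised Shannon entropy per alert feature over a window of alerts, then a Rényi divergence of order 2 between the window's entropy vector and a baseline window as the fusion step. The exact "Renyi cross entropy" formula, the threshold, the threat labels and the sample alert windows are assumptions, since the abstract does not give them.

```python
import math
from collections import Counter

# Feature order of the entropy vector, as listed in the abstract: source IP,
# destination IP, source threat, destination threat, datagram length.
FEATURES = ("src_ip", "dst_ip", "src_threat", "dst_threat", "dgram_len")

def shannon_entropy(values):
    """Shannon entropy of the empirical distribution of values, normalised by
    log2(n) to [0, 1] so that windows of different sizes are comparable."""
    n = len(values)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(values).values())
    return h / math.log2(n)

def entropy_vector(alerts):
    """One normalised Shannon entropy per feature over a window of alerts."""
    return [shannon_entropy([a[f] for a in alerts]) for f in FEATURES]

def to_distribution(vec, eps=1e-9):
    """Scale an entropy vector to a probability vector; eps-smoothing keeps the
    divergence finite when one feature's entropy collapses to exactly zero."""
    total = sum(vec) + eps * len(vec)
    return [(h + eps) / total for h in vec]

def renyi_divergence(p, q, alpha=2.0):
    """Renyi divergence of order alpha in bits: log2(sum p^a * q^(1-a)) / (a - 1).
    Assumption: this is the form used here as the 'Renyi cross entropy' fusion."""
    return math.log2(sum(pi ** alpha * qi ** (1 - alpha) for pi, qi in zip(p, q))) / (alpha - 1)

def attack_score(window, baseline):
    """Fuse the per-feature entropies into one number: how far the window's
    entropy profile has drifted from a baseline (normal traffic) window."""
    return renyi_divergence(to_distribution(entropy_vector(window)),
                            to_distribution(entropy_vector(baseline)))

def is_attack(window, baseline, threshold=0.5):
    return attack_score(window, baseline) > threshold  # threshold is an assumption

def alert(src_ip, dst_ip, src_threat, dst_threat, dgram_len):
    return dict(zip(FEATURES, (src_ip, dst_ip, src_threat, dst_threat, dgram_len)))

# Constructed sample windows (not real Snort output). NORMAL: many sources, a few
# destinations, mixed threat levels and lengths. SCAN: one source touching every
# host, so src_ip entropy collapses to 0 while dst_ip entropy rises to 1.
MIX = [("low", "med", 60), ("low", "high", 120), ("med", "med", 60), ("low", "low", 512)]
NORMAL = [alert(f"10.0.0.{i}", f"10.1.0.{i % 4}", t, u, l) for i, (t, u, l) in enumerate(MIX * 2)]
SCAN = [alert("203.0.113.9", f"10.1.0.{i}", "high", "low", 40) for i in range(8)]
```

Calling `attack_score(SCAN, NORMAL)` returns a divergence of roughly 2 bits against a score of 0 for `NORMAL` compared with itself, so `is_attack(SCAN, NORMAL)` is true while the normal window is not flagged.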
License
ONLINE OPEN ACCESS: Access to the full text of each article and each issue is allowed for free under the Attribution-NonCommercial 4.0 International (CC BY-NC 4.0) license.
You are free to:
-Share: copy and redistribute the material in any medium or format;
-Adapt: remix, transform, and build upon the material.
The licensor cannot revoke these freedoms as long as you follow the license terms.
DISCLAIMER: The author(s) of each article appearing in International Journal of Computers Communications & Control is/are solely responsible for the content thereof; the publication of an article shall not constitute or be deemed to constitute any representation by the Editors or Agora University Press that the data presented therein are original, correct or sufficient to support the conclusions reached or that the experiment design or methodology is adequate.