An Entropy-based Method for Attack Detection in Large Scale Network


  • Ting Liu SKLMS Lab and MOE KLNNIS Lab, Xi’an Jiaotong University Xi’an, Shaanxi, 710049, P.R.China
  • Zhiwen Wang MOE KLNNIS Lab, Xi’an Jiaotong University Xi’an, Shaanxi, 710049, P.R.China
  • Haijun Wang MOE KLNNIS Lab, Xi’an Jiaotong University Xi’an, Shaanxi, 710049, P.R.China
  • Ke Lu MOE KLNNIS Lab, Xi’an Jiaotong University Xi’an, Shaanxi, 710049, P.R.China


Network Security, Entropy-based, IDS, Shannon Entropy, Renyi Cross Entropy


Intrusion Detection System (IDS) typically generates a huge number of alerts with high false rate, especially in the large scale network, which result in a huge challenge on the efficiency and accuracy of the network attack detection. In this paper, an entropy-based method is proposed to analyze the numerous IDS alerts and detect real network attacks. We use Shannon entropy to examine the distribution of the source IP address, destination IP address, source threat and destination threat and datagram length of IDS alerts; employ Renyi cross entropy to fuse the Shannon entropy vector to detect network attack. In the experiment, we deploy the Snort to monitor part of Xi’an Jiaotong University (XJTU) campus network including 32 C-class network (more than 4000 users), and gather more than 40,000 alerts per hour on average. The entropy-based method is employed to analyze those alerts and detect network attacks. The experiment result shows that our method can detect 96% attacks with very low false alert rate.


A. Gostev, "Kaspersky Security Bulletin. Malware Evolution 2010," Kaspersky, 2011.

M. Fossi, G. Egan, K. Haley, E. Hohnson, T. Mack and A. Et, "Symantec Global Internet Security Threat Report Trends for 2010," Symantec, 2011.

P. Cisar, S. Bosnjak and S. M. Cisar, "EWMA Algorithm in Network Practice," International Journal of Computers, Communications & Control, vol.5, pp. 160-170, 2010.

G. C. Tjhai, M. Papadaki, S. M. Furnell and N. L. Clarke, in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Turin, Italy, 2008, pp. 139-150.

T. Pietraszek, "Using Adaptive Alert Classification to Reduce False Positives in Intrusion Detection- Recent Advances in Intrusion Detection," vol.3224, pp. 102-124, 2004.

J. Mina and C. Verde, "Fault detection for large scale systems using Dynamic Principal Components Analysis with adaptation," International Journal of Computers, Communications & Control, vol.2, pp. 185-194, 2007.

G. P. Spathoulas and S. K. Katsikas, in 2009 16th International Conference on Systems, Signals and Image Processing, IWSSIP 2009, Chalkida, Greece, 2009.

A. Lakhina, M. Crovella and C. Diot, in Computer Communication Review, New York, United States, 2005, pp. 217-228.

D. Brauckhoff, B. Tellenbach, A. Wagner, M. May and A. Lakhina, in Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC, Rio de Janeriro, Brazil, 2006, pp. 159-164.

A. Wagner and B. Plattner, in Proceedings of the Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises, WET ICE, Linkoeping, Sweden, 2005, pp. 172-177.

R. Yan and Q. Zheng, "Using Renyi cross entropy to analyze traffic matrix and detect DDoS attacks," Information Technology Journal, vol.8, pp. 1180-1188, 2009.

Y. Gu, A. McCallum and D. Towsley, "Detecting anomalies in network traffic using maximum entropy estimation," in Proc. 2005 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement, pp. 32.

C. E. Shannon, "A mathematical theory of communication," SIGMOBILE Mob. Comput. Commun. Rev., vol.5, pp. 3-55, 2001.

C. E. Pfister and W. G. Sullivan, "Renyi entropy, guesswork moments, and large deviations," IEEE Transactions on Information Theory, vol.50, pp. 2794-2800, 2004.

A. P. Bradley, "The use of the area under the ROC curve in the evaluation of machine learning algorithms," Pattern Recognition, vol.30, pp. 1145-1159, 1997.



Most read articles by the same author(s)

Obs.: This plugin requires at least one statistics/report plugin to be enabled. If your statistics plugins provide more than one metric then please also select a main metric on the admin's site settings page and/or on the journal manager's settings pages.