Summary: An Empirical Evaluation of Entropy-based Traffic Anomaly Detection
George Nychis, Vyas Sekar, David G. Andersen, Hyong Kim, Hui Zhang
Carnegie Mellon University
ABSTRACT
Entropy-based approaches for anomaly detection are appealing since they provide more fine-grained insights than traditional traffic volume analysis. While previous work has demonstrated the benefits of entropy-based anomaly detection, there has been little effort to comprehensively understand the detection power of using entropy-based analysis of multiple traffic distributions in conjunction with each other. We consider two classes of distributions: flow-header features (IP addresses, ports, and flow-sizes), and behavioral features (degree distributions measuring the number of distinct destination/source IPs that each host communicates with). We observe that the timeseries of entropy values of the address and port distributions are strongly correlated with each other and provide very similar anomaly detection capabilities. The behavioral and flow size distributions