
An Empirical Evaluation of Entropy-based Traffic Anomaly Detection

Summary: An Empirical Evaluation of Entropy-based Traffic Anomaly Detection
George Nychis, Vyas Sekar, David G. Andersen, Hyong Kim, Hui Zhang
Carnegie Mellon University

Entropy-based approaches for anomaly detection are appealing since they provide more fine-grained insights than traditional traffic volume analysis. While previous work has demonstrated the benefits of entropy-based anomaly detection, there has been little effort to comprehensively understand the detection power of using entropy-based analysis of multiple traffic distributions in conjunction with each other. We consider two classes of distributions: flow-header features (IP addresses, ports, and flow-sizes), and behavioral features (degree distributions measuring the number of distinct destination/source IPs that each host communicates with). We observe that the timeseries of entropy values of the address and port distributions are strongly correlated with each other and provide very similar anomaly detection capabilities. The behavioral and flow size distributions


Source: Andersen, Dave - School of Computer Science, Carnegie Mellon University


Collections: Computer Technologies and Information Sciences