Abstract
Thanks to its ability to detect previously unknown attacks, anomaly-based intrusion detection is a key research topic in network security. In this paper anomalies are addressed from an information-theoretic perspective: in a nutshell, it is assumed that attacks cause a significant change in the distribution of relevant traffic descriptors, and this change is measured in terms of Shannon entropy. In more detail, the traffic is first aggregated by means of random data structures (namely three-dimensional reversible sketches), and then the entropy associated with different traffic descriptors (for the sake of brevity, we focus on the numbers of flows and bytes) is computed by using two alternative constructions of the corresponding empirical distributions, one based on the flows' destination addresses and the other on their volume. The experimental results obtained over the MAWILab dataset validate the system and demonstrate the relevance of the way in which the histogram is built.
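The two histogram constructions named in the abstract can be made concrete with a small worked example. The code below is an added illustration, not code from the paper or its authors: the flow records are constructed inline, the volume bins are assumed to be logarithmic ranges (the paper's exact binning is not stated on this page), and the sketch is a simplified count-min style table rather than the paper's three-dimensional reversible sketch. It computes the Shannon entropy of the flow-count and byte descriptors for a baseline window and for a second window in which many flows converge on one destination, so that the reader can see the two constructions react in opposite directions to the same change.

```python
"""Shannon entropy of traffic descriptors under two histogram constructions.

Added illustration, not code from the paper: flow records are constructed
inline, volume bins are assumed logarithmic, and the sketch is a simplified
count-min style table (the paper's reversible sketches are not reproduced).
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(counts):
    """Entropy in bits of the empirical distribution defined by bin counts."""
    total = sum(counts)
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts if c > 0)


def per_destination(flows, descriptor):
    """Descriptor value per destination address: flow count or byte volume."""
    agg = Counter()
    for _src, dst, nbytes in flows:
        agg[dst] += 1 if descriptor == "flows" else nbytes
    return agg


def address_histogram(flows, descriptor):
    """Construction 1: one bin per destination address; bin mass is the
    descriptor value (flows or bytes) observed towards that address."""
    return list(per_destination(flows, descriptor).values())


def volume_histogram(flows, descriptor):
    """Construction 2 (assumed binning): bins are the ranges [2^k, 2^(k+1));
    bin mass is the number of destinations whose descriptor value falls in
    that range, i.e. a histogram of per-destination volumes."""
    bins = Counter()
    for value in per_destination(flows, descriptor).values():
        bins[value.bit_length() - 1] += 1  # floor(log2(value)) for value >= 1
    return list(bins.values())


def sketch(flows, descriptor, depth=3, width=8):
    """Simplified count-min style aggregation: each row hashes the destination
    into one of `width` buckets and adds the descriptor value. Collisions
    merge bins, so a row's entropy never exceeds the per-address entropy."""
    table = [[0] * width for _ in range(depth)]
    for _src, dst, nbytes in flows:
        inc = 1 if descriptor == "flows" else nbytes
        for row in range(depth):
            digest = hashlib.sha256(f"{row}:{dst}".encode()).digest()
            table[row][int.from_bytes(digest[:4], "big") % width] += inc
    return table


def entropy_report(flows, descriptor):
    """Entropy of both constructions plus the entropy of each sketch row."""
    return {
        "address": shannon_entropy(address_histogram(flows, descriptor)),
        "volume": shannon_entropy(volume_histogram(flows, descriptor)),
        "sketch_rows": [shannon_entropy(row) for row in sketch(flows, descriptor)],
    }


# Constructed sample window: (source, destination, bytes). Addresses come from
# the private 10.0.0.0/8 and documentation 192.0.2.0/24 ranges, not real hosts.
BASELINE = [
    ("10.0.0.1", "192.0.2.1", 500), ("10.0.0.2", "192.0.2.1", 700),
    ("10.0.0.3", "192.0.2.2", 300), ("10.0.0.4", "192.0.2.2", 900),
    ("10.0.0.5", "192.0.2.3", 400), ("10.0.0.6", "192.0.2.3", 600),
    ("10.0.0.7", "192.0.2.4", 800), ("10.0.0.8", "192.0.2.4", 200),
]

# Second constructed window: the same background plus 24 short flows that all
# converge on one destination, concentrating the flow-count distribution.
CONCENTRATED = BASELINE + [
    (f"10.0.1.{i}", "192.0.2.9", 100) for i in range(24)
]

if __name__ == "__main__":
    for name, window in (("baseline", BASELINE), ("concentrated", CONCENTRATED)):
        for descriptor in ("flows", "bytes"):
            rep = entropy_report(window, descriptor)
            print(f"{name:12s} {descriptor:5s} address={rep['address']:.4f} "
                  f"volume={rep['volume']:.4f} "
                  f"sketch={[round(r, 4) for r in rep['sketch_rows']]}")
```

On the flow-count descriptor the address-based histogram of the baseline has entropy 2.0 bits (four equally loaded destinations) and falls to about 1.31 bits when one destination absorbs most flows, whereas the volume-based histogram starts at 0 bits (every destination sits in the same volume bin) and rises to about 0.72 bits once a single heavily loaded destination appears. A detector thresholding on entropy change therefore sees the same event as a drop under one construction and a rise under the other, which is the point the abstract makes about the relevance of how the histogram is built. The sketch rows illustrate the aggregation step: collisions only merge bins, so each row's entropy is bounded above by the per-address entropy.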
Acknowledgment
This work was partially supported by Multitech SeCurity system for intercOnnected space control groUnd staTions (SCOUT), a research project supported by the FP7 programme of the European Community.
© 2017 Springer International Publishing AG
Cite this paper
Callegari, C., Giordano, S., Pagano, M. (2017). Impact of Histogram Construction Techniques on Information-Theoretic Anomaly Detection. In: Gaj, P., Kwiecień, A., Sawicki, M. (eds.) Computer Networks. CN 2017. Communications in Computer and Information Science, vol. 718. Springer, Cham. https://doi.org/10.1007/978-3-319-59767-6_13
DOI: https://doi.org/10.1007/978-3-319-59767-6_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59766-9
Online ISBN: 978-3-319-59767-6
eBook Packages: Computer Science (R0)