Network anomaly detection using nonextensive entropy

Ziviani, Artur; Gomes, Antônio Tadeu A.; Monsores, M.L.; Rodrigues, Paulo S.

doi:10.1109/lcomm.2007.070761

Cited by 55 publications

(37 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In general, if the parameter denoted as α has a positive value, it exposes the main mass, if the value is negative -it refers to the tail. Ziviani et al [81] investigated Tsallis entropy in the context of the best value of α parameter in DoS attacks detection. They found that α-value around 0.9 is the best for detecting such attacks.…”

Section: Detection Via Feature Distributionsmentioning

confidence: 99%

An Entropy-Based Network Anomaly Detection Method

Bereziński

Jasiul

Szpyrka

2015

Entropy

157

View full text Add to dashboard Cite

Data mining is an interdisciplinary subfield of computer science involving methods at the intersection of artificial intelligence, machine learning and statistics. One of the data mining tasks is anomaly detection which is the analysis of large quantities of data to identify items, events or observations which do not conform to an expected pattern. Anomaly detection is applicable in a variety of domains, e.g., fraud detection, fault detection, system health monitoring but this article focuses on application of anomaly detection in the field of network intrusion detection.The main goal of the article is to prove that an entropy-based approach is suitable to detect modern botnet-like malware based on anomalous patterns in network. This aim is achieved by realization of the following points: (i) preparation of a concept of original entropy-based network anomaly detection method, (ii) implementation of the method, (iii) preparation of original dataset, (iv) evaluation of the method.

show abstract

Section: Detection Via Feature Distributionsmentioning

confidence: 99%

An Entropy-Based Network Anomaly Detection Method

Bereziński

Jasiul

Szpyrka

2015

Entropy

157

View full text Add to dashboard Cite

show abstract

“…It has been shown that measuring nonextensive entropy is an effective method to detect anomalies in network traffic within an Autonomous System [37]. Given the success shown here using compression ratios as an alternative measure to entropy, it would indicate that compression-based analysis may also prove similarly effective in other domains where entropy is a distinguishing feature.…”

Section: Compression Ratio Thresholdmentioning

confidence: 85%

Compression-based analysis of metamorphic malware

Lee

Austin

Stamp

2015

IJSN

View full text Add to dashboard Cite

Compression-based Analysis of Metamorphic Malware by Jared LeeRecent work has presented a technique based on structural entropy measurement as an effective way to detect metamorphic malware. The technique uses two steps, file segmentation and sequence comparison, to calculate file similarity. In another previous work, it was observed that similar malware have similar measures of Kolmogorov complexity. A proposed method of estimating Kolmogorov complexity was to calculate the compression ratio of a given malware which could then be used to cluster the malicious software. Malware detection has also been attempted through the use of adaptive data compression and showed promising results. In this paper, we attempt to combine these concepts and propose using compression ratios as an alternative measure of entropy with the purpose of segmenting files according to their structural characteristics. We then compare the segment-based sequences of two given files to determine file similarity. The idea is that even after malware is transformed using a metamorphic engine, the resulting variants still share identifiable structural similarities with the original. Using this proposed technique to identify metamorphic malware, we compare our results with previous work. ACKNOWLEDGMENTS

show abstract

“…Although it has been noted before that entropy is not all things to all applications, for example see [3,9,11], this is the first study we are aware of which provides a rigorous quantitative analysis and a systematic investigation. We believe that the insights are very valuable for more general settings and also that the techniques can be extended to analyse more realistic attack scenarios.…”

Section: Our Main Contributions: I)mentioning

confidence: 92%

Learning Entropy

Zhang

Veitch

2011

Networking 2011

View full text Add to dashboard Cite

Abstract. Entropy has been widely used for anomaly detection in various disciplines. One such is in network attack detection, where its role is to detect significant changes in underlying distribution shape due to anomalous behaviour such as attacks. In this paper, we point out that entropy has significant blind spots, which can be made use by adversaries to evade detection. To illustrate the potential pitfalls, we give an in-principle analysis of network attack detection, in which we design a camouflage technique and show analytically that it can perfectly mask attacks from entropy based detector with low costs in terms of the volume of traffic brought in for camouflage. Finally, we illustrate and apply our technique to both synthetic distributions and ones taken from real traffic traces, and show how attacks undermine the detector.

show abstract

Network anomaly detection using nonextensive entropy

Cited by 55 publications

References 15 publications

An Entropy-Based Network Anomaly Detection Method

An Entropy-Based Network Anomaly Detection Method

Compression-based analysis of metamorphic malware

Learning Entropy

Contact Info

Product

Resources

About