on entropy in network traffic anomaly detection
play

On Entropy in Network Traffic Anomaly Detection Jayro Santiago-Paz, - PowerPoint PPT Presentation

Dec 30, 2022 •444 likes •690 views

Introduction Feature Extraction Entropy Calculation Anomaly detection Classification Open Issues On Entropy in Network Traffic Anomaly Detection Jayro Santiago-Paz, Deni Torres-Roman. Cinvestav, Campus Guadalajara, Mexico November 2015

  1. Introduction Feature Extraction Entropy Calculation Anomaly detection Classification Open Issues On Entropy in Network Traffic Anomaly Detection Jayro Santiago-Paz, Deni Torres-Roman. Cinvestav, Campus Guadalajara, Mexico November 2015 Jayro Santiago-Paz, Deni Torres-Roman. 1/19 On Entropy in Network Traffic Anomaly Detection

  2. Introduction Feature Extraction Entropy Calculation Anomaly detection Classification Open Issues Outline Introduction 1 Databases Feature Extraction 2 Windowing in Network Traffic Entropy Calculation 3 Kullback-Leibler divergence Mutual information Entropy calculation Anomaly detection 4 Classification 5 The Classifier Metrics Open Issues 6 Jayro Santiago-Paz, Deni Torres-Roman. 2/19 On Entropy in Network Traffic Anomaly Detection

  3. Introduction Feature Extraction Entropy Calculation Anomaly detection Classification Open Issues Outline Introduction 1 Databases Feature Extraction 2 Windowing in Network Traffic Entropy Calculation 3 Kullback-Leibler divergence Mutual information Entropy calculation Anomaly detection 4 Classification 5 The Classifier Metrics Open Issues 6 Jayro Santiago-Paz, Deni Torres-Roman. 2/19 On Entropy in Network Traffic Anomaly Detection

  4. Introduction Feature Extraction Entropy Calculation Anomaly detection Classification Open Issues Outline Introduction 1 Databases Feature Extraction 2 Windowing in Network Traffic Entropy Calculation 3 Kullback-Leibler divergence Mutual information Entropy calculation Anomaly detection 4 Classification 5 The Classifier Metrics Open Issues 6 Jayro Santiago-Paz, Deni Torres-Roman. 2/19 On Entropy in Network Traffic Anomaly Detection

  5. Introduction Feature Extraction Entropy Calculation Anomaly detection Classification Open Issues Outline Introduction 1 Databases Feature Extraction 2 Windowing in Network Traffic Entropy Calculation 3 Kullback-Leibler divergence Mutual information Entropy calculation Anomaly detection 4 Classification 5 The Classifier Metrics Open Issues 6 Jayro Santiago-Paz, Deni Torres-Roman. 2/19 On Entropy in Network Traffic Anomaly Detection

  6. Introduction Feature Extraction Entropy Calculation Anomaly detection Classification Open Issues Outline Introduction 1 Databases Feature Extraction 2 Windowing in Network Traffic Entropy Calculation 3 Kullback-Leibler divergence Mutual information Entropy calculation Anomaly detection 4 Classification 5 The Classifier Metrics Open Issues 6 Jayro Santiago-Paz, Deni Torres-Roman. 2/19 On Entropy in Network Traffic Anomaly Detection

  7. Introduction Feature Extraction Entropy Calculation Anomaly detection Classification Open Issues Outline Introduction 1 Databases Feature Extraction 2 Windowing in Network Traffic Entropy Calculation 3 Kullback-Leibler divergence Mutual information Entropy calculation Anomaly detection 4 Classification 5 The Classifier Metrics Open Issues 6 Jayro Santiago-Paz, Deni Torres-Roman. 2/19 On Entropy in Network Traffic Anomaly Detection

  8. Introduction Feature Extraction Entropy Calculation Databases Anomaly detection Classification Open Issues Chandola et al. (2009) states that the term anomaly-based intrusion detection in networks refers to the problem of finding exceptional pat- terns in network traffic that do not conform to the expected normal behavior. Given a traffic network and its set of the selected traffic features X = { X 1 , X 2 , . . . , X p } , and N time instances of X , the normal and abnor- mal behaviors of the instances can be studied. The space of all in- stances of X builds the feature space which can be mapped to another space by employing a function such as entropy. In the literature, Shan- non and generalized Rényi and Tsallis entropy estimators, as well as probability estimators (Balanced, Balanced II), are used. Jayro Santiago-Paz, Deni Torres-Roman. 3/19 On Entropy in Network Traffic Anomaly Detection

  9. Introduction Feature Extraction Entropy Calculation Databases Anomaly detection Classification Open Issues The A-NIDS usually consists of two stages: training and testing stage. In the training stage using a database of “normal” or free-anomaly network traffic, the feature extraction, windowing and entropy calculation modules, a “normal” profile is found. In the testing stage, using the feature extraction, windowing and entropy calculation modules, anomalies in the current network traffic are detected and classified. Figure 1: General architecture of entropy-based A-NIDS. Jayro Santiago-Paz, Deni Torres-Roman. 4/19 On Entropy in Network Traffic Anomaly Detection

  10. Introduction Feature Extraction Entropy Calculation Databases Anomaly detection Classification Open Issues Synthetic The synthetic databases are generated artificially, e.g., the MIT-DARPA 1998 , 1999 , 2000 databases a , which include five major categories: Denial of Service Attacks (DoS), User to Root Attacks (U2R), Remote to User Attacks (R2U) and probes. a http://www.ll.mit.edu/ideval/index.html Real Some real public databases are: CAIDA a , which contains anonymized passive traffic traces from high-speed Internet backbone links, and the traffic data repository, main- tained by the MAWI b Working Group of the WIDE Project. Other researchers have cre- ated their own databases in different universities, e.g., Carnegie Mellon University, Xi’an Jiaotong University, and Clemson University (GENI), or traffic collected from backbone in SWITCH, Abilene, and Géant. a https://www.caida.org/data/passive/passive_2012_dataset.xml b http://mawi.wide.ad.jp/mawi/ Jayro Santiago-Paz, Deni Torres-Roman. 5/19 On Entropy in Network Traffic Anomaly Detection

  11. Introduction Feature Extraction Entropy Calculation Windowing in Network Traffic Anomaly detection Classification Open Issues Motoda H. and Liu H. (2002) Feature selection is a process that chooses a subset of M fea- tures from the original set of N features M ≤ N so that the feature space is optimally reduced according to a certain crite- rion. Feature extraction is a process that extracts a set of new features from the original features through some func- tional mapping. Assuming that there are features N Z 1 , Z 2 , . . . , Z N after feature extraction, another set of new fea- tures X 1 , X 2 , . . . , X M ( M < N ) is obtained via the mapping func- tions F i , i.e. X i = F i ( Z 1 , Z 2 , . . . , Z N ) . Jayro Santiago-Paz, Deni Torres-Roman. 6/19 On Entropy in Network Traffic Anomaly Detection

  12. Introduction Feature Extraction Entropy Calculation Windowing in Network Traffic Anomaly detection Classification Open Issues Among the algorithms used to reduce the number of features in network traffic anomaly detection are: PCA, Mutual Information and linear correlation, decision tree, and maxi- mum entropy. In network traffic, the most commonly employed features are: source and destination IP addresses and source and destination port numbers. Other features extracted from headers are: protocol field, number of bytes, service, flag, and country code. Zhang et al. (2009) divided the size of packets into seven types and Gu et al. (2005) defined 587 packet classes based on the port number. At flow a level the features selected were: flow duration, flow size distribution (FSD), and average packet size per flow. For KDD Cup 99, 41 features or a subset were employed. On the other hand, Tellenbach et al. (2011) used source port, country code and others, constructing the TES as input data. a An IP flow corresponds to an IP port-to-port traffic exchanged between two IP addresses during a period of time T. Jayro Santiago-Paz, Deni Torres-Roman. 7/19 On Entropy in Network Traffic Anomaly Detection

  13. Introduction Feature Extraction Entropy Calculation Windowing in Network Traffic Anomaly detection Classification Open Issues Window-based methods group consecutive packets or flows based on a sliding window. The i th window of size L packets is represented as W i ( L, τ ) = { pack k , pack k +1 , . . . , pack k + L } , with k = iL − iτ, where τ is the overlapping and τ ∈ { 0 , 1 , . . . , L − 1 } . When the window size is given by time, L can be different in each window. Windowing is performed in two ways: overlapping ( τ � = 0 ) and non overlapping ( τ = 0 ) windows. The window sizes most commonly used are: 5 min, 30 min, 1 min, 100 sec, 5 sec and 0 . 5 sec. Some researchers use windows with a fixed length L = 4096 , 1000 , and 32 packets. Jayro Santiago-Paz, Deni Torres-Roman. 8/19 On Entropy in Network Traffic Anomaly Detection

  14. Introduction Feature Extraction Kullback-Leibler divergence Entropy Calculation Mutual information Anomaly detection Entropy calculation Classification Open Issues Let X be a random variable which takes values of the set { x 1 , x 2 , ..., x M } , p i := P ( X = x i ) the probability of occurrence of x i , and M the cardinality of the finite set; hence, the Shannon entropy is: M H S ( X ) = − � (1) p i log ( p i ) . i =1 The Rényi entropy is defined as: � M � 1 H R ( X, q ) = � p q (2) 1 − q log i i =1 and the Tsallis entropy is � M � 1 H T ( X, q ) = � p q (3) 1 − , i q − 1 i =1 when q → 1 the generalized entropies are reduced to Shannon entropy. In order to compare the changes of entropy at different times, the entropy is normalized, i.e., H ( X ) ¯ (4) H ( X ) = H max ( X ) . Jayro Santiago-Paz, Deni Torres-Roman. 9/19 On Entropy in Network Traffic Anomaly Detection

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar, David Andersen, Hyong Kim, Hui Zhang Carnegie Mellon University Entropy-based Anomaly Detection Goal: detect abnormal behavior scan activity,

447 views • 34 slides
Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview Prior Work in Network Anomaly Detection The 1999 DARPA Intrusion Detection Evaluation Packet Header Anomaly Detection (PHAD) Application

575 views • 18 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best

Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best

Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best practices Haakon Ringberg 1 , Augustin Soule 2 , Jennifer Rexford 1 , Christophe Diot 2 1 Princeton University, 2 Thomson Research Outline Context

598 views • 15 slides
Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection

Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection

Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection Systems Signature Based IDS Monitor packets on the network Compare them against database of signatures/attributes from known threats

476 views • 26 slides
Tra ffi c anomaly detection using a distributed measurement network Razvan Oprea Supervisor:

Tra ffi c anomaly detection using a distributed measurement network Razvan Oprea Supervisor:

Tra ffi c anomaly detection using a distributed measurement network Razvan Oprea Supervisor: Emile Aben (RIPE NCC) System and Network Engineering February 8, 2012 Razvan Oprea Tra ffi c anomaly detection - distributed measurement network

698 views • 20 slides
Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr.

Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr.

Anomaly Detection Algorithms for Malware Traffic Analysis using Tamper Resistant Features Dr. Patrick McDaniel Berkay Celik Fall 2015 Introduction Motivation Related Work Data Approach Experimental Results Comparison

391 views • 25 slides
Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier) in a dataset is an instance that is abnormal or unlikely based on the rest of the dataset If the instances in the dataset are labeled as

760 views • 19 slides
What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

DataCamp Anomaly Detection in R ANOMALY DETECTION IN R What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining the term anomaly Anomaly: a data point or collection of data points that do not follow the

870 views • 21 slides
Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative

Anomaly Detection Jia-Bin Huang Virginia Tech Spring 2019 ECE-5424G / CS-5824 Administrative Anomaly Detection Motivation Developing an anomaly detection system Anomaly detection vs. supervised learning Choosing what features

514 views • 34 slides
Practical Anomaly Detection based on Classifying Frequent Traffic Patterns Ignasi Paredes-Oliva 1

Practical Anomaly Detection based on Classifying Frequent Traffic Patterns Ignasi Paredes-Oliva 1

Practical Anomaly Detection based on Classifying Frequent Traffic Patterns Ignasi Paredes-Oliva 1 Ismael Castell-Uroz 1 Pere Barlet-Ros 1 Xenofontas Dimitropoulos 2 Josep Sol-Pareta 1 1 UPC BarcelonaTech, Spain

616 views • 36 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

905 views • 74 slides
Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier

Data Mining II Anomaly Detection Heiko Paulheim Anomaly Detection Also known as Outlier Detection Automatically identify data points that are somehow different from the rest Working assumption: There are considerably

984 views • 72 slides
PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS

PANACEA: AUTOMATING ATTACK CLASSIFICATION FOR ANOMALY-BASED NETWORK INTRUSION DETECTION SYSTEMS DAMIANO BOLZONI, SANDRO ETALLE AND PIETER HARTEL DISTRIBUTED AND EMBEDDED SECURITY GROUP TWENTE SECURITY LAB 10+ YEARS OF RESEARCH OVER ANOMALY

160 views • 14 slides
Conformal anomaly, entanglement entropy and boundaries Sergey N. Solodukhin University of Tours

Conformal anomaly, entanglement entropy and boundaries Sergey N. Solodukhin University of Tours

Conformal anomaly, entanglement entropy and boundaries Sergey N. Solodukhin University of Tours Talk at Oxford Holography Seminar February 9, 2016 Plan of the talk: 1. Brief review: local Weyl anomaly, entangle- ment entropy 2. Integral

812 views • 35 slides
Network Anomaly Detection in Modbus TCP Industrial Control Systems RP1 #52: Industrial Control

Network Anomaly Detection in Modbus TCP Industrial Control Systems RP1 #52: Industrial Control

Network Anomaly Detection in Modbus TCP Industrial Control Systems RP1 #52: Industrial Control Systems Research Philipp Mieden &amp; Rutger Beltman, 2020 Supervisor: Bartosz Czaszynski, Deloitte Industrial Network VS Corporate Network 2

379 views • 35 slides
Earnings Conference Call Second Quarter 2011 July 27, 2011 Cautionary Statements And Risk

Earnings Conference Call Second Quarter 2011 July 27, 2011 Cautionary Statements And Risk

Earnings Conference Call Second Quarter 2011 July 27, 2011 Cautionary Statements And Risk Factors That May Affect Future Results Any statements made herein about future operating and/or financial results and/or other future events are

753 views • 43 slides
The CMS GEM Project Install triple-GEM detectors (double stations) in 1.5&lt;| |&lt;2.2 endcap

The CMS GEM Project Install triple-GEM detectors (double stations) in 1.5&lt;| |&lt;2.2 endcap

The CMS GEM Project Install triple-GEM detectors (double stations) in 1.5&lt;| |&lt;2.2 endcap region: Restore redundancy in muon system for robust tracking and triggering Improve L1 and HLT muon momentum resolution to reduce or

742 views • 29 slides
Borrego Valley Groundwater Basin Borrego Springs Subbasin Summary of Draft Groundwater

Borrego Valley Groundwater Basin Borrego Springs Subbasin Summary of Draft Groundwater

G S P P U B L I C R E V I E W Borrego Valley Groundwater Basin Borrego Springs Subbasin Summary of Draft Groundwater Sustainability Plan (GSP) Key Concept Slides U p d a t e d M a r c h 2 2 , 2 0 1 9 2 D R A F T Public Review Process W

298 views • 26 slides
Earnings Results Second Quarter 2018 August 2, 2018 Cautionary Language Risk Factors. This

Earnings Results Second Quarter 2018 August 2, 2018 Cautionary Language Risk Factors. This

Earnings Results Second Quarter 2018 August 2, 2018 Cautionary Language Risk Factors. This presentation, including the oral statements made in connection herewith, contains forward-looking statements, estimates and projections within the meaning

223 views • 18 slides
Engineering Analysis Dan Wenman DUNE PDR: APA Review March 27, 2019 Contents Charge

Engineering Analysis Dan Wenman DUNE PDR: APA Review March 27, 2019 Contents Charge

Engineering Analysis Dan Wenman DUNE PDR: APA Review March 27, 2019 Contents Charge question Introduction Nomenclature Design codes APA frame analysis - Loading and Load Cases - FEA Model - Analysis of Welded

750 views • 48 slides
NPRM: Safety of Gas Transm ission &amp; Gathering Pipelines (Docket: PMHSA-2011-0023) Published

NPRM: Safety of Gas Transm ission &amp; Gathering Pipelines (Docket: PMHSA-2011-0023) Published

NPRM: Safety of Gas Transm ission &amp; Gathering Pipelines (Docket: PMHSA-2011-0023) Published - April 8, 2016 Comment period ends - July 7, 2016 June 2016 1 Tim eline Advance Notice of Proposed Rulemaking (ANPRM) published on August

752 views • 34 slides
2004 Mw=9.0 earthquake on India's eastern plate margin Roger Bilham and Kali Wallace CIRES and

2004 Mw=9.0 earthquake on India's eastern plate margin Roger Bilham and Kali Wallace CIRES and

http://www.geo.tv/quake/eq_himalaya_implications.asp Future Mw&gt;8 earthquakes in the Himalaya: implications from the 26 Dec 2004 Mw=9.0 earthquake on India's eastern plate margin Roger Bilham and Kali Wallace CIRES and Geological Sciences,

375 views • 15 slides
Dilatational bands in rubber-toughened polymers A. LAZZ E R I Materials Engineering Centre,

Dilatational bands in rubber-toughened polymers A. LAZZ E R I Materials Engineering Centre,

JOURNAL OF MATERIALS SCIENCE 28 (1993) 6799-6808 Dilatational bands in rubber-toughened polymers A. LAZZ E R I Materials Engineering Centre, University of Pisa, Via Diotisalvi 2, 56100 Pisa, Italy C. B. BUCKNALL SIMS, Cranfield Institute of

588 views • 10 slides

More recommend