Qin Qia,Zhiwen Wang

DOI: https://doi.org/10.4304/jnw.7.5.863-868

2012-01-01

Abstract:Intrusion Detection System (IDS) typically generates a huge number of alerts with high false rate , especially in the large scale network, which result in a huge challenge on the efficiency and accuracy of the network attack detection . In this paper, an entropy-based method is proposed to analyze the numerous IDS alerts and detect real network attacks. We use Shannon entropy to examine the distribution of the source IP address, destination IP address, source threat and destination threat and datagram length of IDS alerts; employ Renyi cross entropy to fuse the Shannon entropy vector to detect network attack. In the experiment, we deploy the Snort to monitor part of Xi’an Jiaotong University (XJTU) campus network including 32 C-class network (more than 4000 users), and gather more than 40,000 alerts per hour on average. The entropy-based method is employed to analyze those alerts and detect network attacks. The experiment result shows that our method can detect 96% attacks with very low false alert rate.

T. Liu,Z. Wang,H. Wang,K. Lu

DOI: https://doi.org/10.15837/ijccc.2012.3.1391

IF: 2.635

2014-01-01

International Journal of Computers Communications & Control

Abstract:Intrusion Detection System (IDS) typically generates a huge number of alerts with high false rate, especially in the large scale network, which result in a huge challenge on the efficiency and accuracy of the network attack detection. In this paper, an entropy-based method is proposed to analyze the numerous IDS alerts and detect real network attacks. We use Shannon entropy to examine the distribution of the source IP address, destination IP address, source threat and destination threat and datagram length of IDS alerts; employ Renyi cross entropy to fuse the Shannon entropy vector to detect network attack. In the experiment, we deploy the Snort to monitor part of Xi’an Jiaotong University (XJTU) campus network including 32 C-class network (more than 4000 users), and gather more than 40,000 alerts per hour on average. The entropy-based method is employed to analyze those alerts and detect network attacks. The experiment result shows that our method can detect 96% attacks with very low false alert rate.

XIA Qin,WANG Zhiwen,LU Ke

DOI: https://doi.org/10.7652/xjtuxb201302003

2013-01-01

Abstract:A method to detect network attacks using entropy is proposed to solve the problem that the existing intrusion detection system(IDS) typically generates large amounts of alerts with high false rate.Rainey cross entropy is employed to fuse the Shannon entropy vector for five properties of alerts.These five properties are source IP address,destination IP address,source threat,target threat and datagram length.Then the fusing result is used to describe the network state,and is compared with the normal network state to identify the anomalies.The experimental results on actual network attacks data and synthetic attacks show that the proposed approach can detect network attacks with a hit rate more than 90% whereas the false rate is less 1%.Comparisons with the attack detection method based on the characteristics of the Shannon entropy show that the proposed method is more sensitive to attacks,and is easier to detect in the order Denial of Service(DoS) and hosts intrude attacks,and then the hosts scan and port scan attacks,however,is relatively difficult to worm attacks.The test results also show that the proposed method is better than the compared systems with higher hit rate and lower false positives.

Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Yu Fei,Zhu Miao-liang,Chen Yu-feng,Li Ren-fa,Xu Cheng

DOI: https://doi.org/10.1007/bf02828642

2005-01-01

Abstract:Intrusion detection system can make effective alarm for illegality of network users, which is absolutely necessarily and important to build security environment of communication base service. According to the principle that the number of network traffic can affect the degree of self-similar traffic, the paper investigates the variety of self-similarity resulted from unconventional network traffic. A network traffic model based on normal behaviors of user is proposed and the Hurst parameter of this model can be calculated. By comparing the Hurst parameter of normal traffic and the self-similar parameter, we can judge whether the network is normal or not and alarm in time.

Cong Fan,Nitheesh Murugan Kaliyamurthy,Shi Chen,He Jiang,Yiwen Zhou,Carlene Campbell

DOI: https://doi.org/10.3390/app12010370

2021-01-01

Applied Sciences

Abstract:Software Defined Networking (SDN) is one of the most commonly used network architectures in recent years. With the substantial increase in the number of Internet users, network security threats appear more frequently, which brings more concerns to SDN. Distributed denial of Service (DDoS) attacks are one of the most dangerous and frequent attacks in software defined networks. The traditional attack detection method using entropy has some defects such as slow attack detection and poor detection effect. In order to solve this problem, this paper proposed a method of fusion entropy, which detects attacks by measuring the randomness of network events. This method has the advantages of fast attack detection speed and obvious decrease in entropy value. The complementarity of information entropy and log energy entropy is effectively utilized. The experimental results show that the entropy value of the attack scenarios 91.25% lower than normal scenarios, which has greater advantages and significance compared with other attack detection methods.

颜若愚,郑庆华

2010-01-01

Abstract:A traffic anomaly detection and classification method based on cross entropy is proposed to identify network attack behaviors accurately.Both features of traffic flow header and traffic behavior are used to characterize three types of common attacks,such as DoS attacks,port scans and network scans.The cross entropy is used to measure traffic distribution changes for each traffic feature,and a behavior vector for each attack type is built.Then exponentially weighted moving average control chart method is applied to multiple cross entropy indicators for anomaly detection,and an anomaly vector is generated.The similarity between the anomaly vector and each behavior vector is computed to classify attacks.Experimental results and comparisons with the Shannon entropy measurement on Netflow traffic in a router show that under relatively weaker attacks,the true positive rate,average precision and accuracy of the cross entropy measurement in attack classification rise by 13%,15%,and 13%,respectively.

Zhu Jian-Qi,Fu Feng,Yin Ke-xin,Liu Yan-Heng

DOI: https://doi.org/10.1016/j.compeleceng.2013.05.003

IF: 4.152

2013-01-01

Computers & Electrical Engineering

Abstract:Denial of Service (DoS) attack poses a severe threat to the Internet. Entropy-based methods have been successfully used to detect specific types of malicious traffic. This paper presents a novel dynamic entropy-based model for the detection of DoS attack. Based on the theory of alive communication, the dynamic entropy model is constructed by combining the information entropy as well as the feature of netflow conversation correlation. This is the first application of the theory of alive communication in the network anomalies detection. To evaluate the performance of the dynamic entropy model, we compare it with the traditional information entropy model. The experiment results demonstrate the presence of traffic’s dynamic entropy and show that the dynamic entropy keeps stable under normal traffic. By contrast, it fluctuates significantly when the network subjects to DoS attacks. Moreover, the detection rate of dynamic entropy-based model is higher and can detect unknown DoS attacks effectively.

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Wang Xintong,Liu Guqing,Yang Jungang,Ran Jinzhi

DOI: https://doi.org/10.2991/iiicec-15.2015.43

2015-01-01

Abstract:Put forward a DDoS (Distributed Deny of Service) attack detection algorithm based on IP entropy model. Through the establishment of destination IP Entropy model, setting flow and entropy threshold with membership function, checking conditions of DDoS attacks step by step. The experimental results show that the algorithm can accurately detect DDoS attacks, and it can accurately distinguish DDoS flow and unexpected traffic, which has improved the detection rate and detection efficiency.

Wentao Wang,Lingxia Wang,Ye Huang

DOI: https://doi.org/10.3969/j.issn.1672-4321.2017.03.027

2017-01-01

Abstract:At present, since the research of the L-DDoS attack is not too much, a method of detecting L-DDoS using Renyi entropy based on a software defined network ( SDN) was proposed. Firstly, PACKET_IN data packets were collected on controller, and then the Renyi entropy was calculated based on destination IP. Finally setting a threshold was used to detect abnormal traffic. The experimental results showed that compared with the Shannon entropy detection method, this method can detect the L-DDoS attack traffic and reduce the false alarm rate by adjusting the number of orders.

Jungang Yang,Xintong Wang,Guqing Liu

DOI: https://doi.org/10.3969/j.issn.1001-3695.2016.04.041

2016-01-01

Abstract:In-depth research on the low true positive rate and high false positive rate of existing DDoS attack,this paper ana-lyzed the characteristics of network traffic and IP entropy when DDoS attack occured,established the membership function of traffic and IP entropy.It obtained the lower limit parameter and utilization limit parameters of membership function by the real network environment simulation,and proposed a DDoS attack detection algorithm based on the characteristics of network traffic and IP entropy.The method first judged whether the network traffic was abnormal,and then judged whether the entropy was abnormal,then judged whether a DDoS attack was happened.The simulation results show that the separate flow or IP entropy can’t well detect the DDoS attack.The algorithm comprehensively consider of network traffic and IP entropy characteristics, has accurately detected the DDoS attack and decrease false positive rate and improved true positive rate.

LIU Yan-heng,FU Feng,ZHU Jian-qi,SUN Xin

DOI: https://doi.org/10.13229/j.cnki.jdxbgxb2011.04.012

2011-01-01

Abstract:An alive entropy model is proposed for detecting increasingly serious Denial of Service(DoS) attacks.The model is based on the theory of active communication that combines the information entropy and related sessions of network flow.The model detects DoS attacks through the analysis of the variation of the network flow's alive entropy.Experiment result show that the alive entropy is stable under normal network flow,and when attack occurs it fluctuates obviously.Compared with other methods based on the static entropy model,the proposed model is more accurate and more effective in detecting unknown DoS attack.

Jiewen Mao,Weijun Deng,Fuke Shen

DOI: https://doi.org/10.1109/trustcom/bigdatase.2018.00045

2018-01-01

Abstract:Distributed Denial of Service (DDoS) attacks are still considered as severe threats to the Internet. Previous works have used information entropy to detect DDoS flooding attacks. However, these methods usually only used source address as the feature of packets, and ignored other features. Besides, the entropy with single variable also has restricts in abnormal detection. In this paper, we propose a new joint-entropy-based DDoS detection solution with multiple features of packets. We choose flow duration, packet length, source address and destination port as the key features to detect different types of DDoS flooding attacks. We carry out the experiments with simulated campus network based on Software-defined Networking (SDN) architecture. The results show that our proposed method can effectively detect attacks of both forged and non-forged source address, and outperforms the previous single-entropy methods in terms of accuracy and false positive rate.

Zhihong Tian,Bin Li,Hongli Zhang

DOI: https://doi.org/10.1109/ICCIAS.2006.294212

2006-01-01

Abstract:It is well-known that current Intrusion Detection Systems produce large numbers of false alerts. Those low quality alerts make it very hard for administrators to understand and take appropriate actions. To deal with false positive, in this paper, an attack-feedback-based approach is introduced to verify the success of attacks. This method processes each packet as soon as it is received. When a suspect packet is indicative of an attack on an existing network service, the effects of that packet on the host will be further tracked by following the causal dependencies. The experimental results have shown that the proposed technique is highly effective in reducing the alert volume and verifying the success of intrusion attempts.

Jingmin Zhou

2008-01-01

Abstract:Despite years of research and development efforts, intrusion detection is still facing significant challenges. A particular intriguing problem is that existing network intrusion detection systems report an excessive number of alerts, of which few are "interesting" from the point of view of security officers. Moreover, these alerts do not provide adequate details about the intrusions that can assist security officers to efficiently assess the security risks. In this dissertation, we propose methods to reduce the number of alerts and improve their quality. In our approach, we first identify and extract additional information from the intrusion alerts such as the result of an attack. Using this information, we are able to quickly filter out a majority of alerts that are generally not helpful in intrusion analysis. We also create a systematic approach to consistently and unambiguously model the extracted information, in particular the relations between different alerts. We demonstrate the scalability of this model by applying it to almost one thousand different network intrusion detection signatures. Using the model, we successfully construct high-level description of multi-stage intrusion strategies from low-level alerts, as well as compute the possible variations of multi-stage intrusions from a single intrusion instance. This not only reduces the number of total alerts, but also improves the alert quality. We conducted experiments with several real-world intrusion detection datasets, and the results showed the effectiveness of our approach.

Yan Hu,Hong Li,Tom H. Luan,An Yang,Limin Sun,Zhiliang Wang,Rui Wang

DOI: https://doi.org/10.1016/j.future.2018.07.027

IF: 7.307

2018-01-01

Future Generation Computer Systems

Abstract:The modern Industrial Control Systems (ICS) now exhibit an increasing connectivity to the corporate Internet Technology (IT) networks so as to make use of the rich resources in IT networks. The increasing interaction between ICS and the outside IT world, however, has made them an attractive target for a variety of cyber attacks, raising great need to secure the ICS. In ICS, skilled attackers can manipulate sensor readings or control signals until the system crashes, while still keeping the attack process hidden by closely following the expected behavior of the system. This kind of attacks is called stealthy attacks, which cannot be detected by traditional intrusion detection methods in which only the magnitudes of residuals are evaluated. In this paper, we show that the residuals generated during a stealthy attack present some sort of regularity besides the magnitudes. Based on this observation, we propose a novel permutation entropy-based approach to detect stealthy attacks on ICS. The permutation entropy can characterize the non-randomness contained in the residuals so as to distinguish the residuals during a stealthy attack from a random series effectively. A significant change of the permutation entropy indicates the occurrence of a stealthy attack. Finally, we conduct comprehensive experiments to verify the effectiveness of the proposed stealthy attack detection approach.

Jiang Shan,Chen Changai

DOI: https://doi.org/10.2991/isrme-15.2015.109

2015-01-01

Abstract:The security of software applications, from web-based applications to mobile services, is always at risk because of the open society of internet. With the increase in the number of network throughput and security threats, intrusion detection system has attracted much attention in recent years. In this paper, we undertake the research on the principle techniques for network intrusion detection based on data mining and analysis approach. We adopt the prior knowledge on Bayesian network which is a directed acyclic graph, each node represents a random variable and an edge said direct probabilistic dependencies between two connected nodes. Then, we use the traditional risk assessment model to measure the possibility of being hearted. The numeric analysis and experimental illustration indicates the effectiveness of our method compared with other popular adopted state-of-the-art methodologies. In the future, we plan to introduce the graph and complex network theory into our prototype system to enhance the performance.

Jie Lei,Zhi-Tang Li

DOI: https://doi.org/10.1109/chinacom.2007.4469413

2007-01-01

Abstract:An intrusion detection system (IDS) generates alerts indicating what malicious behaviors are going on against the protected network system. When comparing the real-time reported IDS alerts with the network attack graph which provides all possible sequences of exploits that an intruder may use to penetrate the system, some prediction on future attacks can be made. In this paper we proposed a novel approach to predicting future attacks. First an attack graph is generated through data mining and the predictability of every attack scenario which represents how probable there would be oncoming attacks following the attack scenario can be estimated. Then in real-time intrusion detection environment the IDS alerts are correlated into attack scenarios and ranked by their predictability scores. Finally the attack scenarios with high predictability are used as the evidence to make prediction on future attacks. The effectiveness of the approach has been validated with a honeynet system.

Rongrong Xi,Xiaochun Yun,Shuyuan Jin,Yongzheng Zhang

DOI: https://doi.org/10.1109/PDCAT.2011.57

2011-01-01

Abstract:In face of overwhelming alerts produced by firewalls or intrusion detection devices, it is difficult to assess network threats that we face. In this paper, we propose a threat assessment approach to estimate the impact of attacks on network. The approach employs the Common Vulnerability Scoring System to quantitatively assess network threats and further correlates alerts with contextual information to improve the accuracy of assessment. In the case studies, we demonstrate how the approach is applied in real networks. The experimental results show that the approach can make an accurate assessment of network threats.