Rui-jie WANG,yan FENG,Xiao-fei LONG

DOI: https://doi.org/10.3969/j.issn.1671-7147.2007.03.005

2007-01-01

Abstract:The paper presents a payloadbased anomaly detector model describing the normal pakcet payload of network traffic in a fully automatic,unsupervised and very effecient fashion,for intrusion detection.We firstly compute during a training phase a profile byte frequency distribution and their standard deviation of the application payload flowing to a single host and port.then,Mahalanobis distance during the detection phase is used to calculate the similarity of new data against the precomputed profile.The detector compares this measure against a threshold and generates an alert when the distance of the new input exceeds this threshold.The surprising effectiveness of the method is demonstrated for the 1999 DARPA IDS dataset.In one case nearly 100% accuracy is achieved with 0.1% false positive rate for port 80 traffic.

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Yu Fei,Zhu Miao-liang,Chen Yu-feng,Li Ren-fa,Xu Cheng

DOI: https://doi.org/10.1007/bf02828642

2005-01-01

Abstract:Intrusion detection system can make effective alarm for illegality of network users, which is absolutely necessarily and important to build security environment of communication base service. According to the principle that the number of network traffic can affect the degree of self-similar traffic, the paper investigates the variety of self-similarity resulted from unconventional network traffic. A network traffic model based on normal behaviors of user is proposed and the Hurst parameter of this model can be calculated. By comparing the Hurst parameter of normal traffic and the self-similar parameter, we can judge whether the network is normal or not and alarm in time.

Zhiwen Wang,Qin Xia

DOI: https://doi.org/10.1109/cyber.2011.6011795

2011-01-01

Abstract:There are a large amounts of alerts with high false rate in typical Intrusion Detection System (IDS). The problem about how to identify network attack effectively from huge volume of alerts is becoming a challenging task for security administrators. It gets worse with larger scale of network being monitored by IDS. In this paper we propose an approach on detecting network attack based on entropy from millions of alerts. Shannon entropy is developed firstly to analyze the distribution characteristics of alert with five key attributes including source IP address, destination IP address, source threat, destination threat and datagram length. Then, the Renyi cross entropy is employed to fuse the Shannon entropy vector and detect the anomalies. The IDS used in our experiment is Snort, and the experimental results based on actual network data show that our approach can detect network attack quickly and accurately.

XIA Qin,WANG Zhiwen,LU Ke

DOI: https://doi.org/10.7652/xjtuxb201302003

2013-01-01

Abstract:A method to detect network attacks using entropy is proposed to solve the problem that the existing intrusion detection system(IDS) typically generates large amounts of alerts with high false rate.Rainey cross entropy is employed to fuse the Shannon entropy vector for five properties of alerts.These five properties are source IP address,destination IP address,source threat,target threat and datagram length.Then the fusing result is used to describe the network state,and is compared with the normal network state to identify the anomalies.The experimental results on actual network attacks data and synthetic attacks show that the proposed approach can detect network attacks with a hit rate more than 90% whereas the false rate is less 1%.Comparisons with the attack detection method based on the characteristics of the Shannon entropy show that the proposed method is more sensitive to attacks,and is easier to detect in the order Denial of Service(DoS) and hosts intrude attacks,and then the hosts scan and port scan attacks,however,is relatively difficult to worm attacks.The test results also show that the proposed method is better than the compared systems with higher hit rate and lower false positives.

颜若愚,郑庆华

2010-01-01

Abstract:A traffic anomaly detection and classification method based on cross entropy is proposed to identify network attack behaviors accurately.Both features of traffic flow header and traffic behavior are used to characterize three types of common attacks,such as DoS attacks,port scans and network scans.The cross entropy is used to measure traffic distribution changes for each traffic feature,and a behavior vector for each attack type is built.Then exponentially weighted moving average control chart method is applied to multiple cross entropy indicators for anomaly detection,and an anomaly vector is generated.The similarity between the anomaly vector and each behavior vector is computed to classify attacks.Experimental results and comparisons with the Shannon entropy measurement on Netflow traffic in a router show that under relatively weaker attacks,the true positive rate,average precision and accuracy of the cross entropy measurement in attack classification rise by 13%,15%,and 13%,respectively.

Geng Tian,Zhiliang Wang,Xia Yin,Zimu Li,Xingang Shi,Ziyi Lu,Chao Zhou,Yingya Guo

DOI: https://doi.org/10.1109/infcomw.2015.7179342

2015-01-01

Abstract:Traditional information entropy has been proved to be an effective metric on network traffic anomaly detection. However, such a metric shows some limitations in large scale networks with constantly changing flow numbers, and it makes the traditional entropy inefficient for traffic anomaly detection. To address this problem, we propose Adjustable Piecewise Entropy to improve traditional entropy for traffic anomaly detection.

Xiaofei Qu,Lin Yang,Kai Guo,Zhisong Pan,Tao Feng,Shuangyin Ren,Meng Sun

DOI: https://doi.org/10.1109/access.2021.3064200

IF: 3.9

2021-01-01

IEEE Access

Abstract:This paper proposes a network anomaly detection model of direct batch growing hierarchical self-organizing mapping based on entropy, which facilitates clear topology representation for the asymmetrically-distributed data. Since the entropy-defined parameters dynamically vary with the incident dataset, that is, follow a data-adaptive manner, the proposed model is naturally valid in all cases with various data types. For fine-grained data distinguishing, a resemble entropy parameter is proposed for the first time to our best knowledge. The experimental results validate that the proposed model achieves a more efficient network anomaly detection than the conventional models, especially for real-world applications with unexpected anomaly data updating.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jiang Zhong,Xiongbing Deng,Luosheng Wen,Yong Feng

DOI: https://doi.org/10.1109/icicta.2009.324

2009-01-01

Abstract:In this paper, an novel unsupervised intrusion detection method is presented, in which the anomalies was specified by choosing a reference measure mu which determines a density and a level value rho. in order to reveal the relationship between the distribution of connection feature data sets and the reference measure mu, we proposed a new method to design SVM classifier based on RBF core, and apply this algorithm to estimate density level set for the data set, through which the anomaly network connections have been detected. Experimental results on the real network data set showed that the new method is competitive with others in that the false alarm rate is kept low without many missed detections.

Ziyu Wang,Jiahai Yang,Fuliang Li

DOI: https://doi.org/10.1109/TrustCom.2014.16

2014-01-01

Abstract:Anomaly detection has been a hot topic in recent years due to its capability of detecting zero day attacks. In this paper, we propose a new metric called Entropy-Ratio. We validate that the Entropy-Ratio is stationary. Making use of this observation, we combine the Least Mean Square algorithm and the Forward Linear Predictor to propose a new on-line detector called LMS-FLP detector. Using the two synthetic data sets - CEGI-6IX synthetic data and CERNET2 synthetic data, we validate that the LMS-FLP detector is very effective in detecting both anomalies involving many small IP flows and anomalies involving a few large IP flows.

Chen Yang

DOI: https://doi.org/10.1007/s10586-018-1755-5

2018-01-16

Cluster Computing

Abstract:In recent years, there are more and more abnormal activities in the network, which greatly threaten network security. Hence, it is of great importance to collect the data which indicate the running statement of the network, and distinguish the anomaly phenomena of the network in time. In this paper, we propose a novel anomaly network traffic detection algorithm under the cloud computing environment. Firstly, the framework of the anomaly network traffic detection system is illustrated, and six type of network traffic features are consider in this work, that is, (1) number of source IP address, (2) number of source port number, (3) number of destination IP address, (4) number of destination port number, (5) Number of packet type, and (6) number of network packets. Secondly, we propose a novel hybrid information entropy and SVM model to tackle the proposed problem by normalizing values of network features and exploiting SVM detect anomaly network behaviors. Finally, experimental results demonstrate that the proposed algorithm can detect anomaly network traffic with high accuracy and it can also be used in the large scale dataset.

ZM Cai,XH Guan,P Shao,QK Peng,GJ Sun

DOI: https://doi.org/10.1111/1468-0394.00249

IF: 3.3

2003-01-01

Expert Systems

Abstract:Abstract: Intrusion detection is important in the defense‐in‐depth network security framework. This paper presents an effective method for anomaly intrusion detection with low overhead and high efficiency. The method is based on rough set theory to extract a set of detection rules with a minimal size as the normal behavior model from the system call sequences generated during the normal execution of a process. It is capable of detecting the abnormal operating status of a process and thus reporting a possible intrusion. Compared with other methods, the method requires a smaller size of training data set and less effort to collect training data and is more suitable for real‐time detection. Empirical results show that the method is promising in terms of detection accuracy, required training data set and efficiency.

Huang Kai,Zhengwei Qi,Liu Bo

DOI: https://doi.org/10.1109/WAINA.2009.58

2009-01-01

Abstract:Network always suffers from the traffic anomaly such as router rate change, device restart or the worm attack. The early detection of unusual anomaly in the network is a key to fast recover and avoidance of future serious problem to provide a stable network transmission. In this paper we present a statistical approach to analysis the distribution of network traffic to identify the normal network traffic behavior. We adapt the EM algorism to estimate the distribution parameter of Gaussian mixture distribution model. If only there is a statistical signature of unusual fluctuation or change in the network traffic an alarm will be triggered. We adapt the time series analysis of the statistical analysis result. Up bound and low bound will be defined through the analysis. The exceeding of the bound will be the signal of traffic anomaly. Another time series analysis approach also can reflect the fluctuation of network with the crossover of two indicator lines called K line and D line. These two indicator lines are some think like the mean value of the historical data in a time slice with one more sensitive to the change of the new coming data and another not. The approach three-MACD indicator approach is like the K D approach but more blunt to the unusual fluctuation of network traffic which can submit an alarm more correctly.

Xiejun Ni,Daojing He,Sammy Chan,Farooq Ahmad

DOI: https://doi.org/10.1007/978-3-319-39555-5_12

2016-01-01

Abstract:Intrusion detection systems (IDSs) play a significant role to effectively defend our crucial computer systems or networks against attackers on the Internet. Anomaly detection is an effective way to detect intrusion, which can discover patterns that do not conform to expected behavior. The mainstream approaches of ADS (anomaly detection system) are using data mining technology to automatically extract normal pattern and abnormal ones from a large set of network data and distinguish them from each other. However, supervised or semi-supervised approaches in data mining rely on data label information. This is not practical when the network data is large-scale. In this paper, we propose a two-stage approach, unsupervised feature selection and density peak clustering to tackle label lacking situations. First, the density-peak based clustering approach is introduced for network anomaly detection, which considers both distance and density nature of data. Second, to achieve better performance of clustering process, we use maximal information coefficient and feature clustering to remove redundant and irrelevant features. Experimental results show that our method can get rid of useless features of high-dimensional data and achieves high detection accuracy and efficiency in the meanwhile.

Renyu Liu,Qingsheng Zhu

DOI: https://doi.org/10.1109/ijcnn.2018.8489336

2018-01-01

Abstract:As a kind of network security protection technology, intrusion detection technology has become one of the hot topics in the field of network security. In order to solve the problem that the methods of network anomaly detection have a high requirement on the purity of the normal data-set, and that the existing methods based on outlier detection need to set an anomaly threshold manually. Combining with the idea of Natural Neighborhood Graph, a network anomaly detection method (NAD-NNG) is proposed. In order to eliminate noise points or mislabel points and reduce the time complexity of anomalies detection, the algorithm uses the Natural Neighborhood Graph to cluster the normal data-set. Also, the algorithm can adaptively obtain a percentage value β for setting the anomaly threshold. Experiments on KDDCUP99 show that compared with the other two algorithms, the proposed method can achieve a higher detection rate based on a tolerable false alarm rate.

LIU Jun,CHENG Guang

DOI: https://doi.org/10.3969/j.issn.1001-7445.2011.z1.032

2011-01-01

Abstract:Entropy is widely used in traffic anomaly detection,such as measurement of the discrete level of a traffic feature distribution.Entropy-based traffic anomaly detection always face the problem of the threshold selection which is used to determine whether a real traffic contains anomalies when its entropy of a traffic feature compares to the entropy of the baseline distribution of the same feature.In this paper,we provide references for threshold selection through analyzing the sensitivity of the entropy used in anomalies detection.

Qin Qia,Zhiwen Wang

DOI: https://doi.org/10.4304/jnw.7.5.863-868

2012-01-01

Abstract:Intrusion Detection System (IDS) typically generates a huge number of alerts with high false rate , especially in the large scale network, which result in a huge challenge on the efficiency and accuracy of the network attack detection . In this paper, an entropy-based method is proposed to analyze the numerous IDS alerts and detect real network attacks. We use Shannon entropy to examine the distribution of the source IP address, destination IP address, source threat and destination threat and datagram length of IDS alerts; employ Renyi cross entropy to fuse the Shannon entropy vector to detect network attack. In the experiment, we deploy the Snort to monitor part of Xi’an Jiaotong University (XJTU) campus network including 32 C-class network (more than 4000 users), and gather more than 40,000 alerts per hour on average. The entropy-based method is employed to analyze those alerts and detect network attacks. The experiment result shows that our method can detect 96% attacks with very low false alert rate.

Xiejun Ni,Daojing He,Farooq Ahmad

DOI: https://doi.org/10.21015/vtse.v9i2.403

2016-01-01

VFAST Transactions on Software Engineering

Abstract:Revised July 2015 ABSTRACT. Network anomaly detection is an effective way to detect intrusions which defends our computer systems or network from attackers on the Internet. In this paper, we introduce the current research works in network anomaly detection and consider several pratical solutions for this issue. Different from signature-based method, data mining techniques can automatically extract normal pattern from a large set of network data and distinguish them from each other. However, those data mining techniques, such as classification, clustering, association rules and feature selection, can not be applied into this problem directly due to the characteristic of network data and technique themselves. We analyze those unfitness and propose some adaptation to detect anomaly timely and accurately.

Cai Long-zheng,Yu Shmg-sheng,Wang Xiao-feng,Zhou Jing-li

DOI: https://doi.org/10.1007/s11741-006-0083-9

2006-01-01

Abstract:Anomaly detection is a key element of intrusion detection systems and a necessary complement of widely used misuse intrusion detection systems. Data sources used by network intrusion detection, like network packets or connections, often contain both numeric and nominal features. Both of these features contain important information for intrusion detection. These two features, on the other hand, have different characteristics. This paper presents a new network based anomaly intrusion detection approach that works well by building profiles for numeric and nominal features in different ways. During training, for each numeric feature, a normal profile is build through statistical distribution inference and parameter estimation, while for each nominal feature, a normal profile is setup through statistical method. These profiles are used as detection models during testing to judge whether a data being tested is benign or malicious. Experiments with the data set of 1999 DARPA (defense advanced research project agency) intrusion detection evaluation show that this approach can detect attacks effectively.

Jiang Zhong,Xiongbing Deng,Luosheng Wen,Yong Feng

DOI: https://doi.org/10.1109/aici.2009.450

2009-01-01

Abstract:Data mining techniques have been successfully applied in intrusion detection because they can detect both misuse and anomaly. One of the unsupervised ways to define anomalies is by saying that anomalies are not concentrated, which depend on the density of data set. In this paper, the anomalies can be specified by choosing a reference measure μ which determines a density and a level value r. In order to reveal the relationship between the distribution of connection feature data sets and the reference measure μ, we proposed a new method to design RBF classifier based on multiple granularities immune network, and apply this algorithm to estimate density level set for the data set, through which the anomaly network connections have been detected. Experimental results on the real network data set showed that the new method is competitive with others in that the false alarm rate is kept low without many missed detections.