A signal analysis of network traffic anomalies
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
ICNP '02 Proceedings of the 10th IEEE International Conference on Network Protocols
Information-Theoretic Measures for Anomaly Detection
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Data streaming algorithms for efficient and accurate estimation of flow size distribution
Proceedings of the joint international conference on Measurement and modeling of computer systems
Queue - Surviving Network Attacks
Profiling internet backbone traffic: behavior models and applications
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Mining anomalies using traffic feature distributions
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Detecting malicious network traffic using inverse distributions of packet contents
Proceedings of the 2005 ACM SIGCOMM workshop on Mining network data
Entropy Based Worm and Anomaly Detection in Fast IP Networks
WETICE '05 Proceedings of the 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise
Data streaming algorithms for estimating entropy of network traffic
SIGMETRICS '06/Performance '06 Proceedings of the joint international conference on Measurement and modeling of computer systems
Impact of packet sampling on anomaly detection metrics
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Effective discovery of attacks using entropy of packet dynamics
IEEE Network: The Magazine of Global Internetworking
URCA: pulling out anomalies by their root causes
INFOCOM'10 Proceedings of the 29th conference on Information communications
ASTUTE: detecting a different class of traffic anomalies
Proceedings of the ACM SIGCOMM 2010 conference
International Journal of Network Management
Temporally oblivious anomaly detection on large networks using functional peers
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Network prefix-level traffic profiling: Characterizing, modeling, and evaluation
Computer Networks: The International Journal of Computer and Telecommunications Networking
Proceedings of the 6th International COnference
Dynamic feature analysis and measurement for large-scale network traffic monitoring
IEEE Transactions on Information Forensics and Security
The role of KL divergence in anomaly detection
Proceedings of the ACM SIGMETRICS joint international conference on Measurement and modeling of computer systems
Space-efficient tracking of persistent items in a massive data stream
Proceedings of the 5th ACM international conference on Distributed event-based system
The role of KL divergence in anomaly detection
ACM SIGMETRICS Performance Evaluation Review - Performance evaluation review
NETWORKING'11 Proceedings of the 10th international IFIP TC 6 conference on Networking - Volume Part I
Monitoring abnormal network traffic based on blind source separation approach
Journal of Network and Computer Applications
TVi: a visual querying system for network monitoring and anomaly detection
Proceedings of the 8th International Symposium on Visualization for Cyber Security
Accurate network anomaly classification with generalized entropy metrics
Computer Networks: The International Journal of Computer and Telecommunications Networking
Parametric methods for anomaly detection in aggregate traffic
IEEE/ACM Transactions on Networking (TON)
On detecting abrupt changes in network entropy time series
CMS'11 Proceedings of the 12th IFIP TC 6/TC 11 international conference on Communications and multimedia security
Wiki-Watchdog: Anomaly Detection in Wikipedia Through a Distributional Lens
WI-IAT '11 Proceedings of the 2011 IEEE/WIC/ACM International Conferences on Web Intelligence and Intelligent Agent Technology - Volume 01
An entropy based approach for DDoS attack detection in IEEE 802.16 based networks
IWSEC'11 Proceedings of the 6th International conference on Advances in information and computer security
A comparison between divergence measures for network anomaly detection
Proceedings of the 7th International Conference on Network and Services Management
Improving an SVD-based combination strategy of anomaly detectors for traffic labelling
Proceedings of the Asian Internet Engineeering Conference
ADMIRE: Anomaly detection method using entropy-based PCA with three-step sketches
Computer Communications
Locating emergencies in a campus using wi-fi access point association data
Proceedings of the 2013 ACM conference on Pervasive and ubiquitous computing adjunct publication
Dynamic entropy based DoS attack detection method
Computers and Electrical Engineering
| Hi-index | 0.00 |
Entropy-based approaches for anomaly detection are appealing since they provide more fine-grained insights than traditional traffic volume analysis. While previous work has demonstrated the benefits of entropy-based anomaly detection, there has been little effort to comprehensively understand the detection power of using entropy-based analysis of multiple traffic distributions in conjunction with each other. We consider two classes of distributions: flow-header features (IP addresses, ports, and flow-sizes), and behavioral features (degree distributions measuring the number of distinct destination/source IPs that each host communicates with). We observe that the timeseries of entropy values of the address and port distributions are strongly correlated with each other and provide very similar anomaly detection capabilities. The behavioral and flow size distributions are less correlated and detect incidents that do not show up as anomalies in the port and address distributions. Further analysis using synthetically generated anomalies also suggests that the port and address distributions have limited utility in detecting scan and bandwidth flood anomalies. Based on our analysis, we discuss important implications for entropy-based anomaly detection.