Title : 
Detecting anomalies in network traffic using Entropy and Mahalanobis distance
         
        
            Author : 
Santiago-Paz, J. ; Torres-Román, D. ; Velarde-Alvarado, P.
         
        
            Author_Institution : 
Dept. of Electr. Eng. & Comput. Sci., IPN, Guadalajara, Mexico
         
        
        
        
        
        
            Abstract : 
This paper proposes an Entropy-Mahalanobis-based methodology to detect certain anomalies in IP traffic. The balanced estimator II is used to model the normal behavior of two intrinsic traffic features: source and destination IP addresses. The Mahalanobis distance is used to describe an ellipse that characterizes the network entropy, which makes it possible to determine whether a given actual traffic slot is normal or anomalous. Experimental tests were conducted to evaluate the detection performance for portscan and worm attacks deployed in a campus network, showing that the methodology is effective in the timely and accurate detection of these attacks.
         
        
            Keywords : 
IP networks; computer network performance evaluation; computer network security; entropy; invasive software; telecommunication traffic; IP traffic; Mahalanobis distance; anomaly detection; balanced estimator II; campus network; destination IP address; entropy-Mahalanobis-based methodology; network entropy; performance detection; portscan; source IP address; traffic slot; worm attacks; Covariance matrix; Entropy; IP networks; Local area networks; Training; Training data; Vectors;
         
        
        
        
            Conference_Title : 
Electrical Communications and Computers (CONIELECOMP), 2012 22nd International Conference on
         
        
            Conference_Location : 
Cholula, Puebla
         
        
            Print_ISBN : 
978-1-4577-1326-2
         
        
        
            DOI : 
10.1109/CONIELECOMP.2012.6189887