Multi-scale entropy and renyi cross entropy based traffic anomaly detection

The idea of using entropy measurement to detect anomalies is not a novelty in the research community. But all these entropy-based approaches are single-scale based ¿complexity¿ methods, and don¿t consider temporal and spatial correlation in network traffic. In this paper, multi-scale entropy (MSE) and Renyi cross entropy are introduced to solve these problems. First, a kind of Port-to-Port traffic termed IF-flow in router is defined. Internal traffic matrix can be constructed by IF-flows. Then a new scheme based on MSE and Renyi cross entropy is proposed to detect traffic anomaly existed in IF-flow matrix. MSE is used to detect IF-flow traces in time scales. Renyi cross entropy is used to detect anomaly existed in IF-flow matrix in space and small scale time, and pinpoint IF-flow(s) responsible for entropy change. An improved method to calculate Renyi cross entropy is proposed to reduce false alarm and identify anomaly duration. The experimental results indicate the scheme can detect anomaly accurately in time and space.