A flow-based anomaly detection method using entropy and multiple traffic features

Network traffic anomaly detection is an important component in network security and management domains which can help to improve availability and reliability of networks. This paper proposes a flow-based anomaly detection method with the help of entropy. Using IPFIX, flow records containing multiple traffic features are collected in each time window. With entropy, joint probability space for multiple traffic features is constructed which is the basis of the proposed scheme. The anomaly detection method is composed of two stages. The first stage is to systematically construct the probability distribution of traffic features in normal traffic pattern. In the second stage, to detect abnormal network activities, the improved Kullback-Leibler distance between the observed probability distribution for the multiple traffic features and the forecast distribution which can be achieved by Holt-Winters technique is calculated. The improved Kullback-Leibler distance is a calculation that measures the level of difference of two probability distributions. When the distance exceeds a pre-set threshold, alerts will be generated. Finally, the scheme is demonstrated by experiment and the result shows that this method has high accuracy and low complexity.