Title :
Information-theoretic measures for anomaly detection
Author :
Lee, Wenke ; Xiang, Dong
Author_Institution :
Dept. of Comput. Sci., North Carolina State Univ., Raleigh, NC, USA
Abstract :
Anomaly detection is an essential component of protection mechanisms against novel attacks. We propose to use several information-theoretic measures, namely, entropy, conditional entropy, relative conditional entropy, information gain, and information cost for anomaly detection. These measures can be used to describe the characteristics of an audit data set, suggest the appropriate anomaly detection model(s) to be built, and explain the performance of the model(s). We use case studies on Unix system call data, BSM data, and network tcpdump data to illustrate the utility of these measures.
Keywords :
Unix; computer network management; information theory; network operating systems; security of data; BSM data; Unix system; anomaly detection; audit data set; call data; case studies; conditional entropy; defense-in-depth; entropy; information cost; information gain; information-theoretic measures; layered network security; network activity data; network tcpdump data; protection mechanisms; relative conditional entropy; Computer science; Costs; Data analysis; Data security; Detectors; Entropy; Information analysis; Information security; Intrusion detection; Pattern matching
Conference_Title :
Security and Privacy, 2001. S&P 2001. Proceedings. 2001 IEEE Symposium on
Conference_Location :
Oakland, CA
Print_ISBN :
0-7695-1046-9
DOI :
10.1109/SECPRI.2001.924294