Entropy-based network traffic anomaly detection techniques are attractive due
to their simplicity and applicability in a real-time network environment.
Even though flow data provide only a basic set of information about network
communications, they are suitable for efficient entropy-based anomaly
detection techniques. However, a recent work reported a serious weakness of
general entropy-based anomaly detection: it can be deceived by adding spoofed
data that camouflage the anomaly. Moreover,
techniques for further classification of the anomalies mostly rely on
machine learning, which involves additional complexity. We address these
issues by providing two novel approaches. Firstly, we propose an efficient
protection mechanism against entropy deception, which is based on the
analysis of changes in different entropy types, namely Shannon, Rényi, and
Tsallis entropies, and monitoring the number of distinct elements in a
feature distribution as a new detection metric. The proposed approach makes
the entropy techniques more reliable. Secondly, we extend the existing
entropy-based anomaly detection approach with an anomaly classification
method. Based on a multivariate analysis of the entropy changes of multiple
features, as well as aggregation by complex feature combinations, we propose
entropy-based anomaly classification rules and verify them experimentally.
Experimental results are provided to validate the feasibility of the proposed
approach for practical implementation of efficient anomaly detection and
classification methods in a general real-life network environment.
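The following is an added illustration of the protection idea sketched in the abstract, not code from the paper: a flow feature (here, destination ports in a time window) is summarised not only by Shannon entropy but also by Rényi and Tsallis entropies of different orders and by the number of distinct values, and a window is flagged when any of these deviates from the baseline. The flow windows, the chosen orders (α = 0.5 and 2, q = 2) and the 15 % relative tolerance are constructed for the example; the deception scenario adds padding flows to a single port so that Shannon entropy alone returns to its baseline value.

```python
"""Multi-entropy profile of a flow feature with a deception-resistant check.

Added example (not the paper's code). Flow windows below are constructed.
"""
import math
from collections import Counter


def probabilities(values):
    """Empirical distribution of one flow feature over a window of flows."""
    counts = Counter(values)
    total = sum(counts.values())
    return [c / total for c in counts.values()]


def shannon_entropy(p):
    """Shannon entropy in bits."""
    return -sum(x * math.log2(x) for x in p if x > 0)


def renyi_entropy(p, alpha):
    """Renyi entropy of order alpha (bits).

    alpha < 1 weights rare values (the long tail of a scan) more heavily,
    alpha > 1 weights the dominant values; alpha -> 1 gives Shannon entropy.
    """
    if alpha == 1.0:
        return shannon_entropy(p)
    return math.log2(sum(x ** alpha for x in p)) / (1.0 - alpha)


def tsallis_entropy(p, q):
    """Tsallis entropy of order q; tends to natural-log Shannon entropy as q -> 1."""
    if q == 1.0:
        return shannon_entropy(p) * math.log(2)
    return (1.0 - sum(x ** q for x in p)) / (q - 1.0)


def entropy_profile(values):
    """Several entropy types plus the distinct-element count for one window."""
    p = probabilities(values)
    return {
        "shannon": shannon_entropy(p),
        "renyi_0.5": renyi_entropy(p, 0.5),   # assumed order, stresses the tail
        "renyi_2": renyi_entropy(p, 2.0),     # assumed order, stresses the head
        "tsallis_2": tsallis_entropy(p, 2.0), # assumed order
        "distinct": float(len(p)),
    }


def deviating_metrics(baseline, window, rel_tol=0.15):
    """Names of the metrics whose relative change against the baseline exceeds rel_tol.

    A window is suspicious if this list is non-empty; looking at one entropy type
    alone (classic Shannon-only detection) is what the deception exploits.
    """
    base = entropy_profile(baseline)
    cur = entropy_profile(window)
    return sorted(m for m in base if abs(cur[m] - base[m]) / base[m] > rel_tol)


# Constructed windows of destination ports (one entry per flow):
BASELINE_PORTS = [80] * 50 + [443] * 30 + [53] * 20        # normal mix, 3 distinct ports
SCAN_PORTS = BASELINE_PORTS + list(range(1000, 1100))       # plus 100 ports touched once each
DECEIVED_PORTS = SCAN_PORTS + [80] * 800                    # plus padding that restores Shannon entropy

if __name__ == "__main__":
    for name, window in [("baseline", BASELINE_PORTS), ("scan", SCAN_PORTS), ("deceived", DECEIVED_PORTS)]:
        prof = entropy_profile(window)
        print(f"{name:9s}", {k: round(v, 3) for k, v in prof.items()},
              "flags:", deviating_metrics(BASELINE_PORTS, window))
```

Running it shows that the padded window has a Shannon entropy within about 2 % of the baseline, so a Shannon-only detector stays silent, while the distinct-port count (103 against 3) and the Rényi and Tsallis values of other orders still deviate strongly. Which orders and tolerance to use in production is a tuning question the abstract does not settle; the point is that the metrics react differently to the same camouflage.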