Technical Report Number
Monitoring the empirical Shannon entropy of a feature in a network packet stream has previously been shown to be useful in detecting anomalies in the network traffic. Entropy is an information-theoretic statistic that measures the variability of the feature under consideration. Anomalous activity in network traffic can be captured by detecting changes in this variability. There are several challenges, however, in monitoring this statistic. Computing the statistic efficiently is non-trivial. Further, when monitoring multiple features, the streaming algorithms proposed previously would likely fail to keep up with the ever-increasing channel bandwidth of network traffic streams. There is also the concern that an adversary could attempt to mask the effect of his attacks on variability by a mimicry attack disguising his traffic to mimic the distribution of normal traffic in the network, thus avoiding detection by an entropy monitoring sensor. Also, the high rate of false positives is a big problem with Intrusion Detection Systems, and the case of entropy monitoring is no different. In this work we propose a way to address the above challenges. First, we leverage recent progress in sketching algorithms to develop a distributed approach for computing entropic statistics accurately, at reasonable memory costs. Secondly, we propose monitoring not only regular entropy, but the related statistic of conditional entropy, as a more reliable measure in detecting anomalies. Lastly, we implement our approach and evaluate it with real data collected at the link layer of an 802.11 wireless network. To our knowledge, this is the first time entropy-based approaches have been considered for this kind of traffic.
Dartmouth Digital Commons Citation
Arackaparambil, Chrisil; Bratus, Sergey; Brody, Joshua; and Shubina, Anna, "Distributed Monitoring of Conditional Entropy for Network Anomaly Detection" (2009). Computer Science Technical Report TR2009-653. https://digitalcommons.dartmouth.edu/cs_tr/327