Abstract

Data mining is an interdisciplinary subfield of computer science involving methods at the intersection of artificial intelligence, machine learning and statistics. One of its tasks is anomaly detection: the analysis of large quantities of data to identify items, events or observations which do not conform to an expected pattern. Anomaly detection is applicable in a variety of domains, e.g., fraud detection, fault detection and system health monitoring, but this article focuses on its application in the field of network intrusion detection. The main goal of the article is to demonstrate that an entropy-based approach is suitable for detecting modern botnet-like malware from anomalous patterns in network traffic. This aim is achieved through the following steps: (i) design of an original entropy-based network anomaly detection method, (ii) implementation of the method, (iii) preparation of an original dataset, and (iv) evaluation of the method.
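As an added illustration of the entropy-based idea the abstract refers to (example code written for this page, not the authors' method, dataset or implementation), the Python below bins NetFlow-like records into fixed windows, computes the Shannon entropy of the source-address, destination-address and destination-port distributions in each window, and flags windows whose entropy deviates from a benign baseline by more than three standard deviations. The flow records, window layout, feature set, 3-sigma threshold and sigma floor are all assumptions of the example, and the traffic is constructed inline. A botnet-style host sweep shows up as a jump in destination-address entropy together with a collapse in source-address entropy (one source, many destinations); many-to-one traffic such as a flood or beaconing to a single server shows up as a collapse in destination entropy.

```python
"""Windowed Shannon-entropy anomaly detector over NetFlow-like records.

Added example for this page; not the paper's method or dataset. The record
layout, window size, features, threshold and sigma floor are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import math
import statistics


@dataclass(frozen=True)
class Flow:
    window: int       # index of the time bin the flow falls into (assumed pre-binned)
    src_ip: str
    dst_ip: str
    dst_port: int


FEATURES = ("src_ip", "dst_ip", "dst_port")


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def window_entropies(flows):
    """Map window -> {feature: entropy} computed over that window's flows."""
    by_window = defaultdict(list)
    for f in flows:
        by_window[f.window].append(f)
    return {
        w: {feat: shannon_entropy([getattr(f, feat) for f in fs]) for feat in FEATURES}
        for w, fs in sorted(by_window.items())
    }


def detect(flows, baseline_windows, threshold=3.0, min_sigma=0.05):
    """Return {window: {feature: (z_score, label)}} for windows whose entropy
    for some feature lies more than `threshold` standard deviations from the
    mean of the baseline windows. Baseline windows are scored too, so a
    contaminated baseline would show up in the output."""
    ent = window_entropies(flows)
    alerts = {}
    for feat in FEATURES:
        base = [ent[w][feat] for w in baseline_windows]
        mu = statistics.mean(base)
        # Floor on sigma: a very flat baseline must not turn every tiny
        # fluctuation into a multi-sigma event.
        sigma = max(statistics.pstdev(base), min_sigma)
        for w, feats in ent.items():
            z = (feats[feat] - mu) / sigma
            if abs(z) > threshold:
                label = "dispersion" if z > 0 else "concentration"
                alerts.setdefault(w, {})[feat] = (round(z, 1), label)
    return alerts


def make_flows():
    """Constructed sample traffic (not real captures): eight benign windows,
    then a scan-like window and a many-to-one window."""
    flows = []
    for w in range(8):
        for j in range(60):
            src = f"192.168.1.{10 + j % 6}"
            # Four internal servers, with a little per-window drift so the
            # baseline is not perfectly flat.
            dst = "10.0.0.1" if j < w else f"10.0.0.{1 + (3 * j + w) % 4}"
            dport = (80, 443, 53, 443, 80, 443)[j % 6]
            flows.append(Flow(w, src, dst, dport))
    # Window 8: one host sweeps 60 distinct internal addresses on port 445.
    for j in range(60):
        flows.append(Flow(8, "192.168.1.10", f"10.0.1.{j + 1}", 445))
    # Window 9: every host talks only to one server on one port.
    for j in range(60):
        flows.append(Flow(9, f"192.168.1.{10 + j % 6}", "10.0.0.1", 443))
    return flows


if __name__ == "__main__":
    for w, feats in sorted(detect(make_flows(), range(8)).items()):
        print(f"window {w}: {feats}")
```

Running it flags only windows 8 and 9: window 8 reports destination-address dispersion with source-address concentration (the sweep), window 9 reports destination-address and port concentration with source entropy unchanged (many-to-one). Raw entropy is comparable across windows here only because every window holds the same number of flows; with variable window sizes a practitioner would normalize by the window's maximum attainable entropy or fix the window by flow count rather than by time.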

Highlights

  • The first anomaly detection method for intrusion detection was proposed almost 40 years ago [1]. Today, network anomaly detection is a very broad and heavily explored subject, but the problem of finding a generic method for a wide range of network anomalies is still unsolved (Entropy 2015, 17)

  • It is crucial to check whether an entropy-based approach is effective in detecting anomalous network activities caused by modern botnet-like malware [12]

  • A botnet is a group of infected hosts (bots) controlled by Command and Control (C&C) servers operated by cyber-criminals


Summary

Introduction

The first anomaly detection method for intrusion detection was proposed almost 40 years ago [1]. Today, network anomaly detection is a very broad and heavily explored subject, but the problem of finding a generic method for a wide range of network anomalies is still unsolved. The intrusion detection systems in use today are largely ineffective against modern malicious software (malware), since they mostly rely on the common signature-based (or misuse-based) technique. It is therefore crucial to check whether an entropy-based approach is effective in detecting anomalous network activities caused by modern botnet-like malware [12]. A botnet is a group of infected hosts (bots) controlled by Command and Control (C&C) servers operated by cyber-criminals. Both the amount of such malware and its level of sophistication increase each year [13]. Damage from this type of malware can take many serious forms, including loss of important data, reputation or money.

