Abstract

Every computer on the Internet these days is a potential target for a new attack at any moment. In this paper we propose a method to enhance network security using entropy-based anomaly detection. The Snort intrusion detection system is used to collect the complete network traffic. The Snort alerts are then processed to select the attributes. Shannon entropies are then calculated to analyze source IP address, source port address, destination IP address, destination port address, source IP threat, source port threat, destination IP threat, destination port threat and datagram length. The Renyi cross entropy method is applied to the Shannon entropy vector to detect network attacks. After an attack is detected in the network, lists of source IP addresses, source port addresses, destination IP addresses and destination port addresses, with the respective number of attacks, are generated for the advance protection of the network. This enables the network administrator to block or unblock the IP addresses and ports where attacks were detected. With this method about 90% of attacks are detected. The remaining 10% of network traffic could not be detected, because some low-priority network traffic is treated as genuine traffic.
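The pipeline described above (per-attribute Shannon entropies, then Renyi cross entropy between entropy vectors) can be sketched as follows. This is an added example, not the paper's code: it covers only the five plain attributes, and the Renyi order, the threshold, the normalisation of the entropy vector and the sample alert windows are all assumptions made here.

```python
import math
from collections import Counter

FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port", "length")
ALPHA = 0.5        # assumed Renyi order, not taken from the paper
THRESHOLD = -0.1   # assumed cut-off; tune on real traffic
EPS = 1e-9         # keeps zero-entropy attributes in the vector

def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of values."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def entropy_vector(alerts):
    """Per-attribute entropies of one window, normalised to sum to 1."""
    raw = [shannon_entropy([a[f] for a in alerts]) + EPS for f in FIELDS]
    return [h / sum(raw) for h in raw]

def renyi_cross_entropy(p, q, alpha=ALPHA):
    """0 when p == q, more negative as the vectors diverge (0 < alpha < 1)."""
    s = sum(pi ** alpha * qi ** (1 - alpha) for pi, qi in zip(p, q))
    return math.log2(s) / (1 - alpha)

def score(baseline, window):
    return renyi_cross_entropy(entropy_vector(baseline), entropy_vector(window))

def is_anomalous(baseline, window):
    return score(baseline, window) < THRESHOLD

def alert(src, sport, dst, dport, length):
    return dict(zip(FIELDS, (src, sport, dst, dport, length)))

# Constructed sample windows (documentation address ranges), 40 alerts each.
SIZES = (60, 120, 576, 1500)
BASELINE = [alert(f"192.0.2.{i % 8}", 40000 + i, f"198.51.100.{i % 4}",
                  (80, 443, 22)[i % 3], SIZES[i % 4]) for i in range(40)]
BENIGN = [alert(f"192.0.2.{i % 6}", 50000 + i, f"198.51.100.{i % 4}",
                (80, 443)[i % 2], SIZES[i % 4]) for i in range(40)]
# One source walking 40 destination ports on one host with fixed-size packets.
SCAN = [alert("203.0.113.9", 51000 + i, "198.51.100.1", 1 + i, 60)
        for i in range(40)]

if __name__ == "__main__":
    print("benign:", round(score(BASELINE, BENIGN), 4))
    print("scan:  ", round(score(BASELINE, SCAN), 4))
```

In the scan window the source IP, destination IP and length entropies collapse to zero while the destination port entropy rises, which is what moves the normalised vector away from the baseline.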
