Abstract

Network anomaly detection and classification is an important open problem in network security. Several approaches and systems based on different mathematical tools have been studied and developed, among them the Anomaly-based Network Intrusion Detection System (A-NIDS), which monitors network traffic and compares it against an established baseline of a “normal” traffic profile. Such a system therefore needs a characterization of “normal” Internet traffic. This paper presents an approach for anomaly detection and classification based on the Shannon, Rényi and Tsallis entropies of selected features, and on the construction of regions from the entropy data using the Mahalanobis distance (MD) and the One-Class Support Vector Machine (OC-SVM) with two kernels, the Radial Basis Function (RBF) and the Mahalanobis Kernel (MK), for “normal” and abnormal traffic. Regular and non-regular regions built from “normal” traffic profiles allow anomaly detection, while classification is performed under the assumption that the regions corresponding to the attack classes have been characterized beforehand. Although the approach allows the use of as many features as required, only four well-known significant features were selected in our case. To evaluate the approach, two data sets were used: real traffic captured from an academic Local Area Network (LAN), and a subset of the 1998 MIT-DARPA data set. On these data sets, the approach achieved a true positive rate of up to 99.35%, a true negative rate of up to 99.83% and a false negative rate of about 0.16%. Experimental results show that certain q-values of the generalized entropies and the use of OC-SVM with the RBF kernel improve the detection rate in the detection stage, while the novel inclusion of the MK kernel in OC-SVM and k-temporal nearest neighbors improves accuracy in classification.
In addition, the results show that, after a Box-Cox transformation, the Mahalanobis distance yields high detection rates with an efficient computation time, while OC-SVM achieves slightly higher detection rates at a greater computational cost.
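As an added illustration, not code from the paper and not the authors' own region construction, the script below shows the detection stage described in the abstract in pure Python: Shannon, Rényi and Tsallis entropies are computed per time window for four flow features assumed here to be source IP, destination IP, source port and destination port; the Rényi entropy vectors of baseline windows define a “normal” region through their mean and inverse covariance; a new window is flagged when its Mahalanobis distance exceeds a cut-off. The traffic is synthetic and constructed inline, the order q = 2 and the cut-off (twice the largest baseline distance) are assumptions, and the Box-Cox transformation and OC-SVM stages of the paper are not included.

```python
# Added example, not code from the paper: per-window entropies of four flow
# features and a Mahalanobis-distance "normal" region, in pure Python (no numpy).
import math
import random
from collections import Counter

Q = 2.0  # assumed order q for the Renyi/Tsallis entropies; the paper tunes q

def distribution(values):
    """Empirical probabilities of the distinct values seen in one window."""
    n = len(values)
    return [c / n for c in Counter(values).values()]

def shannon(p):
    """Shannon entropy in bits."""
    return -sum(x * math.log2(x) for x in p if x > 0)

def renyi(p, q=Q):
    """Renyi entropy of order q in bits (q -> 1 recovers Shannon)."""
    if q == 1.0:
        return shannon(p)
    return math.log2(sum(x ** q for x in p)) / (1.0 - q)

def tsallis(p, q=Q):
    """Tsallis entropy of order q (q -> 1 recovers Shannon in nats)."""
    if q == 1.0:
        return -sum(x * math.log(x) for x in p if x > 0)
    return (1.0 - sum(x ** q for x in p)) / (q - 1.0)

def entropy_vector(flows, entropy=renyi):
    """One entropy per feature column: src IP, dst IP, src port, dst port."""
    return [entropy(distribution(col)) for col in zip(*flows)]

def invert(m):
    """Gauss-Jordan inverse with partial pivoting; fine for a 4x4 covariance."""
    n = len(m)
    a = [list(r) + [1.0 if i == j else 0.0 for j in range(n)] for i, r in enumerate(m)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(a[r][c]))
        a[c], a[piv] = a[piv], a[c]
        p = a[c][c]
        if abs(p) < 1e-12:
            raise ValueError("singular covariance: need more baseline windows")
        a[c] = [v / p for v in a[c]]
        for r in range(n):
            f = a[r][c]
            if r != c and f != 0.0:
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[c])]
    return [row[n:] for row in a]

def mahalanobis(vec, model):
    """sqrt((x - mu)^T S^-1 (x - mu)) against the fitted normal region."""
    d = [x - m for x, m in zip(vec, model["mean"])]
    inv = model["inv_cov"]
    return math.sqrt(sum(d[i] * inv[i][j] * d[j]
                         for i in range(len(d)) for j in range(len(d))))

def build_model(baseline_windows, margin=2.0):
    """Fit mean and covariance of the entropy vectors of 'normal' windows."""
    vecs = [entropy_vector(w) for w in baseline_windows]
    n, k = len(vecs), len(vecs[0])
    mean = [sum(v[j] for v in vecs) / n for j in range(k)]
    cov = [[sum((v[i] - mean[i]) * (v[j] - mean[j]) for v in vecs) / (n - 1)
            + (1e-6 if i == j else 0.0)  # tiny ridge keeps S invertible
            for j in range(k)] for i in range(k)]
    model = {"mean": mean, "inv_cov": invert(cov)}
    # Assumed heuristic cut-off, not the paper's region construction.
    model["threshold"] = margin * max(mahalanobis(v, model) for v in vecs)
    return model

def detect(window, model):
    """Return (distance, is_anomaly) for one window of flow tuples."""
    dist = mahalanobis(entropy_vector(window), model)
    return dist, dist > model["threshold"]

# Constructed traffic (synthetic, not a real capture) for the demo below.
HOSTS = [f"10.0.0.{i}" for i in range(1, 51)]       # 50 LAN clients
SERVERS = [f"192.168.1.{i}" for i in range(1, 21)]  # 20 internal servers
SERVICES, WEIGHTS = [80, 443, 53, 22, 25], [40, 30, 15, 10, 5]

def normal_window(rng, flows=300):
    """(src IP, dst IP, src port, dst port) tuples with a steady LAN mix."""
    return [(rng.choice(HOSTS), rng.choice(SERVERS),
             rng.randint(1024, 65535), rng.choices(SERVICES, WEIGHTS)[0])
            for _ in range(flows)]

def flood_window(rng, flows=300):
    """Spoofed-source flood: many sources, one destination, one port."""
    return [(f"203.0.113.{rng.randint(1, 254)}", "192.168.1.10",
             rng.randint(1024, 65535), 80) for _ in range(flows)]

def run_demo(seed=7):
    """Fit on 40 normal windows, then score one normal and one flood window."""
    rng = random.Random(seed)
    model = build_model([normal_window(rng) for _ in range(40)])
    return {"threshold": model["threshold"],
            "normal": detect(normal_window(rng), model),
            "attack": detect(flood_window(rng), model)}

if __name__ == "__main__":
    print(run_demo())
```

Running the script prints the cut-off and the (distance, flag) pair for a held-out normal window and for the flood window. The flood collapses the destination-IP and destination-port entropies to zero while raising the source-IP entropy, so its distance lies far outside the region even though the source-port entropy is unchanged; a held-out normal window stays inside. Swapping `renyi` for `shannon` or `tsallis` in `entropy_vector`, or changing `Q`, is how one would compare the q-values the abstract refers to.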

Highlights

  • The detection and prevention of attacks and malicious activities have led to the development of technologies and devices designed to provide a certain degree of security

  • Network Intrusion Detection Systems (NIDS) are classified into two groups: Signature-NIDS, which use a database of attack signatures, and Anomaly-NIDS, which classify traffic into normal and abnormal in order to decide whether an attack has occurred

  • The first data set is from an Academic Local Area Network (LAN) [27] and is composed of traffic traces collected over seven days


Introduction

The detection and prevention of attacks and malicious activities have led to the development of technologies and devices designed to provide a certain degree of security. A-NIDS, known in the literature as behavior-based systems, use a model of normal inputs in order to detect security events. They try to establish what a “normal”, anomaly-free profile of system or network behavior is, using network features or variables such as destination and source IP addresses. Entropy-based approaches to anomaly detection are appealing, since they provide more information about the structure of anomalies than traditional traffic-volume analysis [2].
