Survey on Intrusion Detection System based on Entropy Methods (IEEE Papers)
Raj Kamal, IIT Guwahati
June 8, 2012


Description: This document gives a short description of the entropy techniques used in intrusion detection systems, together with a list of IEEE journal papers on the topic.



Table 1: Entropy Based IEEE Papers

Title: An Efficient and Reliable DDoS Attack Detection Using a Fast Entropy Computation Method

Author: Giseop No and Ilkyeun Ra, Department of Computer Science and Engineering, University of Colorado Denver, USA

Year: 2009

Abstract: In this paper, we propose a fast entropy scheme that can overcome the issue of false negatives and will not increase the computational time. Our simulation shows that the fast entropy computing method not only reduced computational time by more than 90 % compared to conventional entropy, but also increased the detection accuracy compared to conventional and compression entropy approaches.

Theme: Uses fast entropy and moving average to calculate entropy. If network traffic changes from normal to abnormal status, such as when the DDoS attacker sends a bulk of packets with the same port number to saturate a certain port, the entropy of this port number will be decreased. By contrast, under normal conditions, the entropy of the port number will be increased. This phenomenon can be applied to various network information such as source IP address, destination IP address, source port, destination port, total number of packets, and even in the data clustering schemes. Our Fast Entropy scheme reduced computational time by 90% of the conventional entropy scheme while maintaining detection accuracy. Fast Entropy is even faster than the compression entropy scheme in computing entropy values with the same or better detection accuracy. For our future work, we have been developing an adaptive fast entropy algorithm that will further reduce the false positives as well as false negatives without adding overhead by introducing a dynamic moving average and detection threshold value with respect to the behavior of attacks.



Table 2: Entropy Based IEEE Papers

Title: Effective Discovery of Attacks using Entropy of Packet Dynamics

Author: Chan-Kyu Han, Hyoung-Kee Choi, Sungkyunkwan University

Year: 2009

Abstract: This IDS is based on the notion of packet dynamics, rather than packet content, as a way to cope with the increasing complexity of attacks. We employ a concept of entropy to measure time-variant packet dynamics and, further, to extrapolate this entropy to detect network attacks. The entropy of network traffic should vary abruptly once the distinct patterns of packet dynamics embedded in attacks appear. The proposed classifier is evaluated by comparing independent statistics derived from five well-known attacks. Our classifier detects those five attacks with high accuracy and does so in a timely manner. For instance, a Denial of Service (DoS) attack and flash crowds cause destination hosts to concentrate the distribution of traffic on the victim. Network scanning has a dispersed distribution for destination hosts and a bottleneck distribution for destination services. This bottleneck distribution is concentrated on the vulnerable ports. Concentration and dispersion are, respectively, two patterns of packet dynamics frequently perceived in a DoS attack and network scanning. The key idea is that once abnormal traffic contaminates long-term behavior, the entropy value of the system should immediately reflect this contamination. This detection method takes advantage of fluctuations in the entropy values of flow-related metrics. Bogus requests do not generate immediate responses in general because of silent targets and blockages at the firewall.

Theme: We implemented the proposed algorithm using Perl and ran it on real traffic traces available on the Internet. We used four traces containing five malicious attacks: they are Code Red Worm, Witty Worm, Slammer Worm, DoS and DDoS attacks. Here a thermodynamic approach is used with a moving average. It further uses a ROC curve to find out the threshold.
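The mechanism shared by the two papers above (a drop in destination-port or destination-host entropy signalling a DoS burst, a rise in destination-host entropy together with a port bottleneck signalling a scan) can be shown end to end in a few lines of Python. The block below is an added illustration written for this survey page, not code from either paper. It assumes constructed flow windows with made-up addresses, plain Shannon entropy rather than the authors' fast-entropy scheme (which the page does not describe in detail), and a hand-chosen `delta` of 0.5 bits around the moving average of the previous three windows.

```python
import math
from collections import Counter
from statistics import mean

# Constructed sample: one list of (dst_ip, dst_port) pairs per time window.
# Windows 0-2 imitate normal traffic (spread over hosts and ports),
# window 3 a DoS-style burst (one host, one port) and window 4 a scan
# (many hosts, one port). All addresses are made up for the example.
WINDOWS = [
    [("10.0.0.1", 80), ("10.0.0.2", 443), ("10.0.0.3", 53), ("10.0.0.4", 22)] * 2,
    [("10.0.0.1", 80), ("10.0.0.2", 443), ("10.0.0.3", 53), ("10.0.0.4", 25)] * 2,
    [("10.0.0.1", 80), ("10.0.0.2", 443), ("10.0.0.3", 53), ("10.0.0.4", 22)] * 2,
    [("10.0.0.1", 80)] * 7 + [("10.0.0.2", 443)],
    [("10.0.0.%d" % i, 445) for i in range(1, 9)],
]


def shannon_entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def window_entropies(window):
    """Entropy of the destination-host and destination-port distributions."""
    return {
        "dst_ip": shannon_entropy([ip for ip, _ in window]),
        "dst_port": shannon_entropy([port for _, port in window]),
    }


def detect(windows, history=3, delta=0.5):
    """Flag windows whose entropy moves more than `delta` bits away from the
    moving average of the previous `history` windows. A drop is reported as
    'concentration' (DoS-like), a rise as 'dispersion' (scan-like).
    Returns a list of (window_index, feature, pattern)."""
    alerts = []
    past = []
    for i, window in enumerate(windows):
        ent = window_entropies(window)
        if past:  # the first window only seeds the baseline
            for feature, h in ent.items():
                baseline = mean(p[feature] for p in past[-history:])
                if h < baseline - delta:
                    alerts.append((i, feature, "concentration"))
                elif h > baseline + delta:
                    alerts.append((i, feature, "dispersion"))
        past.append(ent)
    return alerts


if __name__ == "__main__":
    for i, w in enumerate(WINDOWS):
        print(i, {k: round(v, 3) for k, v in window_entropies(w).items()})
    print(detect(WINDOWS))
```

Window 3 trips both features downward (one host, one port), while window 4 trips host entropy upward and port entropy downward, which is the scan signature the second paper describes. A threshold expressed in bits relative to a moving average is the simplest form of the adaptive threshold both papers leave for future work.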



Table 3: Entropy Based IEEE Papers

Title: Entropy-Based Profiling of Network Traffic for Detection of Security Attack

Author: Tsern-Huei Lee, Jyun-De He, Department of Communication Engineering, National Chiao Tung University, Taiwan

Year: 2009

Abstract: We present an entropy-based network traffic profiling scheme for detecting security attacks. The proposed scheme consists of two stages. The purpose of the first stage is to systematically construct the probability distribution of Relative Uncertainty for normal network traffic behavior. In the second stage, we use the Chi-Square Goodness-of-Fit Test, a calculation that measures the level of difference of two probability distributions, to detect abnormal network activities. The probability distribution of the Relative Uncertainty for short-term network behavior is compared with that of the long-term profile constructed in the first stage. We demonstrate the performance of our proposed scheme for DoS attacks with the dataset derived from KDD CUP 1999. Experimental results show that our proposed scheme achieves high accuracy if the features are selected appropriately. The top six features ranked by the accuracy are src_bytes, dst_bytes, srv_diff_host_rate, dst_host_count, dst_host_same_src_port_rate and dst_host_srv_diff_host_rate. These features can be used to detect DoS attacks effectively.

Theme: In this paper, we proposed a novel, two-stage approach for detecting network attacks. In the first stage, normal behavior profiles are constructed based on Relative Uncertainty. In the second stage, the Chi-Square Goodness-of-Fit Test is performed for the distributions obtained from behavior profiling and network activities collected online. We demonstrated the effectiveness of our proposed scheme with the KDD 1999 dataset for DoS attacks. Simulation results show that our proposed scheme achieves lower complexity and higher accuracy than previous schemes. Based on the experimental results, we believe that the proposed scheme could be a good choice for network behavior profiling and attack detection.
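The two-stage scheme above (a long-term distribution of Relative Uncertainty, then a chi-square goodness-of-fit test of the short-term distribution against it) is shown below as an added Python example written for this page; it is not the authors' code. Assumptions made here: Relative Uncertainty is taken as Shannon entropy divided by log2 of the number of distinct values in the window, RU values are quantised into four equal-width bins, the long-term profile uses add-one smoothing so no bin has zero expected count, the critical value 7.815 is the chi-square cut-off for 3 degrees of freedom at the 5 % level, and the windows contain a constructed categorical "service" feature rather than the KDD CUP features named in the abstract.

```python
import math
from collections import Counter

# Constructed per-window samples of one categorical feature (the service
# requested). Uniform windows have Relative Uncertainty 1.0; a window
# dominated by one service has RU ~0.54; a single-service window has RU 0.
UNIFORM = ["http", "dns", "smtp", "ssh"] * 2
SKEWED = ["http"] * 7 + ["dns"]
FLOOD = ["http"] * 8
PROFILE_WINDOWS = [UNIFORM, UNIFORM, UNIFORM, SKEWED, UNIFORM, SKEWED]  # long-term, normal
RECENT_NORMAL = [UNIFORM, SKEWED, UNIFORM]                             # short-term, normal
RECENT_ATTACK = [FLOOD, FLOOD, FLOOD]                                  # short-term, DoS-like
BINS = 4               # RU in [0, 1] split into 4 equal bins
CHI2_CRITICAL = 7.815  # chi-square critical value, df = BINS - 1, 5 % level


def shannon_entropy(values):
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def relative_uncertainty(values):
    """Entropy normalised by log2 of the number of distinct values observed
    (assumed definition of RU); 0 when a single value is all that appears."""
    distinct = len(set(values))
    if distinct < 2:
        return 0.0
    return shannon_entropy(values) / math.log2(distinct)


def ru_bin(ru):
    return min(int(ru * BINS), BINS - 1)


def build_profile(windows):
    """Stage 1: distribution of RU bins over normal windows, with add-one
    smoothing so that every bin has a non-zero expected probability."""
    counts = Counter(ru_bin(relative_uncertainty(w)) for w in windows)
    total = len(windows) + BINS
    return [(counts.get(b, 0) + 1) / total for b in range(BINS)]


def chi_square(profile, windows):
    """Stage 2: Pearson chi-square statistic of the recent RU-bin counts
    against the expected counts implied by the long-term profile."""
    observed = Counter(ru_bin(relative_uncertainty(w)) for w in windows)
    n = len(windows)
    return sum((observed.get(b, 0) - n * p) ** 2 / (n * p) for b, p in enumerate(profile))


def is_anomalous(profile, windows, critical=CHI2_CRITICAL):
    return chi_square(profile, windows) > critical


if __name__ == "__main__":
    profile = build_profile(PROFILE_WINDOWS)
    print("profile:", profile)
    print("recent normal:", round(chi_square(profile, RECENT_NORMAL), 3), is_anomalous(profile, RECENT_NORMAL))
    print("recent attack:", round(chi_square(profile, RECENT_ATTACK), 3), is_anomalous(profile, RECENT_ATTACK))
```

The normal short-term sample lands in the same bins as the profile and scores well under the critical value; the flood sample collapses every window into the lowest RU bin and scores far above it. Smoothing matters in practice: without it a bin never seen during profiling has expected count zero and the statistic is undefined.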



Table 4: Entropy Based IEEE Papers

Title: Entropy-Based Collaborative Detection of DDoS Attacks on Community Networks

Author: Shui Yu and Wanlei Zhou, School of Engineering and Information Technology, Deakin University, Burwood, VIC 3125, Australia

Year: 2008

Abstract: A community network often operates with the same Internet Service Provider domain or the virtual network of different entities who are cooperating with each other. In such a federated network environment, routers can work closely to raise early warning of DDoS attacks to avoid catastrophic damages. However, the attackers simulate the normal network behaviors, e.g. pumping the attack packages as Poisson distribution, to disable detection algorithms. We noticed that the attackers use the same mathematical functions to control the speed of attack package pumping to the victim. Based on this observation, the different attack flows of a DDoS attack share the same regularities, which is different from the real surging accessing in a short time period. We apply an information theory parameter, entropy rate, to discriminate the DDoS attack from the surge of legitimate accessing. We proved the effectiveness of our method in theory. Here the number of packets to different destinations is used.

Theme: We focus on detection of DDoS attacks in community networks. Our motivation comes from discriminating the DDoS attacks from surge legitimate accessing, and identifying attacks at the early stage, even before the attack packages reach the target server. The entropy of flows at a router, router entropy, is calculated; if the router entropy is less than a given threshold, then an attack alarm is raised, and the routers on the path of the suspected flow will calculate the entropy rate of the suspected flow. If the entropy rates are the same or the difference is less than a given value, then we can confirm that it is an attack; otherwise, it is a surge of legitimate accessing.



Table 5: Entropy Based IEEE Papers

Title: Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics

Author: Yang Xiang, Member, IEEE, Ke Li, and Wanlei Zhou, Senior Member, IEEE

Year: 2011

Abstract: A low-rate distributed denial of service (DDoS) attack has significant ability of concealing its traffic because it is very much like normal traffic. An information metric can quantify the differences of network traffic with various probability distributions. In this paper, we innovatively propose using two new information metrics such as the generalized entropy metric and the information distance metric to detect low-rate DDoS attacks by measuring the difference between legitimate traffic and attack traffic. The proposed generalized entropy metric can detect attacks several hops earlier than the traditional Shannon metric. The proposed information distance metric outperforms the popular Kullback–Leibler divergence approach as it can clearly enlarge the adjudication distance and then obtain the optimal detection sensitivity. The experimental results show that the proposed information metrics can effectively detect low-rate DDoS attacks and clearly reduce the false positive rate. Furthermore, the proposed IP traceback algorithm can find all attacks as well as attackers from their own local area networks (LANs) and discard attack packet

Theme: We propose two new and effective information metrics for low-rate DDoS attacks detection: generalized entropy and information distance metric. The experimental results show that these metrics work effectively and stably. They outperform the traditional Shannon entropy and Kullback–Leibler distance approaches, respectively, in detecting anomaly traffic. In particular, these metrics can improve (or match the various requirements of) the systems' detection sensitivity by effectively adjusting the value of the order of the generalized entropy and information distance metrics. As the proposed metrics can increase the information distance (gap) between attack traffic and legitimate traffic, they can effectively detect low-rate DDoS attacks early and reduce the false positive rate clearly. The proposed information distance metric overcomes the asymmetric property of both Kullback–Leibler and information divergences. Furthermore, the proposed IP traceback scheme based on information metrics can effectively trace all attacks until their own LANs (zombies). In conclusion, our proposed information metrics can substantially improve the performance of low-rate DDoS attacks detection and IP traceback over the traditional approaches.



Table 6: Entropy Based IEEE Papers

Title: Joint Entropy Analysis Model for DDoS Attack Detection

Author: Hamza Rahmani, Nabil Sahli, Farouk Kammoun, CRISTAL Lab., National School for Computer Sciences of Tunis, University campus Manouba, Manouba, Tunisia

Year: 2009

Abstract: Network traffic characterization with behaviour modelling could be a good indication of attack detection, which can be performed via abnormal behaviour identification. Moreover, it is hard to distinguish the difference of an unusual high volume of traffic which is caused by the attack or occurs when a huge number of users occasionally access the target machine at the same time. We observe that the time series of IP-flow number and aggregate traffic size are strongly statistically dependent. The occurrence of attack affects this dependence and causes a rupture in the time series of joint entropy values. Experiment results show that this method could lead to more accurate and effective DDoS detection. We propose a measurement method which focuses on quantifying the information expressed by the joint system of two random variables in a traffic-based network. By measuring the degree of coherence between the number of packets and the number of IP-flow, first obtained in regular traffic, then in traffics presenting a large variety of anomalies including mainly legitimate anomalies, we can differentiate traffic changes caused by flash crowd (FC) or by DoS attack. This method allows reducing significantly the false positive alarms. To study the network characteristics by generating the histogram of the size of IP-flow during a time interval T. Integrate the result in a statistical model measuring the joint density of probability between the number of IP-flow and the aggregate traffic size. Use joint entropy to quantify the degree of coherence and send an alarm when the joint entropy value exceeds a certain threshold.

Theme: In this paper, we have proposed a statistical approach for DDoS attacks detection. Our experiments were made on a real traffic flow issued from a "CAIDA data collection" collected in 2007. Our proposed approach is based on the evaluation of the degree of coherence between the received traffic volume and the number of connections per time interval, with the aim of thresholding calculated distances between a current observation window and a given reference. The main contribution of this paper is that our proposal model allows us to identify DDoS attacks regardless of the traffic volume size. A legitimate augmentation at large scale will not be detected through this method, which minimises false alarms. In addition, our proposal only needs to inspect a few fields for each packet. This makes it simpler and more practical for real-time implementation.



Table 7: Entropy Based IEEE Papers

Title: A Network Anomaly Detection Method Based on Relative Entropy Theory

Author: Ya-ling Zhang, Zhao-guo Han, Jiao-xia Ren, School of Computer Science and Engineering, Xi'an University of Technology, Xi'an, China

Year: 2009

Abstract: A new network anomaly detection method has been proposed in this paper. The main idea of the method is that network traffic is analyzed and estimated by using Relative Entropy Theory (RET), and a network anomaly detection model based on RET is designed as well. The numerical value of relative entropy is used to alleviate the inherent contradictions between improving detection rate and reducing false alarm rate, which is more precise and can effectively reduce the error of estimation. On the 1999 DARPA/Lincoln Laboratory IDS evaluation data set, the detection results showed that the method can reach a higher detection rate at the premise of low false alarm rate. These measures have three features: compose a full-probability event and cover all gathered information; be able to comprehensively reflect a variety of abnormal that cause the abnormal network traffic; does not contain sensitive information, such as IP address, port number or packet content information. Packet lengths are taken into account to calculate relative entropy and draw conclusions.

Theme: The RETAD sets up SVLNM by training on the normal network traffic. The network anomaly detection system based on RET is achieved by comparing SVLD with SVLNM. The test results show that the detection rate of RETAD is higher than EMERALD, PHAD, ALAD, NETAD and FAD. The RETAD has three advantages. Firstly, the algorithm computation is so easy that it can be used in the high speed network. Secondly, the method has a strong detection capability, especially for the detection of intermittent anomalies. In addition, the RETAD has a good adaptability. Based on RET, the packet length has been chosen as the measure to detect anomaly. Furthermore, the detection models using other measures need to be further studied.
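The metrics named in Table 5 (generalized entropy of adjustable order, a symmetric information distance as an alternative to the asymmetric Kullback–Leibler divergence) and in Table 7 (relative entropy of the packet-length distribution against a normal profile) rest on the same few formulas, so one added Python example written for this page covers both; it is not code from either paper. Assumptions: the packet-length samples are constructed, a tiny `EPS` is added to probabilities so a length absent from one sample does not produce a division by zero or an infinite divergence, and "information distance" is taken as the sum of the two directed order-alpha divergences (the page names the metric but does not give its formula).

```python
import math
from collections import Counter

# Constructed packet-length samples (bytes). "Normal" mixes ACK-sized,
# medium and full-MTU packets; "attack" is a flood of identical small
# packets; "low rate" hides 10 % attack packets inside normal traffic.
NORMAL_LENGTHS = [64, 576, 1500, 1500] * 25
ATTACK_LENGTHS = [64] * 100
LOW_RATE_LENGTHS = NORMAL_LENGTHS[:90] + [64] * 10
EPS = 1e-9  # smoothing for lengths absent from one of the two samples (assumption)


def distribution(values):
    """Empirical probability of each distinct value."""
    n = len(values)
    return {v: c / n for v, c in Counter(values).items()}


def renyi_entropy(p, alpha):
    """Generalised (Renyi) entropy of order alpha in bits; alpha = 1 is Shannon."""
    if alpha == 1:
        return -sum(x * math.log2(x) for x in p.values() if x > 0)
    return math.log2(sum(x ** alpha for x in p.values())) / (1 - alpha)


def kl_divergence(p, q):
    """Relative entropy D(p || q) in bits; note that it is not symmetric."""
    return sum(x * math.log2((x + EPS) / (q.get(k, 0.0) + EPS)) for k, x in p.items() if x > 0)


def renyi_divergence(p, q, alpha):
    """Directed divergence of order alpha; tends to D(p || q) as alpha -> 1."""
    keys = set(p) | set(q)
    s = sum((p.get(k, 0.0) + EPS) ** alpha * (q.get(k, 0.0) + EPS) ** (1 - alpha) for k in keys)
    return math.log2(s) / (alpha - 1)


def information_distance(p, q, alpha):
    """Symmetric distance (assumed form): sum of both directed divergences."""
    return renyi_divergence(p, q, alpha) + renyi_divergence(q, p, alpha)


if __name__ == "__main__":
    normal = distribution(NORMAL_LENGTHS)
    attack = distribution(ATTACK_LENGTHS)
    low = distribution(LOW_RATE_LENGTHS)
    for alpha in (1, 2, 5):
        print("order", alpha, "H(normal) =", round(renyi_entropy(normal, alpha), 4),
              "H(attack) =", round(renyi_entropy(attack, alpha), 4))
    print("KL(attack||normal) =", round(kl_divergence(attack, normal), 4))
    print("KL(normal||attack) =", round(kl_divergence(normal, attack), 4))
    print("distance(low, normal, 2) =", round(information_distance(low, normal, 2), 4))
    print("distance(attack, normal, 2) =", round(information_distance(attack, normal, 2), 4))
```

Raising the order makes the entropy weight the dominant symbol more heavily, which is the lever Table 5 describes for tuning sensitivity. The two KL values printed differ by orders of magnitude, which is the asymmetry the symmetric distance is meant to remove; the low-rate sample sits between the self-distance (zero) and the pure flood, so a threshold on the distance can be set below the flood value to catch it.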



Table 8: Entropy Based IEEE Papers

Title: An Approach on Detecting Network Attack Based on Entropy

Author: Zhiwen Wang, Qin Xia, Department of Computer Science and Technology, Xi'an Jiaotong University, Xi'an, China

Year: 2011

Abstract: In this paper we propose an approach on detecting network attack based on entropy from millions of alerts. Shannon entropy is developed firstly to analyze the distribution characteristics of alerts with five key attributes including source IP address, destination IP address, source threat, destination threat and datagram length. Then, the Renyi cross entropy is employed to fuse the Shannon entropy vector and detect the anomalies. The IDS used in our experiment is Snort, and the experimental results based on actual network data show that our approach can detect network attack quickly and accurately. In this paper, Snort is used to monitor the network and five statistical features of the Snort alert are selected: source IP address, destination IP address, source threat, destination threat and datagram length. The Shannon entropy is used to analyze the distribution characteristics of alerts that reflect the regularity of network status. When the monitored network runs in a normal way, the entropy values are relatively smooth. Otherwise, the entropy value of one or more features would change. The Renyi cross entropy of these features is calculated to measure the network status and detect network attacks. A time series is calculated based on Shannon entropy, which is used to calculate the Renyi entropy and compared with previous values, and an alarm is generated based on a threshold.

Theme: The test data set with more alerts is used to evaluate our method. There are 166,326 alerts in the test data. 9.83% of them are generated by 86 network attacks occurring within 430 seconds. We successfully detect all the attacks with 2 false detections. In this paper, we proposed a new network attack detection method based on entropy. Five features of IDS alerts are selected from tens of Snort alert attributes. The Shannon entropy is used to analyze the alerts to measure the regularity of the current network status. The Renyi cross entropy is employed to detect network attack. The Renyi cross entropy value is near 0 when the network runs normally, otherwise the value will change abruptly when an attack occurs. The experimental results under actual data show that the framework in our work can detect network attack quickly and accurately. In the next step, more alerts from different time segments will be collected to test our method and an attack classification method will be considered.



Table 9: Entropy Based IEEE Papers

Title: Detecting DDoS Attacks Using Conditional Entropy

Author: Yun Liu, Jieren Cheng, Jianping Yin, Boyun Zhang, School of Computer, National University of Defense Technology, Changsha, China

Year: 2010

Abstract: After analyzing the characteristics of DDoS attacks and the existing approaches to detect DDoS attacks, a novel detection method based on conditional entropy is proposed in this paper. First, a group of statistical features based on conditional entropy is defined, which is named Traffic Feature Conditional Entropy (TFCE), to depict the basic characteristics of DDoS attacks, such as high traffic volume and multiple-to-one relationships. Then, a trained support vector machine (SVM) classifier is applied to identify the DDoS attacks. We experiment with the MIT Data Set in order to evaluate our approach. The results show that the proposed method not only can distinguish between attack traffic and normal traffic accurately, but also is more robust to resist disturbance of background traffic compared with its counterparts. SrcIP, DestIP and DestPort are taken into account. Then the three conditional entropies H(sip|dip), H(sip|dport) and H(dip|dport) are used to characterize three kinds of multiple-to-one relation in DDoS attacks, namely the Traffic Feature Conditional Entropy (TFCE). These measure the diversity of sip to dip, sip to dport and dport to dip, or their uncertainty. After we include the SVM in the picture, we train it with the same set of factors and use it to detect real-time anomalies.

Theme: The results demonstrate that TFCE is more robust to the interference of background traffic. The reason lies in the fact that the corresponding relations between traffic features are considered here. TFCE computes the relative distribution between traffic features and includes the information of joint probabilities of traffic features, so it has a stronger ability to uncover the difference between attack traffic and normal traffic.
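The three TFCE features above are conditional entropies, each computable from the joint and marginal entropies of a pair of flow attributes (H(X|Y) = H(X,Y) - H(Y)). The Python below is an added example written for this page, not the paper's code. It assumes constructed flow records with made-up addresses, and it replaces the paper's trained SVM with a plain threshold on the feature vector so that the example runs without a learning library; the threshold value is a choice made here, not one from the paper.

```python
import math
from collections import Counter

# Constructed flow records (src_ip, dst_ip, dst_port); addresses are made up.
# Normal: clients spread over two servers/services. Attack: eight sources
# hammering one server on one port (the multiple-to-one relation).
NORMAL_FLOWS = [("s1", "d1", 80), ("s2", "d1", 80), ("s3", "d2", 443), ("s4", "d2", 443)]
ATTACK_FLOWS = [("s%d" % i, "d1", 80) for i in range(1, 9)]


def shannon_entropy(values):
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def conditional_entropy(pairs):
    """H(X | Y) = H(X, Y) - H(Y) for a list of (x, y) pairs."""
    return shannon_entropy(pairs) - shannon_entropy([y for _, y in pairs])


def tfce(flows):
    """Traffic Feature Conditional Entropy vector, in bits:
    (H(sip|dip), H(sip|dport), H(dip|dport))."""
    return (
        conditional_entropy([(sip, dip) for sip, dip, _ in flows]),
        conditional_entropy([(sip, dport) for sip, _, dport in flows]),
        conditional_entropy([(dip, dport) for _, dip, dport in flows]),
    )


def is_ddos(flows, threshold=2.0):
    """Stand-in for the paper's trained SVM (assumption made here): flag when
    the source diversity behind a single destination host or port exceeds
    `threshold` bits, i.e. many distinct sources converge on one target."""
    h_sip_dip, h_sip_dport, _ = tfce(flows)
    return max(h_sip_dip, h_sip_dport) > threshold


if __name__ == "__main__":
    print("normal TFCE:", tuple(round(h, 3) for h in tfce(NORMAL_FLOWS)), is_ddos(NORMAL_FLOWS))
    print("attack TFCE:", tuple(round(h, 3) for h in tfce(ATTACK_FLOWS)), is_ddos(ATTACK_FLOWS))
```

In the normal sample each destination sees two sources, so H(sip|dip) is 1 bit; in the attack sample eight sources converge on one destination and H(sip|dip) rises to 3 bits, while H(dip|dport) stays at 0 in both cases because each port maps to one host. Those vectors are the kind of input the paper feeds to its SVM.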



Table 10: Entropy Based IEEE Papers

Title: A New Relative Entropy Based App-DDoS Detection Method

Author: Jin Wang, Xiaolong Yang, Keping Long, Research Center for Optical Internet Mobile Information Network, University of Electronic Science Technology of China, Chengdu Sichuan 610056, China; Network Center of Chengdu University, Chengdu Sichuan 610106, China

Year: 2010

Abstract: Distributed Denial of Service (abbreviated DDoS) attack is a serious problem to the network services. This paper analyzed some solutions to the application layer DDoS (abbreviated app-DDoS) attack, and proposed a relative entropy based app-DDoS detection method. Our scheme includes two stages: learning stage and detection stage. Firstly, at the learning stage, it extracts main click features of web objects with the cluster methods. Then, at the detection stage, it computes the relative entropy for each session according to the learning result. The greater the session's relative entropy, the more suspicious the session is. At last, simulation results suggest that this method can differentiate the attack session with high detection rate and low false alarm.

Theme: This paper analyzes the application layer DDoS and proposes a new relative entropy based app-DDoS detection method. We validate our method by simulation, and the results suggest that our method can be used to detect app-DDoS attacks. This paper validates the usefulness of the relative entropy based app-DDoS detection method. Our future work will focus on how to handle false detection.



Table 11: Entropy Based IEEE Papers

Title: Entropy-based Input-Output Traffic Mode Detection Scheme for DoS/DDoS Attacks

Author: Suratose Tritilanunt, Suphannee Sivakorn, Choochern Juengjincharoen, Ausanee Siripornpisan, Computer Engineering Department, Faculty of Engineering, Mahidol University, Thailand, 25/25, Salaya, Phuttamonthol, Nakornpathom, Thailand, 73170

Year: 2010

Abstract: The most common type of DoS attack occurs when adversaries flood a large amount of bogus data to interfere or disrupt the service on the server. By using a volume-based scheme (packet rate, bandwidth, packet size) to detect such attacks, this technique would not be able to inspect short-term denial-of-service attacks, as well as cannot distinguish between heavy load from legitimate users and huge numbers of bogus messages from attackers. As a result, this paper provides a detection mechanism based on a technique of entropy-based input-output traffic mode detection scheme. The experimental results demonstrate that our approach is able to detect several kinds of denial-of-service attacks, even small spikes of such attacks. This paper uses entropy of packet size to detect attacks.

Theme: In summary, an entropy-based technique provides more accurate denial-of-service detection than a volume-based technique. Moreover, the detecting time to discover both long-term and short-term denial-of-service attacks in our scheme is another key strength over a feature-based detection approach. These two major advantages are supported by the experimental results as demonstrated in this section. Short term and long term attacks are detected.



Table 12: Entropy Based IEEE Papers

Title: Entropy Based SYN Flooding Detection

Author: Laleh Arshadi, Amir Hossein Jahangir, Computer Engineering Department, Sharif University of Iran, Tehran, Iran

Year: 2011

Abstract: In this paper we present a novel approach for detecting SYN flooding attacks by investigating the entropy of SYN packet inter-arrival times as a measure of randomness. We argue that normal SYN packets are almost independent, leading to higher values of entropy, while SYN flooding attacks consist of a high volume of related SYN packets and so the entropy of their inter-arrival times would be less than normal. We apply this entropy-based method on different data sets of network traffic both in off-line and real-time modes. In this paper we examine the changes in the entropy of inter-arrival times of TCP SYN packets to detect SYN flooding attacks. Our experiments are based upon this argument that normal SYN packets are almost independent, leading to higher values of entropy, while SYN flooding attacks consist of many related SYN packets sent from either the same origin to various destinations or from multiple sources to a single destination, and consequently the entropy of their inter-arrival times would be less than normal.

Theme: The point is that as the arrival rate decreases the packets become less dependent and the entropy increases as a result, whereas an increase in the arrival rate results in more dependency between the packets and consequently a decrease in the entropy. There are two major challenges faced by the anomaly detection techniques. First is the problem of defining a general rule for the distinction of normal and anomalous traffic, and the second is the high volume of the processing data. We see that our entropy based detection technique can easily overcome both challenges by investigating the randomness of TCP SYN packets' inter-arrival times, while deriving the SYN packets, extracting their inter-arrival times and computing the entropy is not computationally intensive and can easily be performed in real-time. As for future work it may be useful to observe the entropy of other flow inter-arrival times, e.g. TCP-SYN-ACK, TCP-ACK, TCP-RST, UDP or ICMP packets. In case the entropy changes as an anomaly occurs, it would be possible to identify the anomalous portions of the traffic in the same way we detect the SYN flooding attacks.
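The three steps the paper lists (derive the SYN packets, extract their inter-arrival times, compute the entropy) are short enough to show as one added Python example written for this page; it is not the authors' code. Assumptions made here: the packet records are constructed (timestamp and TCP flag string), only pure SYN packets count and SYN/ACK replies are filtered out, inter-arrival times are quantised into 100 ms bins before the entropy is taken (the page does not say how the authors discretise the continuous gaps), and the alert margin of 1 bit below a baseline learned from normal traffic is a chosen value.

```python
import math
from collections import Counter

# Constructed packet records (timestamp_seconds, tcp_flags). Only SYN-only
# packets ("S") count; the SYN/ACK replies ("SA") are filtered out.
# Normal: irregular client arrivals. Flood: a SYN every 10 ms.
NORMAL_PACKETS = [(0.0, "S"), (0.05, "SA"), (0.12, "S"), (0.47, "S"), (0.55, "S"), (1.06, "S"),
                  (1.10, "SA"), (1.33, "S"), (1.52, "S"), (1.96, "S"), (1.99, "S")]
FLOOD_PACKETS = [(i * 0.01, "S") for i in range(9)]


def syn_inter_arrivals(packets):
    """Gaps (seconds) between consecutive TCP SYN packets, replies excluded."""
    times = [t for t, flags in packets if flags == "S"]
    return [b - a for a, b in zip(times, times[1:])]


def inter_arrival_entropy(packets, bin_width=0.1):
    """Shannon entropy (bits) of the SYN inter-arrival times after quantising
    them into bins of `bin_width` seconds (the quantisation is an assumption)."""
    gaps = syn_inter_arrivals(packets)
    bins = [math.floor(g / bin_width) for g in gaps]
    n = len(bins)
    return -sum(c / n * math.log2(c / n) for c in Counter(bins).values())


def is_syn_flood(packets, baseline_entropy, margin=1.0):
    """Flag when the entropy falls more than `margin` bits below the baseline
    learned from normal traffic (the margin is a chosen value)."""
    return inter_arrival_entropy(packets) < baseline_entropy - margin


if __name__ == "__main__":
    baseline = inter_arrival_entropy(NORMAL_PACKETS)
    print("normal gaps:", [round(g, 2) for g in syn_inter_arrivals(NORMAL_PACKETS)])
    print("normal entropy:", round(baseline, 3), "flood?", is_syn_flood(NORMAL_PACKETS, baseline))
    print("flood entropy:", round(inter_arrival_entropy(FLOOD_PACKETS), 3),
          "flood?", is_syn_flood(FLOOD_PACKETS, baseline))
```

The irregular arrivals spread over six bins and give 2.5 bits; the metronomic flood lands every gap in the same bin and gives 0 bits, which is the collapse in randomness the paper relies on. The bin width sets the sensitivity: too coarse a bin and legitimate bursts also look regular, too fine and measurement jitter inflates the entropy of a flood.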
