Journal of Communications and Networks

The Korean Institute of Commucations and Information Sciences (한국통신학회)
권호 표지

Mutual Information Applied to Anomaly Detection

  • Published : 2008.03.31
Download PDF
⟨ Previous Next ⟩

Abstract

Anomaly detection systems playa significant role in protection mechanism against attacks launched on a network. The greatest challenge in designing systems detecting anomalous exploits is defining what to measure. Effective yet simple, Shannon entropy metrics have been successfully used to detect specific types of malicious traffic in a number of commercially available IDS's. We believe that Renyi entropy measures can also adequately describe the characteristics of a network as a whole as well as detect abnormal traces in the observed traffic. In addition, Renyi entropy metrics might boost sensitivity of the methods when disambiguating certain anomalous patterns. In this paper we describe our efforts to understand how Renyi mutual information can be applied to anomaly detection as an offline computation. An initial analysis has been performed to determine how well fast spreading worms (Slammer, Code Red, and Welchia) can be detected using our technique. We use both synthetic and real data audits to illustrate the potentials of our method and provide a tentative explanation of the results.

Keywords

References

  1. J. Allen, A. Christie, W. Fithen, J. McHugh, J. Pickel, and E. Stoner, 'State of the practice of intrusion detection technologies,' Technical Report CMU/SEI-99-TR-028, Software Engineering Institute, Carnegie Mellon, USA, 2000
  2. S. Axelsson, 'A preliminary attempt to apply detection and estimation theory to intrusion detection,' Technical Report 00-4, Chalmers Univ. of Technology, Goteborg, Sweden, 2000
  3. T. Brugger, 'Data mining methods for network intrusion detection,' Ph.D. Dissertation, University of California, Davis, USA, June 2004
  4. D. A. Buell, 'Calibrating entropy functions applied to computer networks,' in Proc. the Third International Workshop on Mathematical Methods, Models, and Architectures for Computer Network Security, St. Petersburg, Russia, 2005
  5. A. Golan and J. Perloff, 'Comparison of maximum entropy and higherorder entropy estimator,' Journal of Econometrics, vol. 107, no. 1, pp. 195-211, 2002 https://doi.org/10.1016/S0304-4076(01)00120-8
  6. V. Gudkov and S. Nussinov, 'Graph equivalence and characterization via a continuous evolution of a physical analog,' eprint arXiv:condmat/ 0209112, 2002
  7. V. Gudkov, S. Nussinov and Z. Nussinov, 'A novel approach applied to the largest clique problem,' eprint arXiv:cond-mat/0209419, 2002
  8. G. Helmer, J. Wong, V. Honavar, and L. Miller, 'Automated discovery of concise predictive rules for intrusion detection,' Technical Report 99-01, Iowa State Univ., Ames, USA, 2000
  9. I. Kojadinovic, 'On the use of mutual information in data analysis: An overview,' in Proc. Conference International Symposium on Applied Stochastic Models and Data Analysis, Brest, France, May 2005
  10. J. Kurose and K. Ross, Computer Networking: A Top-Down Approach Featuring the Internet, 3rd Ed. PearsonEducation, Inc., 2005
  11. W. Lee, 'A data mining framework for constructing features and models for intrusion detection systems, ' Ph.D. Thesis, Columbia Univ., New York, USA, 1999
  12. W. Lee and D. Xiang, 'Information-theoretic measures for anomaly detection,' in Proc. 2001 IEEE Symp. Security and Privacy, Oakland, CA, 2001, pp. 130-143
  13. M. Liljenstam, D. Nicol, V. Berk, and R. Gray, 'Simulating realistic network worm traffic for worm warning system design and testing,' in Proc. 2003 ACM workshop on Rapid Malcode (WORM'03), Washington DC, USA, Oct. 2003
  14. H.Manilla, H. Toivonen and A. Verkamo, 'Discovery of frequent episodes in event sequences,' Data Mining and Knowledge Discovery., Netherlands, vol. 1, pp. 259-289, 1997
  15. K. Zyczkowski, 'Rényi Extrapolation of Shannon Entropy,' Open Syst. Inf. Dyn., Netherlands, vol. 10, pp. 297-310, 2003 https://doi.org/10.1023/A:1025128024427