
Mutual Information Applied to Anomaly Detection  

Kopylova, Yuliya (University of South Carolina)
Buell, Duncan A. (University of South Carolina)
Huang, Chin-Tser (University of South Carolina)
Janies, Jeff (University of South Carolina)
Abstract
Anomaly detection systems play a significant role in protection mechanisms against attacks launched on a network. The greatest challenge in designing systems that detect anomalous exploits is defining what to measure. Effective yet simple, Shannon entropy metrics have been used successfully to detect specific types of malicious traffic in a number of commercially available IDSs. We believe that Renyi entropy measures can also adequately describe the characteristics of a network as a whole and detect abnormal traces in the observed traffic. In addition, Renyi entropy metrics might boost the sensitivity of the methods when disambiguating certain anomalous patterns. In this paper we describe our efforts to understand how Renyi mutual information can be applied to anomaly detection as an offline computation. An initial analysis has been performed to determine how well fast-spreading worms (Slammer, Code Red, and Welchia) can be detected using our technique. We use both synthetic and real data audits to illustrate the potential of our method and provide a tentative explanation of the results.
Keywords
Fast spreading worms; network anomaly detection; Renyi mutual information
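The abstract describes Renyi mutual information as an offline metric computed over observed traffic, without spelling out the formulas or the header fields it is computed on. The following is an added example, not code from the paper or its authors. It assumes the Renyi entropy of order alpha in its standard form, H_alpha = log2(sum p_i^alpha) / (1 - alpha), with alpha = 1 taken as the Shannon limit, and it assumes one common Renyi generalization of mutual information, I_alpha(X;Y) = H_alpha(X) + H_alpha(Y) - H_alpha(X,Y); the paper may use a different one. The traffic windows, the choice of (source address, destination address) as the feature pair, and the flagging threshold are all constructed for illustration. In the constructed data, four clients talk to four servers in a way that makes the two fields independent (I_alpha = 0 for every alpha), and a single host that contacts sixteen fresh addresses once each raises I_alpha because every scanned address maps back to that one source; the gap is larger for alpha below 1 than for the Shannon case, which is the kind of sensitivity difference between orders the abstract alludes to.

```python
"""Renyi entropy and Renyi mutual information over (src, dst) pairs from traffic windows.

Added example; not the paper's code. The mutual information definition
(marginal Renyi entropies minus the joint Renyi entropy) is an assumption.
"""
from collections import Counter
from math import log2
from typing import Dict, Hashable, Iterable, List, Sequence, Tuple

Pair = Tuple[Hashable, Hashable]


def renyi_entropy(counts: Iterable[int], alpha: float) -> float:
    """Renyi entropy of order alpha, in bits, of the empirical distribution given by counts.

    alpha == 1 returns Shannon entropy (the limit of the Renyi family); alpha must be > 0.
    """
    if alpha <= 0:
        raise ValueError("alpha must be positive")
    counts = [c for c in counts if c > 0]
    total = sum(counts)
    if total == 0:
        return 0.0
    probs = [c / total for c in counts]
    if alpha == 1.0:
        return -sum(p * log2(p) for p in probs)
    return log2(sum(p ** alpha for p in probs)) / (1.0 - alpha)


def renyi_mutual_information(pairs: Iterable[Pair], alpha: float) -> Dict[str, float]:
    """Return H_alpha(X), H_alpha(Y), H_alpha(X,Y) and I_alpha = H_X + H_Y - H_XY for one window.

    The joint distribution is the empirical distribution of the (x, y) pairs themselves,
    so no binning or model fitting is involved: this is a purely offline count.
    """
    pairs = list(pairs)
    h_x = renyi_entropy(Counter(x for x, _ in pairs).values(), alpha)
    h_y = renyi_entropy(Counter(y for _, y in pairs).values(), alpha)
    h_xy = renyi_entropy(Counter(pairs).values(), alpha)
    return {"H_X": h_x, "H_Y": h_y, "H_XY": h_xy, "I": h_x + h_y - h_xy}


def flag_windows(windows: Sequence[Sequence[Pair]], alpha: float,
                 baseline_mi: float, delta: float) -> List[int]:
    """Indices of windows whose I_alpha(src; dst) departs from the baseline by more than delta."""
    return [i for i, w in enumerate(windows)
            if abs(renyi_mutual_information(w, alpha)["I"] - baseline_mi) > delta]


# Constructed sample traffic (not real captures). Addresses are private / TEST-NET ranges.
CLIENTS = [f"10.0.0.{i}" for i in range(1, 5)]
SERVERS = [f"10.0.1.{i}" for i in range(1, 5)]
# Every client contacts every server once: src and dst are independent, so I_alpha is 0.
BASELINE_WINDOW: List[Pair] = [(c, s) for c in CLIENTS for s in SERVERS]
# The same background traffic plus one host touching sixteen distinct addresses once each,
# a constructed stand-in for the many-destinations pattern of a scanning worm.
WORM_HOST = "10.0.0.99"
SCAN_TARGETS = [f"192.0.2.{i}" for i in range(1, 17)]
WORM_WINDOW: List[Pair] = BASELINE_WINDOW + [(WORM_HOST, t) for t in SCAN_TARGETS]

if __name__ == "__main__":
    for alpha in (0.5, 1.0, 2.0):
        base = renyi_mutual_information(BASELINE_WINDOW, alpha)
        worm = renyi_mutual_information(WORM_WINDOW, alpha)
        print(f"alpha={alpha}: baseline I={base['I']:.3f}  worm window I={worm['I']:.3f}  "
              f"H_dst baseline={base['H_Y']:.3f} worm={worm['H_Y']:.3f}")
    # The baseline window is its own reference here; in practice a clean training period would be.
    print("flagged windows:",
          flag_windows([BASELINE_WINDOW, WORM_WINDOW, BASELINE_WINDOW], 1.0, 0.0, 0.5))
```

Two properties worth knowing when reading the output: for independent fields the joint Renyi entropy is additive at every order, so I_alpha is exactly zero regardless of alpha, and Renyi entropy is non-increasing in alpha, so the lower orders weight rare (here, once-seen) destinations more heavily than Shannon entropy does. The threshold in `flag_windows` is a fixed offset from a single baseline value purely for demonstration; a deployment would estimate the baseline and its spread from many clean windows.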
Citations & Related Records

Times Cited By Web Of Science : 0
Times Cited By SCOPUS : 0
References
1 D. A. Buell, 'Calibrating entropy functions applied to computer networks,' in Proc. the Third International Workshop on Mathematical Methods, Models, and Architectures for Computer Network Security, St. Petersburg, Russia, 2005
2 A. Golan and J. Perloff, 'Comparison of maximum entropy and higher-order entropy estimators,' Journal of Econometrics, vol. 107, no. 1, pp. 195-211, 2002
3 V. Gudkov and S. Nussinov, 'Graph equivalence and characterization via a continuous evolution of a physical analog,' eprint arXiv:cond-mat/0209112, 2002
4 M. Liljenstam, D. Nicol, V. Berk, and R. Gray, 'Simulating realistic network worm traffic for worm warning system design and testing,' in Proc. 2003 ACM Workshop on Rapid Malcode (WORM'03), Washington DC, USA, Oct. 2003
5 G. Helmer, J. Wong, V. Honavar, and L. Miller, 'Automated discovery of concise predictive rules for intrusion detection,' Technical Report 99-01, Iowa State Univ., Ames, USA, 2000
6 I. Kojadinovic, 'On the use of mutual information in data analysis: An overview,' in Proc. International Symposium on Applied Stochastic Models and Data Analysis, Brest, France, May 2005
7 W. Lee and D. Xiang, 'Information-theoretic measures for anomaly detection,' in Proc. 2001 IEEE Symp. Security and Privacy, Oakland, CA, 2001, pp. 130-143
8 H. Mannila, H. Toivonen, and A. Verkamo, 'Discovery of frequent episodes in event sequences,' Data Mining and Knowledge Discovery, Netherlands, vol. 1, pp. 259-289, 1997
9 T. Brugger, 'Data mining methods for network intrusion detection,' Ph.D. Dissertation, University of California, Davis, USA, June 2004
10 J. Kurose and K. Ross, Computer Networking: A Top-Down Approach Featuring the Internet, 3rd Ed., Pearson Education, Inc., 2005
11 V. Gudkov, S. Nussinov, and Z. Nussinov, 'A novel approach applied to the largest clique problem,' eprint arXiv:cond-mat/0209419, 2002
12 K. Zyczkowski, 'Rényi extrapolation of Shannon entropy,' Open Syst. Inf. Dyn., Netherlands, vol. 10, pp. 297-310, 2003
13 J. Allen, A. Christie, W. Fithen, J. McHugh, J. Pickel, and E. Stoner, 'State of the practice of intrusion detection technologies,' Technical Report CMU/SEI-99-TR-028, Software Engineering Institute, Carnegie Mellon, USA, 2000
14 S. Axelsson, 'A preliminary attempt to apply detection and estimation theory to intrusion detection,' Technical Report 00-4, Chalmers Univ. of Technology, Goteborg, Sweden, 2000
15 W. Lee, 'A data mining framework for constructing features and models for intrusion detection systems,' Ph.D. Thesis, Columbia Univ., New York, USA, 1999