Thanks to its ability to face unknown attacks, anomaly-based intrusion detection is a key research topic in network security. In this paper anomalies are addressed from an Information theory perspective: in a nutshell, it is assumed that attacks determine a significant change in the distribution of relevant traffic descriptors and this change is measured in terms of Shannon entropy. In more detail, the traffic is first aggregated by means of random data structures (namely three-dimensional reversible sketches) and then the entropy associated to different traffic descriptors (for sake of brevity, we focus on the numbers of flows and bytes) is computed by using two alternative constructions of the corresponding empirical distributions, one based on the flows destination address and the other on their volume. The experimental results obtained over the MAWILab dataset validate the system and demonstrate the relevance of the way in which the histogram is built.
|Titolo:||Impact of histogram construction techniques on information - Theoretic anomaly detection|
|Anno del prodotto:||2017|
|Appare nelle tipologie:||4.1 Contributo in Atti di convegno|