An Anomalous Event Detection System based on Information Theory

Entropy-Based Anomalous Event Detection System (Korean title)

  • 한찬규 (Department of Mobile Phone Engineering, Sungkyunkwan University)
  • 최형기 (School of Information and Communication Engineering, Sungkyunkwan University)
  • Published : 2009.06.15

Abstract

We present a real-time monitoring system that detects anomalous network events using entropy. Entropy accounts for the degree of disorder in a system: when an abnormal factor arises and agitates the current system, the entropy must show an abrupt change. In this paper we deliberately model the Internet as two networks in order to measure the entropy; the packets flowing between these two networks are what sustain, or disturb, the current value. The proposed system keeps track of the entropy over time to pinpoint sudden changes in its value, and the time-series entropy data are transformed into two-dimensional domains to help visually inspect activity on the network. We examine the system using network traffic traces containing notorious worms and DoS attacks on a testbed. Furthermore, we compare our proposed system with time-series forecasting methods such as EWMA and Holt-Winters, and with PCA, in terms of sensitivity. The results suggest that our approach is able to detect anomalies with fairly high accuracy. Our contributions are twofold: (1) highly sensitive detection of anomalies and (2) visualization of network activities to alert on anomalies.

In this paper we propose an entropy-based anomalous event detection system. Entropy is a measure of the degree of disorder in a system; when an anomalous event appears, the entropy of the network surges. We classify the network by IP address and port number, observe the dynamics packet by packet, and measure the entropy of each. Because the packet exchange process during network attacks such as distributed denial-of-service attacks, worms and scanning differs from that of normal operation, entropy lets us detect anomalies with a higher detection rate than existing techniques. We validate the proposed method on a collected data set containing multiple worms and denial-of-service attacks. We also compare it, in terms of accuracy, with time-series forecasting techniques such as exponential smoothing and Holt-Winters, and with an anomaly detection technique based on principal component analysis. The proposed method can lower the false-positive rate in detecting anomalies such as worms and denial-of-service attacks.
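As an added illustration (not code from the paper), the window-by-window entropy tracking the abstract describes, run over a constructed packet trace: per-window Shannon entropy of the source IP, destination IP and destination port distributions, with abrupt departures from an EWMA baseline flagged as alerts. The 10-second window, the EWMA weight and the 0.5-bit threshold are assumptions, and all addresses are constructed.

```python
import math
from collections import Counter

# Constructed packet records: (timestamp_sec, src_ip, dst_ip, dst_port).
# Windows 0-2 hold routine web traffic from four clients; window 3 adds one
# host probing 40 ports of a single server, the kind of scanning burst the
# paper describes as disturbing the address/port distributions.
CLIENTS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
PACKETS = [
    (w * 10 + i, src, "10.0.0.1", port)
    for w in range(4)
    for i, src in enumerate(CLIENTS)
    for port in (80, 443)
]
PACKETS += [(35, "203.0.113.9", "10.0.0.1", p) for p in range(1, 41)]


def shannon_entropy(counts):
    """Shannon entropy in bits of an empirical distribution given as a Counter."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)


def window_entropies(packets, window=10):
    """Per fixed-size time window, entropy of src IP, dst IP and dst port."""
    buckets = {}
    for ts, src, dst, dport in packets:
        feats = buckets.setdefault(
            int(ts // window),
            {"src_ip": Counter(), "dst_ip": Counter(), "dst_port": Counter()})
        feats["src_ip"][src] += 1
        feats["dst_ip"][dst] += 1
        feats["dst_port"][dport] += 1
    return {w: {k: shannon_entropy(c) for k, c in feats.items()}
            for w, feats in sorted(buckets.items())}


def detect_abrupt_changes(entropies, feature, alpha=0.3, threshold=0.5):
    """Flag windows whose entropy for `feature` departs from an EWMA baseline
    by more than `threshold` bits; flagged windows do not update the baseline."""
    baseline, alerts = None, []
    for w in sorted(entropies):
        h = entropies[w][feature]
        if baseline is None:
            baseline = h
        elif abs(h - baseline) > threshold:
            alerts.append(w)
        else:
            baseline = alpha * h + (1 - alpha) * baseline
    return alerts
```

With this trace the destination-port entropy climbs from 1 bit to over 5 bits and the source-IP entropy collapses from 2 bits to below 1 bit in window 3, so both features alert there while destination-IP entropy stays flat.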
