A Flow-Based Entropy Characterization of a NATed Network and Its Application on Intrusion Detection

Authors: J. Crichigno, E. Kfoury, E. Bou-Harb, N. Ghani, Y. Prieto

DOI: 10.1109/ICC.2019.8761747

Keywords: Network address translation; Entropy (order and disorder); Entropy (information theory); Port (computer networking); Intrusion detection system; Tuple; Campus network; Computer science; Entropy (classical thermodynamics); Entropy (energy dispersal); Topology; Entropy (arrow of time); Uniform distribution (continuous); Entropy (statistical thermodynamics); NAT

Abstract: This paper presents a flow-based entropy characterization of a small/medium-sized campus network that uses network address translation (NAT). Although most networks follow this configuration, their entropy behavior has not been previously studied. Measurements from a production network show that the entropies of flow elements (external IP address, external port, port) and of tuples have particular characteristics. Findings include: i) entropy may vary widely over the course of a day. For example, on a typical weekday, the port entropy ranges from below 0.2 to above 0.8 (on a normalized scale of 0–1). A similar observation applies to the address; ii) building granular entropy profiles of individual elements can help detect anomalies. The data shows that certain attacks produce entropy values that deviate from the expected patterns; iii) the entropy of the 3-tuple {external IP, port} is highly consistent over time, resembling that of a uniformly distributed random variable. Deviation from this pattern is an encouraging anomaly indicator; iv) strong negative and positive correlations exist between some time-series elements.
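As an added illustration of the measurement described in the abstract (this is example code, not the authors' implementation or data), the following computes the normalized entropy of each flow element and of the full tuple over one time window of constructed NAT flow records, then flags elements whose entropy moves away from a baseline window. The normalization by log2(number of records) and the 0.3 deviation threshold are assumptions for the example; the paper's exact choices are not given on this page.

```python
import math
from collections import Counter

# Constructed sample flow records, not data from the paper. Each record is
# (external IP, external port, internal port) as seen at the NAT boundary.
# IPs are taken from the RFC 5737 documentation ranges.
FLOWS_NORMAL = [
    ("203.0.113.10", 443, 40001), ("203.0.113.10", 443, 40002),
    ("203.0.113.20", 80, 40003),  ("203.0.113.20", 443, 40004),
    ("198.51.100.5", 443, 40005), ("198.51.100.5", 53, 40006),
    ("198.51.100.9", 80, 40007),  ("198.51.100.9", 443, 40008),
]
# Constructed window in which a single external host accounts for every flow
# while touching many ports: the external IP element collapses to one value
# and the external port element spreads out, which is the kind of deviation
# from the expected pattern the abstract describes.
FLOWS_ANOMALOUS = [("192.0.2.77", port, 40010 + i)
                   for i, port in enumerate(range(20, 28))]

# Element name -> extractor from a record (the last entry is the whole tuple).
ELEMENTS = {
    "ext_ip": lambda r: r[0],
    "ext_port": lambda r: r[1],
    "int_port": lambda r: r[2],
    "tuple": lambda r: r,
}

def normalized_entropy(values):
    """Shannon entropy of the observed value distribution, scaled to 0..1.
    Assumption: divide by log2(number of records), so 1.0 means every record
    carried a distinct value (uniform), and 0.0 means a single value."""
    values = list(values)
    n = len(values)
    if n <= 1:                      # empty or one-record window: no spread
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in Counter(values).values())
    return h / math.log2(n)

def window_entropies(flows):
    """Normalized entropy of every element for one time window of flows."""
    return {name: normalized_entropy(f(r) for r in flows)
            for name, f in ELEMENTS.items()}

def deviating_elements(flows, baseline, threshold=0.3):
    """Elements whose entropy moved more than `threshold` from the baseline
    window's entropy (illustrative threshold, not the paper's)."""
    current = window_entropies(flows)
    return {name for name, h in current.items()
            if abs(h - baseline[name]) > threshold}

if __name__ == "__main__":
    baseline = window_entropies(FLOWS_NORMAL)
    print("baseline:", baseline)
    print("deviating:", deviating_elements(FLOWS_ANOMALOUS, baseline))
```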
