Title
An architecture for network traffic anomaly detection system based on entropy analysis: doctoral dissertation
Creator
Ibrahim, Juma, 1965-
CONOR:
103209481
Copyright date
2022
Object Links
Select license
Bez licence - direktna primena zakona
License description
Ako ne izaberete neku od licenci, vaše zaštićeno delo može biti korišćeno samo u okviru opštih ograničenja autorskih prava. Na taj način ne dozvoljavate komercijalno ni nekomercijalno korišćenje, naročito reprodukciju, distribuciju, emitovanje, dostupnost i obradu dela. Izbor Creative Commons (CC) licence promoviše diseminaciju vašeg dela. Za više informacija: http://creativecommons.org.rs/licence
Language
English
Cobiss-ID
Theses Type
Doktorska disertacija
description
Datum odbrane: 15.12.2022.
Other responsibilities
Academic Expertise
Tehničko-tehnološke nauke
University
Univerzitet u Beogradu
Faculty
Elektrotehnički fakultet
Alternative title
Arhitektura sistema za prepoznavanje nepravilnosti u mrežnom saobraćaju zasnovano na analizi entropije
Publisher
[J. Ibrahim]
Format
83 str.
description
Electrical and Computer Engineering - Computer Engineering and Informatics
Abstract (en)
With the steady increase in reliance on computer networks in all aspects of life, computers and
other connected devices have become more vulnerable to attacks, which exposes them to many major
threats, especially in recent years. There are different systems to protect networks from these threats such
as firewalls, antivirus programs, and data encryption, but it is still hard to provide complete protection
for networks and their systems from the attacks, which are increasingly sophisticated with time. That is
why it is required to use intrusion detection systems (IDS) on a large scale to be the second line of defense
for computer and network systems along with other network security techniques. The main objective of
intrusion detection systems is used to monitor network traffic and detect internal and external attacks.
Intrusion detection systems represent an important focus of studies today, because most
protection systems, no matter how good they are, can fail due to the emergence of new
(unknown/predefined) types of intrusions. Most of the existing techniques detect network intrusions by
collecting information about known types of attacks, so-called signature-based IDS, using them to
recognize any attempt of attack on data or resources. The major problem of this approach is its inability
to detect previously unknown attacks, even if these attacks are derived slightly from the known ones (the
so-called zero-day attack). Also, it is powerless to detect encryption-related attacks. On the other hand,
detecting abnormalities concerning conventional behavior (anomaly-based IDS) exceeds the
abovementioned limitations. Many scientific studies have tended to build modern and smart systems to
detect both known and unknown intrusions. In this research, an architecture that applies a new technique
for IDS using an anomaly-based detection method based on entropy is introduced.
Network behavior analysis relies on the profiling of legitimate network behavior in order to
efficiently detect anomalous traffic deviations that indicate security threats. Entropy-based detection
techniques are attractive due to their simplicity and applicability in real-time network traffic, with no
need to train the system with labelled data. Besides the fact that the NetFlow protocol provides only a
basic set of information about network communications, it is very beneficial for identifying zero-day
attacks and suspicious behavior in traffic structure. Nevertheless, the challenge associated with limited
NetFlow information combined with the simplicity of the entropy-based approach is providing an
efficient and sensitive mechanism to detect a wide range of anomalies, including those of small intensity.
However, a recent study found of generic entropy-based anomaly detection reports its
vulnerability to deceit by introducing spoofed data to mask the abnormality. Furthermore, the majority
of approaches for further classification of anomalies rely on machine learning, which brings additional
complexity.
Previously highlighted shortcomings and limitations of these approaches open up a space for the
exploration of new techniques and methodologies for the detection of anomalies in network traffic in
order to isolate security threats, which will be the main subject of the research in this thesis.
Abstract
An architrvture for network traffic anomaly detection system based on entropy analysis
Page vii
This research addresses all these issues by providing a systematic methodology with the main
novelty in anomaly detection and classification based on the entropy of flow count and behavior features
extracted from the basic data obtained by the NetFlow protocol.
Two new approaches are proposed to solve these concerns. Firstly, an effective protection
mechanism against entropy deception derived from the study of changes in several entropy types, such
as Shannon, Rényi, and Tsallis entropies, as well as the measurement of the number of distinct elements
in a feature distribution as a new detection metric. The suggested method improves the reliability of
entropy approaches.
Secondly, an anomaly classification technique was introduced to the existing entropy-based
anomaly detection system. Entropy-based anomaly classification methods were presented and effectively
confirmed by tests based on a multivariate analysis of the entropy changes of several features as well as
aggregation by complicated feature combinations.
Through an analysis of the most prominent security attacks, generalized network traffic behavior
models were developed to describe various communication patterns. Based on a multivariate analysis of
the entropy changes by anomalies in each of the modelled classes, anomaly classification rules were
proposed and verified through the experiments. The concept of the behavior features is generalized, while
the proposed data partitioning provides greater efficiency in real-time anomaly detection. The practicality
of the proposed architecture for the implementation of effective anomaly detection and classification
system in a general real-world network environment is demonstrated using experimental data.
Authors Key words
Anomaly detection, Anomaly classification, Entropy, Entropy deception, Network
behavior analysis
Classification
621.39:004.7(043.3)
Type
Tekst
Abstract (en)
With the steady increase in reliance on computer networks in all aspects of life, computers and
other connected devices have become more vulnerable to attacks, which exposes them to many major
threats, especially in recent years. There are different systems to protect networks from these threats such
as firewalls, antivirus programs, and data encryption, but it is still hard to provide complete protection
for networks and their systems from the attacks, which are increasingly sophisticated with time. That is
why it is required to use intrusion detection systems (IDS) on a large scale to be the second line of defense
for computer and network systems along with other network security techniques. The main objective of
intrusion detection systems is used to monitor network traffic and detect internal and external attacks.
Intrusion detection systems represent an important focus of studies today, because most
protection systems, no matter how good they are, can fail due to the emergence of new
(unknown/predefined) types of intrusions. Most of the existing techniques detect network intrusions by
collecting information about known types of attacks, so-called signature-based IDS, using them to
recognize any attempt of attack on data or resources. The major problem of this approach is its inability
to detect previously unknown attacks, even if these attacks are derived slightly from the known ones (the
so-called zero-day attack). Also, it is powerless to detect encryption-related attacks. On the other hand,
detecting abnormalities concerning conventional behavior (anomaly-based IDS) exceeds the
abovementioned limitations. Many scientific studies have tended to build modern and smart systems to
detect both known and unknown intrusions. In this research, an architecture that applies a new technique
for IDS using an anomaly-based detection method based on entropy is introduced.
Network behavior analysis relies on the profiling of legitimate network behavior in order to
efficiently detect anomalous traffic deviations that indicate security threats. Entropy-based detection
techniques are attractive due to their simplicity and applicability in real-time network traffic, with no
need to train the system with labelled data. Besides the fact that the NetFlow protocol provides only a
basic set of information about network communications, it is very beneficial for identifying zero-day
attacks and suspicious behavior in traffic structure. Nevertheless, the challenge associated with limited
NetFlow information combined with the simplicity of the entropy-based approach is providing an
efficient and sensitive mechanism to detect a wide range of anomalies, including those of small intensity.
However, a recent study found of generic entropy-based anomaly detection reports its
vulnerability to deceit by introducing spoofed data to mask the abnormality. Furthermore, the majority
of approaches for further classification of anomalies rely on machine learning, which brings additional
complexity.
Previously highlighted shortcomings and limitations of these approaches open up a space for the
exploration of new techniques and methodologies for the detection of anomalies in network traffic in
order to isolate security threats, which will be the main subject of the research in this thesis.
Abstract
An architrvture for network traffic anomaly detection system based on entropy analysis
Page vii
This research addresses all these issues by providing a systematic methodology with the main
novelty in anomaly detection and classification based on the entropy of flow count and behavior features
extracted from the basic data obtained by the NetFlow protocol.
Two new approaches are proposed to solve these concerns. Firstly, an effective protection
mechanism against entropy deception derived from the study of changes in several entropy types, such
as Shannon, Rényi, and Tsallis entropies, as well as the measurement of the number of distinct elements
in a feature distribution as a new detection metric. The suggested method improves the reliability of
entropy approaches.
Secondly, an anomaly classification technique was introduced to the existing entropy-based
anomaly detection system. Entropy-based anomaly classification methods were presented and effectively
confirmed by tests based on a multivariate analysis of the entropy changes of several features as well as
aggregation by complicated feature combinations.
Through an analysis of the most prominent security attacks, generalized network traffic behavior
models were developed to describe various communication patterns. Based on a multivariate analysis of
the entropy changes by anomalies in each of the modelled classes, anomaly classification rules were
proposed and verified through the experiments. The concept of the behavior features is generalized, while
the proposed data partitioning provides greater efficiency in real-time anomaly detection. The practicality
of the proposed architecture for the implementation of effective anomaly detection and classification
system in a general real-world network environment is demonstrated using experimental data.
“Data exchange” service offers individual users metadata transfer in several different formats. Citation formats are offered for transfers in texts as for the transfer into internet pages. Citation formats include permanent links that guarantee access to cited sources. For use are commonly structured metadata schemes : Dublin Core xml and ETUB-MS xml, local adaptation of international ETD-MS scheme intended for use in academic documents.
