An architecture for network traffic anomaly detection system based on entropy analysis: doctoral dissertation
With the steady increase in reliance on computer networks in all aspects of life, computers and other connected devices have become more vulnerable to attacks, which exposes them to many major threats, especially in recent years. There are different systems to protect networks from these threats, such as firewalls, antivirus programs, and data encryption, but it is still hard to provide complete protection for networks and their systems from attacks, which grow more sophisticated with time. That is why intrusion detection systems (IDS) are required on a large scale as a second line of defense for computer and network systems, alongside other network security techniques. The main objective of intrusion detection systems is to monitor network traffic and detect internal and external attacks.

Intrusion detection systems represent an important focus of studies today, because most protection systems, no matter how good they are, can fail due to the emergence of new (unknown/predefined) types of intrusions. Most of the existing techniques detect network intrusions by collecting information about known types of attacks (so-called signature-based IDS) and using it to recognize any attempt to attack data or resources. The major problem of this approach is its inability to detect previously unknown attacks, even if these attacks deviate only slightly from known ones (the so-called zero-day attack). It is also powerless to detect encryption-related attacks. On the other hand, detecting deviations from conventional behavior (anomaly-based IDS) overcomes the above-mentioned limitations. Many scientific studies have tended to build modern and smart systems to detect both known and unknown intrusions.

In this research, an architecture that applies a new technique for IDS, using an anomaly-based detection method based on entropy, is introduced. Network behavior analysis relies on the profiling of legitimate network behavior in order to efficiently detect anomalous traffic deviations that indicate security threats. Entropy-based detection techniques are attractive due to their simplicity and applicability to real-time network traffic, with no need to train the system with labelled data. Although the NetFlow protocol provides only a basic set of information about network communications, it is very beneficial for identifying zero-day attacks and suspicious behavior in traffic structure. Nevertheless, the challenge associated with limited NetFlow information combined with the simplicity of the entropy-based approach is providing an efficient and sensitive mechanism to detect a wide range of anomalies, including those of small intensity. However, a recent study of generic entropy-based anomaly detection reports its vulnerability to deception by introducing spoofed data to mask the abnormality. Furthermore, the majority of approaches for further classification of anomalies rely on machine learning, which brings additional complexity.

The previously highlighted shortcomings and limitations of these approaches open up a space for the exploration of new techniques and methodologies for the detection of anomalies in network traffic in order to isolate security threats, which is the main subject of the research in this thesis. This research addresses all these issues by providing a systematic methodology whose main novelty is anomaly detection and classification based on the entropy of flow count and behavior features extracted from the basic data obtained by the NetFlow protocol. Two new approaches are proposed to solve these concerns.

Firstly, an effective protection mechanism against entropy deception is derived from the study of changes in several entropy types, such as Shannon, Rényi, and Tsallis entropies, as well as the measurement of the number of distinct elements in a feature distribution as a new detection metric. The suggested method improves the reliability of entropy approaches.

Secondly, an anomaly classification technique is added to the existing entropy-based anomaly detection system. Entropy-based anomaly classification methods are presented and effectively confirmed by tests based on a multivariate analysis of the entropy changes of several features as well as aggregation by complex feature combinations.

Through an analysis of the most prominent security attacks, generalized network traffic behavior models were developed to describe various communication patterns. Based on a multivariate analysis of the entropy changes caused by anomalies in each of the modelled classes, anomaly classification rules were proposed and verified through experiments. The concept of behavior features is generalized, while the proposed data partitioning provides greater efficiency in real-time anomaly detection. The practicality of the proposed architecture for implementing an effective anomaly detection and classification system in a general real-world network environment is demonstrated using experimental data.
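The following is an added illustration of the detection metrics the abstract names; it is not code from the dissertation. It computes Shannon, Rényi and Tsallis entropy of one NetFlow feature (destination port counts per time window) together with the number of distinct elements, on three constructed windows: a legitimate baseline, the same baseline plus flows to 50 previously unseen ports, and that second window padded with spoofed flows to port 80 that drag Shannon entropy back toward the baseline. The windows, the thresholds in `detect`, and the choice of Rényi order 2 are assumptions made for the example; they show why a single entropy type is open to deception while the distinct-element count and a second entropy order still react.

```python
"""Entropy metrics over a NetFlow-style feature distribution (added example)."""
import math
from collections import Counter


def distribution(values):
    """Empirical probability of each distinct value in one time window."""
    counts = Counter(values)
    total = sum(counts.values())
    return [c / total for c in counts.values()]


def shannon_entropy(values):
    """Shannon entropy in bits: -sum p log2 p."""
    return -sum(p * math.log2(p) for p in distribution(values))


def renyi_entropy(values, alpha):
    """Renyi entropy of order alpha (alpha > 0, alpha != 1), in bits."""
    if alpha <= 0 or alpha == 1:
        raise ValueError("alpha must be positive and not equal to 1")
    return math.log2(sum(p ** alpha for p in distribution(values))) / (1 - alpha)


def tsallis_entropy(values, q):
    """Tsallis entropy of order q (q != 1)."""
    if q == 1:
        raise ValueError("q must not be 1")
    return (1 - sum(p ** q for p in distribution(values))) / (q - 1)


def distinct_count(values):
    """Number of distinct feature values seen in the window."""
    return len(set(values))


# Constructed sample windows: destination port of each flow in the window.
BASELINE = [80] * 50 + [443] * 40 + [53] * 10          # legitimate profile
SCAN = BASELINE + list(range(1000, 1050))              # + one flow to each of 50 new ports
MASKED = SCAN + [80] * 400                             # + spoofed padding to a popular port


def detect(window, baseline, entropy_delta=0.5, distinct_delta=10):
    """Flag a window per metric by its deviation from the baseline profile.

    Thresholds are assumptions chosen for this example, not values from the thesis.
    """
    return {
        "shannon": abs(shannon_entropy(window) - shannon_entropy(baseline)) > entropy_delta,
        "renyi2": abs(renyi_entropy(window, 2) - renyi_entropy(baseline, 2)) > entropy_delta,
        "distinct": distinct_count(window) - distinct_count(baseline) > distinct_delta,
    }


if __name__ == "__main__":
    for name, window in (("baseline", BASELINE), ("scan", SCAN), ("masked", MASKED)):
        print(f"{name:9s} H1={shannon_entropy(window):.3f} "
              f"H2={renyi_entropy(window, 2):.3f} "
              f"T2={tsallis_entropy(window, 2):.3f} "
              f"distinct={distinct_count(window)} flags={detect(window, BASELINE)}")
```

Running the block shows the padded window's Shannon entropy within about 0.08 bits of the baseline, so a Shannon-only detector stays silent, while the distinct-element count jumps from 3 to 53 and the order-2 Rényi entropy still deviates by more than the threshold. In a real deployment the baseline would be a rolling profile per feature rather than a fixed list, and the thresholds would be calibrated on observed traffic.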
Electrical and Computer Engineering - Computer Engineering and Informatics. Date of defense: 15.12.2022.
English
2022
© All rights reserved
OSNO - Opšta sistematizacija naučnih oblasti (General Systematization of Scientific Fields), Telecommunications. Telegraphy. Telephony
OSNO - Opšta sistematizacija naučnih oblasti (General Systematization of Scientific Fields), Computer communications. Computer networks
Anomaly detection, Anomaly classification, Entropy, Entropy deception, Network behavior analysis