Entropy-Based Characterization of Internet Background Radiation
Network security requires real-time monitoring of network traffic in order to detect new and unexpected attacks. Attack detection methods based on deep packet inspection are time consuming and costly, due to their high computational demands. This paper proposes a fast, lightweight method to distingu...
Main Authors: | , |
---|---|
Format: | Article |
Language: | English |
Published: |
MDPI AG
2014-12-01
|
Series: | Entropy |
Subjects: | |
Online Access: | http://www.mdpi.com/1099-4300/17/1/74 |
_version_ | 1811303897961070592 |
---|---|
author | Félix Iglesias Tanja Zseby |
author_facet | Félix Iglesias Tanja Zseby |
author_sort | Félix Iglesias |
collection | DOAJ |
description | Network security requires real-time monitoring of network traffic in order to detect new and unexpected attacks. Attack detection methods based on deep packet inspection are time consuming and costly, due to their high computational demands. This paper proposes a fast, lightweight method to distinguish different attack types observed in an IP darkspace monitor. The method is based on entropy measures of traffic-flow features and machine learning techniques. The explored data belongs to a portion of the Internet background radiation from a large IP darkspace, i.e., real traffic captures that exclusively contain unsolicited traffic, ongoing attacks, attack preparation activities and attack aftermaths. Results from an in-depth traffic analysis based on packet headers and content are used as a reference to label data and to evaluate the quality of the entropy-based classification. Full IP darkspace traffic captures from a three-week observation period in April, 2012, are used to compare the entropy-based classification with the in-depth traffic analysis. Results show that several traffic types present a high correlation to the respective traffic-flow entropy signals and can even fit polynomial regression models. Therefore, sudden changes in traffic types caused by new attacks or attack preparation activities can be identified based on entropy variations. |
first_indexed | 2024-04-13T07:56:24Z |
format | Article |
id | doaj.art-f0a0a70732e84ae385857eb095c1ebcf |
institution | Directory Open Access Journal |
issn | 1099-4300 |
language | English |
last_indexed | 2024-04-13T07:56:24Z |
publishDate | 2014-12-01 |
publisher | MDPI AG |
record_format | Article |
series | Entropy |
spelling | doaj.art-f0a0a70732e84ae385857eb095c1ebcf2022-12-22T02:55:24ZengMDPI AGEntropy1099-43002014-12-011717410110.3390/e17010074e17010074Entropy-Based Characterization of Internet Background RadiationFélix Iglesias0Tanja Zseby1Institute of Telecommunications, Vienna University of Technology, Gußhausstraße 25 / E389, 1040 Vienna, AustriaInstitute of Telecommunications, Vienna University of Technology, Gußhausstraße 25 / E389, 1040 Vienna, AustriaNetwork security requires real-time monitoring of network traffic in order to detect new and unexpected attacks. Attack detection methods based on deep packet inspection are time consuming and costly, due to their high computational demands. This paper proposes a fast, lightweight method to distinguish different attack types observed in an IP darkspace monitor. The method is based on entropy measures of traffic-flow features and machine learning techniques. The explored data belongs to a portion of the Internet background radiation from a large IP darkspace, i.e., real traffic captures that exclusively contain unsolicited traffic, ongoing attacks, attack preparation activities and attack aftermaths. Results from an in-depth traffic analysis based on packet headers and content are used as a reference to label data and to evaluate the quality of the entropy-based classification. Full IP darkspace traffic captures from a three-week observation period in April, 2012, are used to compare the entropy-based classification with the in-depth traffic analysis. Results show that several traffic types present a high correlation to the respective traffic-flow entropy signals and can even fit polynomial regression models. Therefore, sudden changes in traffic types caused by new attacks or attack preparation activities can be identified based on entropy variations.http://www.mdpi.com/1099-4300/17/1/74network securityinformation entropytime series analysissupervised classificationsignal modeling |
spellingShingle | Félix Iglesias Tanja Zseby Entropy-Based Characterization of Internet Background Radiation Entropy network security information entropy time series analysis supervised classification signal modeling |
title | Entropy-Based Characterization of Internet Background Radiation |
title_full | Entropy-Based Characterization of Internet Background Radiation |
title_fullStr | Entropy-Based Characterization of Internet Background Radiation |
title_full_unstemmed | Entropy-Based Characterization of Internet Background Radiation |
title_short | Entropy-Based Characterization of Internet Background Radiation |
title_sort | entropy based characterization of internet background radiation |
topic | network security information entropy time series analysis supervised classification signal modeling |
url | http://www.mdpi.com/1099-4300/17/1/74 |
work_keys_str_mv | AT felixiglesias entropybasedcharacterizationofinternetbackgroundradiation AT tanjazseby entropybasedcharacterizationofinternetbackgroundradiation |