Survey on Intrusion Detection System based on Entropy Methods IEEE Papers

Raj Kamal
IIT Guwahati

June 8, 2012
Table 1: Entropy Based IEEE Papers

Title: An Efficient and Reliable DDoS Attack Detection Using a Fast Entropy Computation Method
Author: Giseop No and Ilkyeun Ra, Department of Computer Science and Engineering, University of Colorado Denver, USA
Year: 2009
Abstract: In this paper, we propose a fast entropy scheme that can overcome the issue of false negatives and will not increase the computational time. Our simulation shows that the fast entropy computing method not only reduced computational time by more than 90 % compared to conventional entropy, but also increased the detection accuracy compared to conventional and compression entropy approaches.
Theme: Uses fast entropy and moving average to calculate entropy. If network traffic changes from normal to abnormal status, such as when the DDoS attacker sends a bulk of packets with the same port number to saturate a certain port, the entropy of this port number will be decreased. By contrast, under normal conditions, the entropy of the port number will be increased. This phenomenon can be applied to various network information such as source IP address, destination IP address, source port, destination port, total number of packets, and even in the data clustering schemes. Our Fast Entropy scheme reduced computational time by 90 % of conventional entropy scheme while maintaining detection accuracy. Fast Entropy is even faster than compression entropy scheme in computing entropy values with same or better detection accuracy. For our future work, we have been developing an adaptive fast entropy algorithm that will further reduce the false positives as well as false negatives without adding overhead by introducing dynamic moving average and detection threshold value with respect to behavior of attacks.
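The entropy drop described above (a flood to one port collapsing the destination-port entropy) and the "entropy should vary abruptly" idea of the next entry, as an added example that is not the surveyed paper's code: windowed Shannon entropy of destination ports with a moving-average baseline and a ratio threshold standing in for the paper's dynamic threshold. The window size, history length, ratio and the traffic trace are assumptions constructed for illustration.

```python
# Added example (not from the surveyed paper): windowed Shannon entropy of the
# destination-port distribution with a moving-average baseline. Window size,
# history length, alarm ratio and the traffic itself are assumptions.
import math
import random
from collections import Counter
from typing import Iterable, List, Tuple

WINDOW = 1000      # packets per entropy window (assumed)
HISTORY = 5        # windows in the moving-average baseline (assumed)
RATIO = 0.6        # alarm when entropy < RATIO * moving average (assumed)


def shannon_entropy(samples: Iterable) -> float:
    """H = -sum p_i log2 p_i over the empirical distribution of `samples`."""
    counts = Counter(samples)
    n = sum(counts.values())
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def window_entropies(values: List[int], window: int = WINDOW) -> List[float]:
    """Entropy of each consecutive, non-overlapping window of `values`."""
    return [shannon_entropy(values[i:i + window])
            for i in range(0, len(values) - window + 1, window)]


def detect_entropy_drops(entropies: List[float], history: int = HISTORY,
                         ratio: float = RATIO) -> List[int]:
    """Return indices of windows whose entropy collapses below the baseline.

    The baseline is the moving average of the last `history` windows that were
    NOT flagged, so a sustained flood does not become the new "normal".
    """
    baseline: List[float] = []
    alarms: List[int] = []
    for i, h in enumerate(entropies):
        if len(baseline) >= history:
            avg = sum(baseline[-history:]) / history
            if h < ratio * avg:
                alarms.append(i)
                continue          # keep flood windows out of the baseline
        baseline.append(h)
    return alarms


def build_trace(seed: int = 7) -> Tuple[List[int], List[int]]:
    """Constructed destination-port stream: 10 normal windows, 3 windows in
    which 90 % of packets hit port 80 (a single-port flood), then 5 normal."""
    rng = random.Random(seed)
    pool = [rng.randrange(1024, 65535) for _ in range(200)]   # 200 busy ports
    ports: List[int] = []
    attack_windows: List[int] = []
    layout = ["normal"] * 10 + ["flood"] * 3 + ["normal"] * 5
    for idx, kind in enumerate(layout):
        if kind == "normal":
            ports += [rng.choice(pool) for _ in range(WINDOW)]
        else:
            attack_windows.append(idx)
            flood = [80] * int(0.9 * WINDOW)
            rest = [rng.choice(pool) for _ in range(WINDOW - len(flood))]
            ports += flood + rest
    return ports, attack_windows


if __name__ == "__main__":
    ports, truth = build_trace()
    ents = window_entropies(ports)
    for i, h in enumerate(ents):
        mark = "<- flood" if i in truth else ""
        print(f"window {i:2d}  H(dst port) = {h:5.2f}  {mark}")
    print("alarms:", detect_entropy_drops(ents))
```

The same functions apply unchanged to source addresses or any other field the paper lists; only the samples fed to `window_entropies` change.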
Table 2: Entropy Based IEEE Papers

Title: Effective Discovery of Attacks using Entropy of Packet Dynamics
Author: Chan-Kyu Han, Hyoung-Kee Choi, Sungkyunkwan University
Year: 2009
Abstract: This IDS is based on the notion of packet dynamics, rather than packet content, as a way to cope with the increasing complexity of attacks. We employ a concept of entropy to measure time-variant packet dynamics and, further, to extrapolate this entropy to detect network attacks. The entropy of network traffic should vary abruptly once the distinct patterns of packet dynamics embedded in attacks appear. The proposed classifier is evaluated by comparing independent statistics derived from five well-known attacks. Our classifier detects those five attacks with high accuracy and does so in a timely manner. For instance, a Denial of Service (DoS) attack and flash crowds cause destination hosts to concentrate the distribution of traffic on the victim. Network scanning has a dispersed distribution for destination hosts and a bottleneck distribution for destination services. This bottleneck distribution is concentrated on the vulnerable ports. Concentration and dispersion are, respectively, two patterns of packet dynamics frequently perceived in a DoS attack and network scanning. The key idea is that once abnormal traffic contaminates long-term behavior, the entropy value of the system should immediately reflect this contamination. This detection method takes advantage of fluctuations in the entropy values of flow-related metrics. Bogus requests do not generate immediate
Theme: We implemented the proposed algorithm using perl and ran it on real traffic traces available on the Internet. We used four traces containing five malicious attacks: they are Code Red Worm, Witty Worm, Slammer Worm, DoS and DDoS attacks. Here a thermodynamic approach is used with moving average. It further uses a ROC curve to find out the threshold.
Table 3: Entropy Based IEEE Papers

Title: Entropy-Based Profiling of Network Traffic for Detection of Security Attack
Author: Tsern-Huei Lee, Jyun-De He, Department of Communication Engineering, National Chiao Tung University, Taiwan
Year: 2009
Abstract: We present an entropy-based network traffic profiling scheme for detecting security attacks. The proposed scheme consists of two stages. The purpose of the first stage is to systematically construct the probability distribution of Relative Uncertainty for normal network traffic behavior. In the second stage, we use the Chi-Square Goodness-of-Fit Test, a calculation that measures the level of difference of two probability distributions, to detect abnormal network activities. The probability distribution of the Relative Uncertainty for short-term network behavior is compared with that of the long-term profile constructed in the first stage. We demonstrate the performance of our proposed scheme for DoS attacks with the dataset derived from KDD CUP 1999. Experimental results show that our proposed scheme achieves high accuracy if the features are selected appropriately. The top six features ranked by the accuracy are srcbytes, dstbytes, srvdiffhostrate, dsthostcount, dsthostsamesrcportrate and dsthostsrvdiffhostrate. These features can be used to detect DoS attacks effectively.
Theme: In this paper, we proposed a novel, two-stage approach for detecting network attacks. In the first stage, normal behavior profiles are constructed based on Relative Uncertainty. In the second stage, the Chi-Square Goodness-of-Fit Test is performed for the distributions obtained from behavior profiling and network activities collected online. We demonstrated the effectiveness of our proposed scheme with the KDD 1999 dataset for DoS attacks. Simulation results show that our proposed scheme achieves lower complexity and higher accuracy than previous schemes. Based on the experimental results, we believe that the proposed scheme could be a good choice for network behavior profiling and attack detection.
Table 4: Entropy Based IEEE Papers

Title: Entropy-Based Collaborative Detection of DDoS Attacks on Community Networks
Author: Shui Yu and Wanlei Zhou, School of Engineering and Information Technology, Deakin University, Burwood, VIC 3125, Australia
Year: 2008
Abstract: A community network often operates with the same Internet Service Provider domain or the virtual network of different entities who are cooperating with each other. In such a federated network environment, routers can work closely to raise early warning of DDoS attacks to avoid catastrophic damages. However, the attackers simulate the normal network behaviors, e.g. pumping the attack packages as Poisson distribution, to disable detection algorithms. We noticed that the attackers use the same mathematical functions to control the speed of attack package pumping to the victim. Based on this observation, the different attack flows of a DDoS attack share the same regularities, which is different from the real surging accessing in a short time period. We apply an information theory parameter, entropy rate, to discriminate the DDoS attack from the surge of legitimate accessing. We proved the effectiveness of our method in theory. Here the number of packets to different destinations is used.
Theme: We focus on detection of DDoS attacks in community networks. Our motivation comes from discriminating the DDoS attacks from a surge of legitimate accessing, and identifying attacks at the early stage, even before the attack packages reach the target server. The entropy of flows at a router, the router entropy, is calculated; if the router entropy is less than a given threshold, then an attack alarm is raised and the routers on the path of the suspected flow calculate the entropy rate of the suspected flow. If the entropy rates are the same or the difference is less than a given value, then we can confirm that it is an attack; otherwise, it is a surge of legitimate accessing.
Table 5: Entropy Based IEEE Papers

Title: Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics
Author: Yang Xiang, Member, IEEE, Ke Li, and Wanlei Zhou, Senior Member, IEEE
Year: 2011
Abstract: A low-rate distributed denial of service (DDoS) attack has significant ability of concealing its traffic because it is very much like normal traffic. An information metric can quantify the differences of network traffic with various probability distributions. In this paper, we innovatively propose using two new information metrics such as the generalized entropy metric and the information distance metric to detect low-rate DDoS attacks by measuring the difference between legitimate traffic and attack traffic. The proposed generalized entropy metric can detect attacks several hops earlier than the traditional Shannon metric. The proposed information distance metric outperforms the popular Kullback–Leibler divergence approach as it can clearly enlarge the adjudication distance and then obtain the optimal detection sensitivity. The experimental results show that the proposed information metrics can effectively detect low-rate DDoS attacks and clearly reduce the false positive rate. Furthermore, the proposed IP traceback algorithm can find all attacks as well as attackers from their own local area networks (LANs) and discard attack packet
Theme: We propose two new and effective information metrics for low-rate DDoS attacks detection: generalized entropy and information distance metric. The experimental results show that these metrics work effectively and stably. They outperform the traditional Shannon entropy and Kullback–Leibler distance approaches, respectively, in detecting anomaly traffic. In particular, these metrics can improve (or match the various requirements of) the systems' detection sensitivity by effectively adjusting the value of the order of the generalized entropy and information distance metrics. As the proposed metrics can increase the information distance (gap) between attack traffic and legitimate traffic, they can effectively detect low-rate DDoS attacks early and reduce the false positive rate clearly. The proposed information distance metric overcomes the asymmetry of both Kullback–Leibler and information divergences. Furthermore, the proposed IP traceback scheme based on information metrics can effectively trace all attacks until their own LANs (zombies). In conclusion, our proposed information metrics can substantially improve the performance of low-rate DDoS attacks detection and IP traceback over the traditional approaches.
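The generalized entropy and information distance metrics just described, as an added example that is not the paper's own code: Rényi entropy of order alpha for two constructed per-source packet-count windows, and a symmetric Rényi divergence as the information distance. It shows what the entry claims, that raising the order widens the gap between the legitimate and attack windows, and that the symmetric form removes the asymmetry of Kullback–Leibler. The two windows, the symmetrisation by summing both directions, and the alpha values are assumptions.

```python
# Added example (not the surveyed paper's code): generalized (Renyi) entropy of
# order alpha and a symmetric Renyi information distance on two constructed
# per-source packet-count windows. Windows, symmetrisation and alphas are
# assumptions made for illustration.
import math
from typing import Dict, Hashable, List, Sequence, Tuple

ALPHAS = (0.5, 1.0, 2.0, 5.0, 10.0)

# Constructed windows: 50 hosts at 20 packets each is the legitimate window;
# in the attack window 5 of those hosts (zombies) triple their rate, which is
# the kind of low-rate change that barely moves Shannon entropy.
LEGIT: Dict[str, int] = {f"10.1.0.{i}": 20 for i in range(1, 51)}
ATTACK: Dict[str, int] = {**LEGIT, **{f"10.1.0.{i}": 60 for i in range(1, 6)}}


def distribution(counts: Dict[Hashable, int]) -> Dict[Hashable, float]:
    total = sum(counts.values())
    return {k: c / total for k, c in counts.items()}


def align(p: Dict[Hashable, float],
          q: Dict[Hashable, float]) -> Tuple[List[float], List[float]]:
    """Lay both distributions out over the union of their supports."""
    keys = sorted(set(p) | set(q), key=str)
    return [p.get(k, 0.0) for k in keys], [q.get(k, 0.0) for k in keys]


def renyi_entropy(p: Sequence[float], alpha: float) -> float:
    """H_alpha(P) = log2(sum p_i^alpha) / (1 - alpha); alpha = 1 is Shannon."""
    probs = [x for x in p if x > 0]
    if alpha == 1.0:
        return -sum(x * math.log2(x) for x in probs)
    return math.log2(sum(x ** alpha for x in probs)) / (1.0 - alpha)


def renyi_divergence(p: Sequence[float], q: Sequence[float], alpha: float) -> float:
    """D_alpha(P||Q) = log2(sum p_i^alpha q_i^(1-alpha)) / (alpha - 1); alpha = 1 is KL."""
    pairs = [(x, y) for x, y in zip(p, q) if x > 0]
    if alpha >= 1.0 and any(y == 0 for _, y in pairs):
        return math.inf                       # P has mass where Q has none
    if alpha == 1.0:
        return sum(x * math.log2(x / y) for x, y in pairs)
    total = sum(x ** alpha * y ** (1.0 - alpha) for x, y in pairs)
    if total <= 0:
        return math.inf                       # disjoint supports
    return math.log2(total) / (alpha - 1.0)


def information_distance(p: Sequence[float], q: Sequence[float], alpha: float) -> float:
    """Symmetric distance D_alpha(P||Q) + D_alpha(Q||P) (symmetrisation assumed)."""
    return renyi_divergence(p, q, alpha) + renyi_divergence(q, p, alpha)


P, Q = align(distribution(LEGIT), distribution(ATTACK))


def entropy_gap(alpha: float) -> float:
    """H_alpha(legit) - H_alpha(attack): the adjudication gap at this order."""
    return renyi_entropy(P, alpha) - renyi_entropy(Q, alpha)


def distance(alpha: float) -> float:
    return information_distance(P, Q, alpha)


if __name__ == "__main__":
    print("alpha   H(legit)  H(attack)   gap   distance")
    for a in ALPHAS:
        print(f"{a:5.1f}  {renyi_entropy(P, a):8.3f}  {renyi_entropy(Q, a):8.3f}"
              f"  {entropy_gap(a):6.3f}  {distance(a):8.3f}")
```

Both the gap and the distance are non-decreasing in alpha for these windows, so a detector can trade sensitivity for robustness by choosing the order; alpha = 1 reproduces the Shannon and Kullback–Leibler baselines the entry compares against.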
Table 6: Entropy Based IEEE Papers

Title: Joint Entropy Analysis Model for DDoS Attack Detection
Author: Hamza Rahmani, Nabil Sahli, Farouk Kammoun, CRISTAL Lab., National School for Computer Sciences of Tunis University, campus Manouba, Manouba, Tunisia
Year: 2009
Abstract: Network traffic characterization with behaviour modelling could be a good indication of attack detection which can be performed via abnormal behaviour identification. Moreover, it is hard to distinguish the difference of an unusual high volume of traffic which is caused by the attack or occurs when a huge number of users occasionally access the target machine at the same time. We observe that the time series of IP-flow number and aggregate traffic size are strongly statistically dependent. The occurrence of attack affects this dependence and causes a rupture in time series of joint entropy values. Experiment results show that this method could lead to more accurate and effective DDoS detection. We propose a measurement method which focuses on quantifying the information expressed by the joint system of two random variables in traffic-based network. By measuring the degree of coherence between the number of packets and the number of IP-flow first obtained in regular traffic, then in traffics presenting a large variety of anomalies including mainly legitimate anomalies, we can differentiate traffic changes caused by flash crowd (FC) or by DoS attack. This method allows reducing significantly the false positives alarms. To study the network characteristics by generating the histogram of the size of IP-flow during a time interval T.
Theme: In this paper, we have proposed a statistical approach for DDoS attacks detection. Our experiments were made on a real traffic flow issued from a "CAIDA data collection" collected in 2007. Our proposed approach is based on the evaluation of the degree of coherence between the received traffic volume and the number of connections per time interval with the aim of thresholding calculated distances between a current observation window and a given reference. The main contribution of this paper is that our proposal model allows us to identify DDoS attacks regardless of the traffic volume size. A legitimate augmentation at large scale will not be detected through this method, which minimises false alarms. In addition, our proposal needs to inspect only a few fields for each packet. This makes it simpler and more practical for real-time implementation.
Table 7: Entropy Based IEEE Papers

Title: A Network Anomaly Detection Method Based on Relative Entropy Theory
Author: Ya-ling Zhang, Zhao-guo Han, Jiao-xia Ren, School of Computer Science and Engineering, Xi'an University of Technology, Xi'an, China
Year: 2009
Abstract: A new network anomaly detection method has been proposed in this paper. The main idea of the method is that network traffic is analyzed and estimated by using Relative Entropy Theory (RET), and a network anomaly detection model based on RET is designed as well. The numerical value of relative entropy is used to alleviate the inherent contradictions between improving detection rate and reducing false alarm rate, which is more precise and can effectively reduce the error of estimation. On the 1999 DARPA/Lincoln Laboratory IDS evaluation data set, the detection results showed that the method can reach a higher detection rate at the premise of low false alarm rate. These measures have three features: compose a full-probability event and cover all gathered information; be able to comprehensively reflect a variety of abnormal that cause the abnormal network traffic; does not contain sensitive information, such as IP address, port number or packet content information. Packet Lengths are taken into account to calculate relative entropy and drawing conclusions.
Theme: The RETAD sets up SVLNM by training on the normal network traffic. The network anomaly detection system based on RET is achieved by comparing SVLD with SVLNM. The test results show that the detection rate of RETAD is higher than the EMERALD, PHAD, ALAD, NETAD and FAD. The RETAD has three advantages. Firstly, algorithm computation is so easy that it can be used on the high speed network. Secondly, the method has a strong detection capability, especially for the detection of intermittent anomalies. In addition, the RETAD has a good adaptability. Based on RET, the packet length has been chosen as the measure to detect anomaly. Furthermore, the detection models using other measures need to be further studied.
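One block serves two entries: the relative-entropy comparison of packet-length distributions in the entry above (Table 7) and the short-term-versus-long-term Chi-Square Goodness-of-Fit test of Table 3. It is an added example, not code from either paper: a long-term packet-length profile is built from constructed normal traffic, and each short-term window is scored with both the Pearson chi-square statistic and D(window || profile). Lee and He apply the chi-square test to distributions of Relative Uncertainty; here it is applied directly to packet-length bins. The traffic mix, bin width, Laplace smoothing of the profile and both thresholds are assumptions.

```python
# Added example (not the surveyed papers' code): a long-term packet-length
# profile compared with short-term windows by (a) the chi-square GoF statistic
# and (b) relative entropy D(window || profile). Traffic, bin width, smoothing
# and thresholds are assumptions; calibrate thresholds on clean traffic.
import math
import random
from typing import Dict, List, Sequence

BIN = 64                  # bytes per histogram bin (assumed)
NBINS = 1500 // BIN + 1   # covers 0..1500 bytes (Ethernet MTU)
CHI2_THRESHOLD = 60.0     # assumed; use the chi-square table for your df
KL_THRESHOLD = 0.1        # bits, assumed


def histogram(lengths: Sequence[int]) -> List[int]:
    """Count packet lengths into BIN-byte wide bins (lengths > 1500 clamp)."""
    counts = [0] * NBINS
    for n in lengths:
        counts[min(n, 1500) // BIN] += 1
    return counts


def probabilities(counts: Sequence[int], smooth: float = 0.0) -> List[float]:
    """Normalise counts; `smooth` adds a pseudo-count per bin so a profile never
    assigns zero probability (avoids E_i = 0 and an infinite relative entropy)."""
    total = sum(counts) + smooth * len(counts)
    return [(c + smooth) / total for c in counts]


def chi_square(observed: Sequence[int], profile: Sequence[float]) -> float:
    """Pearson chi-square GoF of observed bin counts against profile probabilities."""
    n = sum(observed)
    return sum((o - n * p) ** 2 / (n * p)
               for o, p in zip(observed, profile) if p > 0)


def relative_entropy(p: Sequence[float], q: Sequence[float]) -> float:
    """D(P || Q) in bits; q must be strictly positive wherever p is."""
    return sum(pi * math.log2(pi / qi) for pi, qi in zip(p, q) if pi > 0)


def classify(window: Sequence[int], profile: Sequence[float]) -> Dict[str, object]:
    """Score one short-term window against the long-term profile."""
    counts = histogram(window)
    chi2 = chi_square(counts, profile)
    kl = relative_entropy(probabilities(counts), profile)
    return {"chi2": chi2, "kl": kl,
            "anomalous": chi2 > CHI2_THRESHOLD or kl > KL_THRESHOLD}


def normal_lengths(rng: random.Random, n: int) -> List[int]:
    """Constructed mix: 40 % small (ACKs, queries), 20 % medium, 40 % full-size."""
    out: List[int] = []
    for _ in range(n):
        r = rng.random()
        if r < 0.4:
            out.append(rng.randint(40, 100))
        elif r < 0.6:
            out.append(rng.randint(200, 1300))
        else:
            out.append(rng.randint(1400, 1500))
    return out


def build_profile(seed: int = 1) -> List[float]:
    """Long-term profile from 20,000 constructed normal packets, smoothed."""
    return probabilities(histogram(normal_lengths(random.Random(seed), 20000)),
                         smooth=1.0)


def normal_window(seed: int = 2) -> List[int]:
    return normal_lengths(random.Random(seed), 2000)


def flood_window(seed: int = 3) -> List[int]:
    """Constructed anomaly: 70 % of the window is identically sized packets."""
    return [404] * 1400 + normal_lengths(random.Random(seed), 600)


if __name__ == "__main__":
    prof = build_profile()
    for name, win in (("normal", normal_window()), ("flood", flood_window())):
        r = classify(win, prof)
        print(f"{name:7s} chi2={r['chi2']:10.1f}  D(window||profile)={r['kl']:.4f}"
              f"  anomalous={r['anomalous']}")
```

A window of identically sized packets lands almost entirely in one bin, so both statistics jump by orders of magnitude, while the normal window stays near the chi-square value expected for its degrees of freedom.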
Table 8: Entropy Based IEEE Papers
Title: An Approach on Detecting Network Attack Based on Entropy
Author: Zhiwen Wang, Qin Xia. Department of Computer Science and Technology, Xi'an Jiaotong University, Xi'an, China
Year: 2011
Abstract: In this paper we propose an approach on detecting network attack based on entropy from millions of alerts. Shannon entropy is developed firstly to analyze the distribution characteristics of alerts with five key attributes: source IP address, destination IP address, source threat, destination threat and datagram length. Then, the Rényi cross entropy is employed to fuse the Shannon entropy vector and detect the anomalies. The IDS used in our experiment is Snort, and the experimental results based on actual network data show that our approach can detect network attack quickly and accurately. In this paper, Snort is used to monitor the network and five statistical features of the Snort alert are selected: source IP address, destination IP address, source threat, destination threat and datagram length. The Shannon entropy is used to analyze the distribution characteristics of alerts that reflect the regularity of network status. When the monitored network runs in a normal way, the entropy values are relatively smooth. Otherwise, the entropy value of one or more features changes. The Rényi cross entropy of these features is calculated to measure the network status and detect network attacks.
Theme: The test data set with more alerts is used to evaluate the method. There are 166,326 alerts in the test data; 9.83% of them are generated by 86 network attacks occurring within 430 seconds. All the attacks are detected, with 2 false detections. The paper proposes a new network attack detection method based on entropy. Five features of IDS alerts are selected from tens of Snort alert attributes. The Shannon entropy is used to analyze the alerts and measure the regularity of the current network status. The Rényi cross entropy is employed to detect network attack: its value is near 0 when the network runs normally, and it changes abruptly when an attack occurs. The experimental results under actual data show that the framework can detect network attack quickly and accurately. In the next step, more alerts from different time segments will be collected to test the method, and an attack classification method will be considered. In short: a time series of Shannon entropy values is computed per feature; the Rényi cross entropy of the current entropy vector against the previous one is calculated, and an alarm is generated when it exceeds a threshold.
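The following is an added example, not code from the paper above: it builds the per-slot Shannon entropy vector over the five alert attributes, then measures how abruptly consecutive vectors change with a Rényi divergence, and alarms above a threshold. The slot width, the Rényi order alpha, the threshold, the normalisation of the entropy vector into a distribution and the sample alerts are all assumptions made here; the paper's exact fusion step is not on this page.

```python
import math
from collections import Counter, defaultdict

# Five Snort alert attributes the paper analyzes.
FEATURES = ("src_ip", "dst_ip", "src_threat", "dst_threat", "dgm_len")
WINDOW_S = 10      # time-slot width in seconds (assumed)
ALPHA = 2.0        # Rényi order (assumed)
THRESHOLD = 0.2    # alarm threshold in bits on the cross entropy (assumed)


def shannon_entropy(values):
    """H(X) in bits for the empirical distribution of a list of hashable values."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def entropy_vector(alerts):
    """Shannon entropy of each of the five attributes over one time slot."""
    return [shannon_entropy([a[f] for a in alerts]) for f in FEATURES]


def _as_distribution(vec, eps=1e-9):
    # Normalise the entropy vector so it can be treated as a distribution; eps keeps a
    # zero-entropy feature (e.g. a constant dst_threat) from raising 0 to a negative power.
    total = sum(vec) + eps * len(vec)
    return [(v + eps) / total for v in vec]


def renyi_cross_entropy(cur, ref, alpha=ALPHA):
    """Rényi divergence of order alpha between two entropy vectors; 0 when they coincide.

    D_alpha(P||Q) = 1/(alpha-1) * log2 sum_i p_i^alpha * q_i^(1-alpha); alpha=1 is the KL limit.
    """
    p, q = _as_distribution(cur), _as_distribution(ref)
    if alpha == 1.0:
        return sum(pi * math.log2(pi / qi) for pi, qi in zip(p, q))
    return math.log2(sum(pi ** alpha * qi ** (1.0 - alpha) for pi, qi in zip(p, q))) / (alpha - 1.0)


def time_slots(alerts, width=WINDOW_S):
    """Group alerts into consecutive fixed-width time slots, ordered by time."""
    slots = defaultdict(list)
    for a in alerts:
        slots[a["ts"] // width].append(a)
    return [slots[k] for k in sorted(slots)]


def detect(alerts, threshold=THRESHOLD, alpha=ALPHA):
    """Return (slot index, cross entropy) for each slot whose entropy vector
    diverges abruptly from the previous slot's vector."""
    vectors = [entropy_vector(slot) for slot in time_slots(alerts)]
    alarms = []
    for i in range(1, len(vectors)):
        d = renyi_cross_entropy(vectors[i], vectors[i - 1], alpha)
        if d > threshold:
            alarms.append((i, round(d, 3)))
    return alarms


# --- constructed sample alerts (not real Snort output) ------------------------------
def _normal_slot(t0):
    # Eight alerts spread over four sources, two destinations, three threat levels, four sizes.
    srcs = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"] * 2
    dsts = ["192.168.1.10"] * 4 + ["192.168.1.20"] * 4
    threats = ["low"] * 4 + ["medium"] * 2 + ["high"] * 2
    lens = [60, 120, 500, 1500] * 2
    return [dict(ts=t0 + i, src_ip=s, dst_ip=d, src_threat=t, dst_threat="low", dgm_len=l)
            for i, (s, d, t, l) in enumerate(zip(srcs, dsts, threats, lens))]


def _flood_slot(t0):
    # Twelve spoofed sources hit one host with identical 40-byte datagrams, plus two normal alerts.
    flood = [dict(ts=t0 + i % WINDOW_S, src_ip=f"10.9.{i}.{i}", dst_ip="192.168.1.10",
                  src_threat="high", dst_threat="low", dgm_len=40) for i in range(12)]
    return flood + _normal_slot(t0)[:2]


ALERTS = _normal_slot(0) + _normal_slot(10) + _flood_slot(20)

if __name__ == "__main__":
    for i, slot in enumerate(time_slots(ALERTS)):
        print(i, [round(v, 3) for v in entropy_vector(slot)])
    print("alarms:", detect(ALERTS))
```

Two identical normal slots give a divergence of zero; the flood slot pushes source-IP entropy up and datagram-length and destination entropies down, so the vector's shape changes and the divergence jumps. The threshold would have to be calibrated on the monitored network's own quiet periods.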
Table 9: Entropy Based IEEE Papers
Title: Detecting DDoS Attacks Using Conditional Entropy
Author: Yun Liu, Jieren Cheng, Jianping Yin, Boyun Zhang. School of Computer, National University of Defense Technology, Changsha, China
Year: 2010
Abstract: After analyzing the characteristics of DDoS attacks and the existing approaches to detect DDoS attacks, a novel detection method based on conditional entropy is proposed in this paper. First, a group of statistical features based on conditional entropy is defined, named Traffic Feature Conditional Entropy (TFCE), to depict the basic characteristics of DDoS attacks, such as high traffic volume and multiple-to-one relationships. Then, a trained support vector machine (SVM) classifier is applied to identify the DDoS attacks. We experiment with the MIT data set in order to evaluate our approach. The results show that the proposed method not only can distinguish between attack traffic and normal traffic accurately, but also is more robust to disturbance of background traffic compared with its counterparts. SrcIP, DestIP and DestPort are taken into account. Three conditional entropies, H(sip | dip), H(sip | dport) and H(dip | dport), characterize three kinds of multiple-to-one relation in DDoS attacks; together they form the Traffic Feature Conditional Entropy (TFCE). They measure the diversity (uncertainty) of sip given dip, sip given dport and dip given dport. An SVM is then trained on the same set of features and used to detect anomalies in real time.
Theme: The results demonstrate that TFCE is more robust to the interference of background traffic. The reason lies in the fact that the corresponding relations between traffic features are considered here. TFCE computes the relative distribution between traffic features and includes the information of the joint probabilities of traffic features, so it has a stronger ability to uncover the difference between attack traffic and normal traffic.
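An added example of the TFCE features (not the paper's code): each conditional entropy is computed as H(X|Y) = H(X,Y) - H(Y) from (x, y) observations, which is why the features carry the joint-probability information the Theme column refers to. The paper feeds the three values to a trained SVM; here a plain per-feature distance from a normal baseline stands in for the classifier, and the packets, the baseline and the margin are constructed assumptions.

```python
import math
from collections import Counter


def shannon_entropy(values):
    """H(X) in bits for the empirical distribution of a list of hashable values."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def conditional_entropy(pairs):
    """H(X|Y) = H(X,Y) - H(Y), in bits, from a list of (x, y) observations.

    A large value means many different x share the same y: the multiple-to-one
    pattern a flood leaves in the (source, destination) relation.
    """
    return shannon_entropy(pairs) - shannon_entropy([y for _, y in pairs])


def tfce(packets):
    """Traffic Feature Conditional Entropy: (H(sip|dip), H(sip|dport), H(dip|dport))."""
    return (
        conditional_entropy([(p["sip"], p["dip"]) for p in packets]),
        conditional_entropy([(p["sip"], p["dport"]) for p in packets]),
        conditional_entropy([(p["dip"], p["dport"]) for p in packets]),
    )


def is_anomalous(packets, baseline, margin=1.0):
    """Stand-in for the paper's SVM (assumption): flag the window if any TFCE
    component moves more than `margin` bits away from the normal baseline."""
    return any(abs(cur - base) > margin for cur, base in zip(tfce(packets), baseline))


# --- constructed sample traffic (not from the MIT data set) -------------------------
def _pkt(sip, dip, dport):
    return dict(sip=sip, dip=dip, dport=dport)


NORMAL = [
    _pkt("10.0.0.1", "192.168.1.10", 80), _pkt("10.0.0.1", "192.168.1.10", 443),
    _pkt("10.0.0.2", "192.168.1.20", 22), _pkt("10.0.0.2", "192.168.1.20", 22),
    _pkt("10.0.0.3", "192.168.1.30", 53), _pkt("10.0.0.3", "192.168.1.10", 80),
    _pkt("10.0.0.4", "192.168.1.20", 443), _pkt("10.0.0.4", "192.168.1.30", 53),
]
# Sixteen spoofed sources flood one web server port, with some background traffic mixed in.
ATTACK = [_pkt(f"172.16.{i}.{i}", "192.168.1.10", 80) for i in range(16)] + NORMAL[::2]

if __name__ == "__main__":
    base = tfce(NORMAL)
    print("normal TFCE:", [round(v, 3) for v in base])
    print("attack TFCE:", [round(v, 3) for v in tfce(ATTACK)])
    print("attack flagged:", is_anomalous(ATTACK, base))
```

Under the many-to-one flood H(sip|dip) and H(sip|dport) rise by more than two bits while H(dip|dport) collapses to zero, because every packet on port 80 now goes to the same host; a volume counter alone would not show which relation changed.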
Table 10: Entropy Based IEEE Papers
Title: A New Relative Entropy Based App-DDoS Detection Method
Author: Jin Wang, Xiaolong Yang, Keping Long. Research Center for Optical Internet and Mobile Information Network, University of Electronic Science and Technology of China, Chengdu, Sichuan 610056, China; Network Center of Chengdu University, Chengdu, Sichuan 610106, China
Year: 2010
Abstract: Distributed Denial of Service (DDoS) attack is a serious problem for network services. This paper analyzes some solutions to the application layer DDoS (app-DDoS) attack, and proposes a relative entropy based app-DDoS detection method. The scheme includes two stages: a learning stage and a detection stage. First, at the learning stage, it extracts the main click features of web objects with cluster methods. Then, at the detection stage, it computes the relative entropy for each session according to the learning result. The greater the session's relative entropy, the more suspicious the session is. Finally, simulation results suggest that this method can differentiate the attack sessions with a high detection rate and a low false alarm rate.
Theme: This paper analyzes the application layer DDoS and proposes a new relative entropy based app-DDoS detection method. The method is validated by simulation, and the results suggest that it can be used to detect app-DDoS attacks. Future work will focus on how to handle false detection.
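An added example of the two-stage scheme, not the paper's implementation: the learning stage here reduces to a pooled click distribution over web objects (the paper's clustering of click features is not described on this page), and the detection stage scores each session by the relative entropy D(P_session || Q_profile). The probability floor for objects never seen in learning, the threshold and all sessions are constructed assumptions.

```python
import math
from collections import Counter

UNSEEN_FLOOR = 1e-6   # probability assigned to objects absent from the profile (assumption)


def click_distribution(clicks):
    """Empirical distribution of the web objects requested in one session."""
    counts = Counter(clicks)
    n = len(clicks)
    return {obj: c / n for obj, c in counts.items()}


def learn_profile(normal_sessions):
    """Learning stage: pooled click distribution of known-normal sessions.
    (Stand-in for the paper's clustering step; that step is not on this page.)"""
    return click_distribution([obj for session in normal_sessions for obj in session])


def relative_entropy(p, q, floor=UNSEEN_FLOOR):
    """D(P||Q) = sum_i p_i * log2(p_i / q_i), in bits.

    An object the profile never saw would give q_i = 0 and an infinite value; the
    floor keeps it finite but very large, which is the behaviour a flood of requests
    for an unusual object should produce.
    """
    return sum(pi * math.log2(pi / max(q.get(obj, 0.0), floor)) for obj, pi in p.items())


def score_sessions(sessions, profile):
    """Detection stage: relative entropy of every session against the learned profile."""
    return {sid: relative_entropy(click_distribution(clicks), profile)
            for sid, clicks in sessions.items()}


def suspicious(sessions, profile, threshold):
    """Session ids whose relative entropy exceeds the threshold, sorted."""
    return sorted(sid for sid, d in score_sessions(sessions, profile).items() if d > threshold)


# --- constructed sessions (not from the paper's simulation) -------------------------
TRAINING = [
    ["/index", "/index", "/about", "/login"],
    ["/index", "/about", "/login", "/index"],
    ["/login", "/index", "/index", "/about"],
    ["/index", "/index", "/login", "/about"],
]
SESSIONS = {
    "user-1": ["/index", "/index", "/about", "/login"],    # matches the profile exactly
    "user-2": ["/index", "/about", "/index", "/index"],    # plausible variation
    "bot-1": ["/search?q=a"] * 8,                          # hammers an object never seen in learning
    "bot-2": ["/about"] * 6 + ["/index"] * 2,              # known objects, heavily skewed
}
PROFILE = learn_profile(TRAINING)
THRESHOLD = 0.8   # bits (assumption)

if __name__ == "__main__":
    for sid, d in score_sessions(SESSIONS, PROFILE).items():
        print(f"{sid:7s} D = {d:6.3f} bits")
    print("suspicious:", suspicious(SESSIONS, PROFILE, THRESHOLD))
```

A session that reproduces the learned profile scores exactly zero, a mildly different human session scores well under a bit, and the two bot patterns score roughly one bit and about twenty bits respectively; how the threshold trades false alarms against missed attacks is exactly the open question the paper lists as future work.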
Table 11: Entropy Based IEEE Papers
Title: Entropy-based Input-Output Traffic Mode Detection Scheme for DoS/DDoS Attacks
Author: Suratose Tritilanunt, Suphannee Sivakorn, Choochern Juengjincharoen, Ausanee Siripornpisan. Computer Engineering Department, Faculty of Engineering, Mahidol University, 25/25 Salaya, Phuttamonthol, Nakornpathom 73170, Thailand
Year: 2010
Abstract: The most common type of DoS attack occurs when adversaries flood a large amount of bogus data to interfere with or disrupt the service on the server. A volume-based scheme (packet rate, bandwidth, packet size) used to detect such attacks would not be able to inspect short-term denial-of-service attacks, and cannot distinguish between heavy load from legitimate users and a huge number of bogus messages from attackers. As a result, this paper provides a detection mechanism based on an entropy-based input-output traffic mode detection scheme. The experimental results demonstrate that the approach is able to detect several kinds of denial-of-service attacks, even small spikes of such attacks. This paper uses the entropy of packet size to detect attacks.
Theme: In summary, an entropy-based technique provides more accurate denial-of-service detection than a volume-based technique. Moreover, the time needed to discover both long-term and short-term denial-of-service attacks is another key strength over a feature-based detection approach. These two advantages are supported by the experimental results. Both short-term and long-term attacks are detected.
Table 12: Entropy Based IEEE Papers
Title: Entropy Based SYN Flooding Detection
Author: Laleh Arshadi, Amir Hossein Jahangir. Computer Engineering Department, Sharif University of Technology, Tehran, Iran
Year: 2011
Abstract: In this paper we present a novel approach for detecting SYN flooding attacks by investigating the entropy of SYN packet inter-arrival times as a measure of randomness. We argue that normal SYN packets are almost independent, leading to higher values of entropy, while SYN flooding attacks consist of a high volume of related SYN packets, so the entropy of their inter-arrival times would be less than normal. We apply this entropy-based method on different data sets of network traffic, both in off-line and real-time modes. In this paper we examine the changes in the entropy of inter-arrival times of TCP SYN packets to detect SYN flooding attacks. Our experiments are based upon the argument that normal SYN packets are almost independent, leading to higher values of entropy, while SYN flooding attacks consist of many related SYN packets sent either from the same origin to various destinations or from multiple sources to a single destination, and consequently the entropy of their inter-arrival times would be less than normal.
Theme: The point is that as the arrival rate decreases the packets become less dependent and the entropy increases as a result, whereas an increase in the arrival rate results in more dependency between the packets and consequently a decrease in the entropy. There are two major challenges faced by anomaly detection techniques. First is the problem of defining a general rule for the distinction of normal and anomalous traffic, and the second is the high volume of the processing data. The entropy-based detection technique can overcome both challenges by investigating the randomness of TCP SYN packets' inter-arrival times, since deriving the SYN packets, extracting their inter-arrival times and computing the entropy is not computationally intensive and can easily be performed in real time. As future work it may be useful to observe the entropy of other flow inter-arrival times, e.g. TCP SYN-ACK, TCP ACK, TCP RST, UDP or ICMP packets. In case the entropy changes as an anomaly occurs, it would be possible to identify the anomalous portions of the traffic in the same way the SYN flooding attacks are detected.
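An added example of the measure described above, not the paper's code: pure SYN packets are extracted from a trace, their inter-arrival times are binned on a log10 scale (inter-arrival times are continuous, so the entropy needs a binning; the decade bins, the floor for zero gaps, the minimum SYN count and the threshold are assumptions made here), and the Shannon entropy of the bins is compared against a low-entropy threshold. The traces are constructed.

```python
import math
from collections import Counter

MIN_SYNS = 8        # refuse to judge a window with fewer SYNs (assumption)
LOW_ENTROPY = 1.0   # bits; alarm when entropy of the inter-arrival bins falls below this (assumption)


def shannon_entropy(values):
    """H(X) in bits for the empirical distribution of a list of hashable values."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def syn_inter_arrivals(packets):
    """Inter-arrival times in seconds of pure SYN packets (flags == 'S').

    packets: iterable of (timestamp_us, tcp_flags). SYN/ACK and other segments are ignored,
    so the server's replies do not dilute the measurement.
    """
    syn_ts = sorted(ts for ts, flags in packets if flags == "S")
    return [(b - a) / 1e6 for a, b in zip(syn_ts, syn_ts[1:])]


def gap_bin(gap_s, floor_s=1e-6):
    """Log10 bin of an inter-arrival time. Gaps at or below floor_s (including the 0 that
    equal timestamps produce) share the lowest bin so log10() is never given 0."""
    return math.floor(math.log10(max(gap_s, floor_s)))


def inter_arrival_entropy(gaps):
    """Shannon entropy of the binned inter-arrival times, in bits."""
    return shannon_entropy([gap_bin(g) for g in gaps])


def syn_flood_verdict(packets, min_syns=MIN_SYNS, low=LOW_ENTROPY):
    """Return (entropy, alarm); both None when there are too few SYNs to judge,
    because an empty or one-bin histogram would otherwise read as a flood."""
    gaps = syn_inter_arrivals(packets)
    if len(gaps) + 1 < min_syns:
        return (None, None)
    h = inter_arrival_entropy(gaps)
    return (h, h < low)


# --- constructed traces (not real captures); timestamps in microseconds ----------------
def _trace(gaps_us, start_us=1_000_000):
    """SYN packets separated by the given gaps."""
    ts, out = start_us, [(start_us, "S")]
    for g in gaps_us:
        ts += g
        out.append((ts, "S"))
    return out


NORMAL_GAPS_US = [13_000, 210_000, 47_000, 900_000, 5_000, 330_000, 120_000, 1_700_000, 61_000, 420_000]
# Independent clients: gaps span several decades. Server SYN/ACKs are interleaved and must be ignored.
NORMAL = _trace(NORMAL_GAPS_US) + [(ts + 2_000, "SA") for ts, _ in _trace(NORMAL_GAPS_US)]
# Flood: 41 SYNs arriving every 1.5 ms, all landing in one bin.
FLOOD = _trace([1_500] * 40)

if __name__ == "__main__":
    print("normal:", syn_flood_verdict(NORMAL))
    print("flood: ", syn_flood_verdict(FLOOD))
    print("too few:", syn_flood_verdict(_trace([1_000] * 3)))
```

The normal trace spreads over four decade bins and scores roughly 1.7 bits; the flood's identical gaps collapse to a single bin and score exactly 0. The minimum-count guard matters in real time because a quiet window with two SYNs would otherwise produce a zero-entropy false alarm.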
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 

IDS Survey on Entropy

  • 1. Survey on Intrusion Detection System based on Entropy Methods IEEE Papers. Raj Kamal, IIT Guwahati, June 8, 2012
  • 2. Table 1: Entropy Based IEEE Papers
    Title: An Efficient and Reliable DDoS Attack Detection Using a Fast Entropy Computation Method
    Author: Giseop No and Ilkyeun Ra, Department of Computer Science and Engineering, University of Colorado Denver, USA
    Year: 2009
    Abstract: In this paper, we propose a fast entropy scheme that can overcome the issue of false negatives and will not increase the computational time. Our simulation shows that the fast entropy computing method not only reduced computational time by more than 90 % compared to conventional entropy, but also increased the detection accuracy compared to conventional and compression entropy approaches.
    Theme: Uses fast entropy and a moving average to calculate entropy. If network traffic changes from normal to abnormal status, such as when the DDoS attacker sends a bulk of packets with the same port number to saturate a certain port, the entropy of this port number will be decreased. By contrast, under normal conditions, the entropy of the port number will be increased. This phenomenon can be applied to various network information such as source IP address, destination IP address, source port, destination port, total number of packets, and even in the data clustering schemes. Our Fast Entropy scheme reduced computational time by 90 % of conventional entropy scheme while maintaining detection accuracy. Fast Entropy is even faster than compression entropy scheme in computing entropy values with same or better detection accuracy. For our future work, we have been developing an adaptive fast entropy algorithm that will further reduce the false positives as well as false negatives without adding overhead by introducing dynamic moving average and detection threshold value with respect to behavior of attacks.
  • 3. Table 2: Entropy Based IEEE Papers
    Title: Effective Discovery of Attacks using Entropy of Packet Dynamics
    Author: Chan-Kyu Han, Hyoung-Kee Choi, Sungkyunkwan University
    Year: 2009
    Abstract: This IDS is based on the notion of packet dynamics, rather than packet content, as a way to cope with the increasing complexity of attacks. We employ a concept of entropy to measure time-variant packet dynamics and, further, to extrapolate this entropy to detect network attacks. The entropy of network traffic should vary abruptly once the distinct patterns of packet dynamics embedded in attacks appear. The proposed classifier is evaluated by comparing independent statistics derived from five well-known attacks. Our classifier detects those five attacks with high accuracy and does so in a timely manner. For instance, a Denial of Service (DoS) attack and flash crowds cause destination hosts to concentrate the distribution of traffic on the victim. Network scanning has a dispersed distribution for destination hosts and a bottleneck distribution for destination services. This bottleneck distribution is concentrated on the vulnerable ports. Concentration and dispersion are, respectively, two patterns of packet dynamics frequently perceived in a DoS attack and network scanning. The key idea is that once abnormal traffic contaminates long-term behavior, the entropy value of the system should immediately reflect this contamination. This detection method takes advantage of fluctuations in the entropy values of flow-related metrics. Bogus requests do not generate immediate
    Theme: We implemented the proposed algorithm using perl and ran it on real traffic traces available on the Internet. We used four traces containing five malicious attacks: they are Code Red Worm, Witty Worm, Slammer Worm, DoS and DDoS attacks. Here a thermodynamic approach is used with a moving average. It further uses an ROC curve to find out the threshold.
  • 4. Table 3: Entropy Based IEEE Papers
    Title: Entropy-Based Profiling of Network Traffic for Detection of Security Attack
    Author: Tsern-Huei Lee, Jyun-De He, Department of Communication Engineering, National Chiao Tung University, Taiwan
    Year: 2009
    Abstract: We present an entropy-based network traffic profiling scheme for detecting security attacks. The proposed scheme consists of two stages. The purpose of the first stage is to systematically construct the probability distribution of Relative Uncertainty for normal network traffic behavior. In the second stage, we use the Chi-Square Goodness-of-Fit Test, a calculation that measures the level of difference of two probability distributions, to detect abnormal network activities. The probability distribution of the Relative Uncertainty for short-term network behavior is compared with that of the long-term profile constructed in the first stage. We demonstrate the performance of our proposed scheme for DoS attacks with the dataset derived from KDD CUP 1999. Experimental results show that our proposed scheme achieves high accuracy if the features are selected appropriately. The top six features ranked by the accuracy are srcbytes, dstbytes, srvdiffhostrate, dsthostcount, dsthostsamesrcportrate and dsthostsrvdiffhostrate. These features can be used to detect DoS attacks effectively.
    Theme: In this paper, we proposed a novel, two-stage approach for detecting network attacks. In the first stage, normal behavior profiles are constructed based on Relative Uncertainty. In the second stage, the Chi-Square Goodness-of-Fit Test is performed for the distributions obtained from behavior profiling and network activities collected online. We demonstrated the effectiveness of our proposed scheme with the KDD 1999 dataset for DoS attacks. Simulation results show that our proposed scheme achieves lower complexity and higher accuracy than previous schemes. Based on the experimental results, we believe that the proposed scheme could be a good choice for network behavior profiling and attack detection.
  • 5. Table 4: Entropy Based IEEE Papers
    Title: Entropy-Based Collaborative Detection of DDoS Attacks on Community Networks
    Author: Shui Yu and Wanlei Zhou, School of Engineering and Information Technology, Deakin University, Burwood, VIC 3125, Australia
    Year: 2008
    Abstract: A community network often operates with the same Internet Service Provider domain or the virtual network of different entities who are cooperating with each other. In such a federated network environment, routers can work closely to raise early warning of DDoS attacks to avoid catastrophic damages. However, the attackers simulate the normal network behaviors, e.g. pumping the attack packages as Poisson distribution, to disable detection algorithms. We noticed that the attackers use the same mathematical functions to control the speed of attack package pumping to the victim. Based on this observation, the different attack flows of a DDoS attack share the same regularities, which is different from the real surging accessing in a short time period. We apply information theory parameter, entropy rate, to discriminate the DDoS attack from the surge legitimate accessing. We proved the effectiveness of our method in theory,
    Theme: We focus on detection of DDoS attacks in community networks. Our motivation comes from discriminating the DDoS attacks from surge legitimate accessing, and identifying attacks at the early stage, even before the attack packages reach the target server. The entropy of flows at a router, router entropy, is calculated; if the router entropy is less than a given threshold, then an attack alarm is raised; the routers on the path of the suspected flow will calculate the entropy rate of the suspected flow. If the entropy rates are the same or the difference is less than a given value, then we can confirm that it is an attack, otherwise, it is a surge of legitimate accessing. Here the number of packets to different destinations is used.
  • 6. Table 5: Entropy Based IEEE Papers
    Title: Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics
    Author: Yang Xiang, Member, IEEE, Ke Li, and Wanlei Zhou, Senior Member, IEEE
    Year: 2011
    Abstract: A low-rate distributed denial of service (DDoS) attack has significant ability of concealing its traffic because it is very much like normal traffic. An information metric can quantify the differences of network traffic with various probability distributions. In this paper, we innovatively propose using two new information metrics such as the generalized entropy metric and the information distance metric to detect low-rate DDoS attacks by measuring the difference between legitimate traffic and attack traffic. The proposed generalized entropy metric can detect attacks several hops earlier than the traditional Shannon metric. The proposed information distance metric outperforms the popular Kullback–Leibler divergence approach as it can clearly enlarge the adjudication distance and then obtain the optimal detection sensitivity. The experimental results show that the proposed information metrics can effectively detect low-rate DDoS attacks and clearly reduce the false positive rate. Furthermore, the proposed IP traceback scheme based on information metrics can effectively trace all attacks until their own LANs (zombies). In conclusion, our proposed information metrics can substantially improve the performance of low-rate DDoS attacks detection and IP traceback over the traditional approaches.
    Theme: We propose two new and effective information metrics for low-rate DDoS attacks detection: generalized entropy and information distance metric. The experimental results show that these metrics work effectively and stably. They outperform the traditional Shannon entropy and Kullback–Leibler distance approaches, respectively, in detecting anomaly traffic. In particular, these metrics can improve (or match the various requirements of) the systems' detection sensitivity by effectively adjusting the value of order of the generalized entropy and information distance metrics. As the proposed metrics can increase the information distance (gap) between attack traffic and legitimate traffic, they can effectively detect low-rate DDoS attacks early and reduce the false positive rate clearly. The proposed information distance metric overcomes the asymmetric properties of both Kullback–Leibler and information divergences. Furthermore, the proposed IP traceback algorithm can find all attacks as well as attackers from their own local area networks (LANs) and discard attack packet
  • 7. Table 6: Entropy Based IEEE Papers
    Title: Joint Entropy Analysis Model for DDoS Attack Detection
    Author: Hamza Rahmani, Nabil Sahli, Farouk Kammoun, CRISTAL Lab., National School for Computer Sciences of Tunis, University campus Manouba, Manouba, Tunisia
    Year: 2009
    Abstract: Network traffic characterization with behaviour modelling could be a good indication of attack detection which can be performed via abnormal behaviour identification. Moreover, it is hard to distinguish the difference of an unusual high volume of traffic which is caused by the attack or occurs when a huge number of users occasionally access the target machine at the same time. We observe that the time series of IP-flow number and aggregate traffic size are strongly statistically dependent. The occurrence of attack affects this dependence and causes a rupture in time series of joint entropy values. Experiment results show that this method could lead to more accurate and effective DDoS detection. We propose a measurement method which focuses on quantifying the information expressed by the joint system of two random variables in traffic-based network. By measuring the degree of coherence between the number of packets and the number of IP-flow first obtained in regular traffic, then in traffics presenting a large variety of anomalies including mainly legitimate anomalies, we can differentiate traffic changes caused by flash crowd (FC) or by DoS attack. This method allows reducing significantly the false positives alarms.
    Theme: In this paper, we have proposed a statistical approach for DDoS attacks detection. Our experiences were made on a real traffic flow issued from a "CAIDA data collection" collected in 2007. Our proposed approach is based on the evaluation of the degree of coherence between the received traffic volume and the number of connections per time interval with the aim of thresholding calculated distances between a current observation window and a given reference. The main contribution of this paper is that our proposal model allows us to identify DDoS attacks regardless of the traffic volume size. A legitimate augmentation at large scale will not be detected through this method, which minimises false alarms. In addition, our proposal does need to inspect only a few fields for each packet. This makes it simpler and more practical for real-time implementation. The network characteristics are studied by generating the histogram of the size of IP-flow during a time interval T.
  • 8. Table 7: Entropy Based IEEE Papers
    Title: A Network Anomaly Detection Method Based on Relative Entropy Theory
    Author: Ya-ling Zhang, Zhao-guo Han, Jiao-xia Ren, School of Computer Science and Engineering, Xi'an University of Technology, Xi'an, China
    Year: 2009
    Abstract: A new network anomaly detection method has been proposed in this paper. The main idea of the method is that network traffic is analyzed and estimated by using Relative Entropy Theory (RET), and a network anomaly detection model based on RET is designed as well. The numerical value of relative entropy is used to alleviate the inherent contradictions between improving detection rate and reducing false alarm rate, which is more precise and can effectively reduce the error of estimation. On the 1999 DARPA/Lincoln Laboratory IDS evaluation data set, the detection results showed that the method can reach a higher detection rate at the premise of low false alarm rate. These measures have three features: compose a full-probability event and cover all gathered information; be able to comprehensively reflect a variety of abnormal that cause the abnormal network traffic; does not contain sensitive information, such as IP address, port number or packet content information.
    Theme: The RETAD sets up SVLNM by training the normal network traffic. The network anomaly detection system based on RET is achieved by comparing SVLD with SVLNM. The test results show that the detection rate of RETAD is higher than the EMERALD, PHAD, ALAD, NETAD and FAD. The RETAD has three advantages. Firstly, algorithm computation is so easy that it can be used in the high speed network. Secondly, the method has a strong detection capability, especially for the detection of intermittent anomalies. In addition, the RETAD has a good adaptability. Based on RET, the packet length has been chosen as the measure to detect anomaly. Furthermore, the detection models using other measures need to be further studied. Packet lengths are taken into account to calculate relative entropy and draw conclusions.
  • 9. Table 8: Entropy Based IEEE Papers
    Title: An Approach on Detecting Network Attack Based on Entropy
    Author: Zhiwen Wang, Qin Xia, Department of Computer Science and Technology, Xi'an Jiaotong University, Xi'an, China
    Year: 2011
    Abstract: In this paper we propose an approach on detecting network attack based on entropy from millions of alerts. Shannon entropy is developed firstly to analyze the distribution characteristics of alert with five key attributes including source IP address, destination IP address, source threat, destination threat and datagram length. Then, the Renyi cross entropy is employed to fuse the Shannon entropy vector and detect the anomalies. The IDS used in our experiment is Snort, and the experimental results based on actual network data show that our approach can detect network attack quickly and accurately. In this paper, Snort is used to monitor the network and five statistical features of the Snort alert are selected: source IP address, destination IP address, source threat, destination threat and datagram length. The Shannon entropy is used to analyze the distribution characteristics of alert that reflect the regularity of network status. When the monitored network runs in normal way, the entropy values are relatively smooth. Otherwise, the entropy value of one or more features would change. The Renyi cross entropy of these features is calculated to measure the network status and detect network attacks.
    Theme: The test data set with more alerts is used to evaluate our method. There are 166,326 alerts in the test data. 9.83% of them are generated by 86 network attacks occurring within 430 seconds. We successfully detect all the attacks with 2 false detections. In this paper, we proposed a new network attack detection method based on entropy. Five features of IDS alerts are selected from tens of Snort alert attributes. The Shannon entropy is used to analyze the alerts to measure the regularity of current network status. The Renyi cross entropy is employed to detect network attack. The Renyi cross entropy value is near 0 when the network runs in normal, otherwise the value will change abruptly when attack occurs. The experimental results under actual data show that the framework in our work can detect network attack quickly and accurately. In the next step, more alerts from different time segments will be collected to test our method and an attack classification method will be considered. A time series is calculated based on Shannon entropy, which is used to calculate the Renyi cross entropy; this is compared with the previous value and an alarm is generated based on a threshold.
  • 10. Table 9: Entropy Based IEEE Papers
    Title: Detecting DDoS Attacks Using Conditional Entropy
    Author: Yun Liu, Jieren Cheng, Jianping Yin, Boyun Zhang, School of Computer, National University of Defense Technology, Changsha, China
    Year: 2010
    Abstract: After analyzing the characteristics of DDoS attacks and the existing approaches to detect DDoS attacks, a novel detection method based on conditional entropy is proposed in this paper. First, a group of statistical features based on conditional entropy is defined, which is named Traffic Feature Conditional Entropy (TFCE), to depict the basic characteristics of DDoS attacks, such as high traffic volume and multiple-to-one relationships. Then, a trained support vector machine (SVM) classifier is applied to identify the DDoS attacks. We experiment with the MIT Data Set in order to evaluate our approach. The results show that the proposed method not only can distinguish between attack traffic and normal traffic accurately, but also is more robust to resist disturbance of background traffic compared with its counterparts.
    Theme: The results demonstrate that TFCE is more robust to the interference of background traffic. The reason lies in the fact that the corresponding relations between traffic features are considered here. TFCE computes the relative distribution between traffic features and includes the information of joint probabilities of traffic features, so it has stronger ability to uncover the difference of attack traffic and normal traffic. SrcIP, DestIP and DestPort are taken into account. Three conditional entropies, H(sip|dip), H(sip|dport) and H(dip|dport), are then used to characterize three kinds of multiple-to-one relation in DDoS attacks; together they are called Traffic Feature Conditional Entropy (TFCE). These measure the diversity of sip to dip, sip to dport and dport to dip, or their uncertainty. After that an SVM is included in the picture, trained with the same set of factors and used to detect real-time anomalies.
  • 11. Table 10: Entropy Based IEEE Papers
    Title: A New Relative Entropy Based App-DDoS Detection Method
    Author: Jin Wang, Xiaolong Yang, Keping Long, Research Center for Optical Internet Mobile Information Network, University of Electronic Science Technology of China, Chengdu Sichuan 610056, China; Network Center of Chengdu University, Chengdu Sichuan 610106, China
    Year: 2010
    Abstract: Distributed Denial of Service (abbreviated DDoS) attack is a serious problem to the network services. This paper analyzed some solutions to the application layer DDoS (abbreviated app-DDoS) attack, and proposed a relative entropy based app-DDoS detection method. Our scheme includes two stages: learning stage and detection stage. Firstly at the learning stage, it extracts main click features of web objects with the cluster methods. Then at the detection stage, it computes the relative entropy for each session according to the learning result. The greater the session's relative entropy, the more suspicious the session is. At last, simulation results suggest that this method can differentiate the attack session with high detection rate and low false alarm.
    Theme: This paper analyzes the application layer DDoS and proposes a new relative entropy based app-DDoS detection method. We validate our method by simulation, and the results suggest that our method can be used to detect app-DDoS attacks. This paper validates the usefulness of the relative entropy based app-DDoS detection method. Our future work will focus on how to handle false detection.
  • 12. Table 11: Entropy Based IEEE Papers
    Title: Entropy-based Input-Output Traffic Mode Detection Scheme for DoS/DDoS Attacks
    Author: Suratose Tritilanunt, Suphannee Sivakorn, Choochern Juengjincharoen, Ausanee Siripornpisan, Computer Engineering Department, Faculty of Engineering, Mahidol University, 25/25 Salaya, Phuttamonthol, Nakornpathom 73170, Thailand
    Year: 2010
    Abstract: The most common type of DoS attack occurs when adversaries flood a large amount of bogus data to interfere or disrupt the service on the server. By using a volume-based scheme (packet rate, bandwidth, packet size) to detect such attacks, this technique would not be able to inspect short-term denial-of-service attacks, as well as cannot distinguish between heavy load from legitimate users and huge number of bogus messages from attackers. As a result, this paper provides a detection mechanism based on a technique of entropy-based input-output traffic mode detection scheme. The experimental results demonstrate that our approach is able to detect several kinds of denial-of-service attacks, even small spikes of such attacks.
    Theme: In summary, an entropy-based technique provides more accurate denial-of-service detection than a volume-based technique. Moreover, the detecting time to discover both long-term and short-term denial-of-service attacks in our scheme is another key strength over a feature-based detection approach. These two major advantages are supported by the experimental results as demonstrated in this section. Short term and long term attacks are detected. This paper uses the entropy of packet size to detect attacks.
  • 13. Table 12: Entropy Based IEEE Papers
    Title: Entropy Based SYN Flooding Detection
    Author: Laleh Arshadi, Amir Hossein Jahangir, Computer Engineering Department, Sharif University of Iran, Tehran, Iran
    Year: 2011
    Abstract: In this paper we present a novel approach for detecting SYN flooding attacks by investigating the entropy of SYN packet inter-arrival times as a measure of randomness. We argue that normal SYN packets are almost independent leading to higher values of entropy while SYN flooding attacks consist of a high volume of related SYN packets and so the entropy of their inter-arrival times would be less than normal. We apply this entropy-based method on different data sets of network traffic both in off-line and real-time modes. In this paper we examine the changes in the entropy of inter-arrival times of TCP SYN packets to detect SYN flooding attacks. Our experiments are based upon this argument that normal SYN packets are almost independent leading to higher values of entropy while SYN flooding attacks consist of many related SYN packets sent from either the same origin to various destinations or from multiple sources to a single destination and consequently the entropy of their inter-arrival times would be less than normal.
    Theme: The point is that as the arrival rate decreases the packets become less dependent and the entropy increases as a result, whereas an increase in the arrival rate results in more dependency between the packets and a decrease in the entropy consequently. There are two major challenges faced by the anomaly detection techniques. First is the problem of defining a general rule for the distinction of normal and anomalous traffic and the second is the high volume of the processing data. We see that our entropy based detection technique can easily overcome both challenges by investigating the randomness of TCP SYN packets' inter-arrival times. While deriving the SYN packets, extracting their inter-arrival times and computing the entropy is not computationally intensive and can easily be performed in real-time. As for future work it may be useful to observe the entropy of other flow inter-arrival times, e.g. TCP-SYN-ACK, TCP-ACK, TCP-RST, UDP or ICMP packets. In case the entropy changes as an anomaly occurs, it would be possible to identify the anomalous portions of the traffic in the same way we detect the SYN flooding attacks
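The destination-port entropy drop described in Table 1 (a flood that concentrates packets on one port lowers the port entropy, while normal windows stay near their moving-average baseline), as an added Python example that is neither the survey's nor the paper's code. The window size, the moving-average history, the margin and the packet records are all constructed assumptions, and the paper's own fast-entropy computation is not reproduced; plain Shannon entropy is computed per window.

```python
import math
from collections import Counter
from typing import List

# Constructed sample, not real traffic: destination ports of packets in
# arrival order. Eight services are used evenly, then one window in which
# nearly every packet targets a single port (the flood pattern of Table 1).
NORMAL_PORTS = [22, 53, 80, 123, 443, 993, 3306, 8080]


def build_sample_ports(normal_windows: int, window: int) -> List[int]:
    """Return `normal_windows` evenly spread windows followed by one flood window."""
    ports: List[int] = []
    for _ in range(normal_windows):
        ports.extend(NORMAL_PORTS[i % len(NORMAL_PORTS)] for i in range(window))
    # Flood window (constructed): all but two packets go to port 80.
    ports.extend([80] * (window - 2) + [22, 443])
    return ports


def shannon_entropy(counts: Counter) -> float:
    """Shannon entropy, in bits, of the empirical distribution in `counts`."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def window_entropies(ports: List[int], window: int) -> List[float]:
    """Entropy of the destination-port distribution in each fixed-size window."""
    return [shannon_entropy(Counter(ports[i:i + window]))
            for i in range(0, len(ports) - window + 1, window)]


def flag_entropy_drops(entropies: List[float], history: int, margin: float) -> List[int]:
    """Indices of windows whose entropy falls more than `margin` bits below the
    moving average of the previous `history` windows (assumed alarm rule)."""
    flagged: List[int] = []
    for i in range(history, len(entropies)):
        baseline = sum(entropies[i - history:i]) / history
        if entropies[i] < baseline - margin:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    ents = window_entropies(build_sample_ports(4, 16), 16)
    for i, e in enumerate(ents):
        print(f"window {i}: H(dport) = {e:.3f} bits")
    print("flagged windows:", flag_entropy_drops(ents, history=3, margin=0.5))
```

A flash crowd that concentrates on one service lowers port entropy in the same way, which is why Tables 4 and 6 pair the entropy drop with a second test (entropy rate along the path, joint entropy of packet and flow counts) before raising an alarm.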
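The three conditional entropies of Table 9, H(sip|dip), H(sip|dport) and H(dip|dport), computed as H(X,Y) - H(Y) over constructed flow records, as an added Python example that is not the paper's code. The two traces, the IP addresses and the comparison without a threshold are assumptions, and the SVM stage the paper applies afterwards is omitted.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int]  # (source IP, destination IP, destination port)

# Constructed traces, not real traffic. "Normal": four clients each use a web
# and a TLS service. "Flood": the same traffic plus sixteen distinct sources
# all hitting one server on port 80, the multiple-to-one pattern of Table 9.
NORMAL_FLOWS: List[Flow] = [
    (f"10.0.0.{c}", server, port)
    for c in range(1, 5)
    for server, port in (("192.0.2.10", 80), ("192.0.2.20", 443))
]
FLOOD_FLOWS: List[Flow] = NORMAL_FLOWS + [
    (f"203.0.113.{k}", "192.0.2.10", 80) for k in range(1, 17)
]


def entropy(counts: Counter) -> float:
    """Shannon entropy, in bits, of the empirical distribution in `counts`."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def conditional_entropy(pairs: List[Tuple[object, object]]) -> float:
    """H(X|Y) for a list of (x, y) observations, via H(X|Y) = H(X,Y) - H(Y)."""
    joint = Counter(pairs)
    marginal_y = Counter(y for _, y in pairs)
    return entropy(joint) - entropy(marginal_y)


def tfce(flows: List[Flow]) -> Dict[str, float]:
    """The three traffic-feature conditional entropies named in Table 9."""
    return {
        "H(sip|dip)": conditional_entropy([(s, d) for s, d, _ in flows]),
        "H(sip|dport)": conditional_entropy([(s, p) for s, _, p in flows]),
        "H(dip|dport)": conditional_entropy([(d, p) for _, d, p in flows]),
    }


if __name__ == "__main__":
    for name, flows in (("normal", NORMAL_FLOWS), ("flood", FLOOD_FLOWS)):
        print(name, {k: round(v, 3) for k, v in tfce(flows).items()})
```

On these traces the many-to-one flood raises H(sip|dip) from 2.0 to about 3.9 bits while H(dip|dport) stays at 0 (each port maps to one server in both traces); the paper hands such feature vectors to a trained SVM rather than fixing a threshold by hand.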