Open Access Article
Entropy 2015, 17(9), 6239-6257; doi:10.3390/e17096239

Using Generalized Entropies and OC-SVM with Mahalanobis Kernel for Detection and Classification of Anomalies in Network Traffic

CINVESTAV, Campus Guadalajara, Av. del Bosque 1145, Col. El Bajio, Zapopan 45019, Mexico
* Author to whom correspondence should be addressed.
Academic Editor: Deniz Gencaga
Received: 8 May 2015 / Revised: 20 August 2015 / Accepted: 2 September 2015 / Published: 8 September 2015

Simple Summary

This paper is an extended version of our paper published in the 1st International Electronic Conference on Entropy and Its Applications (www.sciforum.net/conference/ecea-1).

Abstract

Network anomaly detection and classification is an important open issue in network security. Several approaches and systems based on different mathematical tools have been studied and developed; among them is the Anomaly-Network Intrusion Detection System (A-NIDS), which monitors network traffic and compares it against an established baseline of a "normal" traffic profile. It is therefore necessary to characterize "normal" Internet traffic. This paper presents an approach for anomaly detection and classification based on the Shannon, Rényi and Tsallis entropies of selected features, and on the construction of regions from the entropy data using the Mahalanobis distance (MD) and a One-Class Support Vector Machine (OC-SVM) with different kernels (Radial Basis Function (RBF) and Mahalanobis Kernel (MK)) for "normal" and abnormal traffic. Regular and non-regular regions built from "normal" traffic profiles allow anomaly detection, while classification is performed under the assumption that the regions corresponding to the attack classes have been characterized beforehand. Although the approach allows the use of as many features as required, only four well-known significant features were selected in our case. To evaluate the approach, two data sets were used: one of real traffic captured on an academic Local Area Network (LAN), and the other a subset of the 1998 MIT-DARPA set. On these data sets, a true positive rate of up to 99.35%, a true negative rate of up to 99.83% and a false negative rate of about 0.16% were obtained. Experimental results show that certain q-values of the generalized entropies and the use of OC-SVM with the RBF kernel improve the detection rate in the detection stage, while the novel inclusion of the MK kernel in OC-SVM and k-temporal nearest neighbors improve accuracy in classification.
In addition, the results show that, using the Box-Cox transformation, the Mahalanobis distance yielded high detection rates with an efficient computation time, while OC-SVM achieved slightly higher detection rates but is more computationally expensive.
Keywords: generalized entropies; network traffic; anomaly detection; OC-SVM; Mahalanobis kernel; Mahalanobis distance; non-Gaussian data
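The detection stage the abstract describes (a generalized entropy per selected feature for each window of traffic, then a region built from "normal" windows with the Mahalanobis distance) is illustrated below in Python. This is an added example, not the authors' code: it does not reproduce their data sets, their region construction, the Box-Cox step or the OC-SVM stage. The four features (source IP, destination IP, source port, destination port), the Rényi order q = 2, the ridge added to the covariance, the radius rule (1.5 times the largest training distance) and the traffic generators are all assumptions, and every flow record is constructed.

```python
import math
import random
from collections import Counter

# The abstract does not name the four selected features; this choice is an assumption.
FEATURES = ("src_ip", "dst_ip", "src_port", "dst_port")


def probabilities(values):
    """Empirical distribution of one feature over a window of flows."""
    counts = Counter(values)
    total = sum(counts.values())
    return [c / total for c in counts.values()]


def shannon(p, q=None):
    """Shannon entropy in bits (q is ignored; kept for a uniform call signature)."""
    return -sum(x * math.log2(x) for x in p if x > 0)


def renyi(p, q):
    """Renyi entropy of order q in bits; equals Shannon entropy at q = 1."""
    if q == 1.0:
        return shannon(p)
    return math.log2(sum(x ** q for x in p)) / (1.0 - q)


def tsallis(p, q):
    """Tsallis entropy of order q; tends to Shannon entropy in nats as q -> 1."""
    if q == 1.0:
        return -sum(x * math.log(x) for x in p if x > 0)
    return (1.0 - sum(x ** q for x in p)) / (q - 1.0)


def entropy_vector(flows, q=2.0, entropy=renyi):
    """One point per window: the chosen entropy of each selected feature."""
    return [entropy(probabilities([f[k] for f in flows]), q) for k in FEATURES]


def invert(m):
    """Gauss-Jordan inverse with partial pivoting, for a small dense matrix."""
    d = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(d)] for i, row in enumerate(m)]
    for col in range(d):
        pivot = max(range(col, d), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        pv = a[col][col]
        a[col] = [x / pv for x in a[col]]
        for r in range(d):
            if r != col:
                factor = a[r][col]
                a[r] = [x - factor * y for x, y in zip(a[r], a[col])]
    return [row[d:] for row in a]


def mean_and_inverse_covariance(points, ridge=1e-6):
    """Sample mean and inverse sample covariance; the ridge keeps the matrix invertible
    when a feature's entropy barely varies across windows (assumption, not from the paper)."""
    n, d = len(points), len(points[0])
    mean = [sum(p[i] for p in points) / n for i in range(d)]
    cov = [[sum((p[i] - mean[i]) * (p[j] - mean[j]) for p in points) / (n - 1)
            + (ridge if i == j else 0.0) for j in range(d)] for i in range(d)]
    return mean, invert(cov)


def mahalanobis(x, mean, inv_cov):
    diff = [xi - mi for xi, mi in zip(x, mean)]
    d = len(diff)
    return math.sqrt(sum(diff[i] * inv_cov[i][j] * diff[j] for i in range(d) for j in range(d)))


def build_profile(normal_windows, q=2.0, margin=1.5):
    """'Normal' region: mean, inverse covariance and a radius in Mahalanobis distance.
    Radius = margin * largest training distance is an assumption, not the paper's rule."""
    points = [entropy_vector(w, q) for w in normal_windows]
    mean, inv_cov = mean_and_inverse_covariance(points)
    radius = margin * max(mahalanobis(p, mean, inv_cov) for p in points)
    return {"q": q, "mean": mean, "inv_cov": inv_cov, "radius": radius}


def score(window, profile):
    return mahalanobis(entropy_vector(window, profile["q"]), profile["mean"], profile["inv_cov"])


def is_anomalous(window, profile):
    return score(window, profile) > profile["radius"]


def normal_window(rng, n=200):
    """Constructed benign traffic: many clients, a few servers, a few services."""
    return [{"src_ip": f"10.0.0.{rng.randint(1, 60)}",
             "dst_ip": rng.choice(["10.0.1.5"] * 5 + ["10.0.1.6"] * 3 + ["10.0.1.7"]),
             "src_port": rng.randint(49152, 49452),
             "dst_port": rng.choice([443] * 6 + [80] * 3 + [53] * 2 + [22])}
            for _ in range(n)]


def port_scan_window(rng, n=200):
    """Constructed attack: one host probing n distinct ports on one target, which
    drives source/destination IP entropy to 0 and destination port entropy up."""
    return [{"src_ip": "192.0.2.99", "dst_ip": "10.0.1.5",
             "src_port": rng.randint(49152, 49452), "dst_port": 1 + i} for i in range(n)]


def demo(seed=7, training_windows=40):
    rng = random.Random(seed)
    training = [normal_window(rng) for _ in range(training_windows)]
    profile = build_profile(training)
    return {"radius": profile["radius"],
            "training_false_positives": sum(is_anomalous(w, profile) for w in training),
            "held_out_normal_score": score(normal_window(rng), profile),
            "scan_score": score(port_scan_window(rng), profile),
            "scan_flagged": is_anomalous(port_scan_window(rng), profile)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:26s} {v:.3f}" if isinstance(v, float) else f"{k:26s} {v}")
```

Swapping `renyi` for `shannon` or `tsallis` in `entropy_vector`, or changing q, reproduces the kind of comparison the abstract reports across entropies and q-values; the radius rule above is deliberately simple, and a held-out normal window can fall outside it, which is exactly the false-positive trade-off the paper's region construction and OC-SVM stage are meant to manage.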

This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. (CC BY 4.0).

Share & Cite This Article

MDPI and ACS Style

Santiago-Paz, J.; Torres-Roman, D.; Figueroa-Ypiña, A.; Argaez-Xool, J. Using Generalized Entropies and OC-SVM with Mahalanobis Kernel for Detection and Classification of Anomalies in Network Traffic. Entropy 2015, 17, 6239-6257.


Entropy EISSN 1099-4300. Published by MDPI AG, Basel, Switzerland.