Flow-based profile generation and network traffic detection for DNS anomalies using optimised entropy-based features selection and modified Holt Winter’s method

Cited by: 2
Authors
Sharma R. [1]
Guleria A. [2]
Singla R.K. [1]
Affiliations
[1] Department of Computer Science and Applications, Panjab University, Chandigarh
[2] Department of CSC, Indian Institute of Delhi, Delhi
Keywords
Domain name system; Entropy; Features selection; Holt Winter’s method; Network anomaly detection; Network flows; Normal profile
DOI
10.1504/IJSN.2021.119380
Abstract
Network anomaly detection systems can detect zero-day anomalies, but their false positive rate is quite high. In this paper, a profile-based network anomaly detection system (P-NADS) is proposed that works in three phases. In the first phase, a minimal set of characteristic features for the DNS service is identified using the proposed optimal entropy-based features selection (OEFS) method, which helps in detecting anomalies with higher accuracy. In the second phase, a modified Holt Winter’s method using partial trend (MHWT) is proposed, which generates the normal profile of a system in order to predict its future normal behaviour. In the final phase, anomalies are detected and localised. Experimental results show that the OEFS method works better than information gain and the forward feature selection algorithm. The MHWT method gives better prediction accuracy for DNS when compared to HWDS. Experiments are performed on the Panjab University flow-based dataset (PUF-dataset), which is created from real flows collected on the Panjab University Chandigarh campus and is freely available on request. Copyright © 2021 Inderscience Enterprises Ltd.
Pages: 244-257
Page count: 13