Flow-based profile generation and network traffic detection for DNS anomalies using optimised entropy-based features selection and modified Holt Winter’s method

Cited by: 2
Authors
Sharma R. [1 ]
Guleria A. [2 ]
Singla R.K. [1 ]
Affiliations
[1] Department of Computer Science and Applications, Panjab University, Chandigarh
[2] Department of CSC, Indian Institute of Delhi, Delhi
Keywords
Domain name system; Entropy; Features selection; Holt Winter’s method; Network anomaly detection; Network flows; Normal profile
DOI
10.1504/IJSN.2021.119380
Abstract
Network anomaly detection systems can detect zero-day anomalies, but their false positive rate is quite high. In this paper, a profile-based network anomaly detection system (P-NADS) is proposed that works in three phases. In the first phase, a minimal set of characteristic features for the DNS service is identified using the proposed optimal entropy-based features selection (OEFS) method, which helps in detecting anomalies with higher accuracy. In the second phase, a modified Holt Winter’s method using partial trend (MHWT) is proposed; it generates a normal profile of the system and uses it to predict future normal behaviour. In the final phase, anomalies are detected and localised. Experimental results show that the OEFS method works better than information gain and the forward feature selection algorithm. The MHWT method gives better prediction accuracy for DNS than HWDS. Experiments are performed on the Panjab University flow-based dataset (PUF-dataset), which was created from real flows collected on the Panjab University Chandigarh campus and is freely available on request. Copyright © 2021 Inderscience Enterprises Ltd.
Pages: 244 / 257
Page count: 13