Multi-scale Entropy Based Traffic Analysis and Anomaly Detection

The idea of using entropy measurement to detect anomalies or analyze traffic characteristics has been floating around the research community for some time. But all these entropy-based approaches are single-scale based "complexity" methods and fail to account for the multiple time scales inherent in time series. In order to fulfill this goal we have introduced Renyi entropy based method: multi-scale entropy (MSE). In this paper, a kind of Port-to-Port traffic in router is presented, which we call IF-flow. IF-flows can amplify the ratio of attack traffic to normal traffic. We apply MSE to the analysis of IF-flow time series in time scales, and find some interesting results. One of results supports a general view that flow count metric has a more powerful ability to detect many types of anomalies than byte and packet count metric. We also use MSE to detect anomaly existed in IF-flow time series. The experimental results indicate MSE can detect anomaly accurately.