Foreign journal: International Journal of Pattern Recognition and Artificial Intelligence

Combining Renyi Entropy and EWMA to Detect Common Attacks in Network



Abstract

How to identify attack behaviors in a network in a timely and precise manner, without dealing with a large number of traffic features and historical data such as training data, is an important research problem in the field of network security. In this paper, the differences between Renyi entropy and Shannon entropy are first analyzed and compared. In order to capture network traffic changes exactly, Renyi entropy instead of Shannon entropy is proposed to measure selected traffic features. Then EWMA control chart theory is used to check the Renyi entropy time series in order to detect and screen anomalies. Three kinds of network attacks are also analyzed and characterized by behavior feature vectors for attack identification. Finally, a feature-similarity-based method is used to identify attacks. The experimental results on real traffic traces show that the proposed method has good capability to detect and identify these attacks with less computation cost. To evaluate the attack identification method conveniently, an approach is proposed to generate simulated attack traffic. Compared with the Shannon entropy-based method, the experiments on simulated traffic show that the Renyi entropy-based method has much higher overall accuracy, average precision and average true positive rate. Further comparison indicates that the proposed method detects attacks more effectively than the PCA-based method.
