(A) statistical approach to network detection on backbone links

Abstract

Several network attacks, such as distributed denial of service (DDoS) attack, presents a very serious threat to the stability of the internet. The threat posed by network attacks on large networks, such as the internet, demands effective detection method. Therefore, a simple intrusion detection system on large-scale backbone network is needed for the sake of real-time detection, preemption and detection efficiency. In this paper, in order to discriminate attack traffic from legitimate traffic on backbone links, we suggest a relatively simple statistical measure, entropy, which can track value frequency. Because according to network attacks, there should be unusual value frequency in source IP, destination IP and destination port, we observe changes of entropy value for three selected packet attributes. In order to evaluate our detecting algorithm, we experimented with 2000 DARPA Intrusion Detection Scenario Specific Data Sets. The result shows that network attack packets show anomalies in entropy values of selected packet attributes. In other words, there is conspicuous distinction of entropy values between attack traffic and legitimate traffic. And also according to the type of the network attacks, there are significant differences of the entropy values. Therefore, we can identify what kind of attack it is as well as detecting the attack traffic using entropy value.