A Flow-Based Entropy Characterization of a NATed Network and Its Application on Intrusion Detection | IEEE Conference Publication | IEEE Xplore

Abstract:

This paper presents a flow-based entropy characterization of a small/medium-sized campus network that uses network address translation (NAT). Although most networks follow this configuration, their entropy characterization has not been previously studied. Measurements from a production network show that the entropies of flow elements (external IP address, external port, campus IP address, campus port) and tuples have particular characteristics. Findings include: i) entropies may widely vary in the course of a day. For example, in a typical weekday, the entropies of the campus and external ports may vary from below 0.2 to above 0.8 (in a normalized entropy scale 0-1). A similar observation applies to the entropy of the campus IP address; ii) building a granular entropy characterization of the individual flow elements can help detect anomalies. Data shows that certain attacks produce entropies that deviate from the expected patterns; iii) the entropy of the 3-tuple {external IP, campus IP, campus port} is high and consistent over time, resembling the entropy of a uniform distribution's variable. A deviation from this pattern is an encouraging anomaly indicator; iv) strong negative and positive correlations exist between some entropy time-series of flow elements.
Date of Conference: 20-24 May 2019
Date Added to IEEE Xplore: 15 July 2019
Conference Location: Shanghai, China
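
The entropy characterization described in the abstract, as an added example that is not code from the paper: it computes the normalized entropy of each flow element and of the 3-tuple over one window of flows, then lists the features that deviate from a baseline window. The log2(N) normalization, the 0.25 tolerance, the field names and both sample windows are assumptions constructed for illustration.

```python
import math
from collections import Counter

# Flow elements named in the abstract; the key names are assumptions.
FIELDS = ("ext_ip", "ext_port", "campus_ip", "campus_port")
TUPLE3 = ("ext_ip", "campus_ip", "campus_port")

def normalized_entropy(values):
    """Shannon entropy of the empirical distribution, scaled to 0-1.

    Assumption: normalize by log2(N), N = flows in the window, so 1.0
    means every flow carried a different value (uniform-like).
    """
    n = len(values)
    if n < 2:
        return 0.0
    h = sum((c / n) * math.log2(n / c) for c in Counter(values).values())
    return h / math.log2(n)

def window_entropies(flows):
    """Entropy of every flow element and of the 3-tuple for one window."""
    out = {f: normalized_entropy([fl[f] for fl in flows]) for f in FIELDS}
    out["tuple3"] = normalized_entropy(
        [tuple(fl[f] for f in TUPLE3) for fl in flows])
    return out

def deviations(baseline, current, tolerance=0.25):
    """Features whose entropy moved more than `tolerance` (hypothetical value)."""
    return sorted(k for k in baseline
                  if abs(current[k] - baseline[k]) > tolerance)

# Constructed sample windows (documentation address ranges, not measured data).
def normal_window(n=64):
    # Many campus hosts, many external servers, a few external service ports.
    return [{"ext_ip": f"198.51.100.{i % 32}", "ext_port": (443, 80, 53)[i % 3],
             "campus_ip": f"10.0.0.{i % 16}", "campus_port": 40000 + i}
            for i in range(n)]

def anomalous_window(n=64):
    # One external host repeatedly hitting one campus address and port.
    return [{"ext_ip": "203.0.113.7", "ext_port": 50000 + i,
             "campus_ip": "10.0.0.5", "campus_port": 8080} for i in range(n)]

if __name__ == "__main__":
    base = window_entropies(normal_window())
    cur = window_entropies(anomalous_window())
    for name in base:
        print(f"{name:12s} baseline={base[name]:.3f} current={cur[name]:.3f}")
    print("deviating:", deviations(base, cur))
```

In the constructed baseline the 3-tuple entropy is 1.0, and the anomalous window collapses it to 0.0, which is the kind of deviation the abstract names as an anomaly indicator.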
