ANALYSIS OF SOFTWARE-DEFINED NETWORK TRAFFIC USING ENTROPY

Authors

  • A.K. YATSENKO
  • V.I. DUBROVIN
  • L.Y. DEYNEGA

DOI:

https://doi.org/10.32782/mathematical-modelling/2022-5-1-14

Keywords:

anomaly detection, entropy, netflow, network traffic measurement, software-defined network, DDoS attack

Abstract

Software-defined networking (SDN) is an approach to building a network that uses software controllers or application programming interfaces (APIs) to communicate with the underlying hardware infrastructure and route network traffic, instead of relying on physical routers and switches to make those decisions. Software-defined networks use a centralized controller, so ensuring the reliability of its operation is very important for the functioning of the network. The security issue becomes especially acute as the number of network users grows. One of the biggest and most common threats to software-defined networks is a distributed denial of service (DDoS) attack. To detect network attacks, statistical characteristics of network traffic such as the sample mean, sample variance, Pearson's chi-square test, and the information-theoretic measure entropy can be used. Quantitatively, entropy is measured as the Shannon entropy of a probability distribution. Information entropy is a measure of the uncertainty associated with a random variable. Entropy characterizes the probability with which a certain state is established; it is a measure of chaos or irreversibility. The greater the chaos of the system, the higher the value of entropy, and vice versa. The software suites considered are based on entropy analysis of network data recorded by NetFlow sensors. Typical sensors connect to TAP or SPAN ports on switches. Flows are analyzed over fixed time intervals. The collected flows are registered in a database and then analyzed. Anomaly filters are provided by direction, protocol, and subnet. Next, the entropy value for positive and negative values of α is calculated for the distribution of traffic characteristics. In the detection step, the observed entropy is compared with the minimum and maximum values stored in the profile, and an anomaly threshold is determined. Threshold values less than 0 or greater than 1 indicate abnormal concentration or dispersion, respectively.
One solution for detecting such attacks is to use fusion entropy. This method makes it possible to detect DDoS attacks in near real time, and the entropy values for normal and malicious traffic differ by 90%.
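The detection step the abstract describes (per-window entropy of a traffic feature distribution, compared against the minimum and maximum stored in a baseline profile, with a normalized score below 0 or above 1 flagged as abnormal concentration or dispersion) can be illustrated in Python. The code below is an added example written for this page, not the authors' software or the paper's own implementation. It assumes simplified flow records of (timestamp, source IP, destination IP), a constructed 10-second window, plain Shannon entropy over the per-window distribution of one field, and constructed baseline and attack traffic; it does not implement the α-parameterized or fusion entropy the abstract mentions.

```python
"""Entropy-based anomaly scoring over NetFlow-like records (added example).

Assumptions (not from the paper): a flow record is (timestamp, src_ip, dst_ip),
the analysis window is 10 s, and the profile is the (min, max) entropy seen
over baseline windows. The normalized score follows the abstract's rule:
score = (H - H_min) / (H_max - H_min); score < 0 is abnormal concentration,
score > 1 is abnormal dispersion.
"""
import math
from collections import Counter, defaultdict

WINDOW_SECONDS = 10          # assumed fixed analysis interval
SRC, DST = 1, 2              # tuple field indices of the flow record


def shannon_entropy(counter):
    """Shannon entropy in bits of the empirical distribution in `counter`."""
    total = sum(counter.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counter.values())


def window_entropies(flows, field, window=WINDOW_SECONDS):
    """Bucket flows into fixed windows; return {window_index: H(field)}."""
    buckets = defaultdict(Counter)
    for flow in flows:
        buckets[int(flow[0] // window)][flow[field]] += 1
    return {w: shannon_entropy(buckets[w]) for w in sorted(buckets)}


def build_profile(baseline_flows, field):
    """(min, max) entropy over the baseline windows: the stored profile."""
    hs = list(window_entropies(baseline_flows, field).values())
    return (min(hs), max(hs))


def anomaly_score(h, profile):
    """Position of H relative to the profile; inside [0, 1] means normal."""
    lo, hi = profile
    if hi == lo:                              # degenerate profile: any deviation is extreme
        return 0.0 if h == lo else (math.inf if h > lo else -math.inf)
    return (h - lo) / (hi - lo)


def classify(score):
    if score < 0:
        return "concentration"   # e.g. many flows to one destination
    if score > 1:
        return "dispersion"      # e.g. unusually many distinct sources
    return "normal"


def score_windows(flows, profile, field):
    """{window_index: (H, score, label)} for every window in `flows`."""
    out = {}
    for w, h in window_entropies(flows, field).items():
        s = anomaly_score(h, profile)
        out[w] = (h, s, classify(s))
    return out


def make_flows(t0, pairs):
    """Constructed records: n flows (src -> dst) inside the window starting at t0."""
    return [(t0 + 0.5 * i, src, dst) for src, dst, n in pairs for i in range(n)]


# Constructed baseline: three 10 s windows of four internal hosts talking to
# four servers, with mild variation so the profile has a non-zero range.
H = ["192.168.1.10", "192.168.1.11", "192.168.1.12", "192.168.1.13"]
S = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
BASELINE = (
    make_flows(0, [(H[0], S[0], 2), (H[1], S[1], 2), (H[2], S[2], 2), (H[3], S[3], 2)])
    + make_flows(10, [(H[0], S[0], 2), (H[1], S[0], 2), (H[2], S[1], 2), (H[3], S[2], 1), (H[3], S[3], 1)])
    + make_flows(20, [(H[0], S[0], 2), (H[0], S[1], 2), (H[1], S[2], 2), (H[2], S[3], 1), (H[3], S[3], 1)])
)
# Constructed observation: a window of 16 distinct (spoofed-looking) sources all
# hitting one server, followed by a window that matches the baseline.
OBSERVED = (
    make_flows(30, [(f"10.9.{i}.1", S[0], 1) for i in range(16)])
    + make_flows(40, [(H[0], S[0], 2), (H[1], S[1], 2), (H[2], S[2], 2), (H[3], S[3], 2)])
)


def run_demo():
    """Score the observed windows against the baseline profile for both fields."""
    return {
        "dst": score_windows(OBSERVED, build_profile(BASELINE, DST), DST),
        "src": score_windows(OBSERVED, build_profile(BASELINE, SRC), SRC),
    }


if __name__ == "__main__":
    for field, windows in run_demo().items():
        for w, (h, s, label) in windows.items():
            print(f"{field} window {w}: H={h:.2f} score={s:+.2f} {label}")
```

In the constructed data the attack window shows up on both features at once: destination-IP entropy collapses to 0 bits (score well below 0, concentration) while source-IP entropy jumps to 4 bits (score well above 1, dispersion). The following window, identical to baseline, scores exactly 1.0 on both and stays "normal", which is the boundary case the thresholds in the abstract leave inside the normal band.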


Published

2023-05-30