Detection of packet traffic anomalous behaviour via information entropy

Abstract

Spatio-temporal dynamics of packet traffic in data networks is complex and its monitoring is a challenging task. We study whether information entropy of packet traffic monitored at a selected set of nodes may provide a method for monitoring network-wide behaviour of packet traffic and for detection of anomalous traffic, e.g., distributed denial-of-service (DDoS) attacks. We conduct our investigation for a packet switching network model for static and dynamic routings. We show that the proposed information entropy method may detect changes in the "natural" randomness of spatio-temporal distributions of packets among routers caused by anomalous traffic, and that the emerging anomalies are easier to detect for DDoS attacks with a larger number of attackers and/or on networks using static rather than dynamic routing. © 2009 Springer-Verlag Berlin Heidelberg.

Lawniczak, A. T., Wu, H., & Stefano, B. N. (2009). Detection of packet traffic anomalous behaviour via information entropy. In Studies in Computational Intelligence (Vol. 207, pp. 197–208). Springer Verlag. https://doi.org/10.1007/978-3-642-01206-8_17
