Detecting Anomalies in Network Traffic Using Entropy and Mahalanobis Distance

J. Santiago-Paz†, D. Torres-Román† and P. Velarde-Alvarado‡

† CINVESTAV IPN, Department of Electrical Engineering and Computer Sciences, Telecommunications Section, Guadalajara, Jalisco, Mexico. Phone: (333) 770 3700 Ext. 1020
‡ Autonomous University of Nayarit, Tepic, Nayarit, Mexico. Area of Basic Sciences and Engineering
{jsantiago, dtorres}@gdl.cinvestav.mx, pvelarde@uan.edu.mx

Abstract

This paper proposes an entropy- and Mahalanobis-based methodology to detect certain anomalies in IP traffic. The balanced estimator II is used to model the normal behavior of two intrinsic traffic features: the source and destination IP addresses. The Mahalanobis distance describes an ellipse that characterizes the normal network entropy and determines whether a given traffic slot is normal or anomalous. Experimental tests evaluated the detection performance against portscan and worm attacks deployed in a campus network, showing that the methodology detects these attacks in a timely and accurate manner.

1. Introduction

Network attacks represent a risk to the integrity, confidentiality and availability of the resources provided by a network [1]. Likewise, the impact of anomalous activity is clearly reflected in considerable economic losses for organizations. Early detection of network attacks is a fundamental security process that is performed automatically by a network intrusion detection system (NIDS). This technological solution forms a second layer of security that complements the perimeter protection provided by a firewall. NIDS generally fall into one of two approaches. Misuse detection is also referred to as signature-based detection because alerts are generated from specific attack signatures; these signatures describe specific traffic associated with known intrusive activity.
Under this approach, a signature-based NIDS (S-NIDS) cannot detect unknown attacks, either because its database is out of date or because no signature is available yet. Anomaly detection, on the other hand, creates a profile of the "typical" behavior of certain traffic features. These traffic profiles are then used as a baseline that defines normal network activity; if the activity deviates too far from the baseline, an alarm is generated. An anomaly-based NIDS (A-NIDS) can potentially detect an attack the first time it is used, but its implementation is more complex than that of an S-NIDS.

This paper aims to detect anomalies in networks (the experiments were conducted in an academic LAN) using characteristic features of the network traffic, namely the source and destination IP addresses. Anomaly-free behavior profiles are generated from the training traces using the balanced estimator II of entropy, and the Mahalanobis distance is used to establish a new threshold.

1.1. Related Work

Entropy provides useful descriptions of the behavior of random processes. The key idea is that once malicious traffic is aggregated with normal traffic, the network entropy should immediately reflect this contamination. In [2], the authors propose a method based on the construction of a 3-dimensional entropy space, reporting the Shannon entropy of four intrinsic traffic features (srcIP, dstIP, srcPrt and dstPrt) as a mechanism for detecting intrusions. In [3], the author proposes the same 3-dimensional space, but first applies PCA to the four traffic features and observes the changes in the distribution. In [4], the authors propose using the estimate of Shannon entropy as a measure
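The following is an added worked example of the pipeline the abstract and Section 1 describe (per-slot entropy of srcIP and dstIP, a profile fitted on anomaly-free training slots, and a Mahalanobis-distance ellipse as the normal/anomalous threshold); it is not code from the paper. It makes three assumptions that the page does not state: the paper's balanced estimator II is not reproduced here, so the plain plug-in Shannon estimator stands in for it; the threshold is the 99% chi-square quantile with two degrees of freedom, which corresponds to the ellipse only if the training entropy vectors are roughly Gaussian; and all traffic slots are synthetic, constructed inline (a uniform set of client hosts talking to a skewed set of servers, plus one slot containing a single-source portscan), not traces from the authors' campus network.

```python
import math
import random
from collections import Counter


def shannon_entropy(values):
    """Plug-in (maximum-likelihood) Shannon entropy in bits of a categorical sample.
    Assumption: this replaces the paper's balanced estimator II, which is not given here."""
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in Counter(values).values())


def slot_features(flows):
    """Entropy vector (H(srcIP), H(dstIP)) for one traffic slot of (src, dst) pairs."""
    return (shannon_entropy([s for s, _ in flows]),
            shannon_entropy([d for _, d in flows]))


def fit_profile(vectors):
    """Mean vector and unbiased 2x2 sample covariance of the training entropy vectors."""
    n = len(vectors)
    mu = [sum(v[i] for v in vectors) / n for i in range(2)]
    cov = [[0.0, 0.0], [0.0, 0.0]]
    for v in vectors:
        d = [v[0] - mu[0], v[1] - mu[1]]
        for i in range(2):
            for j in range(2):
                cov[i][j] += d[i] * d[j]
    return mu, [[c / (n - 1) for c in row] for row in cov]


def mahalanobis(x, mu, cov):
    """Mahalanobis distance sqrt((x-mu)^T cov^-1 (x-mu)); closed-form 2x2 inverse."""
    (a, b), (c, d) = cov
    det = a * d - b * c
    inv = [[d / det, -b / det], [-c / det, a / det]]
    dx = [x[0] - mu[0], x[1] - mu[1]]
    return math.sqrt(sum(dx[i] * inv[i][j] * dx[j] for i in range(2) for j in range(2)))


# Assumption: ellipse = 99% level set of a chi-square with 2 d.o.f.; for 2 d.o.f. the
# quantile has the closed form -2 ln(1 - p), so no SciPy is needed.
THRESHOLD = math.sqrt(-2.0 * math.log(1 - 0.99))   # about 3.03


def build_detector(training_slots):
    """Fit the normal profile and return a classifier: slot -> (distance, is_anomalous)."""
    mu, cov = fit_profile([slot_features(s) for s in training_slots])

    def classify(slot):
        dist = mahalanobis(slot_features(slot), mu, cov)
        return dist, dist > THRESHOLD
    return classify


# ---- constructed synthetic traffic (not the paper's campus data) ----
def synth_normal_slot(rng, n_flows=200):
    """50 client hosts chosen uniformly, 20 servers with a skewed popularity."""
    hosts = [f"192.168.1.{i}" for i in range(1, 51)]
    servers = [f"10.0.0.{i}" for i in range(1, 21)]
    weights = [1.0 / (i + 1) for i in range(20)]
    return [(rng.choice(hosts), rng.choices(servers, weights)[0]) for _ in range(n_flows)]


def synth_portscan_slot(n_targets=200):
    """One scanner hitting many distinct targets: H(srcIP) collapses, H(dstIP) rises."""
    return [("192.168.1.7", f"10.0.{t // 256}.{t % 256}") for t in range(n_targets)]


def demo(seed=1, n_train=30):
    rng = random.Random(seed)
    train = [synth_normal_slot(rng) for _ in range(n_train)]
    classify = build_detector(train)
    normal = classify(synth_normal_slot(rng))
    scan = classify(synth_portscan_slot())
    fp_rate = sum(classify(s)[1] for s in train) / n_train   # re-scoring the training set
    return {"normal": normal, "scan": scan, "train_false_positive_rate": fp_rate}


if __name__ == "__main__":
    r = demo()
    print("threshold     :", round(THRESHOLD, 3))
    print("normal slot   : d=%.2f anomalous=%s" % r["normal"])
    print("portscan slot : d=%.2f anomalous=%s" % r["scan"])
    print("training FPR  :", r["train_false_positive_rate"])
```

The detector flags the scan slot because its entropy vector sits far outside the fitted ellipse in both coordinates at once, which is the property the paper relies on; a practitioner should note that the chi-square threshold is only as good as the Gaussian assumption on the training vectors, and that a scanner spreading traffic over many spoofed sources would move the vector differently than the single-source case constructed here.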