
Network Anomaly Detection Method Based On Relative Entropy Theory

Posted on: 2011-12-15
Degree: Master
Type: Thesis
Country: China
Candidate: Z G Han
GTID: 2178360305970882
Subject: Computer software and theory

Abstract/Summary:
Traditional intrusion detection methods fall into two types: misuse detection and anomaly detection. Anomaly detection is the main research direction of intrusion detection, and its core problems are the design of anomaly detection algorithms and the establishment of the normal model. Extensive analysis of existing anomaly detection methods shows two issues that still need research: first, the range of attacks that can be detected is limited, and second, there is an inherent contradiction between improving the detection rate and reducing the false alarm rate. How to find a new detection algorithm, or improve the existing ones, so as to raise the detection rate while keeping the false alarm rate low has therefore become a long-term research problem in the field of anomaly detection.

To address these problems, a network anomaly detection method with a single measure based on relative entropy theory (RETSMAD) is first proposed and its model designed. A simulation experiment using the DARPA 99 standard data sets showed the feasibility of RETSMAD. Because attacks of different types may cause abnormality in different measures, and the detection rate of RETSMAD for some types of attack is unsatisfactory, a network anomaly detection method with multiple measures based on relative entropy theory (RETMMAD) is proposed and its architecture designed. A simulation experiment using the DARPA 99 standard data sets shows that the average detection rate of RETMMAD can reach 83.5%. For the practical use of RETMMAD, however, deciding on the threshold is often difficult.

So, by introducing Euclidean distance theory, a network anomaly detection method based on relative entropy and Euclidean distance analysis (REEDAAD) is presented, in which the threshold is convenient to obtain; its architecture was then designed. A simulation experiment using the DARPA 99 standard data sets verified the feasibility of REEDAAD.

Building on this research into relative-entropy-based network anomaly detection algorithms, a real-time network anomaly detection system was implemented with REEDAAD as its example algorithm, and the application problems of the network anomaly detection algorithm were explored through this work. Testing the real-time system in an actual network environment shows that many kinds of simulated attacks can be alarmed in time.
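The relative-entropy scoring the abstract describes, as an added illustration that is not the thesis's code: each traffic measure (here destination port and protocol, over constructed sample windows) is compared to a normal profile by relative entropy, the per-measure scores are combined by Euclidean distance, and the alarm threshold is calibrated from attack-free windows. The combination rule (distance from the all-zero vector) and the calibration rule (largest normal score times a margin) are assumptions for illustration, not the thesis's exact formulas.

```python
import math
from collections import Counter

def distribution(values):
    """Turn observed categorical values (e.g. destination ports) into a probability distribution."""
    counts = Counter(values)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()} if total else {}

def relative_entropy(p, q, eps=1e-6):
    """Relative entropy (KL divergence) D(p||q) of an observed window p from the normal profile q.
    eps smooths symbols missing from the profile so the value stays finite; such symbols
    (e.g. never-seen ports) are exactly what drives the score up during a scan."""
    return sum(pk * math.log((pk + eps) / (q.get(k, 0.0) + eps)) for k, pk in p.items() if pk > 0)

def measure_scores(profile, window):
    """One relative-entropy value per traffic measure (the multi-measure idea)."""
    return {m: relative_entropy(distribution(window[m]), distribution(profile[m])) for m in profile}

def combined_score(scores):
    """Euclidean distance of the per-measure score vector from the all-normal origin (0, ..., 0).
    Assumed combination rule for illustration, not the thesis's exact formula."""
    return math.sqrt(sum(s * s for s in scores.values()))

def calibrate_threshold(profile, normal_windows, margin=3.0):
    """Assumed calibration rule: largest combined score over attack-free windows, times a margin."""
    return margin * max(combined_score(measure_scores(profile, w)) for w in normal_windows)

def is_anomalous(profile, window, threshold):
    """Alarm when the combined score of a window exceeds the calibrated threshold."""
    return combined_score(measure_scores(profile, window)) > threshold

# Constructed sample traffic: the normal profile is web/DNS heavy; the scan window hits 50 never-seen ports.
PROFILE = {"dst_port": [80] * 60 + [443] * 30 + [53] * 10, "proto": ["tcp"] * 90 + ["udp"] * 10}
NORMAL_WINDOWS = [
    {"dst_port": [80] * 28 + [443] * 17 + [53] * 5, "proto": ["tcp"] * 45 + ["udp"] * 5},
    {"dst_port": [80] * 31 + [443] * 14 + [53] * 5, "proto": ["tcp"] * 44 + ["udp"] * 6},
]
SCAN_WINDOW = {"dst_port": list(range(1000, 1050)), "proto": ["tcp"] * 50}

if __name__ == "__main__":
    threshold = calibrate_threshold(PROFILE, NORMAL_WINDOWS)
    for name, w in [("normal", NORMAL_WINDOWS[0]), ("scan", SCAN_WINDOW)]:
        print(name, round(combined_score(measure_scores(PROFILE, w)), 4), is_anomalous(PROFILE, w, threshold))
```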
Keywords/Search Tags: Intrusion Detection, Anomaly Detection, Relative Entropy Theory, Euclidean Distance