A hybrid approach for anomaly detection on large-scale networks using HWDS and entropy

Bibliographic details
Main authors: de Assis, Marcos V. O., Rodrigues, Joel J. P. C., Lemes Proenca, Mario
Format: Conference paper
Language: eng
Description
Summary: The constant growth in scale and complexity of computer networks in recent years has led to the need for more powerful anomaly detection tools and approaches. Several studies have been developed in this area, focusing on the detection of volume anomalies through the analysis of quantitative flow features, like bits or packages per second. This paper presents a hybrid approach of anomaly detection based on the traffic characterization of four qualitative flow features using the Shannon entropy: IP addresses and ports of origin and destination. In order to achieve a traffic characterization of the four analyzed dimensions, we use the Holt-Winters for Digital Signature (HWDS) method. It is an improvement of the traditional method which is able to efficiently characterize the traffic, generating a Digital Signature of Network Segment using Flow analysis (DSNSF) for each dimension. The presented approach is tested using real data collected at the State University of Londrina - Brazil aiming to determine the performance outcomes of the approach in both traffic characterization and anomaly detection processes.
DOI: 10.1109/SoftCOM.2013.6671845