Abstract: The existing methods build a model describing normal flow characteristics which is used to identify deviating flows. However, building such a microscopic model is challenging due to the wide variability of flow characteristics. The distributions of packet features (IP addresses and ports) observed in traces which can be described by entropy reveal the presence and the structure of a wide range of anomalies. A novel method named Entropy of Characteristics based Anomaly Traffic Identification (ECATI) was proposed. It utilizes entropy of characteristics to detect anomalies and analyzes traffic in anomalous time bins of which detector iteratively removes flows that seem normal. We measured the accuracy of ECATI algorithm using manually labeled anomalies and anomaly injection. The results show that ECATI accurately isolates the anomalous traffic with only few or zero missed flows under over 89.5% of average identification rate.

Key words: Entropy of characteristics, Exponentially weighted moving average, Partition reduction, Anomaly traffic identification