
Using cross entropy to detect and classify network anomalous traffic

  • Xi'an Jiaotong University
  • Guangdong Ocean University

Research output: Contribution to journal › Article › peer-review

5 Scopus citations

Abstract

A traffic anomaly detection and classification method based on cross entropy is proposed to identify network attack behaviors accurately. Features of both the traffic flow header and traffic behavior are used to characterize three types of common attacks: DoS attacks, port scans and network scans. Cross entropy measures the change in traffic distribution for each traffic feature, and a behavior vector is built for each attack type. An exponentially weighted moving average (EWMA) control chart is then applied to the multiple cross entropy indicators for anomaly detection, generating an anomaly vector. The similarity between the anomaly vector and each behavior vector is computed to classify attacks. Experimental results on Netflow traffic from a router, compared with the Shannon entropy measurement, show that under relatively weaker attacks the true positive rate, average precision and accuracy of the cross entropy measurement in attack classification rise by 13%, 15%, and 13%, respectively.
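The pipeline the abstract describes (per-feature cross entropy, EWMA control chart, anomaly vector, similarity to behavior vectors), sketched as an added example that is not code from the paper. The three features, the direction of the cross entropy (current window against baseline), the behavior vectors, cosine similarity as the similarity measure, the EWMA parameters and all flow counts are assumptions constructed for this illustration.

```python
import math
from collections import Counter

FEATURES = ("src_ip", "dst_ip", "dst_port")
# Hypothetical behavior vectors: 1 = this feature's cross entropy should rise.
BEHAVIOR = {"dos": (1, 0, 0), "network_scan": (0, 1, 0), "port_scan": (0, 0, 1)}

def cross_entropy(cur, base, eps=1e-6):
    """H(cur, base) = -sum_x cur(x) log base(x); values unseen in base get eps."""
    n_cur, n_base = sum(cur.values()), sum(base.values())
    return -sum(c / n_cur * math.log(max(base.get(x, 0) / n_base, eps))
                for x, c in cur.items())

def ewma_alarm(series, warmup, lam=0.3, width=3.0):
    """1 if the EWMA after the warm-up windows is above the upper control limit."""
    mu = sum(series[:warmup]) / warmup
    sigma = math.sqrt(sum((v - mu) ** 2 for v in series[:warmup]) / (warmup - 1))
    ucl = mu + width * sigma * math.sqrt(lam / (2 - lam))
    z = mu
    for v in series[warmup:]:
        z = lam * v + (1 - lam) * z
    return int(z > ucl)

def classify(anomaly):
    """Label of the behavior vector with the highest cosine similarity."""
    norm = math.hypot(*anomaly)
    if norm == 0:
        return None  # no indicator alarmed
    def cosine(b):
        return sum(x * y for x, y in zip(anomaly, b)) / (norm * math.hypot(*b))
    return max(BEHAVIOR, key=lambda name: cosine(BEHAVIOR[name]))

def detect(windows, baseline, warmup):
    """windows: list of {feature: Counter}. Returns (anomaly_vector, label)."""
    series = {f: [cross_entropy(w[f], baseline[f]) for w in windows] for f in FEATURES}
    anomaly = tuple(ewma_alarm(series[f], warmup) for f in FEATURES)
    return anomaly, classify(anomaly)

def window(noise, scan_ports=0):
    """Constructed flow counts; scan_ports adds one flow per previously unseen port."""
    w = {"src_ip": Counter({"10.0.0.1": 50, "10.0.0.2": 30, "10.0.0.3": 20 + 6 * noise}),
         "dst_ip": Counter({"192.0.2.10": 60, "192.0.2.11": 40 + 8 * noise}),
         "dst_port": Counter({80: 70, 443: 25, 22: 5 + 3 * noise})}
    w["src_ip"]["10.0.0.3"] += scan_ports      # constructed scanner, already in baseline
    w["dst_ip"]["192.0.2.11"] += scan_ports    # constructed scan target
    w["dst_port"].update(range(1024, 1024 + scan_ports))
    return w

BASELINE = window(0)
WINDOWS = [window(i % 3 - 1) for i in range(9)] + [window(0, scan_ports=10)]
```

Calling `detect(WINDOWS, BASELINE, warmup=9)` on this constructed data raises only the `dst_port` indicator: ten scan flows among roughly a hundred stay inside the control limits for `src_ip` and `dst_ip`, while the previously unseen ports push the port cross entropy well above its limit.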

Original language: English
Pages (from-to): 10-15
Number of pages: 6
Journal: Hsi-An Chiao Tung Ta Hsueh/Journal of Xi'an Jiaotong University
Volume: 44
Issue number: 6
State: Published - Jun 2010

Keywords

  • Anomaly detection
  • Attack classification
  • Cross entropy
  • Exponentially weighted moving average
